New Member

Perimeter interface ACL

I want to lock down my router that connects to the cable modem. Now, I thought it would be simple to just block everything incoming via an ACL, but as soon as I applied the below ACL, even the clients that are being NAT'd couldn't get to the internet. This router is performing NAT for the internal network, as well as terminating client/network IPSEC tunnels. Any ideas on how to approach this?

access-list 150 remark OUTSIDE_TO_INSIDE_ACL
! Prevent LAND Attack
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
! IP address spoof protection
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
! ICMP filters
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any echo log
access-list 150 deny icmp any any mask-request log
! Deny all and log port numbers
access-list 150 deny tcp any range 0 65535 any range 0 65535 log
access-list 150 deny udp any range 0 65535 any range 0 65535 log
access-list 150 deny ip any any log

40 REPLIES

Re: Perimeter interface ACL

Hello Robert,

The situation with routers is that they cannot perform stateful inspection by default (like an ASA firewall), so you need to create an access-control entry for all the connections you want to allow from the outside to the inside, even if they are a reply to a connection initiated on the inside of your network.

Do you see my point here?

So, for example, there is one workaround for this: you can create a reflexive access-list on the inside interface of your router so that the replies to requests or packets being sent from the inside to the outside are allowed by default, no matter what access-list is applied on the outside interface.

Reflexive access-lists work with the TCP protocol, so, for example, if you want to allow internet access and you are using a public DNS (UDP/53), the reflexive access-list will not work for that protocol (UDP), so you will need to permit that traffic on the outside interface.

Here is a link if you want to go deeper into this particular feature:

http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/screflex.html#wp3627

Please rate helpful posts.

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
Cisco Employee

Perimeter interface ACL

Hi Robert,

Remember that this is not a stateful firewall. Hence, you will need to permit the return traffic from the internet on port 80 to your clients.

To continue using this ACL but still permit anything from the inside network to the outside, you can apply CBAC (some sort of reflexive ACL), which will allow packets to return if the sessions were created on a trusted interface.

You can do the following (assuming the ACL is applied on the interface that connects to the internet):

ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp

Get into the interface and put the following command:

ip inspect FW out

Then apply the ACL and let me know how it goes.

Mike

New Member

Re: Perimeter interface ACL

OK, I think I'm following you. Apply the ACL on the exterior int.

int f0/0 <<<----one going to cable modem

ip access-group 151 in

Then create the inspect rules (this is how I came across the ACL in the first place: trying to implement the inspect rules)

ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp

Then go back to int f0/0

ip inspect FW out

About right? This would allow any traffic sourced from inside the network (either from the router's crypto map sessions or a client on the LAN) to go out and come back in, because it came from inside first.

Cisco Employee

Perimeter interface ACL

Not quite right for router traffic.

For traffic initiated from the inside subnet, the return traffic would be allowed without the need to explicitly permit it on the ACL.

You may need to allow IPsec and tunnel protocols on the ACL itself for the router to build the tunnels correctly (I don't think it is much of a security problem, since Phase 1 and Phase 2 need to be completed for the VPN to work).

The rest is fine.

Let me know if you have doubts.

Mike

New Member

Re: Perimeter interface ACL

OK, it worked. Nothing internally died (knock on wood). Now, I can't test it right now, but I am assuming remote VPN clients will not be able to connect now. This router serves them as well. How do I allow them in? Would it be something like the below at the top of the ACL?

access-list 151 permit udp any eq 500 any

Cisco Employee

Perimeter interface ACL

Hey,

Not quite. It would be more like allowing them to connect to the router, so it would be like this:

access-list 151 permit udp any any eq 500
access-list 151 permit udp any any eq 4500 (in case the devices are behind NAT)
access-list 151 permit esp any any (for encrypted traffic)

The access list you are applying is inbound, nothing outbound, so the reply from the router won't be dropped by this ACL.

Let me know your inputs.

Mike

New Member

Perimeter interface ACL

Problem is, my IP is dynamic.

Cisco Employee

Perimeter interface ACL

That's an issue. Do you have DDNS configured?

Mike

New Member

Re: Perimeter interface ACL

Ironically, I do. I'm running the Windows client on a junk desktop on the LAN.

Robert Craig

Fort Huachuca, AZ 85613

520-226-9505 (Home)

760-583-8270 (Cell)

520-843-0759 (Fax)

Cisco Employee

Perimeter interface ACL

Mmmm

Off the top of my head, you can put the FQDN there on the ACL and configure a DNS server on the router so it can query the DNS server every time the name changes...

That can work.

Mike

New Member

Perimeter interface ACL

Ok, that might just work. I will give it a shot tomorrow and see what happens. I'll let you know. Thanks Mike!

Cisco Employee

Perimeter interface ACL

Sure... let me know if you need any help tomorrow.

Mike

New Member

Re: Perimeter interface ACL

Mike,

I added the modified ACL and it killed my IPSEC tunnels. I didn't try the client tunnels, but the network ones died and didn't come back up. Below is what I used. I don't really see why it didn't work.

access-list 150 remark OUTSIDE_TO_INSIDE_ACL
access-list 150 permit udp any host 10.dyndns-at-home.com eq 500
access-list 150 permit udp any host 10.dyndns-at-home.com eq 4500
access-list 150 permit esp any host 10.dyndns-at-home.com
! Prevent LAND Attack
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
! IP address spoof protection
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
! ICMP filters
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any echo log
access-list 150 deny icmp any any mask-request log
! Deny all and log port numbers
access-list 150 deny tcp any range 0 65535 any range 0 65535 log
access-list 150 deny udp any range 0 65535 any range 0 65535 log
access-list 150 deny ip any any log

New Member

Re: Perimeter interface ACL

OK, caveat to the previous message. I added the below to the list and the tunnels (for the most part) came back up.

access-list 150 permit udp any host 10.dyndns-at-home.com eq isakmp

However, I lost the ability to ping the other side's router, even though I can browse to its web GUI and anything on that network (weird?). Also, the below command shows me nothing, so I have no way of monitoring the tunnels.

show crypto isakmp sa

I don't understand why I lost ping to one interface on the other side (it's an RVS4000, so the VLAN 1 interface) and my crypto status is blank. All because of an ACL? For giggles, I rebooted the router. To make things even more complicated, the interface wouldn't pull an IP from the modem until I removed the ACL.

Cisco Employee

Re: Perimeter interface ACL

Well,

ICMP is not permitted to come back. Remember that traffic generated from the router is not subject to inspection (unless the keyword router-traffic is included). For that you will need to add one more ACL line that allows ICMP to that specific domain:

access-list 150 permit icmp any host 10.dyndns-at-home.com echo-reply

That way it will be permitted. Remember to put it on the first lines to avoid the final deny ip any any.

Let me know.

Mike

New Member

Re: Perimeter interface ACL

Yeah, I ended up editing it more than that. Below is what I have so far. It seemed that it was just too locked down for anything to get through. Do you recommend adding or changing anything? Everything works right now, knock on wood.

access-list 150 remark OUTSIDE_TO_INSIDE_ACL
access-list 150 permit udp any any eq bootpc
access-list 150 permit udp any any eq bootps
access-list 150 permit udp any eq bootps any eq bootpc
access-list 150 permit udp any host 10.dyndns-at-home.com eq 500
access-list 150 permit udp any host 10.dyndns-at-home.com eq 4500
access-list 150 permit udp any host 10.dyndns-at-home.com eq isakmp
access-list 150 permit esp any host 10.dyndns-at-home.com
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any time-exceeded
access-list 150 permit icmp any any unreachable
access-list 150 permit icmp any any packet-too-big
access-list 150 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit udp host proxy.sip-ua.com host 10.dyndns-at-home.com
! Prevent LAND Attack
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
! IP address spoof protection
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
! ICMP filters
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any mask-request log
! Deny all and log port numbers
access-list 150 deny ip any any log

Robert

Cisco Employee

Re: Perimeter interface ACL

I like it. However, I don't know what the reason is for this:

access-list 150 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.255.255

Nothing on the internet should come with those private IP addresses.

Mike

New Member

Re: Perimeter interface ACL

You are right. Here is the weird part. Those two LANs reside at a distant site and come across IPSEC tunnels (two tunnels). When I blocked those private addresses, I started noticing that traffic from those IPs was being blocked by the ACL. I just did a terminal monitor in an SSH session to the router and the page was going nuts with blocks. The IPs were legit and were trying to get to resources on my LAN. What is confusing is how the interface would even see those IPs if they are inside an encrypted tunnel.


Cisco Employee

Re: Perimeter interface ACL

Agree.

Were you seeing drops for the whole subnet or for certain hosts?

Mike

New Member

Re: Perimeter interface ACL

Certain hosts that I know were legit in the other LAN.


Cisco Employee

Re: Perimeter interface ACL

Mmm, alright... all kinds of traffic or certain ones?

What you can do is remove those lines, configure ip inspect log drop-pkt, and check the logs for packet drops caused by the firewall.

Mike

New Member

Re: Perimeter interface ACL

Would this be internal log? I don’t have a server collecting logs yet.


Cisco Employee

Re: Perimeter interface ACL

If you put the command term mon in exec mode, the logs will appear on the current SSH/telnet session that you have; if you are on the console, they should appear immediately with no command intervention.

Mike

New Member

Re: Perimeter interface ACL

OK, I took out the two lines allowing those privates in. I didn't add the denies back at the bottom, but here is the message I am getting from one of my hosts.

list 150 denied tcp 192.168.16.6(36322) -> 192.168.1.253(5060), 1 packet

16.6 is an Exchange server on the LAN side in Arkansas.

1.253 is a call manager on my side in Arizona.

I have a SIP trunk between the two for Exchange voicemail.

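A small first-match evaluator over a cut-down copy of Robert's ACL 150, added here as an illustration (it is not code from the thread or from Cisco). It shows the two behaviours discussed above: the echo-reply permit placed before the final deny lets the router's own ping replies in, and once the 192.168.16.0/24 permit is removed the decrypted SIP packet from the log line above falls through to deny ip any any. The router address 203.0.113.10 and the remote host 198.51.100.7 are placeholders from the documentation ranges.

```python
import ipaddress
# Constructed cut-down copy of the thread's ACL 150; the dyndns hostname becomes a placeholder address.
ACL_150 = """
permit udp any host 203.0.113.10 eq 500
permit icmp any any echo-reply
permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
deny icmp any any echo log
deny ip any any log
"""

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' and an optional 'eq PORT' from tok."""
    t = tok.pop(0)
    if t == "host":
        t = tok.pop(0) + "/32"
    elif t != "any":
        t = f"{t}/{tok.pop(0)}"  # IOS wildcard mask; ipaddress reads a leading-zero mask as a hostmask
    net = ipaddress.ip_network("0.0.0.0/0" if t == "any" else t, strict=False)
    port = int(tok[1]) if tok and tok[0] == "eq" else None
    del tok[:2 if port is not None else 0]  # drop 'eq PORT' once consumed
    return net, port

def parse_acl(text):
    """One ACE per line -> (action, proto, src, sport, dst, dport, icmp_type)."""
    entries = []
    for line in text.strip().splitlines():
        tok = [t for t in line.split() if t != "log"]  # 'log' does not affect matching
        action, proto = tok.pop(0), tok.pop(0)
        src, sport = _addr(tok)
        dst, dport = _addr(tok)
        entries.append((action, proto, src, sport, dst, dport, tok[0] if tok else None))
    return entries

def evaluate(entries, pkt):
    """First-match lookup -> (action, 1-based ACE number); no match is the implicit deny."""
    for n, (action, proto, src, sport, dst, dport, itype) in enumerate(entries, 1):
        fields = (("sport", sport), ("dport", dport), ("icmp_type", itype))
        if (proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in src
                and ipaddress.ip_address(pkt["dst"]) in dst
                and all(w is None or pkt.get(k) == w for k, w in fields)):
            return action, n
    return "deny", None

def demo():
    """The router's own echo reply, then the decrypted SIP packet with and without the private permit."""
    acl = parse_acl(ACL_150)
    reply = {"proto": "icmp", "src": "198.51.100.7", "dst": "203.0.113.10", "icmp_type": "echo-reply"}
    sip = {"proto": "tcp", "src": "192.168.16.6", "sport": 36322, "dst": "192.168.1.253", "dport": 5060}
    no_private = [e for e in acl if e[2] != ipaddress.ip_network("192.168.16.0/24")]
    return evaluate(acl, reply), evaluate(acl, sip), evaluate(no_private, sip)
```

Ports and ICMP types are matched by exact token, so named ports such as isakmp or bootpc would need to be mapped to numbers before this parser sees them.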

Cisco Employee

Re: Perimeter interface ACL

Robert,

It could be due to the fact that this connection was not in the state table. That being said, try the following:

ip inspect name FW sip

Do you have this ACL 150 only applied on the outside interface in the inbound direction?

Mike

New Member

Re: Perimeter interface ACL

Yes, I already have the SIP rule turned on. And yes, it is applied:

ip access-group 150 in

That’s not the only thing appearing. I am seeing clients in Arkansas trying to connect to a printer on my end, as well as LDAP traffic trying to get to a server here as well.


Cisco Employee

Re: Perimeter interface ACL

What I meant was whether this ACL was only applied to the outside interface (trying to check if you had it applied elsewhere).

The ip inspect log drop-pkt should show you FW logs; the ones that you grabbed are from regular ACLs. This is why I think there is another ACL that may be dropping the packets.

Mike

New Member

Re: Perimeter interface ACL

OK, I see. Where do I apply that statement?


Cisco Employee

Re: Perimeter interface ACL

At global configuration mode.

Mike
