Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Strange behavior in ACL- have I been hacked?

I recently noticed a change in the access list for my 2600, which is used as a DSL firewall. I'm seeing IP addresses permitted that I didn't enter. When I try to either reload the ACL or deny those addresses, they get repopulated. Here's the ACL as stored in a text file:

no access-list 102

access-list 102 permit tcp any host 65.184.57.73 established

access-list 102 permit tcp 216.227.56.120 65.184.57.73 any

access-list 102 permit tcp 65.187.0.151 65.184.57.73 any

access-list 102 permit tcp any host 172.17.0.0 established

access-list 102 permit tcp 216.227.56.120 172.17.0.0 any

access-list 102 permit tcp 65.187.0.151 172.17.0.0 any

access-list 102 permit udp 216.227.56.120 172.17.0.0 any

access-list 102 permit udp 65.187.0.151 172.17.0.0 any

access-list 102 permit udp 216.227.56.120 65.184.57.73 any

access-list 102 permit udp 65.187.0.151 65.184.57.73 any

access-list 102 permit udp host 65.184.57.73 any eq 44444

access-list 102 permit udp host 65.184.57.73 any eq isakmp

access-list 102 permit esp host 65.184.57.73 any

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any redirect

access-list 102 permit icmp any any administratively-prohibited

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any source-quench

access-list 102 permit icmp any any unreachable

access-list 102 deny icmp any any log

access-list 102 deny ip 10.0.0.0 0.255.255.255 any log

access-list 102 deny ip 172.16.0.0 0.15.255.255 any log

access-list 102 deny ip 192.168.0.0 0.0.255.255 any log

access-list 102 deny ip host 65.184.57.73 any log

And here's what I get with a show run command immediately after entering the above commands:

Extended IP access list 102

permit tcp any host 65.184.57.73 established

permit tcp 152.67.0.48 65.184.57.73 any

permit tcp 0.3.0.150 65.184.57.73 any

permit tcp any host 172.17.0.0 established

permit tcp 80.226.56.120 172.17.0.0 any

permit tcp 65.170.0.151 172.17.0.0 any

permit udp 80.226.56.120 172.17.0.0 any

permit udp 65.170.0.151 172.17.0.0 any

permit udp 152.67.0.48 65.184.57.73 any

permit udp 0.3.0.150 65.184.57.73 any

permit udp host 65.184.57.73 any eq 44444

permit udp host 65.184.57.73 any eq isakmp

permit esp host 65.184.57.73 any

permit icmp any any echo-reply

permit icmp any any redirect

permit icmp any any administratively-prohibited

permit icmp any any time-exceeded

permit icmp any any source-quench

permit icmp any any unreachable

deny icmp any any log

deny ip 10.0.0.0 0.255.255.255 any log

deny ip 172.16.0.0 0.15.255.255 any log

deny ip 192.168.0.0 0.0.255.255 any log

deny ip host 65.184.57.73 any log

What's going on here? Even if I reload the router from tftp, I still get the same scenario, same addresses. Have I been hacked or is something else going on?

I'm relatively green about the finer points of router security...

Thanks!

Charlie Kaiser

4 REPLIES
noc
New Member

Re: Strange behavior in ACL- have I been hacked?

this is CBAC at work. Your router is creating rules for connections YOU are establishing from the inside to get out and back in. This is normal and is similar to the operation of a DMZ host in a firewall that needs to be able to send response packets to

connections (such as smtp, or www) from the internet.

Do you have ip inspect rules or something configured ?

New Member

Re: Strange behavior in ACL- have I been hacked?

Hi. Thanks.

No, I don't have inspect configured. It's just a simple initial acl. as soon as I enter the second line, the one that reads:

access-list 102 permit tcp 216.227.56.120 65.184.57.73 any, and then do a sh run, it changes it to:

access-list 102 permit tcp 152.67.0.48 65.184.57.73 any.

This happens even after a complete reload of the OS (newer version; went from 12.0(7)T to 12.1(1)) from Cisco to flash and wiped config and rebuilt it from scratch. No change.

the config build was done with no outside connection and the address still shows up. Also, the 0.3.0.150 address isn't a valid address. The other ones are unreachable.

Here's the complete running config, including the bad addresses in the ACL. I pasted the acl from the initial post into this config and this is what showed up immediately afterwards:

!

version 12.1

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname *********

!

enable secret 5

enable password 7

!

!

!

!

!

ip subnet-zero

!

ip dhcp pool dhcp1

network 172.17.0.0 255.255.255.0

dns-server 216.227.56.120 65.187.0.151

default-router 172.17.0.1

!

ip audit notify log

ip audit po max-events 100

!

!

!

!

!

!

!

!

interface Ethernet0/0

ip address 65.184.57.73 255.255.255.252

ip access-group 102 in

ip nat outside

!

interface Serial0/0

no ip address

shutdown

!

interface Ethernet0/1

ip address 172.17.0.1 255.255.0.0

ip nat inside

!

ip nat translation dns-timeout never

ip nat pool ovrld 65.184.57.73 65.184.57.73 prefix-length 24

ip nat inside source list 1 pool ovrld overload

ip classless

ip route 0.0.0.0 0.0.0.0 65.184.57.74

no ip http server

!

access-list 1 permit 172.17.0.0 0.0.255.255

access-list 102 permit tcp any host 65.184.57.73 established

access-list 102 permit tcp 152.67.0.48 65.184.57.73 any

access-list 102 permit tcp 0.3.0.150 65.184.57.73 any

access-list 102 permit tcp any host 172.17.0.0 established

access-list 102 permit tcp 80.226.56.120 172.17.0.0 any

access-list 102 permit tcp 65.170.0.151 172.17.0.0 any

access-list 102 permit udp 80.226.56.120 172.17.0.0 any

access-list 102 permit udp 65.170.0.151 172.17.0.0 any

access-list 102 permit udp 152.67.0.48 65.184.57.73 any

access-list 102 permit udp 0.3.0.150 65.184.57.73 any

access-list 102 permit udp host 65.184.57.73 any eq 44444

access-list 102 permit udp host 65.184.57.73 any eq isakmp

access-list 102 permit esp host 65.184.57.73 any

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any redirect

access-list 102 permit icmp any any administratively-prohibited

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any source-quench

access-list 102 permit icmp any any unreachable

access-list 102 deny icmp any any log

access-list 102 deny ip 10.0.0.0 0.255.255.255 any log

access-list 102 deny ip 172.16.0.0 0.15.255.255 any log

access-list 102 deny ip 192.168.0.0 0.0.255.255 any log

access-list 102 deny ip host 65.184.57.73 any log

dialer-list 1 protocol ip permit

dialer-list 1 protocol ipx deny

!

line con 0

transport input none

line aux 0

line vty 0 4

password 7

login

!

no scheduler allocate

end

Thanks again for the help! After years of being pretty dang good with NT/MS gear, it stinks being clueless about something new :-)

noc
New Member

Re: Strange behavior in ACL- have I been hacked?

okay i see where you are going wrong..

access-list 102 permit tcp 216.227.56.120 65.184.57.73 any

your access-list to do what you want should be this..

access-list 102 permit tcp host 216.227.56.120 host 65.184.57.73

your access-list are being read by the router with the first part as the SOURCE and the second part as the WILDCARD MASK.. so if you did some really long binary math, your line you put is specifying something way off from what your trying to accomplish..

once more just for clarity.. in an extended ip access-list the config should be

access-list <100-199> EQ

basically if you want to allow IP SOURCE

HOST 10.1.1.1 to reach IP DESTINATION HOST 10.10.10.1 on any TCP port

YOUR ACCESS_LIST config should be

access-list 102 permit tcp host 10.1.1.1 host 10.10.10.1

"host" tells the access-list to use wild card mask 0.0.0.0 or 1 IP

if you were to specify

access-list 102 permit tcp 10.1.1.1 0.0.0.0 10.10.10.1 0.0.0.0

your config would appear as

access-list 102 permit tcp host 10.1.1.1 host 10.10.10.1

so in closing your access-list was written with incorrect entries for source/desination and it was changing it to what it was seeing using binary math..

an access-list uses wildcard masks (reverse of subnet masks) to range the source and destination addresses in an access-list so

a wildcard mask of 0.0.0.255 would equivalent to

255.255.255.0 subnet mask

a wildcard mask of 0.0.0.0 would be equivalent to

255.255.255.255

you should read a document on cisco's site about configuring access lists.

now i will fix up your access-list

no access-list 102

!= your lines, which were incorrect, everything else is okay !

*= lines i clarified so your know what your doing

access-list 102 permit tcp any host 65.184.57.73 established

* permitting all TCP traffic from ANY to 65.184.57.73 with ACK or

* RST FLAG SET (ESTAB CONN ONLY)

!

!access-list 102 permit tcp 216.227.56.120 65.184.57.73 any

access-list 102 permit tcp host 216.227.56.120 host 65.184.57.73

!access-list 102 permit tcp 65.187.0.151 65.184.57.73 any

access-list 102 permit tcp host 65.187.0.151 host 65.184.57.73

!access-list 102 permit tcp any host 172.17.0.0 established

!i think you want this ?

access-list 102 pemit tcp any 172.17.0.0 0.0.255.255 established

*this would let any estab tcp traffic hit 172.17.0.0 / 255.255.0.0

!access-list 102 permit tcp 216.227.56.120 172.17.0.0 any

access-list 102 permit tcp host 216.227.56.120 172.17.0.0 0.0.255.255

!access-list 102 permit tcp 65.187.0.151 172.17.0.0 any

access-list 102 permit tcp host 65.187.0.151 172.17.0.0 0.0.255.255

! access-list 102 permit udp 216.227.56.120 172.17.0.0 any

access-list 102 permit udp host 216.227.56.120 172.17.0.0 0.0.255.255

!access-list 102 permit udp 65.187.0.151 172.17.0.0 any

access-list 102 permit udp host 65.187.0.151 172.17.0.0 0.0.255.255

!access-list 102 permit udp 216.227.56.120 65.184.57.73 any

access-list 102 permit udp host 216.227.56.120 host 65.184.57.73

!access-list 102 permit udp 65.187.0.151 65.184.57.73 any

access-list 102 permit udp host 65.187.0.151 host 65.184.57.73

!access-list 102 permit udp host 65.184.57.73 any eq 44444

*i think you want UDP on port 44444 from any to reach host 65.184.57.73, right ?

access-list 102 permit udp any host 65.184.57.73 eq 44444

*same thing, i think host 65.184.57.73 is your destination

!access-list 102 permit udp host 65.184.57.73 any eq isakmp

access-list 102 permit udp any host 65.184.57.73 eq isakmp

*please tell us if this is your host.. otherwise it an access-list specifying what

*can speak on/to

!access-list 102 permit esp host 65.184.57.73 any

access-list 102 permit esp any host 65.184.57.73

!this part looks good... :)

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any redirect

access-list 102 permit icmp any any administratively-prohibited

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any source-quench

access-list 102 permit icmp any any unreachable

access-list 102 deny icmp any any log

!

access-list 102 deny ip 10.0.0.0 0.255.255.255 any log

access-list 102 deny ip 172.16.0.0 0.15.255.255 any log

access-list 102 deny ip 192.168.0.0 0.0.255.255 any log

*once again your source needs to come BEFORE your destination!..

!access-list 102 deny ip host 65.184.57.73 any log

*this denies and logs any non-permitted IP trying to talk to 65.184.57.73

access-list 102 deny ip any host 65.184.57.73 log

New Member

Re: Strange behavior in ACL- have I been hacked?

Great. Thanks! I'll work with this and see what happens.

104
Views
0
Helpful
4
Replies