Strange behavior in ACL- have I been hacked?

ckaiser
Level 1

I recently noticed a change in the access list for my 2600, which is used as a DSL firewall. I'm seeing IP addresses permitted that I didn't enter. When I try to either reload the ACL or deny those addresses, they get repopulated. Here's the ACL as stored in a text file:

no access-list 102
access-list 102 permit tcp any host 65.184.57.73 established
access-list 102 permit tcp 216.227.56.120 65.184.57.73 any
access-list 102 permit tcp 65.187.0.151 65.184.57.73 any
access-list 102 permit tcp any host 172.17.0.0 established
access-list 102 permit tcp 216.227.56.120 172.17.0.0 any
access-list 102 permit tcp 65.187.0.151 172.17.0.0 any
access-list 102 permit udp 216.227.56.120 172.17.0.0 any
access-list 102 permit udp 65.187.0.151 172.17.0.0 any
access-list 102 permit udp 216.227.56.120 65.184.57.73 any
access-list 102 permit udp 65.187.0.151 65.184.57.73 any
access-list 102 permit udp host 65.184.57.73 any eq 44444
access-list 102 permit udp host 65.184.57.73 any eq isakmp
access-list 102 permit esp host 65.184.57.73 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any redirect
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 deny icmp any any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip host 65.184.57.73 any log

And here's what I get with a show run command immediately after entering the above commands:

Extended IP access list 102
permit tcp any host 65.184.57.73 established
permit tcp 152.67.0.48 65.184.57.73 any
permit tcp 0.3.0.150 65.184.57.73 any
permit tcp any host 172.17.0.0 established
permit tcp 80.226.56.120 172.17.0.0 any
permit tcp 65.170.0.151 172.17.0.0 any
permit udp 80.226.56.120 172.17.0.0 any
permit udp 65.170.0.151 172.17.0.0 any
permit udp 152.67.0.48 65.184.57.73 any
permit udp 0.3.0.150 65.184.57.73 any
permit udp host 65.184.57.73 any eq 44444
permit udp host 65.184.57.73 any eq isakmp
permit esp host 65.184.57.73 any
permit icmp any any echo-reply
permit icmp any any redirect
permit icmp any any administratively-prohibited
permit icmp any any time-exceeded
permit icmp any any source-quench
permit icmp any any unreachable
deny icmp any any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip host 65.184.57.73 any log

What's going on here? Even if I reload the router from tftp, I still get the same scenario, same addresses. Have I been hacked or is something else going on?

I'm relatively green about the finer points of router security...

Thanks!

Charlie Kaiser

4 Replies

noc
Level 1

This is CBAC at work. Your router is creating rules for connections YOU are establishing from the inside to get out and back in. This is normal and is similar to the operation of a DMZ host in a firewall that needs to be able to send response packets to connections (such as smtp, or www) from the internet.

Do you have ip inspect rules or something configured ?

Hi. Thanks.

No, I don't have inspect configured. It's just a simple initial ACL. As soon as I enter the second line, the one that reads:

access-list 102 permit tcp 216.227.56.120 65.184.57.73 any

and then do a sh run, it changes it to:

access-list 102 permit tcp 152.67.0.48 65.184.57.73 any

This happens even after a complete reload of the OS (newer version; went from 12.0(7)T to 12.1(1)) from Cisco to flash and wiped config and rebuilt it from scratch. No change.

The config build was done with no outside connection and the address still shows up. Also, the 0.3.0.150 address isn't a valid address. The other ones are unreachable.

Here's the complete running config, including the bad addresses in the ACL. I pasted the acl from the initial post into this config and this is what showed up immediately afterwards:

!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname *********
!
enable secret 5
enable password 7
!
ip subnet-zero
!
ip dhcp pool dhcp1
 network 172.17.0.0 255.255.255.0
 dns-server 216.227.56.120 65.187.0.151
 default-router 172.17.0.1
!
ip audit notify log
ip audit po max-events 100
!
interface Ethernet0/0
 ip address 65.184.57.73 255.255.255.252
 ip access-group 102 in
 ip nat outside
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address 172.17.0.1 255.255.0.0
 ip nat inside
!
ip nat translation dns-timeout never
ip nat pool ovrld 65.184.57.73 65.184.57.73 prefix-length 24
ip nat inside source list 1 pool ovrld overload
ip classless
ip route 0.0.0.0 0.0.0.0 65.184.57.74
no ip http server
!
access-list 1 permit 172.17.0.0 0.0.255.255
access-list 102 permit tcp any host 65.184.57.73 established
access-list 102 permit tcp 152.67.0.48 65.184.57.73 any
access-list 102 permit tcp 0.3.0.150 65.184.57.73 any
access-list 102 permit tcp any host 172.17.0.0 established
access-list 102 permit tcp 80.226.56.120 172.17.0.0 any
access-list 102 permit tcp 65.170.0.151 172.17.0.0 any
access-list 102 permit udp 80.226.56.120 172.17.0.0 any
access-list 102 permit udp 65.170.0.151 172.17.0.0 any
access-list 102 permit udp 152.67.0.48 65.184.57.73 any
access-list 102 permit udp 0.3.0.150 65.184.57.73 any
access-list 102 permit udp host 65.184.57.73 any eq 44444
access-list 102 permit udp host 65.184.57.73 any eq isakmp
access-list 102 permit esp host 65.184.57.73 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any redirect
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 deny icmp any any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip host 65.184.57.73 any log
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx deny
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7
 login
!
no scheduler allocate
end

Thanks again for the help! After years of being pretty dang good with NT/MS gear, it stinks being clueless about something new :-)

Okay, I see where you are going wrong..

access-list 102 permit tcp 216.227.56.120 65.184.57.73 any

Your access-list to do what you want should be this..

access-list 102 permit tcp host 216.227.56.120 host 65.184.57.73

Your access-list is being read by the router with the first part as the SOURCE and the second part as the WILDCARD MASK.. so if you did some really long binary math, the line you put in is specifying something way off from what you're trying to accomplish..

Once more, just for clarity.. in an extended IP access-list the config should be

access-list <100-199> EQ

Basically, if you want to allow IP SOURCE HOST 10.1.1.1 to reach IP DESTINATION HOST 10.10.10.1 on any TCP port, YOUR ACCESS-LIST config should be

access-list 102 permit tcp host 10.1.1.1 host 10.10.10.1

"host" tells the access-list to use wildcard mask 0.0.0.0, or 1 IP.

If you were to specify

access-list 102 permit tcp 10.1.1.1 0.0.0.0 10.10.10.1 0.0.0.0

your config would appear as

access-list 102 permit tcp host 10.1.1.1 host 10.10.10.1

So in closing, your access-list was written with incorrect entries for source/destination and it was changing it to what it was seeing using binary math..

An access-list uses wildcard masks (the reverse of subnet masks) to range the source and destination addresses in an access-list, so a wildcard mask of 0.0.0.255 would be equivalent to a 255.255.255.0 subnet mask, and a wildcard mask of 0.0.0.0 would be equivalent to 255.255.255.255.

You should read a document on Cisco's site about configuring access lists.

Now I will fix up your access-list:

no access-list 102
! = your lines, which were incorrect, everything else is okay !
* = lines I clarified so you know what you're doing
access-list 102 permit tcp any host 65.184.57.73 established
* permitting all TCP traffic from ANY to 65.184.57.73 with ACK or
* RST FLAG SET (ESTAB CONN ONLY)
!
!access-list 102 permit tcp 216.227.56.120 65.184.57.73 any
access-list 102 permit tcp host 216.227.56.120 host 65.184.57.73
!access-list 102 permit tcp 65.187.0.151 65.184.57.73 any
access-list 102 permit tcp host 65.187.0.151 host 65.184.57.73
!access-list 102 permit tcp any host 172.17.0.0 established
!I think you want this ?
access-list 102 permit tcp any 172.17.0.0 0.0.255.255 established
*this would let any estab tcp traffic hit 172.17.0.0 / 255.255.0.0
!access-list 102 permit tcp 216.227.56.120 172.17.0.0 any
access-list 102 permit tcp host 216.227.56.120 172.17.0.0 0.0.255.255
!access-list 102 permit tcp 65.187.0.151 172.17.0.0 any
access-list 102 permit tcp host 65.187.0.151 172.17.0.0 0.0.255.255
!access-list 102 permit udp 216.227.56.120 172.17.0.0 any
access-list 102 permit udp host 216.227.56.120 172.17.0.0 0.0.255.255
!access-list 102 permit udp 65.187.0.151 172.17.0.0 any
access-list 102 permit udp host 65.187.0.151 172.17.0.0 0.0.255.255
!access-list 102 permit udp 216.227.56.120 65.184.57.73 any
access-list 102 permit udp host 216.227.56.120 host 65.184.57.73
!access-list 102 permit udp 65.187.0.151 65.184.57.73 any
access-list 102 permit udp host 65.187.0.151 host 65.184.57.73
!access-list 102 permit udp host 65.184.57.73 any eq 44444
*I think you want UDP on port 44444 from any to reach host 65.184.57.73, right ?
access-list 102 permit udp any host 65.184.57.73 eq 44444
*same thing, I think host 65.184.57.73 is your destination
!access-list 102 permit udp host 65.184.57.73 any eq isakmp
access-list 102 permit udp any host 65.184.57.73 eq isakmp
*please tell us if this is your host.. otherwise it's an access-list specifying what
*can speak on/to
!access-list 102 permit esp host 65.184.57.73 any
access-list 102 permit esp any host 65.184.57.73
!this part looks good... :)
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any redirect
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 deny icmp any any log
!
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
*once again your source needs to come BEFORE your destination!..
!access-list 102 deny ip host 65.184.57.73 any log
*this denies and logs any non-permitted IP trying to talk to 65.184.57.73
access-list 102 deny ip any host 65.184.57.73 log
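The rewriting described in the reply above, worked through as an added example (this is not code from the thread or from Cisco): IOS reads the field after the source address as a wildcard mask, clears every bit that is 1 in that mask, and stores the result, which is why 216.227.56.120 came back as 152.67.0.48. The function names are my own; the ACE format handled is the plain "access-list N permit|deny PROTO SRC DST ..." form used in the thread.

```python
import ipaddress

def normalize(address: str, wildcard: str) -> str:
    """Store an address the way IOS does: every bit that is 1 in the wildcard
    mask is a 'don't care' bit, so it is cleared before the entry is saved."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF))

def hosts_matched(wildcard: str) -> int:
    """Number of addresses an (address, wildcard) pair matches: 2 ** (1-bits)."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host X' or 'X WILDCARD'.
    Returns ((address, wildcard), index_of_next_token)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def fmt_addr(address, wildcard):
    """Print an address pair the way 'show run' does (host/any keywords folded back)."""
    if wildcard == "255.255.255.255":
        return "any"
    if wildcard == "0.0.0.0":
        return f"host {address}"
    return f"{normalize(address, wildcard)} {wildcard}"

def rewrite_ace(line: str) -> str:
    """Return an extended ACE ('access-list N permit|deny PROTO SRC DST ...')
    as the router will display it; port keywords and 'log' are kept verbatim."""
    t = line.split()
    src, i = parse_addr(t, 4)   # tokens 0-3: access-list, number, action, protocol
    dst, i = parse_addr(t, i)
    return " ".join(t[:4] + [fmt_addr(*src), fmt_addr(*dst)] + t[i:])

if __name__ == "__main__":
    # The poster's line: 65.184.57.73 is parsed as the SOURCE WILDCARD, not the destination.
    line = "access-list 102 permit tcp 216.227.56.120 65.184.57.73 any"
    print(rewrite_ace(line))                     # source stored as 152.67.0.48
    print(hosts_matched("65.184.57.73"), "source addresses matched, to ANY destination")
    # What the reply recommends instead: one host to one host.
    print(rewrite_ace("access-list 102 permit tcp host 216.227.56.120 host 65.184.57.73"))
```

The second print shows the practical risk of the original entry: a 13-bit wildcard turns an intended one-host rule into a permit for 8192 source addresses toward any destination.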

Great. Thanks! I'll work with this and see what happens.