ACLs with the "established" command.

mvandeberg
Level 1

I have a general question about ACLs. If I have a web server and a mail server that I would like to restrict using ACLs, can I permit port 80 on the web and ports 25 & 110 on the mail server, and allow for the established command to let trusted return traffic back, then deny all other traffic? Example:

!web server
access-list 101 permit tcp any host x.x.x.x eq 80
!mail server
access-list 101 permit tcp any host x.x.x.x eq 25
access-list 101 permit tcp any host x.x.x.x eq 110
!
access-list 101 permit tcp any any established
access-list 101 deny ip any any log

Since web and mail traffic gets initiated on a certain port, but return traffic could come back on all different ports (above 1024, of course), would this scenario work? Is the established command dangerous? Can hackers send packets with the ACK bit set already? I'm kinda green on network security, and I have a very complex ACL on my network, and I would like to tighten it up to the point of what would be considered industry standard security.

Thanks in advance for any replies from an ACL expert that has been in my shoes before.

Mike

4 Replies

jmia
Level 7

Hi Mike,

If you're talking router security then I'd recommend you read the following document from NSA:

http://www.nsa.gov/snac/index.html

and lookup cisco security.

Hope this helps --

l.mourits
Level 5

Hi,

Using the established command can drill security holes in your PIX, so, it isn't recommended to do so.

In your case there is no need to configure the established command for returning traffic; in fact ASA will let returning packets through based on the created connection state (stateful inspection).

Tricky thing is that often engineers try to test the connection using ICMP (ping command) and ICMP is not handled by ASA, and so many think that returning traffic is blocked. But again, this is not the case.

ASA handles returning traffic, and when ASA determines that it is an existing flow (in other words: an established connection) it will not match the packet against the ACL bound to the interface, but let the packet through immediately.

Hope this helps,

Kind Regards,

Leo

Thanks for the reply, but I should have been more specific. This is just a standard ACL for a 2621 router running the IOS firewall.

I decided to test the "established" command on the mail server and it seems to work fine. Also, I found that all I need to do is open port 80 on the web server, and it works fine. The problem is that a mail server must connect to other mail servers at port 25 for outgoing mail, but the return traffic from the remote mail servers will come back on anything above 1024. If I just open 25 and then deny any, it won't work.

So, with this in mind, is it more secure to use the "established" command or just plain open up everything above 1024?

For example:

access-list 101 permit tcp any host x.x.x.x eq 25
access-list 101 permit tcp any host x.x.x.x eq 110
access-list 101 permit tcp any host x.x.x.x established
access-list 101 deny ip any host x.x.x.x log

or:

access-list 101 permit tcp any host x.x.x.x eq 25
access-list 101 permit tcp any host x.x.x.x eq 110
access-list 101 permit tcp any host x.x.x.x gt 1024
access-list 101 deny ip any host x.x.x.x log

Or am I completely off base on how to secure a mail server using the ACL? I know the IOS Firewall has the capability of handling SMTP using CBAC, but my mail server is running ESMTP, which CBAC won't work with, according to the IOS Firewall manual.

Thanks again for any replies,

Mike
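As an added illustration (not code from anyone in the thread), the Python model below evaluates the two ACL variants in the post above against a few constructed TCP segments; the mail server address 192.0.2.25 stands in for x.x.x.x. It shows the point behind the "established" question: that keyword only tests for the ACK or RST bit, so it stops unsolicited connection attempts (bare SYN) that the "gt 1024" variant lets through, but it still cannot tell a genuine reply from an unsolicited segment that already carries ACK; only stateful inspection keeps that distinction.

```python
# Added example: a small model of IOS extended ACL evaluation, used to compare
# the two mail-server ACLs from the post. Addresses and segments are constructed.
from dataclasses import dataclass

MAIL = "192.0.2.25"  # stands in for the x.x.x.x mail server in the thread


@dataclass
class Seg:
    dst: str
    dport: int
    flags: set  # subset of {"SYN", "ACK", "RST"}


def entry(action, dst="any", dport=None, gt=None, established=False):
    """Build one access-list entry as (action, predicate over a segment).
    'established' mirrors IOS: it matches when ACK or RST is set, with no
    connection table consulted, so it cannot recognise a real reply."""
    def match(s):
        if dst != "any" and s.dst != dst:
            return False
        if dport is not None and s.dport != dport:
            return False
        if gt is not None and not s.dport > gt:
            return False
        if established and not (s.flags & {"ACK", "RST"}):
            return False
        return True
    return (action, match)


def evaluate(acl, seg):
    """First matching entry wins; IOS has an implicit deny at the end."""
    for action, match in acl:
        if match(seg):
            return action
    return "deny"


# Variant 1 from the post: "established" for return traffic.
ACL_ESTABLISHED = [entry("permit", MAIL, dport=25), entry("permit", MAIL, dport=110),
                   entry("permit", MAIL, established=True), entry("deny", MAIL)]
# Variant 2 from the post: open everything above 1024.
ACL_GT1024 = [entry("permit", MAIL, dport=25), entry("permit", MAIL, dport=110),
              entry("permit", MAIL, gt=1024), entry("deny", MAIL)]


def compare(seg):
    """Return (established-variant verdict, gt-1024-variant verdict)."""
    return evaluate(ACL_ESTABLISHED, seg), evaluate(ACL_GT1024, seg)


if __name__ == "__main__":
    reply = Seg(MAIL, 40000, {"SYN", "ACK"})  # genuine SYN/ACK back from a remote MTA
    new_conn = Seg(MAIL, 3389, {"SYN"})       # unsolicited connection attempt to a high port
    bare_ack = Seg(MAIL, 3389, {"ACK"})       # unsolicited segment that already has ACK set
    for name, s in [("reply", reply), ("new_conn", new_conn), ("bare_ack", bare_ack)]:
        print(name, compare(s))
```

The "gt 1024" variant permits the unsolicited SYN to port 3389, so it exposes every high port to new connections; the "established" variant denies that SYN but still permits the bare ACK, which is exactly the gap a stateful inspector (CBAC, or the ASA behaviour Leo describes) closes by matching on tracked connections instead of flag bits.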

Hi - the following URLs will help you, as will the post from 'wolfrikk', who gives a good explanation -

http://www.cisco.com/warp/public/110/mailserver.html

http://www.microsoft.com/exchange/en/55/help/default.asp?url=/exchange/en/55/help/documents/server/xog05031.htm

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/msexchng.htm

http://www.brienposey.com/kb/connecting_to_Exchange_through_a_firewall.asp

http://support.microsoft.com/default.aspx?scid=kb;en;155831

First you need to create a static mapping to your Exchange Server.

static (inside,outside)

next you will need to create an access-list to allow SMTP traffic and possible POP3 traffic if you are using it.

access-list 100 permit tcp any eq 25

access-list 100 permit tcp any eq 110

If you run into problems with ESMTP (which the PIX does not support), you can disable it by using the following command

no fixup protocol smtp 25

I have not run into many problems where I had to disable the SMTP Fixup, but I know there are issues where that is the fix.

_____________________________________________________

Hope this helps --