08-06-2003 08:51 AM - edited 02-20-2020 09:22 PM
I have a general question about ACLs. If I have a web server and a mail server that I would like to restrict using ACLs, can I permit port 80 on the web server and ports 25 & 110 on the mail server, allow the established command to let trusted return traffic back, and then deny all other traffic? Example:
!web server
access-list 101 permit tcp any host x.x.x.x eq 80
!mail server
access-list 101 permit tcp any host x.x.x.x eq 25
access-list 101 permit tcp any host x.x.x.x eq 110
!
access-list 101 permit tcp any any established
access-list 101 deny ip any any log
Since web and mail traffic gets initiated on a certain port, but return traffic could come back on all different ports (above 1024, of course), would this scenario work? Is the established command dangerous? Can hackers send packets with the ACK bit set already? I'm kinda green on network security, and I have a very complex ACL on my network, and I would like to tighten it up to the point of what would be considered industry standard security.
Thanks in advance for any replies from an ACL expert that has been in my shoes before.
Mike
08-06-2003 10:05 AM
Hi Mike,
If you're talking router security then I'd recommend you read the following document from NSA:
http://www.nsa.gov/snac/index.html
and lookup cisco security.
Hope this helps --
08-07-2003 03:56 AM
Hi,
Using the established command can drill security holes in your PIX, so it isn't recommended to do so.
In your case there is no need to configure the established command for returning traffic; in fact the ASA will let returning packets through based on the created connection state (stateful inspection).
The tricky thing is that engineers often try to test the connection using ICMP (the ping command), and ICMP is not handled by the ASA, and so many think that returning traffic is blocked. But again, this is not the case.
The ASA handles returning traffic, and when the ASA determines that it is an existing flow (in other words, an established connection) it will not match the packet against the ACL bound to the interface, but will let the packet through immediately.
Hope this helps,
Kind Regards,
Leo
08-07-2003 05:53 AM
Thanks for the reply, but I should have been more specific. This is just a standard ACL for a 2621 router running the IOS firewall.
I decided to test the "established" command on the mail server and it seems to work fine. Also, I found that all I need to do is open port 80 on the web server, and it works fine. The problem is that a mail server must connect to other mail servers on port 25 for outgoing mail, but the return traffic from the remote mail servers will come back on anything above 1024. If I just open 25 and then deny any, it won't work.
So, with this in mind, is it more secure to use the "established" command or just plain open up everything above 1024?
For example:
access-list 101 permit tcp any host x.x.x.x eq 25
access-list 101 permit tcp any host x.x.x.x eq 110
access-list 101 permit tcp any host x.x.x.x established
access-list 101 deny ip any host x.x.x.x log
or:
access-list 101 permit tcp any host x.x.x.x eq 25
access-list 101 permit tcp any host x.x.x.x eq 110
access-list 101 permit tcp any host x.x.x.x gt 1024
access-list 101 deny ip any host x.x.x.x log
Or am I completely off base on how to secure a mail server using the ACL? I know the IOS Firewall has the capability of handling SMTP using CBAC, but my mail server is running ESMTP, which CBAC won't work with, according to the IOS Firewall manual.
Thanks again for any replies,
Mike
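To make the difference between the two ACLs in the post and the stateful behaviour Leo describes concrete, here is an added simulation (not code from the thread or from Cisco): it models how each of the two ACLs above and a flow-tracking firewall decide on a few constructed packets. The mail server address, remote hosts and ports are made-up placeholders.

```python
from dataclasses import dataclass

MAIL = "192.0.2.25"   # constructed stand-in for the x.x.x.x in the post

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags as strings, e.g. {"SYN"} or {"ACK"}

SERVICE_PORTS = (25, 110)

def acl_established(p: Pkt) -> bool:
    """First ACL in the post: permit 25 and 110, then 'established', then deny."""
    if p.dst != MAIL:
        return False          # 'deny ip any host x.x.x.x log' catches the rest
    if p.dport in SERVICE_PORTS:
        return True
    # IOS 'established' matches any TCP segment with ACK or RST set; it
    # keeps no table, so it cannot tell whether the outbound SYN was ever seen.
    return bool(p.flags & {"ACK", "RST"})

def acl_gt1024(p: Pkt) -> bool:
    """Second ACL in the post: permit 25 and 110, then 'gt 1024', then deny."""
    if p.dst != MAIL:
        return False
    return p.dport in SERVICE_PORTS or p.dport > 1024

class StatefulInspector:
    """Models what Leo describes: return traffic is permitted only for a flow
    whose outbound side was recorded, so no 'established' entry is needed."""
    def __init__(self):
        self.flows = set()
    def outbound(self, p: Pkt) -> None:
        self.flows.add((p.dst, p.dport, p.src, p.sport))
    def inbound(self, p: Pkt) -> bool:
        if p.dport in SERVICE_PORTS:
            return True
        return (p.src, p.sport, p.dst, p.dport) in self.flows

def evaluate(p: Pkt, fw: StatefulInspector) -> dict:
    """Verdict of each of the three policies for one inbound packet."""
    return {"established": acl_established(p),
            "gt1024": acl_gt1024(p),
            "stateful": fw.inbound(p)}
```

Running the three policies over a genuine SMTP reply, an unsolicited segment with ACK set, and a new SYN to a high port shows that `gt 1024` is the widest opening, `established` still admits any ACK-flagged segment regardless of history, and only the stateful model ties return traffic to a flow it actually saw.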
08-07-2003 06:53 AM
Hi - the following URLs will help you, as will the post from 'wolfrikk', who gives a good explanation -
http://www.cisco.com/warp/public/110/mailserver.html
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/msexchng.htm
http://www.brienposey.com/kb/connecting_to_Exchange_through_a_firewall.asp
http://support.microsoft.com/default.aspx?scid=kb;en;155831
First you need to create a static mapping to your Exchange Server.
static (inside,outside)
next you will need to create an access-list to allow SMTP traffic and possible POP3 traffic if you are using it.
access-list 100 permit tcp any
access-list 100 permit tcp any
If you run into problems with ESMTP (which the PIX does not support), you can disable it by using the following command
no fixup protocol smtp 25
I have not run into many problems where I had to disable the SMTP Fixup, but I know there are issues where that is the fix.
_____________________________________________________
Hope this helps --