topic ACL help and understanding in Network Security

ACL help and understanding

miguel.desantiago — Tue, 12 Mar 2019 00:24:03 GMT

Below is output from a config running on my VPN router (ip removed for security purposes).

crypto map NMI-VPN isakmp-profile NMI-ISAKMP

crypto map NMI-VPN 10 ipsec-isakmp

set peer X.X.X.X

set transform-set AES-SHA

set isakmp-profile NMI-ISAKMP

match address NMI-ENCRYPT

I have two questions I want answered...

1. What is the match address command and what does it do?

2. My NMI-ENCRYPT extended access-list has the following output...

Extended IP access list NMI-ENCRYPT

30 permit ip host 10.63.127.120 10.46.0.0 0.0.255.255 (32788 matches)

60 permit ip host 10.63.127.120 10.0.4.0 0.0.0.255

70 permit ip host 10.63.67.8 10.46.0.0 0.0.255.255 (49459335 matches)

90 permit ip host 10.63.70.205 10.0.4.0 0.0.0.255 (175 matches)

100 permit ip host 10.63.70.205 10.46.0.0 0.0.255.255 (2798 matches)

110 permit ip host 10.63.13.6 10.46.0.0 0.0.255.255 (11048 matches)

120 permit ip host 10.63.127.150 10.46.0.0 0.0.255.255 (2208 matches)

140 permit ip host 10.63.127.180 10.46.0.0 0.0.255.255 (172179 matches)

150 permit ip host 10.63.127.180 10.0.4.0 0.0.0.255

160 deny ip any any log (53156 matches)

10.63.X.X is my internal network. 10.46.X.X and 10.0.4.X are external networks... If I'm not mistaken doesn't the following ACL only restrict specific internal users to specific external subnets? What I want to do is restrict the external subnets to specific internal hosts... does the following ACL do this already or would I have to reconfigure the ACL?

Re: ACL help and understanding

Karsten Iwen — Thu, 15 Nov 2012 17:51:36 GMT

The ACL that you reference with "match address" only controls the traffic that can be processed by the VPN-Tunnel. With a corresponding config on the other side, all the traffic in the permit-ACEs are allowed in both directions.

Normally these crypto-ACLs are configured quite broad like that:

ip access-list ext NMI-ENCRYPT

permit ip 10.63.0.0 0.0.255.255 10.0.4.0 0.0.0.255

permit ip 10.63.0.0 0.0.255.255 10.46.0.0 0.0.255.255

That saves some ressources as the router builds one set of SAs for each line in the crypto-ACL

For access-control you can apply an incoming- and an outgoing ACL directly in the tunnel:

crypto map NMI-VPN 10 ipsec-isakmp

set peer ...

set transform-set ...

match address ...

set ip access-group VPN-FILTER-SITE-X-IN in

set ip access-group VPN-FILTER-SITE-X-OUT out

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ACL help and understanding

miguel.desantiago — Thu, 15 Nov 2012 19:06:54 GMT

karsten.iwen wrote:

The ACL that you reference with "match address" only controls the traffic that can be processed by the VPN-Tunnel.

Karsten can you elaborate on this statement a little more please? Also I was able to sniff the traffic coming from the VPN tunnel that was unencrypted and found that only the internal hosts specified on the ACL are being contacted from the external subnet's. So in a way that I dont really understand, the NMI-ENCRYPT ACL is filtering external traffic as it should. Now to tighten things up... I want to remove the broad statements and replace them with the following...

10 permit tcp host 10.63.127.120 eq 80 10.46.101.101 0.0.0.3

20 permit tcp host 10.63.127.150 eq 80 10.46.101.101 0.0.0.3

30 permit tcp host 10.63.70.205 eq 80 10.46.101.101 0.0.0.3

40 permit tcp host 10.63.127.180 eq 80 10.46.102.101 0.0.0.3

50 permit tcp host 10.63.70.205 eq 80 10.46.102.101 0.0.0.3

60 permit tcp host 10.63.13.6 eq 22 host 10.46.102.103

70 permit tcp host 10.63.67.8 eq 4182 host 10.46.104.101

80 permit udp host 10.63.67.8 eq 137 host 10.46.104.101

90 permit ip host 10.63.127.120 10.0.4.0 0.0.0.255

100 permit ip host 10.63.70.205 10.0.4.0 0.0.0.255

110 permit ip host 10.63.127.180 10.0.4.0 0.0.0.255

120 deny ip any any log

ACL help and understanding

Karsten Iwen — Thu, 15 Nov 2012 20:05:47 GMT

You could include port-number in the crypto-acl, but keep in mind that in general the ACL on the other side should be mirrored to this ACL. This config makes all overcomplicated. You are using the wrong tool for the job here. The crypto-acl is for defining the encryption-domains, and the tunnel-ACLs ("set ip access-group ...") is for access-control.

And of course you have to make sure that your subnets are alligned on subnet-borders. Your first five destinations are not.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ACL help and understanding

miguel.desantiago — Mon, 19 Nov 2012 17:11:18 GMT

Karsten

After searching and reading I finally decrypted what your were saying. I found that the match address command specifies what traffic will be encrypted by the crypto map. So permit means encrypt and deny means do not encrypt. I'm sure this is exactly what you said but I really couldn't understand your terminology... however, thanks for all your help!

Miguel

Re: ACL help and understanding

Karsten Iwen — Mon, 19 Nov 2012 17:30:25 GMT

Yes, that's exactly what the crypto-ACL does. Sorry that I implied that without explaining the way the ACL does in that case.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ACL help and understanding

miguel.desantiago — Mon, 19 Nov 2012 18:47:39 GMT

Karsten,

If I apply this to the outside crypto map NMI-VPN will it work? I only want to restrict access into our network and I'm not concerned if my internal network of 10.63.X.X talks to anyone in 10.46.X.X/16 or 10.0.4.X/24.

set ip access-group NMI-VPN-FILTER-OUT out

ip access-list extended NMI-VPN-FILTER-OUT

10 permit tcp 10.46.101.100 0.0.0.3 host 10.63.127.120 eq 80

20 permit tcp 10.46.101.100 0.0.0.3 host 10.63.127.150 eq 80

30 permit tcp 10.46.101.100 0.0.0.3 host 10.63.70.205 eq 80

40 permit tcp 10.46.102.100 0.0.0.3 host 10.63.127.180 eq 80

50 permit tcp 10.46.102.100 0.0.0.3 host 10.63.70.205 eq 80

60 permit tcp host 10.46.102.103 host 10.63.13.6 eq 22

70 permit tcp host 10.46.104.101 host 10.63.67.8 eq 4182

80 permit udp host 10.46.104.101 host 10.63.67.8 eq 137

90 permit ip 10.0.4.0 0.0.0.255 host 10.63.127.120

100 permit ip 10.0.4.0 0.0.0.255 host 10.63.127.180

110 permit ip 10.0.4.0 0.0.0.255 host 10.63.70.205

120 deny ip any any log

Re: ACL help and understanding

Karsten Iwen — Mon, 19 Nov 2012 19:41:11 GMT

If you want to control the traffic flowing into your network you have to use the "in" parameter in the "set ip access-group" command. And for the Traffic flowing from your network to the remote-network you have to include the return-traffic into the ACL or activate the IOS-firewall on the router.

Sent from Cisco Technical Support iPad App

Re: ACL help and understanding

miguel.desantiago — Mon, 26 Nov 2012 15:25:00 GMT

Karsten,

Thanks for all your help. I usually get mixed up over the "in" and "out" parameter. So the "out" on applies to anything coming from my internal network and the "in" applies to anything coming from the external network?

Also will this work?

ip access-list extended NMI-VPN-FILTER-IN

10 permit tcp 10.46.101.100 0.0.0.3 host 10.63.127.120 eq 80

20 permit tcp 10.46.101.100 0.0.0.3 host 10.63.127.150 eq 80

30 permit tcp 10.46.101.100 0.0.0.3 host 10.63.70.205 eq 80

40 permit tcp 10.46.102.100 0.0.0.3 host 10.63.127.180 eq 80

50 permit tcp 10.46.102.100 0.0.0.3 host 10.63.70.205 eq 80

60 permit tcp host 10.46.102.103 host 10.63.13.6 eq 22

70 permit tcp host 10.46.104.101 host 10.63.67.8 eq 4182

80 permit udp host 10.46.104.101 host 10.63.67.8 eq 137

90 permit tcp host 10.0.4.205 host 10.63.70.205 eq 80

110 deny ip any any log

ip access-list extended NMI-VPN-FILTER-OUT

10 permit ip any 10.46.0.0 0.0.255.255

20 permit ip any 10.0.4.0 0.0.0.255

50 deny any any

Re: ACL help and understanding

Karsten Iwen — Mon, 26 Nov 2012 16:10:24 GMT

yes, coming from your VPN-peer, only the defined communication is allowed which is controlled with your ACL NMI-VPN-FILTER-IN. For your OUT-Filter, you have to decide of that is really needed. If your crypto-ACL doesn't include anything else then 10.46/16 and 10.0.4.0/24, then you don't need that filter. It would only be needed if you want to restrict certein systems to communicate to the other side. If you don't specify your "out"-filter, then everything that is specified in your crypto-ACL will be allowed.

But be aware that these ACLs are not stefull. If you telnet from your inside host (e.g. 10.63.127.120) to a remote host (e.g. 10.0.4.100) then the return-packet would be matched at seq. 110 of the ACL NMI-VPN-FILTER-IN.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni