topic Re: deny all traffic to 53 from outside in Network Security

deny all traffic to 53 from outside

ilukeberry — Tue, 12 Mar 2019 00:05:00 GMT

I've setup Cisco router's DNS server... via "ip dns server" which in need for inside use.. however now if I do portscan from outside it shows port 53 opened. How do I block all traffic to that 53 port from outside since i need this DNS only inside my NAT/Overload network.

I'm using 1900 series.

deny all traffic to 53 from outside

Julio Carvajal — Fri, 05 Oct 2012 17:07:35 GMT

Hello Luka,

Do you have an ACL on the outside interface?

You could add one

ip access-list extended outside_in

deny udp any any eq 53

permit ip any any ( if this is what you have right now)

interface fast 0/0 ( interface connecting to internet)

ip access-group outside_in in

Regards,

Remember to rate all of our answers.

deny all traffic to 53 from outside

Karsten Iwen — Fri, 05 Oct 2012 17:46:23 GMT

If that system is connected to the internet, you should activate at least the IOS-Firewall (SEC-License needed) to control the traffic that flows to your network. With that by default all ports are closed and only return-traffic can enter your network.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

deny all traffic to 53 from outside

cadet alain — Fri, 05 Oct 2012 20:54:26 GMT

Hi,

by default with ZBF traffic destined to self-zone or coming from self-zone is permitted so he'll have to configure a policy for traffic coming to self-zone from outside zone.

Regards.

Alain

Don't forget to rate helpful posts.

deny all traffic to 53 from outside

Karsten Iwen — Fri, 05 Oct 2012 21:14:15 GMT

I wouldn't reccomend ZBF in that case because it's too complicated. CBAC would be more then enough.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: deny all traffic to 53 from outside

ilukeberry — Sat, 06 Oct 2012 12:37:31 GMT

Here is my current running config.

What do you suggest to do.. for now i've forwarded 53 port to dummy IP address.

I have SEC license.

Technology Package License Information for Module:'c1900'

-----------------------------------------------------------------

Technology Technology-package Technology-package

Current Type Next reboot

------------------------------------------------------------------

ipbase ipbasek9 Permanent ipbasek9

security securityk9 Permanent securityk9

data None None None

! Last configuration change at 23:47:03 CEST Fri Oct 5 2012 by admin

! NVRAM config last updated at 23:47:04 CEST Fri Oct 5 2012 by admin

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

hostname r0

boot-start-marker

boot system flash:c1900-universalk9-mz.spa.151-4.m5.bin

boot-end-marker

enable secret 4 g0rpmgGc.WRIwoCfStjriwwUU8l80hSfH.a65o75m0g

aaa new-model

aaa authentication login default local

aaa session-id common

clock timezone CET 1 0

clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00

no ipv6 cef

no ip source-route

no ip gratuitous-arps

ip cef

ip dhcp excluded-address 192.168.10.1 192.168.10.100

ip dhcp excluded-address 192.168.10.254

ip dhcp pool vlan10

network 192.168.10.0 255.255.255.0

dns-server 192.168.10.1

default-router 192.168.10.1

lease 3

no ip bootp server

ip host www.mydomain.net 192.168.20.2

ip name-server 84.255.209.79

ip name-server 84.255.210.79

multilink bundle-name authenticated

crypto pki token default removal timeout 0

license udi pid CISCO1921/K9 sn FCZ1606C28X

username admin secret 4 g0rpmgGc.WRIwoCfStjriwwUU8l80hSfH.a65o75m0g

redundancy

interface Embedded-Service-Engine0/0

no ip address

shutdown

interface GigabitEthernet0/0

ip address 255.255.0.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

interface GigabitEthernet0/1.10

description HOME VLAN

encapsulation dot1Q 10

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

interface GigabitEthernet0/1.20

description SERVERS VLAN

encapsulation dot1Q 20

ip address 192.168.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

interface GigabitEthernet0/1.30

description VM VLAN

encapsulation dot1Q 30

ip address 192.168.30.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

interface GigabitEthernet0/1.40

description MANAGEMENT VLAN

encapsulation dot1Q 40

ip address 192.168.40.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip forward-protocol nd

no ip http server

no ip http secure-server

ip dns server

ip nat inside source list 100 interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.20.2 22 22 extendable

ip nat inside source static tcp 1.1.1.1 53 53 extendable

ip nat inside source static tcp 192.168.20.2 80 80 extendable

ip nat inside source static tcp 192.168.20.2 443 443 extendable

ip route 0.0.0.0 0.0.0.0

access-list 100 permit ip 192.168.10.0 0.0.0.255 any

access-list 100 permit ip 192.168.20.0 0.0.0.255 any

access-list 100 permit ip 192.168.30.0 0.0.0.255 any

access-list 100 permit ip 192.168.40.0 0.0.0.255 any

no cdp run

control-plane

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

exec-timeout 0 0

no exec

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

exec-timeout 0 0

logging synchronous

transport input ssh

scheduler allocate 20000 1000

ntp server 193.2.1.117

end

Re: deny all traffic to 53 from outside

Karsten Iwen — Sat, 06 Oct 2012 13:41:42 GMT

It all starts with the following config:

ip inspect name FW tcp router-traffic

ip inspect name FW udp router-trtaffic

ip inspect name FW icmp router-traffic

ip inspect name FW ftp

ip access-list extended INTERNET-IN

deny ip any any

int gig 0/0

descr Connection to internet

ip access-group INTERNET-IN in

ip inspect FW out

With that the typical internet-traffic will work; only answers to your own traffic will flow back to your router or your network.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: deny all traffic to 53 from outside

ilukeberry — Sat, 06 Oct 2012 15:12:34 GMT

How do i incorporate that into my config i need 22, 80 and 443 forwarded to 192.168.20.2 ? i mean opened.

If i do:

ip access-list extended INTERNET-IN

permit tcp any host 192.168.20.2 eq 22

permit tcp any host 192.168.20.2 eq 80

permit tcp any host 192.168.20.2 eq 443

deny ip any any

Would that make those ports open from outside to server on inside which has IP 192.168.20.2?

Re: deny all traffic to 53 from outside

ilukeberry — Sun, 07 Oct 2012 00:06:23 GMT

karsten, I've applied your settings.. it works like charm! 😆

anyway in ACL list i had to use my static outside IP.. and not the internal NAT one 😆

I've deleted nat forwarding of port 53 to dummy address... now when I do portscan from outside.. 53 seems closed.

Here is config:

ip access-list extended INTERNET-IN

permit tcp any host MY_STATIC_OUTSIDE_IP eq 22

permit tcp any host MY_STATIC_OUTSIDE_IP eq 80

permit tcp any host MY_STATIC_OUTSIDE_IP eq 443

deny ip any any

MY_STATIC_OUTSIDE_IP

Cheers!

Re: deny all traffic to 53 from outside

Karsten Iwen — Sun, 07 Oct 2012 07:26:07 GMT

anyway in ACL list i had to use my static outside IP.. and not the internal NAT one

yes, that's caused by the order of operation in IOS:

http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

When the packet enters the router, then the ACL is inspected before the NAT is done on the packet.

Have fun with your new firewall ... 😉

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: deny all traffic to 53 from outside

ilukeberry — Fri, 12 Oct 2012 06:51:03 GMT

I have another question.. now i've added to inspect incoming http, https, ssh traffic... but i'm not really sure do i get any benefit of doing so? Is it worth it? 😆 Below is the current running config.

ip inspect name CBAC-OUT tcp router-traffic

ip inspect name CBAC-OUT udp router-traffic

ip inspect name CBAC-OUT icmp router-traffic

ip inspect name CBAC-OUT ftp

ip inspect name CBAC-IN http

ip inspect name CBAC-IN https

ip inspect name CBAC-IN ssh

interface GigabitEthernet0/0

ip address 255.255.0.0

ip access-group INBOUND in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect CBAC-IN in

ip inspect CBAC-OUT out

ip virtual-reassembly in

duplex auto

speed auto

ip access-list extended INBOUND

permit tcp any host eq 22

permit tcp any host eq www

permit tcp any host eq 443

Re: deny all traffic to 53 from outside

Karsten Iwen — Fri, 12 Oct 2012 10:37:14 GMT

There are two reasons for activating the inspections:

1) Make the traffic work. Thats the case for FTP or other multi-channel protocols. The router must look into the traffic to find the ports on which the data-channel will be established.

2) Apply an extra protection for the traffic. Thats the caes with http, pop3, imap, and so on. These are only needed if you want to filter your traffic based on upper-layer information.

So if your traffic works, you don't need any more inspections.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: deny all traffic to 53 from outside

ilukeberry — Fri, 12 Oct 2012 10:47:23 GMT

So basically I'm not gaining anything by inspecting incoming traffic to my HTTPS server?

Re: deny all traffic to 53 from outside

Karsten Iwen — Fri, 12 Oct 2012 11:24:02 GMT

not with https, but if you look at http, you could attach a L7-policy where you restrict your traffic based on HTTP-Headers. You could for example only allow specific methods, deny the sessions from IE6 or search for keywords in the HTTP-payload.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: deny all traffic to 53 from outside

ilukeberry — Fri, 12 Oct 2012 12:19:05 GMT

Thanks for clarifying things up.. i've removed that inbound inspection rules marked with red.

Re: deny all traffic to 53 from outside

Karsten Iwen — Fri, 12 Oct 2012 12:54:44 GMT

But if you plan to give internet-users access to an internal FTP-server in the future, then you also need the FTP-inspection in the inbound direction. But for that you could use the same rule as for your outbound traffic.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: deny all traffic to 53 from outside

ilukeberry — Fri, 12 Oct 2012 13:12:11 GMT

Adding port 21 to ACL INBOUND and nat forwarding wouldn't be enough?

ip nat inside source static tcp 192.168.20.2 21 21 extendable

permit tcp any host eq 21

Re: deny all traffic to 53 from outside

Karsten Iwen — Fri, 12 Oct 2012 19:42:43 GMT

No it would only be enough for the FTP-control-channel. But if the client wants to do passive FTP, the server tells the client on which dynamic port these data is available. And because this session is initiated from the outside to the inside, the FTP-inspection has to be also done in the same direction.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: deny all traffic to 53 from outside

ilukeberry — Sun, 14 Oct 2012 12:59:26 GMT

Okay i get it.. Thanks for helping out!