topic Re: Perimeter interface ACL in Network Security

Perimeter interface ACL

Robert Craig — Mon, 11 Mar 2019 22:01:42 GMT

I want to lock down my router that connects to the cable modem. Now, I thought it would be simple to just block everything incoming via an ACL, but as soon as I applied the below ACL, even the clients that are being NAT'd couldn't get to the internet. This router is performing NAT for the internal network, as well as terminating client/network IPSEC tunnels. Any ideas on how to approach this?

access-list 150 remark OUTSIDE_TO_INSIDE_ACL

! Prevent LAND Attack

access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log

! IP address spoof protection

access-list 150 deny ip 127.0.0.0 0.255.255.255 any log

access-list 150 deny ip 10.0.0.0 0.255.255.255 any log

access-list 150 deny ip 0.0.0.0 0.255.255.255 any log

access-list 150 deny ip 172.16.0.0 0.15.255.255 any log

access-list 150 deny ip 192.168.0.0 0.0.255.255 any log

access-list 150 deny ip 192.0.2.0 0.0.0.255 any log

access-list 150 deny ip 169.254.0.0 0.0.255.255 any log

access-list 150 deny ip host 255.255.255.255 any log

access-list 150 deny ip host 0.0.0.0 any log

! ICMP filters

access-list 150 deny icmp any any redirect log

access-list 150 deny icmp any any echo log

access-list 150 deny icmp any any mask-request log

! Deny all and log port numbers

access-list 150 deny tcp any range 0 65535 any range 0 65535 log

access-list 150 deny udp any range 0 65535 any range 0 65535 log

access-list 150 deny ip any any log

Re: Perimeter interface ACL

Julio Carvajal — Wed, 14 Dec 2011 04:00:20 GMT

Hello Robert,

The situation with the routers is that they cannot perform stateful inspection by default ( like an ASA firewall) so you need to create an access-control entry for all the connections you want to allow from the outside to the inside, even if they are a reply from a connection initiated on the inside of your network.

Do you see my point here?

So for example there is one workaround on this, you can create a reflexive access-list on the inside interface of your router so the replies for request or packets being sent from the inside to the outside are allowed by default no matter what access-list is applied on the oustide interface.

The reflexives access-list work with the tcp protocol, so for example if you want to allow internet access and you are using a public dns ( UDP/53) the reflexive access-list will not work for that protocol (UDP) so you will need to permit that traffic on the outside interface.

Here is a link if you want to go deeper with this particular feature

http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/screflex.html#wp3627

Please rate helpful posts.

Julio

Perimeter interface ACL

Maykol Rojas — Wed, 14 Dec 2011 04:01:17 GMT

Hi Robert,

Rememeber that this is not stateful firewall. Hence, you will need to permit the return traffic from the internet on port 80 to your clients.

Something to continue using this ACL but still permit anything from inside network to outside, you can apply CBAC (some sort of reflective acl) which will allow packets to return if the sessions were created on a trusted interface.

You can do the following (assuming the acl is applied on the interface that connects to the internet)

ip inspect name FW tcp

ip inspect name FW udp

ip inspect name FW icmp

Get into the interface and put the following command:

ip inspect FW out

Then apply the ACL and let me know how it goes.

Mike

Re: Perimeter interface ACL

Robert Craig — Wed, 14 Dec 2011 04:06:28 GMT

OK, I think I'm following you. Apply the ACL on the exterior int.

int f0/0 <<<----one going to cable modem

ip access-group 151 in

Then create the inspect rules (this is how I came across the ACL in the first place is trying to implement the inspect rules)

ip inspect name FW tcp

ip inspect name FW udp

ip inspect name FW icmp

Then go back to int f0/0

ip inspect FW out

About right? This would allow any traffic sourcing from inside the network (either from the routers crypto map sessions or a client on the LAN) to go out and come back in because it came from inside first.

Perimeter interface ACL

Maykol Rojas — Wed, 14 Dec 2011 04:19:25 GMT

Not quite right for router traffic.

Traffic initiating from the inside subnet, the return traffic would be allowed without the need to explicitly permit it on the ACL.

You may need to allow IPsec and tunnel protocols on the ACL itself for the router to build the tunnels correctly (I dont think it much as a security problem since Phase 1 and two needs to be completed for the VPN to work)

The rest is fine.

Let me know if you have doubts.

Mike

Re: Perimeter interface ACL

Robert Craig — Wed, 14 Dec 2011 04:20:23 GMT

OK, it worked. Nothing internally died (knock on wood). Now, I can't test it right now, but I am assuming remote VPN clients will not be able to connect now. This router serves them as well. How do I allow them in? Would it be something like the below at the top of the ACL?

access-list 151 permit udp any eq 500 any

Perimeter interface ACL

Maykol Rojas — Wed, 14 Dec 2011 04:24:57 GMT

Hey,

Not quite, it would be more like allowing them to connect to the router, so it would be like this:

Access-list 151 permit udp any eq 500.

access-list 151 permit udp any eq 4500 (in case the devices are behind nat)

access-list 151 permit esp any (for encrypted traffic)

The access list you are applying is inbound, nothing outbound, so the reply of the from the router wont be dropped by this ACL.

Let me know your inputs.

Mike

Perimeter interface ACL

Robert Craig — Wed, 14 Dec 2011 04:31:51 GMT

Problem is, my ip is dynamic.

Perimeter interface ACL

Maykol Rojas — Wed, 14 Dec 2011 04:33:39 GMT

Thats an issue, do you have DDNS configured?

Mike

Re: Perimeter interface ACL

Robert Craig — Wed, 14 Dec 2011 04:35:42 GMT

Ironically, I do. I'm running the windows client on a junk desktop on the LAN.

Robert Craig

Fort Huachuca, AZ 85613

520-226-9505 (Home)

760-583-8270 (Cell)

520-843-0759 (Fax)

Perimeter interface ACL

Maykol Rojas — Wed, 14 Dec 2011 04:48:07 GMT

Mmmm

From the top of my head, you can put the fqdn thereon the acl and configure a dns server on the router so it can query the dns server everytime the name changes...

That can work.

Mike

Perimeter interface ACL

Robert Craig — Wed, 14 Dec 2011 04:50:53 GMT

Ok, that might just work. I will give it a shot tomorrow and see what happens. I'll let you know. Thanks Mike!

Perimeter interface ACL

Maykol Rojas — Wed, 14 Dec 2011 04:53:35 GMT

Sure... let me know if you need any help tomorrow.

Mike

Re: Perimeter interface ACL

Robert Craig — Thu, 15 Dec 2011 04:35:10 GMT

Mike,

I added the modified ACL and it killed my IPSEC tunnels. I didn't try the client tunnels, but the network ones died and didn't come back up. Below is what I used. Don't really see why it didn't work.

access-list 150 remark OUTSIDE_TO_INSIDE_ACL

access-list 150 permit udp any host 10.dyndns-at-home.com eq 500

access-list 150 permit udp any host 10.dyndns-at-home.com eq 4500

access-list 150 permit esp any host 10.dyndns-at-home.com

! Prevent LAND Attach

access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log

! IP address spoof protection

access-list 150 deny ip 127.0.0.0 0.255.255.255 any log

access-list 150 deny ip 10.0.0.0 0.255.255.255 any log

access-list 150 deny ip 0.0.0.0 0.255.255.255 any log

access-list 150 deny ip 172.16.0.0 0.15.255.255 any log

access-list 150 deny ip 192.168.0.0 0.0.255.255 any log

access-list 150 deny ip 192.0.2.0 0.0.0.255 any log

access-list 150 deny ip 169.254.0.0 0.0.255.255 any log

access-list 150 deny ip host 255.255.255.255 any log

access-list 150 deny ip host 0.0.0.0 any log

! ICMP filters

access-list 150 deny icmp any any redirect log

access-list 150 deny icmp any any echo log

access-list 150 deny icmp any any mask-request log

! Deny all and log port numbers

access-list 150 deny tcp any range 0 65535 any range 0 65535 log

access-list 150 deny udp any range 0 65535 any range 0 65535 log

access-list 150 deny ip any any log

Re: Perimeter interface ACL

Robert Craig — Thu, 15 Dec 2011 05:11:13 GMT

OK, caviot to the previous message. I added the below to the list and the tunnels (for the most part came back up).

access-list 150 permit udp any host 10.dyndns-at-home.com eq isakmp

However, I lost the ability to ping the other sides router, even though I can browse to it's web gui and anything on that network (weird?). Also, the below command shows me nothing so I have no way of monitoring the tunnels.

show crypto isakmp sa

I don't understand why I lost ping to one interface on the other side (Its an RVS4000 so the VLAN 1 interface) and my crypto status is blank. All because of an ACL? For giggles, I rebooted the router. To make things even more complicated, the interface wouldn't pull an IP from the modem until I removed the ACL.

Re: Perimeter interface ACL

Maykol Rojas — Thu, 15 Dec 2011 16:41:29 GMT

Well,

ICMP is not permitted to come back. Remember that traffic generated from the router is not subject to inspection (unless the keyword router-traffic is included). For that you will need to add one more acl that allow icmp to that specific domain.

Permit icmp any host 10.dyndns-at-home.com echo-reply

That way it will be permitted. Remember to put it on the first lines to avoid the final deny ip any any.

Let me know.

Mike

Re: Perimeter interface ACL

Robert Craig — Thu, 15 Dec 2011 16:52:12 GMT

Yeah, I ended up editing it more than that. Below is what I have so far. It seemed that it was just too locked down for anything to get through. Do you recommend adding or changing anything? Everything works right now, knock on wood.

access-list 150 remark OUTSIDE_TO_INSIDE_ACL

access-list 150 permit udp any any eq bootpc

access-list 150 permit udp any any eq bootps

access-list 150 permit udp any eq bootps any eq bootpc

access-list 150 permit udp any host 10.dyndns-at-home.com eq 500

access-list 150 permit udp any host 10.dyndns-at-home.com eq 4500

access-list 150 permit udp any host 10.dyndns-at-home.com eq isakmp

access-list 150 permit esp any host 10.dyndns-at-home.com

access-list 150 permit icmp any any echo-reply

access-list 150 permit icmp any any time-exceeded

access-list 150 permit icmp any any unreachable

access-list 150 permit icmp any any packet-too-big

access-list 150 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 150 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 150 permit udp host proxy.sip-ua.com host 10.dyndns-at-home.com

! Prevent LAND Attach

access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log

! IP address spoof protection

access-list 150 deny ip 127.0.0.0 0.255.255.255 any log

access-list 150 deny ip 169.254.0.0 0.0.255.255 any log

access-list 150 deny ip host 255.255.255.255 any log

access-list 150 deny ip host 0.0.0.0 any log

! ICMP filters

access-list 150 deny icmp any any redirect log

access-list 150 deny icmp any any mask-request log

! Deny all and log port numbers

access-list 150 deny ip any any log

Robert

Re: Perimeter interface ACL

Maykol Rojas — Thu, 15 Dec 2011 17:38:39 GMT

I like it, however, I dont know what is the reason for this:

access-list 150 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 150 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.255.255

Nothing on the internet should come with those private IP addresses.

Mike

Re: Perimeter interface ACL

Robert Craig — Thu, 15 Dec 2011 17:47:12 GMT

You are right. Here is the weird part. Those two LANs reside on a distant site that come across an IPSEC Tunnels (two tunnels). When I blocked those private addresses, I started noticing traffic from those IP’s were being blocked via the ACL. I just did a terminal monitor in a SSH at the router and the page was going nuts with blocks. The IP’s were legit and were trying to get to resources on my LAN. What is confusing is how would the interface even sees those ips if they are inside an encrypted tunnel.

Robert Craig

Fort Huachuca, AZ 85613

520-226-9505 (Home)

760-583-8270 (Cell)

520-843-0759 (Fax)

Re: Perimeter interface ACL

Maykol Rojas — Thu, 15 Dec 2011 17:51:26 GMT

Agree.

You were seeing drops for all that subnet or for certain hosts?

Mike