topic Re: ACL on ROUTER for Active Directory in Network Security

ACL on ROUTER for Active Directory

avilt — Fri, 21 Feb 2020 15:38:51 GMT

I have a router with two segments. Outside segment is the client and inside is the domain controller.

I need to define ACL on Outside interface to allow communication for active directory.

Router will use packet filter ACL (no state full inspection).

Asuming the firewall port requirements listed in the below URL what should be my ACL for Outside interface for both Ingress and Egress?

https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

RPC endpoint mapper: port 135 TCP, UDP
NetBIOS name service: port 137 TCP, UDP
NetBIOS datagram service: port 138 UDP
NetBIOS session service: port 139 TCP
SMB over IP (Microsoft-DS): port 445 TCP, UDP
LDAP: port 389 TCP, UDP
Global catalog LDAP: port 3268 TCP
Kerberos: port 88 TCP, UDP
DNS: port 53 TCP, UDP
RPC: Dynamically-assigned ports TCP, Random port number between 49152 and 65535

Re: ACL on ROUTER for Active Directory

Rob Ingram — Wed, 18 Apr 2018 13:47:03 GMT

Hi,

Can you clarify something please. Is the outside the internet? In which case opening these ports is a really bad idea, not secure. Or is this a private LAN/WAN?

What other traffic is likely to ingress/egress this router? If an ACL is applied for just this DC traffic, it's likely to break something else.

Do you require NAT? If you do that, DNS won't work, it would return the private IP address of the DC and not the NATTED address.

The list you've provided looks pretty accurate, do you use LDAPS in your environment?

Re: ACL on ROUTER for Active Directory

avilt — Wed, 18 Apr 2018 18:24:58 GMT

Hello

It's in a private network without any internet connectivity and NAT, LDAP/SSL, GC/SSL are not applicable.

Re: ACL on ROUTER for Active Directory

Rob Ingram — Wed, 18 Apr 2018 19:11:08 GMT

Assuming there is no other traffic coming over the outside interface, try this:

ip access-list extended DC
permit udp host CLIENT-IP host DC-IP eq 135
permit tcp host CLIENT-IP host DC-IP eq 135
permit udp host CLIENT-IP host DC-IP eq 137
permit tcp host CLIENT-IP host DC-IP eq 137
permit udp host CLIENT-IP host DC-IP eq 138
permit tcp host CLIENT-IP host DC-IP eq 139
permit udp host CLIENT-IP host DC-IP eq 445
permit tcp host CLIENT-IP host DC-IP eq 445
permit udp host CLIENT-IP host DC-IP eq 389
permit tcp host CLIENT-IP host DC-IP eq 389
permit tcp host CLIENT-IP host DC-IP eq 3268
permit udp host CLIENT-IP host DC-IP eq 88
permit tcp host CLIENT-IP host DC-IP eq 88
permit udp host CLIENT-IP host DC-IP eq 53
permit tcp host CLIENT-IP host DC-IP eq 53
permit tcp host CLIENT-IP host DC-IP range 49152 65535
\\ Optional - apply log command to identify any drops. Use for testing initially to confirm everything it working, then remove.
deny ip any any log

interface GigabitEthernet X

description OUTSIDE interface
ip access-group DC in

You would obviously need to replace the CLIENT-IP and DC-IP value with the ip address for your network.

Re: ACL on ROUTER for Active Directory

avilt — Thu, 19 Apr 2018 08:31:33 GMT

This ACL will allow communication from client to DC.

But how about return connections that were initiated from the DC to client?

Re: ACL on ROUTER for Active Directory

Rob Ingram — Thu, 19 Apr 2018 09:42:35 GMT

Try:
ip access-list extended DC1
permit udp host CLIENT-IP eq 135 host DC-IP
permit tcp host CLIENT-IP eq 135 host DC-IP
permit udp host CLIENT-IP eq 137 host DC-IP
permit tcp host CLIENT-IP eq 137 host DC-IP
permit udp host CLIENT-IP eq 138 host DC-IP
permit tcp host CLIENT-IP eq 139 host DC-IP
permit udp host CLIENT-IP eq 445 host DC-IP
permit tcp host CLIENT-IP eq 445 host DC-IP
permit udp host CLIENT-IP eq 389 host DC-IP
permit tcp host CLIENT-IP eq 389 host DC-IP
permit tcp host CLIENT-IP eq 3268 host DC-IP
permit udp host CLIENT-IP eq 88 host DC-IP
permit tcp host CLIENT-IP eq 88 host DC-IP
permit udp host CLIENT-IP eq 53 host DC-IP
permit tcp host CLIENT-IP eq 53 host DC-IP
permit tcp host CLIENT-IP range 49152 65535 host DC-IP

Re: ACL on ROUTER for Active Directory

kvnkoeppen — Wed, 09 Oct 2019 13:30:52 GMT

Outbound initiated connections are allowed back in because that port is listening for the return of the request. The router identifies that as a valid communication as it is started from within the firewall. It is just like the default router you have for you home internet. Do you have to go into the router and tell it to allow a website i.e. port 443, to reply to your request? The return of information to a request is allowed through.