Access control List

osamafaheem1974
Level 1

Hello

I want to create an access control list on a router that does the following:

1) Deny all inbound traffic with network addresses matching internal registered IP addresses
2) Deny all ICMP echo request traffic
3) Deny all inbound Microsoft Active Directory traffic
4) Deny all inbound Microsoft SQL Server ports
5) Deny all Microsoft domain local broadcast traffic
6) Allow traffic to the SMTP server
7) Allow traffic to the internal IMAP server

I also have to remove this line from my start-up configuration:

ip nat inside source list 100 interface Serial1/0 overload

My Router0 configuration is as follows:

Router#show run
Router#show running-config
Building configuration...

Current configuration : 1344 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 10.1.11.10 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 standby 1 ip 10.1.11.12
 standby 1 priority 110
 standby 1 preempt
!
interface Serial1/0
 ip address 203.1.1.2 255.255.255.0
 ip nat outside
!
interface Serial1/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/2
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/3
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/4
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/5
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/6
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/7
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface Serial1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.1.1.1
ip route 10.1.20.0 255.255.255.0 10.1.11.1
!
ip flow-export version 9
!
!
!
no cdp run
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

1 Accepted Solution

Then all you can do is remove the ACL and re-enter the ACL, with the modification before the deny rule.

29 Replies

Hi,

Example ACL below. Please note all traffic that isn't explicitly permitted (such as SMTP/IMAP) would match the last rule, deny any, which covers your requirements 2, 3, 4 and 5. The last rule, deny any, is actually required, as there is a default implied deny; it's here for your reference.

ip access-list extended WAN_ACL
 ! remark is the IOS keyword for a comment inside an ACL
 remark DENY RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 remark PERMIT SMTP
 permit tcp any host 203.x.x.x eq 25
 remark PERMIT IMAP and IMAPS
 permit tcp any host 203.x.x.x eq 143
 permit tcp any host 203.x.x.x eq 993
 remark DENY ALL REMAINING TRAFFIC
 deny ip any any

interface serial 1/0
 ip access-group WAN_ACL in

You would need static NAT entries for the SMTP/IMAP server; modify the ACL above with the correct IP address.

To disable the NAT overload rule, do this:

no ip nat inside source list 100 interface Serial1/0 overload

HTH

Thanks RJI.

Hello RJI,

Why have you kept deny ip any any at the end? Why not permit ip any any?

Hi, because you asked only to permit SMTP and IMAP; anything else you've not specifically permitted will therefore be denied. That's generally what you do in an ACL.

If you want to permit the remaining traffic, the ACL would need changing to deny based on your requirements 2, 3, 4 and 5, and then the last rule could be permit... but that isn't as secure as having the "deny ip any any" rule that has been defined currently.

HTH

Hello RJI,
Once again, thanks for your reply. Should I use exactly this ACL configuration in my router? My Router0 external interface Se1/0 has IP address 203.1.1.2, which is connected to the ISP router. Please advise.

Hi,

Do you have any static NAT entries for the SMTP/IMAP server(s)? If not, what is the private IP address of these server(s)? Are you planning on using 203.1.1.2 as the public IP address for these servers, or do you have another IP address to dedicate for this use?

Which ACL do you want to use? The original with the deny ip any any at the end, or?

Hello RJI,
Thanks for your reply.
No, I do not have any static entries for the SMTP/IMAP server. There are four servers with these IP addresses:

Email server: 10.1.11.20/24
Webserver: 10.1.11.21/24
Fileserver for HR: 10.1.11.23/24
Domain controller (Windows 2016): 10.1.11.24/24
My other IP ranges are 10.1.20.0/24 and 10.1.10.0/24

Technically, this is what I want to achieve:
Deny all IP packets containing the following IP addresses in their source field:
Any local host addresses (127.0.0.0/8)
Any reserved private addresses (RFC 1918)
Any addresses in the IP multicast address range (224.0.0.0/4)

DNS, SMTP, and FTP must be allowed through the firewall.
And is there any way to mitigate ICMP abuse, for example hackers from an external source using ICMP packets for ping sweeps and DoS flood attacks, and using ICMP redirect messages to alter host routing tables?

So please help.


Hi,

This ACL below should meet your requirements. Traffic from loopback, multicast and private source addresses is explicitly denied. Inbound SMTP and IMAP is permitted; any other traffic (which includes ICMP, as per your requirement) is blocked.

You mention DNS, SMTP and FTP should be allowed through the firewall; I assume you mean OUTBOUND? This ACL below is applied on the Serial interface INBOUND, so no OUTBOUND traffic will be denied; in fact all OUTBOUND traffic will be allowed.

ip access-list extended WAN_ACL
 ! remark is the IOS keyword for a comment inside an ACL
 remark DENY SPECIAL USE ADDRESSES
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 remark DENY RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 remark PERMIT SMTP
 permit tcp any host 203.1.1.2 eq 25
 remark PERMIT IMAP and IMAPS
 permit tcp any host 203.1.1.2 eq 143
 permit tcp any host 203.1.1.2 eq 993
 remark DENY ALL REMAINING TRAFFIC
 deny ip any any

interface serial 1/0
 ip access-group WAN_ACL in

Define static NAT entries for the mail server on the SMTP and IMAP ports. No other static NAT mappings need to be applied, as you are only allowing inbound SMTP/IMAP.

ip nat inside source static tcp 10.1.11.20 25 interface Serial 1/0 25
ip nat inside source static tcp 10.1.11.20 143 interface Serial 1/0 143
ip nat inside source static tcp 10.1.11.20 993 interface Serial 1/0 993

You probably want to leave the original NAT overload command in place; that is the NAT for all servers/PCs on the network, allowing them internet access.

HTH
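The ACL in the reply above (and the earlier one in this thread) is evaluated top-down, first match wins, and anything that reaches the end hits the implicit deny. The Python evaluator below is an added example, not code from the thread or from Cisco: it parses the WAN_ACL lines exactly as posted (with `remark` for the comment lines) and runs a handful of constructed packets through them: a spoofed RFC 1918 source, inbound SMTP, an ICMP echo, an inbound MS SQL connection attempt, and the reply segment from 8.8.8.8:80 that an inside PC's browser would be waiting for after NAT overload has translated its request to 203.1.1.2. That last packet is denied, because nothing in WAN_ACL permits it; this is worth keeping in mind when reading the "Request time out" report further down the thread, since a stateless inbound ACL ending in `deny ip any any` also drops the return traffic of sessions the inside hosts open. The example goes beyond the page in two ways: it models the IOS `established` keyword (matches only TCP segments with ACK or RST set), and it shows why the accepted solution says to re-enter the ACL with the change placed before the deny rule, because the same permit appended after `deny ip any any` never fires. The external address 198.51.100.7, the packet fields and the `Packet`, `parse_acl`, `evaluate`, `decisions`, `with_established` and `appended_after_deny` names are assumptions made for this example.

```python
"""First-match evaluator for the Cisco IOS extended-ACL subset used in this
thread (ip/tcp/icmp, any / host / wildcard addresses, eq <numeric port>,
remark, and the `established` keyword). Added example; not from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp" (a packet is never plain "ip")
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK (or RST) bit set, i.e. a reply segment


def _ip(s):
    return int(ipaddress.ip_address(s))


def _parse_addr(t, i):
    """Return ((network, wildcard), next index) for 'any', 'host X' or 'X WILD'."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _match(addr, spec):
    net, wild = spec                      # wildcard bits set = "don't care"
    return ((addr & ~wild) & 0xFFFFFFFF) == ((net & ~wild) & 0xFFFFFFFF)


def parse_acl(text):
    """Keep permit/deny lines; the 'ip access-list' header and remarks are skipped."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport, established = None, False
        while i < len(t):                 # trailing qualifiers, any order
            if t[i] == "eq":
                dport, i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                established, i = True, i + 1
            else:
                i += 1
        rules.append((action, proto, src, dst, dport, established, line.strip()))
    return rules


def evaluate(rules, pkt):
    """First matching rule wins; no match falls through to the implicit deny."""
    for action, proto, src, dst, dport, est, line in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_match(_ip(pkt.src), src) and _match(_ip(pkt.dst), dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if est and not pkt.ack:           # `established`: ACK/RST segments only
            continue
        return action, line
    return "deny", "(implicit deny)"


WAN_ACL = """
ip access-list extended WAN_ACL
 remark DENY SPECIAL USE ADDRESSES
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 remark DENY RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 remark PERMIT SMTP
 permit tcp any host 203.1.1.2 eq 25
 remark PERMIT IMAP and IMAPS
 permit tcp any host 203.1.1.2 eq 143
 permit tcp any host 203.1.1.2 eq 993
 remark DENY ALL REMAINING TRAFFIC
 deny ip any any
"""

# Constructed packets as seen inbound on Serial1/0 (198.51.100.7 is a documentation address).
SAMPLES = {
    "spoofed_rfc1918": Packet("tcp", "10.1.11.99", "203.1.1.2", 40000, 25),
    "smtp_in":         Packet("tcp", "198.51.100.7", "203.1.1.2", 40000, 25),
    "icmp_echo":       Packet("icmp", "198.51.100.7", "203.1.1.2"),
    "mssql_in":        Packet("tcp", "198.51.100.7", "203.1.1.2", 40000, 1433),
    # Reply from 8.8.8.8:80 to the NAT overload address: what an inside PC's browser waits for.
    "web_reply":       Packet("tcp", "8.8.8.8", "203.1.1.2", 80, 50000, ack=True),
}


def decisions(acl_text=WAN_ACL):
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLES.items()}


def with_established(acl_text=WAN_ACL):
    """Re-enter the ACL with a return-traffic permit placed BEFORE the final deny,
    as the accepted solution describes. A fresh inbound SYN is still denied."""
    lines = acl_text.rstrip().splitlines()
    lines.insert(len(lines) - 1, " permit tcp any host 203.1.1.2 established")
    return "\n".join(lines)


def appended_after_deny(acl_text=WAN_ACL):
    """Same line appended AFTER 'deny ip any any': first match wins, so it never fires."""
    return acl_text.rstrip() + "\n permit tcp any host 203.1.1.2 established\n"
```

`decisions()` returns permit only for `smtp_in`; everything else, including the reply from 8.8.8.8, lands on `deny ip any any`. `decisions(with_established())` flips `web_reply` to permit while `mssql_in` (a SYN, no ACK) stays denied, and `decisions(appended_after_deny())` shows the appended line is dead: the deny above it matches first. The evaluator handles numeric ports only (`eq 25`, not `eq smtp`), and `established` is the stateless approximation; on a real router a reflexive ACL or the IOS stateful inspection feature is the more robust way to admit return traffic.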

Hello RJI,

Thanks for your help once again.
I tried to run the following commands in global configuration mode, but they gave me an error:

ip nat inside source static tcp 10.1.11.20 25 interface Serial 1/0 25
ip nat inside source static tcp 10.1.11.20 143 interface Serial 1/0 143
ip nat inside source static tcp 10.1.11.20 993 interface Serial 1/0 993

Can you post the error message here please?

I don't have Packet Tracer; I assume the command (possibly the serial interface form) is not accepted.

Try this:

ip nat inside source static tcp 10.1.11.20 25 203.1.1.2 25
ip nat inside source static tcp 10.1.11.20 143 203.1.1.2 143
ip nat inside source static tcp 10.1.11.20 993 203.1.1.2 993

Thanks RJI for your help. One thing: when I open any PC in Packet Tracer and enter the external webserver IP address 8.8.8.8 in the web browser, it says "Request time out".

If you are running this in Packet Tracer, then is there any device with an IP address of 8.8.8.8?