05-05-2018 04:00 AM - edited 02-21-2020 07:42 AM
Hello
I want to create an access control list on a router that does the following:
1) access control list to deny all inbound traffic with network addresses matching internal-registered IP address
2) Deny all ICMP echo request traffic
3) Deny all inbound Microsoft Active Directory
4) Deny all inbound Microsoft SQL Server Ports
5) Deny all Microsoft Domain Local Broadcast
6) Allow traffic to SMTP server
7) Allow traffic to internal IMAP Server
I also have to remove this line from my start-up configuration:
ip nat inside source list 100 interface Serial1/0 overload
My Router0 configuration is as follows:
Router#show run
Router#show running-config
Building configuration...
Current configuration : 1344 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 10.1.11.10 255.255.255.0
ip nat inside
duplex auto
speed auto
standby 1 ip 10.1.11.12
standby 1 priority 110
standby 1 preempt
!
interface Serial1/0
ip address 203.1.1.2 255.255.255.0
ip nat outside
!
interface Serial1/1
no ip address
clock rate 2000000
shutdown
!
interface Serial1/2
no ip address
clock rate 2000000
shutdown
!
interface Serial1/3
no ip address
clock rate 2000000
shutdown
!
interface Serial1/4
no ip address
clock rate 2000000
shutdown
!
interface Serial1/5
no ip address
clock rate 2000000
shutdown
!
interface Serial1/6
no ip address
clock rate 2000000
shutdown
!
interface Serial1/7
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 100 interface Serial1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.1.1.1
ip route 10.1.20.0 255.255.255.0 10.1.11.1
!
ip flow-export version 9
!
!
!
no cdp run
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Labels: NGFW Firewalls
Accepted Solutions
05-05-2018 10:29 AM
05-05-2018 04:39 AM
Hi,
Example ACL below. Please note that all traffic that isn't explicitly permitted (such as SMTP/IMAP) will match the last rule, deny ip any any, which covers your requirements 2, 3, 4 and 5. That last rule isn't actually required, as there is a default implied deny; it's here for your reference.
ip access-list extended WAN_ACL
 remark DENY RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 remark PERMIT SMTP
 permit tcp any host 203.x.x.x eq 25
 remark PERMIT IMAP and IMAPS
 permit tcp any host 203.x.x.x eq 143
 permit tcp any host 203.x.x.x eq 993
 remark PERMIT REPLIES TO TCP SESSIONS OPENED FROM INSIDE (needed with the NAT overload)
 permit tcp any any established
 remark DENY ALL REMAINING TRAFFIC
 deny ip any any
interface serial 1/0
ip access-group WAN_ACL in
You would need static NAT entries for the SMTP/IMAP server, modify the ACL above with the correct IP address.
To disable the NAT override rule, do this:
no ip nat inside source list 100 interface Serial1/0 overload
HTH
05-05-2018 04:49 AM
05-05-2018 05:06 AM
Why have you kept deny ip any any at the end, and not permit ip any any?
05-05-2018 05:14 AM
If you want to permit the remaining traffic the ACL would need changing, to deny on your requirements 2,3,4 and 5 and then the last rule could be permit...but that isn't as secure as having the "deny ip any any" rule that has been defined currently.
HTH
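The permit-by-default variant the reply above describes, written out as an added example (not the thread's own config): explicit denies for the original requirements 2 to 5, then permit any. Port numbers are the standard Microsoft/IANA assignments, 203.1.1.2 is the WAN address from the posted running-config, and the ACL name is my own. It is here to show what that design costs: every service not on the list is reachable from the internet, which is why the default-deny WAN_ACL is preferred.

```cisco
! Added example, not from the thread. Permit-by-default WAN ACL for
! requirements 2-5; anything not listed (RDP 3389, SMB on a non-standard
! port, a management web UI, ...) gets through.
ip access-list extended WAN_ACL_PERMIT_DEFAULT
 remark 1) anti-spoofing: internal and reserved ranges, and our own WAN address,
 remark    must never arrive as a SOURCE from the ISP side
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.0.15.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip host 203.1.1.2 any
 remark 2) ICMP echo request (ping sweeps); replies to our own pings still pass
 deny   icmp any any echo
 remark 3) Active Directory: RPC endpoint mapper, Kerberos, LDAP/LDAPS, SMB,
 remark    global catalog, kpasswd
 deny   tcp any any eq 135
 deny   tcp any any eq 88
 deny   udp any any eq 88
 deny   tcp any any eq 389
 deny   udp any any eq 389
 deny   tcp any any eq 636
 deny   tcp any any eq 445
 deny   tcp any any range 3268 3269
 deny   tcp any any eq 464
 deny   udp any any eq 464
 remark 4) Microsoft SQL Server: TDS listener and the SQL Browser service
 deny   tcp any any eq 1433
 deny   udp any any eq 1434
 remark 5) NetBIOS name/datagram/session (domain browser broadcasts) and
 remark    the limited broadcast address
 deny   udp any any range 137 138
 deny   tcp any any eq 139
 deny   ip any host 255.255.255.255
 remark 6/7) mail server, published on the WAN address via static NAT
 permit tcp any host 203.1.1.2 eq 25
 permit tcp any host 203.1.1.2 eq 143
 permit tcp any host 203.1.1.2 eq 993
 remark everything else is allowed: this is the weaker design
 permit ip any any
!
interface Serial1/0
 ip access-group WAN_ACL_PERMIT_DEFAULT in
!
! After testing from the outside, the per-entry hit counters show which
! rule each probe matched:
show access-lists WAN_ACL_PERMIT_DEFAULT
```

Because the final entry is permit, this variant needs no established or inspection rule for return traffic, which is the one practical advantage it has over the default-deny list; the price is that the deny list has to be maintained by hand every time a new service appears on the LAN.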
05-05-2018 05:35 AM
Once again, thanks for your reply. Should I use exactly this ACL configuration in my router, given that my Router0 external interface Se1/0 has IP address 203.1.1.2 and is connected to the ISP router? Please advise.
05-05-2018 06:12 AM
Hi,
Do you have any static NAT entries for the SMTP/IMAP server(s)? If not, what is the private IP address of these server(s)? Are you planning on using 203.1.1.2 as the public IP address for these servers, or do you have another IP address to dedicate to this use?
Which ACL do you want to use? The original with the deny ip any any at the end or ?
05-05-2018 06:22 AM
Thanks for your reply.
No, I do not have any static entries for the SMTP/IMAP server. There are four servers, with these IP addresses:
Email server: 10.1.11.20/24
Webserver: 10.1.11.21/24
Fileserver for HR: 10.1.11.23/24
Domain controller (Windows Server 2016): 10.1.11.24/24
My other IP addresses are 10.1.20.0/24 and 10.1.10.0/24.
What I want to achieve, technically, is this:
Deny all IP packets containing the following IP addresses in their source field:
Any local host addresses (127.0.0.0/8)
Any reserved private addresses (RFC 1918)
Any addresses in the IP multicast address range (224.0.0.0/4)
DNS, SMTP, and FTP must be allowed through the firewall.
Also, is there any way to mitigate ICMP abuse, for example hackers from an external source using ICMP packets for ping sweeps and DoS flood attacks, and using ICMP redirect messages to alter host routing tables?
So please help.
05-05-2018 07:07 AM
Hi,
The ACL below should meet your requirements. Traffic from loopback, multicast and private source addresses is explicitly denied. Inbound SMTP and IMAP are permitted; any other traffic (which includes ICMP, as per your requirement) is blocked.
You mention allowing DNS, SMTP and FTP should be allowed through the firewall, I assume you mean OUTBOUND? This ACL below is applied on the Serial interface INBOUND, so no OUTBOUND traffic will be denied, in fact all OUTBOUND traffic will be allowed.
ip access-list extended WAN_ACL
 remark DENY SPECIAL USE ADDRESSES
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 remark DENY RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 remark PERMIT SMTP
 permit tcp any host 203.1.1.2 eq 25
 remark PERMIT IMAP and IMAPS
 permit tcp any host 203.1.1.2 eq 143
 permit tcp any host 203.1.1.2 eq 993
 remark PERMIT REPLIES TO TCP SESSIONS OPENED FROM INSIDE (needed with the NAT overload)
 permit tcp any any established
 remark DENY ALL REMAINING TRAFFIC
 deny ip any any
interface serial 1/0
ip access-group WAN_ACL in
Define static NAT entries for the Mail Server on the SMTP and IMAP ports. No other static NAT mappings need to be applied as you are only allowing inbound SMTP/IMAP.
ip nat inside source static tcp 10.1.11.20 25 interface Serial 1/0 25
ip nat inside source static tcp 10.1.11.20 143 interface Serial 1/0 143
ip nat inside source static tcp 10.1.11.20 993 interface Serial 1/0 993
You probably want to leave the original NAT overload command in place, that is the NAT for all servers/pcs on the network, allowing them internet access.
HTH
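A complete version of what this thread converges on, as an added example rather than the thread's own config. Two things the posted running-config leaves open are filled in here as assumptions: access-list 100, which the NAT overload line references but the config never defines, and a stateful return path (CBAC, `ip inspect`, which needs an IOS 12.4 security feature set) so that replies to DNS, FTP and web sessions started on the LAN are let back in without a blanket `permit tcp any any established`. The inspection name CBAC_OUT is mine; 10.1.11.20, the three LAN subnets and 203.1.1.2 come from the posts above. It also answers the ICMP question in the earlier post: echo and redirect are dropped, while the types path-MTU discovery and traceroute depend on are kept.

```cisco
! Added example, not the thread's own configuration.
!
! NAT: overload for the three LANs (ACL 100 is assumed; the posted config
! references it but does not define it) plus port-forwards for the mail server.
access-list 100 remark hosts allowed to be PAT-translated to the WAN address
access-list 100 permit ip 10.1.10.0 0.0.0.255 any
access-list 100 permit ip 10.1.11.0 0.0.0.255 any
access-list 100 permit ip 10.1.20.0 0.0.0.255 any
ip nat inside source list 100 interface Serial1/0 overload
ip nat inside source static tcp 10.1.11.20 25 203.1.1.2 25
ip nat inside source static tcp 10.1.11.20 143 203.1.1.2 143
ip nat inside source static tcp 10.1.11.20 993 203.1.1.2 993
!
! Stateful return path: CBAC watches sessions leaving Serial1/0 and opens
! temporary entries in front of WAN_ACL for their replies only. The ftp
! inspector also tracks the active-mode data channel.
ip inspect name CBAC_OUT tcp
ip inspect name CBAC_OUT udp
ip inspect name CBAC_OUT icmp
ip inspect name CBAC_OUT ftp
!
ip access-list extended WAN_ACL
 remark anti-spoofing: our own WAN address, RFC 1918, loopback, link-local,
 remark TEST-NET-1, multicast and the limited broadcast address as SOURCE
 deny   ip host 203.1.1.2 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.0.15.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark ICMP: no echo (sweeps, floods) and no redirects (host route poisoning);
 remark keep what PMTUD and traceroute need, addressed to us only
 deny   icmp any any echo
 deny   icmp any any redirect
 permit icmp any host 203.1.1.2 echo-reply
 permit icmp any host 203.1.1.2 unreachable
 permit icmp any host 203.1.1.2 time-exceeded
 remark published services; the inbound ACL sees the WAN address because it
 remark is evaluated before the static NAT translation
 permit tcp any host 203.1.1.2 eq 25
 permit tcp any host 203.1.1.2 eq 143
 permit tcp any host 203.1.1.2 eq 993
 remark explicit final deny so the counter shows what was dropped
 deny   ip any any
!
interface Serial1/0
 ip access-group WAN_ACL in
 ip inspect CBAC_OUT out
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 no ip redirects
!
! Verification from privileged EXEC
show ip inspect sessions
show ip nat translations
show access-lists WAN_ACL
```

If the image (or Packet Tracer) has no `ip inspect`, the fallback is a `permit tcp any any established` entry ahead of the final deny, accepting that it admits any TCP segment with ACK set and that UDP replies such as DNS then need their own permit lines. Either way, test from the ISP side with a port scan against 203.1.1.2 and confirm in `show access-lists WAN_ACL` that only the three mail entries and the final deny accumulate hits.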
05-05-2018 07:54 AM
Thanks for your help once again
I tried to run the following commands in global configuration mode, but they gave me an error:
ip nat inside source static tcp 10.1.11.20 25 interface Serial 1/0 25
ip nat inside source static tcp 10.1.11.20 143 interface Serial 1/0 143
ip nat inside source static tcp 10.1.11.20 993 interface Serial 1/0 993
05-05-2018 07:59 AM
05-05-2018 08:41 AM
05-05-2018 08:46 AM
I don't have Packet Tracer; I assume the command (possibly the serial interface form) is not accepted.
Try this:
ip nat inside source static tcp 10.1.11.20 25 203.1.1.2 25
ip nat inside source static tcp 10.1.11.20 143 203.1.1.2 143
ip nat inside source static tcp 10.1.11.20 993 203.1.1.2 993
05-05-2018 08:52 AM
05-05-2018 08:59 AM