Blocking outside access to router

jeremy0463

I have set up NAT and a firewall on my C1111-8w8p router and I believe it is correct. Let me know if you see any other problems here; I am still learning. But now I need to block access to the router. A port scan of the public IP shows 22, 80, 443, and 1720 open. I'm not sure of the best way to do that. Please help. Here is my configuration:

 
Sat Dec 30 2023 20:20:06 GMT-0600 (Central Standard Time)
===================================================================================
#sh run
Building configuration...
Current configuration : 9958 bytes
!
! Last configuration change at 02:18:43 UTC Sun Dec 31 2023 by admin
! NVRAM config last updated at 00:16:50 UTC Sun Dec 31 2023 by admin
!
version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname Edge_Router
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.09.04a.SPA.bin
boot system bootflash:c1100-universalk9_ias.16.10.01b.SPA.bin
boot-end-marker
!
!
aaa new-model
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip name-server 8.8.8.8 1.1.1.1
ip domain name lewishome.local
ip dhcp excluded-address 192.168.1.0
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.200 192.168.1.255
!
ip dhcp pool default
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1 
 dns-server 8.8.8.8 1.1.1.1 
 lease infinite
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
vtp version 1
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2829415558
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2829415558
 revocation-check none
 rsakeypair TP-self-signed-2829415558
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2829415558
 certificate self-signed 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 32383239 34313535 3538301E 170D3233 31303331 30333530 
  31365A17 0D333030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38323934 
  31353535 38308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201 
  0A028201 0100D4C8 D205F41D 87D75235 3BF6112F A419AA75 DD5BEBA3 F65A51E0 
  F9D66305 D7D3EFEA AFE0CE68 B51807E7 ABAD93C8 7D2CB2F0 127DDD3A 81D0A65C 
  28D4AAED 6C723B45 BD33EC5E 4CA33DC0 013E4C52 1912A7B0 3D7DB305 1C3B0C6B 
  C1CBBC69 D36E5C8F 561A2334 57BC4BA4 F96E74C9 26C1DF87 8A72BB74 E41675D0 
  1BC7179F 4E1AC770 9C168634 BBA41693 4197748B 17348D43 E56D3E5F A92BCC94 
  449D42D1 C8CA05FE DBD014C2 F5E87F73 8FFD1F87 16A46317 1AB5A4F6 BDEF2A13 
  9091FDAC 4674D656 D0011D59 01D72939 FF7BE161 AE4861DA 27288373 3ECDBB9A 
  D3224C19 F57D213F 1E66E96A 134CC8C3 459566A9 1603B84A 475A4242 B2B4CC78 
  DAE84745 0F670203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 
  301F0603 551D2304 18301680 148196B9 201E83D1 82D6F51B C348A36B FC92075D 
  AC301D06 03551D0E 04160414 8196B920 1E83D182 D6F51BC3 48A36BFC 92075DAC 
  300D0609 2A864886 F70D0101 05050003 82010100 53BA30C3 805BB3D6 30F9E106 
  38A164A3 9B6B48D0 5DFD2DA9 940A9F79 945B4E20 A878F406 CCE22730 63C7F7ED 
  3657AADE 2AB34739 1EA13AF6 49E40C27 C3E8BC1B 50B5F0F0 CEB49998 CA0ECE1E 
  AFE2B08A 6B011A4C B4579FCF 7CE42025 AE227792 08141E61 99C90838 AA135E4C 
  D2D29867 7CDA5B54 7E66A31A AA6BDC3D 027327F9 CAF90986 3ED52D07 69A86D69 
  B48E3F2A 4ACDFD93 9784B856 27C122A5 E01CACFB AEE35360 432CC6E5 35A5EF6C 
  DA17AA22 AB79F9DD 40AA1110 0D32B60A FF386552 9254FEC4 389B1E6C C9C0A4A6 
  E08CC317 D3FC7267 2C0ADD07 096DFB7E E3070723 78D056D0 FF2226C5 C0E5BEEC 
  9C091A72 CFBA7897 A588FD2F 53E91932 7C56826A
  quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030 
  32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363 
  6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934 
  3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305 
  43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720 
  526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030 
  82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D 
  CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520 
  1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE 
  4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC 
  7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188 
  68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7 
  C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191 
  C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44 
  DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201 
  06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85 
  4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500 
  03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905 
  604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B 
  D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8 
  467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C 
  7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B 
  5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678 
  80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB 
  418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0 
  D697DF7F 28
  quit
!
crypto pki certificate pool
 cabundle nvram:ios_core.p7b
!
!
no license feature hseck9
license udi pid C1111-8PWB sn 
license boot level securityk9
memory free low-watermark processor 66007
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
enable secret 9 
!
username admin privilege 15 secret 9 
!
redundancy
 mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any INSIDE-TO-OUTSIDE_cmap_app
 match protocol http
 match protocol https
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all INSIDE-TO-OUTSIDE_cmap
 match access-group name INSIDE-TO-OUTSIDE_acl
 match class-map INSIDE-TO-OUTSIDE_cmap_app
!
policy-map type inspect INSIDE-TO-OUTSIDE_policy
 class type inspect INSIDE-TO-OUTSIDE_cmap
  inspect
 class class-default
  drop log
!
zone security INSIDE
 description Zone for inside interfaces
zone security OUTSIDE
 description Zone for outside interfaces
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE_policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description WAN 1
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 zone-member security OUTSIDE
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 zone-member security OUTSIDE
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1/0
 description To Core Switch
 switchport access vlan 250
 zone-member security INSIDE
!
interface GigabitEthernet0/1/1
 zone-member security INSIDE
!
interface GigabitEthernet0/1/2
 zone-member security INSIDE
!
interface GigabitEthernet0/1/3
 zone-member security INSIDE
!
interface GigabitEthernet0/1/4
 zone-member security INSIDE
!
interface GigabitEthernet0/1/5
 zone-member security INSIDE
!
interface GigabitEthernet0/1/6
 zone-member security INSIDE
!
interface GigabitEthernet0/1/7
 zone-member security INSIDE
!
interface Wlan-GigabitEthernet0/1/8
 zone-member security INSIDE
!
interface Vlan1
 description Default
 ip address 192.168.1.1 255.255.255.0
 zone-member security INSIDE
!
interface Vlan250
 description WAN
 ip address 192.168.250.10 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip nat inside source list NAT_acl interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 71.37.144.146
ip route 192.168.10.0 255.255.255.0 192.168.250.1
ip route 192.168.40.0 255.255.254.0 192.168.250.1
ip route 192.168.50.0 255.255.255.0 192.168.250.1
ip route 192.168.60.0 255.255.255.0 192.168.250.1
ip route 192.168.70.0 255.255.255.0 192.168.250.1
ip route 192.168.80.0 255.255.255.0 192.168.250.1
ip route 192.168.100.0 255.255.255.0 192.168.250.1
!
!
ip access-list extended INSIDE-TO-OUTSIDE_acl
 1 permit ip 192.168.1.0 0.0.0.255 any
 10 permit ip 192.168.10.0 0.0.0.255 any
 40 permit ip 192.168.40.0 0.0.1.255 any
 50 permit ip 192.168.50.0 0.0.0.255 any
 60 permit ip 192.168.60.0 0.0.0.255 any
 70 permit ip 192.168.70.0 0.0.0.255 any
 80 permit ip 192.168.80.0 0.0.0.255 any
 100 permit ip 192.168.100.0 0.0.0.255 any
 250 permit ip 192.168.250.0 0.0.0.255 any
ip access-list extended NAT_acl
 1 permit ip 192.168.1.0 0.0.0.255 any
 10 permit ip 192.168.10.0 0.0.0.255 any
 40 permit ip 192.168.40.0 0.0.1.255 any
 50 permit ip 192.168.50.0 0.0.0.255 any
 60 permit ip 192.168.60.0 0.0.0.255 any
 70 permit ip 192.168.70.0 0.0.0.255 any
 80 permit ip 192.168.80.0 0.0.0.255 any
 100 permit ip 192.168.100.0 0.0.0.255 any
 250 permit ip 192.168.250.0 0.0.0.255 any
!
!
route-map track-primary-if permit 1 
 match ip address 197
 set interface GigabitEthernet0/0/0
!
!
!
!
!
control-plane
!
banner login ^CLewis Home Edge Router^C
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 length 0
 transport input ssh
line vty 5 14
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
ntp server 0.ciscome.pool.ntp.org
ntp server 1.ciscome.pool.ntp.org
ntp server 2.ciscome.pool.ntp.org
!
!
!
!
!
!
end

 

23 Replies

For which comes first, L4 or L7: I recommend, as in the link you shared in the appendix, making two policy lines, one for L4 and the other for L7, and the order is L4 then L7.
In the end, your best friend here is <Router#show policy-map type inspect zone-pair>; this lets you adjust the order and allow the protocols you need if you see any drops or issues in the traffic.
MHM

@jeremy0463 For your "Web_app" class map you should reorder your match protocols. FTP should be above TCP, otherwise the FTP connection is going to match on TCP and not be treated as an FTP connection, which would probably cause problems with FTP.

On "self_Web_app" you cannot match on L7 protocol "ftp" and inspect on a self zone.

Using a "deny ip any any" on "Web_self_acl" means traffic will not match class-map "Web_self" and will subsequently be dropped by class-default - not sure that was your intention?
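To make the ordering point concrete, here is an added example (not configuration from this thread or from the poster) that splits the INSIDE-TO-OUTSIDE classification from the posted running config into a Layer 7 class and a Layer 4 class, so that ftp and the other application protocols are evaluated before the generic tcp/udp entries. INSIDE-TO-OUTSIDE_acl and INSIDE-TO-OUTSIDE_policy are taken from the posted config; every other class name, and the ftp line itself, is an assumption added for the illustration.

```cisco
! Added example, not the poster's config. Application (L7) protocols sit in
! their own class and are evaluated first; the first class that matches wins,
! so an FTP session is classified as ftp rather than as generic tcp.
class-map type inspect match-any INSIDE-TO-OUTSIDE_cmap_L7
 match protocol ftp
 match protocol http
 match protocol https
!
! Generic transport (L4) protocols, evaluated only if no L7 class matched.
class-map type inspect match-any INSIDE-TO-OUTSIDE_cmap_L4
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! Each L4/L7 class is combined with the existing source-subnet ACL.
class-map type inspect match-all INSIDE-TO-OUTSIDE_cmap_app7
 match access-group name INSIDE-TO-OUTSIDE_acl
 match class-map INSIDE-TO-OUTSIDE_cmap_L7
class-map type inspect match-all INSIDE-TO-OUTSIDE_cmap_app4
 match access-group name INSIDE-TO-OUTSIDE_acl
 match class-map INSIDE-TO-OUTSIDE_cmap_L4
!
! Two inspect classes, L7 before L4; anything else is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE_policy
 class type inspect INSIDE-TO-OUTSIDE_cmap_app7
  inspect
 class type inspect INSIDE-TO-OUTSIDE_cmap_app4
  inspect
 class class-default
  drop log
```

After applying it, `show policy-map type inspect zone-pair` (the command MHM recommends above) shows per-class packet and session counters for the INSIDE-TO-OUTSIDE pair; if a protocol you expected to be inspected is counting up under class-default instead, that is the class whose match statements need adjusting.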

Oh yeah, I remember reading that somewhere about order for ftp. Noted. I will reorder those. 

On the layer 7 inspection part, would this work:

ip access-list extended self_Web_acl
 permit ip any any
!
class-map type inspect match-any self_Web_app
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol icmp
!
class-map type inspect match-all self_Web
 match class-map self_Web_app
 match access-group name self_Web_acl
!
policy-map type inspect self-OUTSIDE-POLICY
 class type inspect self_Web
  pass
 class class-default
  drop log
!
zone-pair security self-OUTSIDE source self destination OUTSIDE
 service-policy type inspect self-OUTSIDE-POLICY

And on the last part, yes, I intended to drop all traffic from outside to self for now until I can get around to setting up a VPN. I'll start another post for that eventually.

Plus swapping the protocol order; I forgot to do that before posting.

@jeremy0463 "pass" would work but it will bypass any inspection, so in this instance (outside to self) the order makes no difference. The order was only relevant for inspection of inside-to-outside traffic, which I mentioned earlier.

Oh ok I gotcha, so maybe like MHM suggested, separate the L4 L7 traffic into two different class maps and inspect the L4 traffic first in the self zone? Although I am only really passing vpn anyway and denying everything else

@jeremy0463 for outside to self policy map just reference the class-default class which will drop the traffic from outside to self, as per your requirements.

One more thing to note. I read at the following link that “As soon as you configure one zone-pair that involves the Self-Zone traffic from any zone to the Self or from the Self to any zone will be filtered”. If I’m understanding this correctly, it means that I’m going to have to go ahead and configure inside-to-self and self-to-inside as well. The fact that I have at least one zone pair that includes self (outside-to-self and self-to-inside) means that all zones are filtered and there will be no traffic between self and inside even if not defined if this is right. See link:

https://community.cisco.com/t5/security-knowledge-base/zbfw-self-zone-integration/ta-p/3154572
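Putting the two suggestions together (class-default drop for outside-to-self, and explicit pairs for the other self directions once any self-zone pair exists), here is an added example of the full set of self-zone pairs. It is not configuration from this thread or from the poster: it reuses only the INSIDE and OUTSIDE zone names from the posted running config; every policy, class and ACL name, the choice of 192.168.1.0/24 as the management subnet, and the handling of DHCP as passed rather than inspected are assumptions to adjust.

```cisco
! Added example, not the poster's config.
!
! 1. Outside -> self: nothing is allowed, class-default drops and logs it all.
!    This is what closes 22, 80, 443 and 1720 from the WAN side.
policy-map type inspect OUTSIDE-TO-SELF_policy
 class class-default
  drop log
!
! 2. Self -> outside: router-originated DNS, NTP and call-home sessions.
!    Inspecting tcp/udp/icmp lets the replies back in without a second rule.
class-map type inspect match-any SELF_L4_cmap
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect SELF-TO-OUTSIDE_policy
 class type inspect SELF_L4_cmap
  inspect
 class class-default
  drop log
!
! 3. Inside -> self: management from the LAN only (SSH, HTTPS, ping), plus the
!    DHCP requests the router answers for VLAN 1. A DHCP discover comes from
!    0.0.0.0 to the broadcast address, so that ACL line uses "any" and the
!    class is passed in each direction instead of inspected (assumption).
ip access-list extended INSIDE-TO-SELF_mgmt_acl
 10 permit tcp 192.168.1.0 0.0.0.255 any eq 22
 20 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 30 permit icmp 192.168.1.0 0.0.0.255 any
ip access-list extended DHCP_to_self_acl
 10 permit udp any eq bootpc any eq bootps
ip access-list extended DHCP_from_self_acl
 10 permit udp any eq bootps any eq bootpc
class-map type inspect match-all INSIDE-TO-SELF_mgmt_cmap
 match access-group name INSIDE-TO-SELF_mgmt_acl
 match class-map SELF_L4_cmap
class-map type inspect match-all DHCP_to_self_cmap
 match access-group name DHCP_to_self_acl
class-map type inspect match-all DHCP_from_self_cmap
 match access-group name DHCP_from_self_acl
policy-map type inspect INSIDE-TO-SELF_policy
 class type inspect INSIDE-TO-SELF_mgmt_cmap
  inspect
 class type inspect DHCP_to_self_cmap
  pass
 class class-default
  drop log
!
! 4. Self -> inside: DHCP offers/acks and router-originated traffic to the LAN.
policy-map type inspect SELF-TO-INSIDE_policy
 class type inspect DHCP_from_self_cmap
  pass
 class type inspect SELF_L4_cmap
  inspect
 class class-default
  drop log
!
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF_policy
zone-pair security SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUTSIDE_policy
zone-pair security INSIDE-TO-SELF source INSIDE destination self
 service-policy type inspect INSIDE-TO-SELF_policy
zone-pair security SELF-TO-INSIDE source self destination INSIDE
 service-policy type inspect SELF-TO-INSIDE_policy
!
! The posted config enables "ip http server", which is the plaintext listener
! behind port 80 on every interface. With HTTPS management kept, it can go.
no ip http server
```

Apply the inside-to-self pair from a console session rather than over SSH, since a mistake in the management ACL locks the VTY lines out; then confirm with `show policy-map type inspect zone-pair` that SSH and DHCP sessions count up under their own classes and that only unexpected traffic lands in class-default.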

agreed
