10-05-2012 08:29 AM - edited 03-11-2019 05:05 PM
Hi
I've set up the Cisco router's DNS server via "ip dns server", which I need for inside use. However, now if I do a port scan from outside it shows port 53 open. How do I block all traffic to port 53 from outside, since I need this DNS only inside my NAT/overload network?
I'm using 1900 series.
10-05-2012 10:07 AM
Hello Luka,
Do you have an ACL on the outside interface?
You could add one
ip access-list extended outside_in
deny udp any any eq 53
permit ip any any ( if this is what you have right now)
interface fast 0/0 ( interface connecting to internet)
ip access-group outside_in in
Regards,
Remember to rate all of our answers.
10-05-2012 10:46 AM
If that system is connected to the internet, you should activate at least the IOS-Firewall (SEC-License needed) to control the traffic that flows to your network. With that by default all ports are closed and only return-traffic can enter your network.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
10-05-2012 01:54 PM
Hi,
By default with ZBF, traffic destined to the self zone or coming from the self zone is permitted, so he'll have to configure a policy for traffic coming to the self zone from the outside zone.
Regards.
Alain
Don't forget to rate helpful posts.
10-05-2012 02:14 PM
I wouldn't recommend ZBF in that case because it's too complicated. CBAC would be more than enough.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
10-06-2012 05:37 AM
Here is my current running config.
What do you suggest I do? For now I've forwarded port 53 to a dummy IP address.
I have SEC license.
Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
data          None          None           None
!
! Last configuration change at 23:47:03 CEST Fri Oct 5 2012 by admin
! NVRAM config last updated at 23:47:04 CEST Fri Oct 5 2012 by admin
! NVRAM config last updated at 23:47:04 CEST Fri Oct 5 2012 by admin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname r0
!
boot-start-marker
boot system flash:c1900-universalk9-mz.spa.151-4.m5.bin
boot-end-marker
!
!
enable secret 4 g0rpmgGc.WRIwoCfStjriwwUU8l80hSfH.a65o75m0g
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.100
ip dhcp excluded-address 192.168.10.254
!
ip dhcp pool vlan10
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.10.1
lease 3
!
!
no ip bootp server
ip host www.mydomain.net 192.168.20.2
ip name-server 84.255.209.79
ip name-server 84.255.210.79
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FCZ1606C28X
!
!
username admin secret 4 g0rpmgGc.WRIwoCfStjriwwUU8l80hSfH.a65o75m0g
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.10
description HOME VLAN
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.20
description SERVERS VLAN
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.30
description VM VLAN
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.40
description MANAGEMENT VLAN
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.20.2 22
ip nat inside source static tcp 1.1.1.1 53
ip nat inside source static tcp 192.168.20.2 80
ip nat inside source static tcp 192.168.20.2 443
ip route 0.0.0.0 0.0.0.0
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
!
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
exec-timeout 0 0
no exec
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
ntp server 193.2.1.117
end
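As an added check, not part of any post in this thread: a small script that audits a pasted running-config for the exposure the original poster found, i.e. an `ip nat outside` interface with no inbound access-group while `ip dns server` is on, or an inbound ACL that is effectively open (`permit ip any any`, or a permit for tcp/udp 53 from anywhere). It assumes the indentation of `show running-config` output (the config pasted above lost its indentation), looks only at named ACLs, and the sample config, outside address 203.0.113.10 and ACL name INTERNET-IN are constructed for the example.

```python
"""Audit an IOS running-config for router services exposed on the outside
interface. Added example; heuristic, not a substitute for a real scan."""
import re
from collections import OrderedDict

# Constructed sample: the situation from the thread, before any inbound ACL.
UNPROTECTED = """\
ip dns server
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1.10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
ip access-list extended INTERNET-IN
 permit tcp any host 203.0.113.10 eq 22
 deny ip any any
"""
# Same config with the ACL applied inbound, and a variant that opens it up.
PROTECTED = UNPROTECTED.replace(" ip nat outside\n",
                                " ip nat outside\n ip access-group INTERNET-IN in\n")
OPEN_ACL = PROTECTED.replace(" deny ip any any", " permit ip any any")

IFACE_RE = re.compile(r"^interface (\S+)$")
ACL_RE = re.compile(r"^ip access-list (?:extended|standard) (\S+)$")


def parse_blocks(cfg, header_re):
    """Return {name: [sub-commands]} for each block whose header matches
    header_re. Sub-commands are the indented lines that follow the header;
    a '!' or any non-indented line ends the block (IOS config layout)."""
    blocks, current = OrderedDict(), None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = header_re.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit(cfg):
    """List human-readable findings; empty list means nothing flagged."""
    findings = []
    dns_on = any(l.strip() == "ip dns server" for l in cfg.splitlines())
    ifaces = parse_blocks(cfg, IFACE_RE)
    acls = parse_blocks(cfg, ACL_RE)
    for name, lines in ifaces.items():
        if "ip nat outside" not in lines:
            continue                      # only the Internet-facing side matters
        inbound = [l.split()[2] for l in lines
                   if l.startswith("ip access-group ") and l.endswith(" in")]
        if not inbound:
            what = "ip dns server" if dns_on else "router services"
            findings.append(f"{name}: ip nat outside with no inbound ACL; "
                            f"{what} reachable from outside")
            continue
        for acl in inbound:
            for entry in acls.get(acl, []):
                if entry == "permit ip any any":
                    findings.append(f"{name}: ACL {acl} has 'permit ip any any'; "
                                    "everything incl. udp/53 is open")
                elif re.match(r"permit (udp|tcp) any any eq (53|domain)$", entry):
                    findings.append(f"{name}: ACL {acl} opens "
                                    f"{entry.split()[1]}/53 to the world")
    return findings


if __name__ == "__main__":
    for label, cfg in (("unprotected", UNPROTECTED), ("protected", PROTECTED),
                       ("open acl", OPEN_ACL)):
        print(label, audit(cfg))
```

The ACL check is deliberately narrow: IOS appends an implicit `deny ip any any` to every ACL, so the dangerous cases are a missing access-group or an explicit wide permit, not a missing deny line. Numbered ACLs (`access-list 100 ...`) and `ip access-group ... out` are not examined.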
10-06-2012 06:41 AM
It all starts with the following config:
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
ip access-list extended INTERNET-IN
deny ip any any
int gig 0/0
descr Connection to internet
ip access-group INTERNET-IN in
ip inspect FW out
With that the typical internet-traffic will work; only answers to your own traffic will flow back to your router or your network.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
10-06-2012 08:12 AM
How do I incorporate that into my config? I need 22, 80 and 443 forwarded to 192.168.20.2, I mean opened.
If i do:
ip access-list extended INTERNET-IN
permit tcp any host 192.168.20.2 eq 22
permit tcp any host 192.168.20.2 eq 80
permit tcp any host 192.168.20.2 eq 443
deny ip any any
Would that make those ports open from outside to server on inside which has IP 192.168.20.2?
10-06-2012 05:06 PM
Karsten, I've applied your settings... it works like a charm! :>
Anyway, in the ACL I had to use my static outside IP and not the internal NAT one :>
I've deleted the NAT forwarding of port 53 to the dummy address... now when I do a port scan from outside, 53 seems closed.
Here is config:
ip access-list extended INTERNET-IN
permit tcp any host MY_STATIC_OUTSIDE_IP eq 22
permit tcp any host MY_STATIC_OUTSIDE_IP eq 80
permit tcp any host MY_STATIC_OUTSIDE_IP eq 443
deny ip any any
Cheers!
10-07-2012 12:26 AM
anyway in ACL list i had to use my static outside IP.. and not the internal NAT one
yes, that's caused by the order of operation in IOS:
http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
When the packet enters the router, the ACL is evaluated before NAT is applied to the packet.
Have fun with your new firewall ... ;-)
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
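The following is an added illustration, not Cisco code and not from any post above, that models the two points the thread turns on: the accepted CBAC config (only replies to sessions that left through the outside interface get back in, everything else hits `deny ip any any`) and the order-of-operations point just made (the inbound ACL sees the packet before inside static NAT rewrites the destination, so the permit lines must name the outside address rather than 192.168.20.2). The outside address 203.0.113.10 stands in for MY_STATIC_OUTSIDE_IP, the scanner 198.51.100.7 and the packets are constructed, and the forwarder 84.255.209.79 is the first name-server from the posted config.

```python
"""Toy model of the IOS outside-interface ingress path as used in this thread.
Added example: ingress ACL before inside static NAT, plus CBAC return traffic."""
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.10"   # stands in for MY_STATIC_OUTSIDE_IP (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def acl_permits(acl, pkt):
    """Extended ACL as (action, proto, dst, dport) tuples; 'any'/None are
    wildcards. First match wins; an exhausted ACL denies, which is the
    implicit 'deny ip any any' at the end of every IOS ACL."""
    for action, proto, dst, dport in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if dst not in ("any", pkt.dst):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


# The 'ip nat inside source static tcp' forwards from the posted config.
STATIC_NAT = {("tcp", 22): ("192.168.20.2", 22),
              ("tcp", 80): ("192.168.20.2", 80),
              ("tcp", 443): ("192.168.20.2", 443)}


class OutsideInterface:
    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()   # CBAC state; 'router-traffic' includes the router's own flows

    def send_out(self, pkt):
        """'ip inspect FW out': remember the 5-tuple so its reply can return."""
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def receive(self, pkt):
        """Return ('permit', packet as delivered) or ('deny', reason)."""
        # 1. CBAC: a reply to a session we opened bypasses the inbound ACL.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return ("permit", pkt)
        # 2. Inbound ACL on the packet as it arrived, i.e. before NAT.
        if not acl_permits(self.acl, pkt):
            return ("deny", "acl")
        # 3. Only now does inside static NAT rewrite the destination.
        inside = STATIC_NAT.get((pkt.proto, pkt.dport))
        if inside and pkt.dst == OUTSIDE_IP:
            pkt = Packet(pkt.proto, pkt.src, pkt.sport, inside[0], inside[1])
        return ("permit", pkt)


# The ACL as first attempted (inside addresses) and as finally applied.
ACL_INSIDE = [("permit", "tcp", "192.168.20.2", 22),
              ("permit", "tcp", "192.168.20.2", 80),
              ("permit", "tcp", "192.168.20.2", 443),
              ("deny", "ip", "any", None)]
ACL_OUTSIDE = [(a, p, OUTSIDE_IP if d != "any" else d, port)
               for a, p, d, port in ACL_INSIDE]


def scan_dns(acl, proto="udp"):
    """An outside host probing the router's own DNS service on port 53."""
    ifc = OutsideInterface(acl)
    return ifc.receive(Packet(proto, "198.51.100.7", 40000, OUTSIDE_IP, 53))[0]


def router_dns_lookup(acl):
    """The router queries its forwarder; the reply must be let back in."""
    ifc = OutsideInterface(acl)
    ifc.send_out(Packet("udp", OUTSIDE_IP, 51234, "84.255.209.79", 53))
    return ifc.receive(Packet("udp", "84.255.209.79", 53, OUTSIDE_IP, 51234))[0]


def inbound_ssh(acl):
    """Outside client to the forwarded SSH port: verdict and final destination."""
    ifc = OutsideInterface(acl)
    verdict, pkt = ifc.receive(Packet("tcp", "198.51.100.7", 50000, OUTSIDE_IP, 22))
    return verdict, (pkt.dst if verdict == "permit" else None)


if __name__ == "__main__":
    print(scan_dns(ACL_OUTSIDE), scan_dns(ACL_OUTSIDE, "tcp"))   # deny deny
    print(router_dns_lookup(ACL_OUTSIDE))                        # permit
    print(inbound_ssh(ACL_INSIDE), inbound_ssh(ACL_OUTSIDE))     # ('deny', None) ('permit', '192.168.20.2')
```

The model only orders the three steps the thread depends on; real IOS has more stages in the ingress path, and CBAC tracks state per protocol rather than as a bare 5-tuple set.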
10-11-2012 11:51 PM
Hi
I have another question. Now I've added inspection of incoming http, https and ssh traffic, but I'm not really sure whether I get any benefit from doing so. Is it worth it? :> Below is the current running config.
ip inspect name CBAC-OUT tcp router-traffic
ip inspect name CBAC-OUT udp router-traffic
ip inspect name CBAC-OUT icmp router-traffic
ip inspect name CBAC-OUT ftp
ip inspect name CBAC-IN http
ip inspect name CBAC-IN https
ip inspect name CBAC-IN ssh
!
!
!
!
interface GigabitEthernet0/0
ip address
ip access-group INBOUND in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect CBAC-IN in
ip inspect CBAC-OUT out
ip virtual-reassembly in
duplex auto
speed auto
!
!
ip access-list extended INBOUND
permit tcp any host
permit tcp any host
permit tcp any host
10-12-2012 03:37 AM
There are two reasons for activating the inspections:
1) Make the traffic work. That's the case for FTP or other multi-channel protocols. The router must look into the traffic to find the ports on which the data channel will be established.
2) Apply extra protection for the traffic. That's the case with http, pop3, imap, and so on. These are only needed if you want to filter your traffic based on upper-layer information.
So if your traffic works, you don't need any more inspections.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
10-12-2012 03:47 AM
So basically I'm not gaining anything by inspecting incoming traffic to my HTTPS server?
10-12-2012 04:24 AM
Not with https, but if you look at http, you could attach an L7 policy where you restrict your traffic based on HTTP headers. You could for example only allow specific methods, deny sessions from IE6 or search for keywords in the HTTP payload.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
10-12-2012 05:19 AM
Thanks for clearing things up. I've removed the inbound inspection rules marked in red.