09-30-2010 10:26 AM - edited 03-11-2019 11:48 AM
Hi,
I am using an 1801 for test purposes. The router is setup to nat a 192.168.x.y/24 network. Connectivity/browsing/NAT/VPN/Portforwarding all work fine. The router has a single static IP.
I have opened port 21 to forward to my 192.168.x.y host (my PC) behind the router, and all that works fine. I can connect to the FTP server.
What I would like to do is only allow a single host to connect to the FTP port. I have tried doing this with access lists and have tried to set this up using the web configuration tool but it does not work.
Can anyone help me out with a sample config as to how I can achieve this (without buying an ASA)?
Thanks
09-30-2010 11:09 AM
Hello,
I am assuming your FTP server is behind the firewall (inside network) and you want a single host somewhere on the outside network to gain outside-to-inside access. You should already have some kind of access list blocking outside-to-inside traffic; all you should have to do is add a line (probably somewhere near the beginning of the list) permitting the specific host on that port: "access-list 100 permit tcp host x.x.x.x host y.y.y.y eq ftp", where x.x.x.x is the source address of the outside host coming in and y.y.y.y is the public address that is NATing or port forwarding to your internal host. Again, where this statement is placed in the list can determine whether it works or not. Maybe you can post a copy of your config or your access list and NAT statements.
10-01-2010 03:13 AM
Hi djh278778,
Thanks for your reply.
Yes, the FTP server is 192.168.2.20, so behind the router, and I am trying to get a single host from the outside to gain access to the FTP server. I will paste a config below, but the access list appears to be ignored as I can still connect to the external IP from anywhere as opposed to just from my single host.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rtr111
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret secretpassword
!
aaa new-model
!
aaa session-id common
!
dot11 syslog
ip cef
!
no ip domain lookup
ip domain name domain.co.uk
!
multilink bundle-name authenticated
isdn switch-type basic-net3
!
!
username
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map remotes 2111 ipsec-isakmp
set peer 1.2.3.4
set transform-set myset
match address 2112
!
archive
log config
hidekeys
!
!
ip ssh version 1
!
!
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Vlan1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip access-group ftprule out
ip nat outside
no ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname test2@dsldomain.co.uk
ppp chap password test
crypto map remotes
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 125 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.20 21 5.6.7.8 21 extendable
!
ip access-list extended ftprule
permit tcp any any established
permit tcp host 9.10.11.2 gt 1024 host 5.6.7.8 eq ftp
deny tcp any any eq ftp
!
access-list 24 permit x.x.x.x
access-list 24 deny any
access-list 125 deny ip 192.168.2.0 0.0.0.255 y.y.y.y 0.0.0.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
access-list 2111 permit ip 192.168.111.0 0.0.0.255 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
snmp-server community string RO 24
snmp-server enable traps tty
no cdp run
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 24 in
privilege level 15
transport input telnet ssh
!
end
If I change "ip access-group ftprule out" to "ip access-group ftprule in" I lose all connectivity.
Thanks
10-01-2010 07:51 AM
So you want to open inbound ftp to 5.6.7.8 2 that is translated to 192.168.2.20 from a specific host?
Your line "permit tcp host 9.10.11.2 gt 1024 host 5.6.7.8 eq ftp" in the ACL allows 9.10.11.2 to do that. But the ACL is applied outbound. Don't you want to allow inbound FTP? Also one more thing to keep in mind is that the FTP data will be transferred on higher ports or port 20 depending on if you have active or passive FTP. So you might need to do FTP inspection too so that the firewall will open up for the FTP data. You might be able to settle that with the ACL too though.
Please clarify if you want to open up inbound FTP to 5.6.7.8 2 to work or outbound from 5.6.7.8 2 to 9.10.11.2.
I hope it helps.
PK
10-01-2010 07:59 AM
Hi,
Thanks for your response.
Yes, I want to open an inbound ftp connection to 5.6.7.8 2 from a single external host.
If I change the ACL to inbound on the dialer I lose all connectivity.
Thanks
10-01-2010 07:58 AM
OK, here are the issues that I see: In order to filter this traffic the way you are describing, it needs to be done inbound to the router. This means that the ACL needs to be applied in the "in" direction of the outside interface. (I am surprised you are not having more issues with traffic getting out of the router at all the way it looks right now.) Anyway, when you change it to "in" you would lose connectivity. Take a look at what it is allowing. It is basically denying everything except FTP from a single host and already established sessions for TCP. You would probably have problems just resolving domain names alone, because DNS uses UDP. Really what you would have to do here is an IOS-based firewall (which is to use your "ip inspect name xyz service" statements or Zone-Based Firewall). This would allow all of your originated traffic from the inside to be returned back through the firewall. Then you would apply your ACL in the inbound direction but without the "permit tcp any any established" line.
10-01-2010 08:10 AM
Hi,
I don't suppose you have any example configs for what I am trying to do?
Thanks
10-01-2010 08:13 AM
To summarize the suggested config
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
interface Dialer0
ip access-group ftprule in
ip inspect FW out
ip access-list extended ftprule
permit tcp host 9.10.11.2 gt 1024 host 5.6.7.8 eq ftp
Let us know if it solves it.
PK
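A fuller version of the layout PK summarised, as an added example that is not part of the thread: it reuses the addresses and names from the posted config (9.10.11.2, 5.6.7.8, 192.168.2.20, the VPN peer 1.2.3.4, the inspect name FW and the ACL name ftprule) and adds the IPsec permits an inbound ACL needs so the existing crypto map on Dialer0 keeps working.

```cisco
! Added example, not from the thread: CBAC inspection plus an inbound ACL
! on the outside interface, written out against the config posted above.
! All addresses are the thread's own placeholders.
!
! 1. Stateful inspection for everything the LAN originates. Return
!    traffic is opened dynamically, so the inbound ACL needs no
!    "permit tcp any any established" line and UDP (DNS) keeps working.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
!
! 2. Inbound ACL on the outside interface. It is evaluated before the
!    outside-to-inside NAT, so the destination is the public 5.6.7.8,
!    not 192.168.2.20.
ip access-list extended ftprule
 remark -- IPsec to the crypto map peer would otherwise be dropped
 permit udp host 1.2.3.4 any eq isakmp
 permit udp host 1.2.3.4 any eq non500-isakmp
 permit esp host 1.2.3.4 any
 remark -- FTP control channel from the one allowed client only
 permit tcp host 9.10.11.2 gt 1024 host 5.6.7.8 eq ftp
 remark -- everything else is dropped; logging helps troubleshooting
 deny ip any any log
!
! 3. Swap the outbound ACL for inbound ACL + inspection. Inspecting
!    "in" as well lets the FTP inspection open the data channel
!    (PORT or PASV) for the permitted inbound control session.
interface Dialer0
 no ip access-group ftprule out
 ip access-group ftprule in
 ip inspect FW out
 ip inspect FW in
!
! Verify: "show ip inspect sessions" lists the dynamic openings and
! "show ip access-lists ftprule" shows per-line hit counts.
```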
10-01-2010 08:18 AM
When you put your IP inspect statements in, do a "?" and use all the services you can.