Perimeter interface ACL

Robert Craig
Level 3

I want to lock down my router that connects to the cable modem. Now, I thought it would be simple to just block everything incoming via an ACL, but as soon as I applied the below ACL, even the clients that are being NAT'd couldn't get to the internet. This router is performing NAT for the internal network, as well as terminating client/network IPSEC tunnels. Any ideas on how to approach this?

access-list 150 remark OUTSIDE_TO_INSIDE_ACL
! Prevent LAND Attack
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
! IP address spoof protection
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
! ICMP filters
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any echo log
access-list 150 deny icmp any any mask-request log
! Deny all and log port numbers
access-list 150 deny tcp any range 0 65535 any range 0 65535 log
access-list 150 deny udp any range 0 65535 any range 0 65535 log
access-list 150 deny ip any any log

Julio Carvajal
VIP Alumni

Hello Robert,

The situation with the routers is that they cannot perform stateful inspection by default (like an ASA firewall), so you need to create an access-control entry for all the connections you want to allow from the outside to the inside, even if they are a reply to a connection initiated on the inside of your network.

Do you see my point here?

So, for example, there is one workaround for this: you can create a reflexive access-list on the inside interface of your router so the replies to requests or packets being sent from the inside to the outside are allowed by default, no matter what access-list is applied on the outside interface.

Reflexive access-lists work with the TCP protocol, so for example if you want to allow internet access and you are using a public DNS (UDP/53), the reflexive access-list will not work for that protocol (UDP), so you will need to permit that traffic on the outside interface.

Here is a link if you want to go deeper with this particular feature

http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/screflex.html#wp3627

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Maykol Rojas
Cisco Employee

Hi Robert,

Remember that this is not a stateful firewall. Hence, you will need to permit the return traffic from the internet on port 80 to your clients.

To continue using this ACL but still permit anything from the inside network to the outside, you can apply CBAC (some sort of reflexive ACL), which will allow packets to return if the sessions were created on a trusted interface.

You can do the following (assuming the ACL is applied on the interface that connects to the internet):

ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp

Get into the interface and put the following command:

ip inspect FW out

Then apply the ACL and let me know how it goes.

Mike
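As an added illustration, not code from the thread or from Cisco, here is a Python model of the first-match ACL evaluation and of the CBAC session table Mike describes, showing why Robert's inbound ACL broke the NAT'd clients and why VPN peers still need explicit permits. The router public IP 203.0.113.10, the DNS server 198.51.100.53 and the VPN peer 198.51.100.7 are constructed values, and the ACL is a shortened copy of Robert's list 150.

```python
import ipaddress
from collections import namedtuple
Packet = namedtuple("Packet", "proto src dst sport dport")
_in = lambda addr, net: ipaddress.ip_address(addr) in ipaddress.ip_network(net)

# Constructed model of the thread's access-list 150 as (action, proto, src, dst, dport); masks as prefixes, dport None = any port.
ACL150 = [
    ("deny", "ip", "127.0.0.0/8", "0.0.0.0/0", None),   # spoof protection
    ("deny", "ip", "10.0.0.0/8", "0.0.0.0/0", None),
    ("deny", "icmp", "0.0.0.0/0", "0.0.0.0/0", None),   # ICMP filters
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),     # deny ip any any log
]
# Mike's suggested VPN entries; 203.0.113.10 is an assumed router public IP.
VPN_PERMITS = [
    ("permit", "udp", "0.0.0.0/0", "203.0.113.10/32", 500),   # isakmp
    ("permit", "udp", "0.0.0.0/0", "203.0.113.10/32", 4500),  # NAT-T
]

def acl_lookup(acl, pkt):
    # First match wins, as in IOS; anything unmatched hits the implicit deny.
    for action, proto, src, dst, dport in acl:
        if (proto in ("ip", pkt.proto) and _in(pkt.src, src)
                and _in(pkt.dst, dst) and dport in (None, pkt.dport)):
            return action
    return "deny"

class CbacRouter:
    def __init__(self, inbound_acl):
        self.acl, self.sessions = inbound_acl, set()
    def send_out(self, pkt):
        # 'ip inspect FW out': remember the flow so its reply is let back in.
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    def receive(self, pkt):
        reverse = (pkt.proto, pkt.dt if False else pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit"               # dynamic entry opened by inspection
        return acl_lookup(self.acl, pkt)  # unsolicited traffic meets the ACL

def demo():
    query = Packet("udp", "203.0.113.10", "198.51.100.53", 40000, 53)  # NAT'd DNS
    reply = Packet("udp", "198.51.100.53", "203.0.113.10", 53, 40000)
    isakmp = Packet("udp", "198.51.100.7", "203.0.113.10", 500, 500)  # VPN peer
    plain, inspected = CbacRouter(ACL150), CbacRouter(ACL150)
    inspected.send_out(query)
    return {
        "dns_reply_no_inspect": plain.receive(reply),
        "dns_reply_with_inspect": inspected.receive(reply),
        "isakmp_inspect_only": inspected.receive(isakmp),
        "isakmp_with_permits": CbacRouter(VPN_PERMITS + ACL150).receive(isakmp),
    }
```

The DNS reply is dropped by the static ACL alone but admitted once inspection has recorded the outbound query, while the unsolicited ISAKMP packet is only admitted by the explicit permit entries.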

OK, I think I'm following you. Apply the ACL on the exterior int.

int f0/0 <<<----one going to cable modem

ip access-group 151 in

Then create the inspect rules (this is how I came across the ACL in the first place: I was trying to implement the inspect rules):

ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp

Then go back to int f0/0

ip inspect FW out

About right? This would allow any traffic sourcing from inside the network (either from the router's crypto map sessions or a client on the LAN) to go out and come back in because it came from inside first.

Not quite right for router traffic.

Traffic initiating from the inside subnet, the return traffic would be allowed without the need to explicitly permit it on the ACL.

You may need to allow IPsec and tunnel protocols on the ACL itself for the router to build the tunnels correctly (I don't think it is much of a security problem, since Phase 1 and 2 need to be completed for the VPN to work).

The rest is fine.

Let me know if you have doubts.

Mike

OK, it worked. Nothing internally died (knock on wood). Now, I can't test it right now, but I am assuming remote VPN clients will not be able to connect now. This router serves them as well. How do I allow them in? Would it be something like the below at the top of the ACL?

access-list 151 permit udp any eq 500 any

Hey,

Not quite, it would be more like allowing them to connect to the router, so it would be like this:

access-list 151 permit udp any any eq 500
access-list 151 permit udp any any eq 4500 (in case the devices are behind NAT)
access-list 151 permit esp any any (for encrypted traffic)

The access list you are applying is inbound, nothing outbound, so the replies from the router won't be dropped by this ACL.

Let me know your inputs.

Mike

Problem is, my ip is dynamic.

That's an issue, do you have DDNS configured?

Mike

Ironically, I do. I'm running the windows client on a junk desktop on the LAN.

Robert Craig

Fort Huachuca, AZ 85613

520-226-9505 (Home)

760-583-8270 (Cell)

520-843-0759 (Fax)

Mmmm

From the top of my head, you can put the FQDN there on the ACL and configure a DNS server on the router so it can query the DNS server every time the name changes...

That can work.

Mike

Ok, that might just work. I will give it a shot tomorrow and see what happens. I'll let you know. Thanks Mike!

Sure... let me know if you need any help tomorrow.

Mike

Mike,

I added the modified ACL and it killed my IPSEC tunnels. I didn't try the client tunnels, but the network ones died and didn't come back up. Below is what I used. Don't really see why it didn't work.

access-list 150 remark OUTSIDE_TO_INSIDE_ACL
access-list 150 permit udp any host 10.dyndns-at-home.com eq 500
access-list 150 permit udp any host 10.dyndns-at-home.com eq 4500
access-list 150 permit esp any host 10.dyndns-at-home.com
! Prevent LAND Attack
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
! IP address spoof protection
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
! ICMP filters
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any echo log
access-list 150 deny icmp any any mask-request log
! Deny all and log port numbers
access-list 150 deny tcp any range 0 65535 any range 0 65535 log
access-list 150 deny udp any range 0 65535 any range 0 65535 log
access-list 150 deny ip any any log

OK, caveat to the previous message. I added the below to the list and the tunnels (for the most part) came back up.

access-list 150 permit udp any host 10.dyndns-at-home.com eq isakmp

However, I lost the ability to ping the other side's router, even though I can browse to its web GUI and anything on that network (weird?). Also, the below command shows me nothing, so I have no way of monitoring the tunnels.

show crypto isakmp sa

I don't understand why I lost ping to one interface on the other side (it's an RVS4000, so the VLAN 1 interface) and my crypto status is blank. All because of an ACL? For giggles, I rebooted the router. To make things even more complicated, the interface wouldn't pull an IP from the modem until I removed the ACL.