Perimeter interface ACL

Robert Craig
Level 3

I want to lock down my router that connects to the cable modem. Now, I thought it would be simple to just block everything incoming via an ACL, but as soon as I applied the below ACL, even the clients that are being NAT'd couldn't get to the internet. This router is performing NAT for the internal network, as well as terminating client/network IPSEC tunnels. Any ideas on how to approach this?

access-list 150 remark OUTSIDE_TO_INSIDE_ACL
! Prevent LAND Attack
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
! IP address spoof protection
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
! ICMP filters
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any echo log
access-list 150 deny icmp any any mask-request log
! Deny all and log port numbers
access-list 150 deny tcp any range 0 65535 any range 0 65535 log
access-list 150 deny udp any range 0 65535 any range 0 65535 log
access-list 150 deny ip any any log


That’s what I thought. I don’t have that option. Mike, if you want, we can do a join.me so you can see my screen.

Robert Craig

Fort Huachuca, AZ 85613

520-226-9505 (Home)

760-583-8270 (Cell)

520-843-0759 (Fax)

Do you have this device under contract? I can open a ticket for you and we can look at it on a WebEx.

Mike

No, this is a home device I bought from eBay. http://join.me is free from LogMeIn.

Robert Craig

I see. Is there a way that you can attach the configuration here, removing classified information? I think I can find the issue by looking at it (if a configuration issue exists).

Mike

No problem. I think I removed everything.

core_router#show run
Building configuration...

Current configuration : 7804 bytes
!
! Last configuration change at 12:21:34 Arizona Thu Dec 15 2011 by craigrobert
! NVRAM config last updated at 12:21:22 Arizona Thu Dec 15 2011 by craigrobert
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname core_router
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXX
!
clock timezone Arizona -7
aaa new-model
!
!
aaa group server radius RadiusServers
 server 192.168.1.252 auth-port 1812 acct-port 1813
!
aaa authentication login default group RadiusServers local
aaa authentication login vty_ssh group RadiusServers local
aaa authentication enable default enable
aaa authorization network default group RadiusServers local
aaa accounting exec default start-stop group RadiusServers
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name craig.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
ip multicast-routing
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW sip
ip inspect name FW icmp
ip audit po max-events 100
!
!
!
!
voice service voip
 fax protocol pass-through g711ulaw
 h323
 sip
!
!
!
!
!
!
!
!
!
username craigrobertlee privilege 15 password 7 XXX
!
!
ip ssh time-out 60
ip ssh source-interface FastEthernet0/1
ip ssh rsa keypair-name craigkey
!
class-map match-any VOIP_TRAFFIC
 match access-group 101
!
!
policy-map VOIP_POLICY
 class VOIP_TRAFFIC
  bandwidth 1000
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXX address 174.79.107.62 no-xauth
crypto isakmp key XXX address 184.179.97.121 no-xauth
!
crypto isakmp client configuration group vpnclient
 key XXX
 dns 192.168.1.252
 domain atw.local
 pool VPN_Client
 acl 177
!
!
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
crypto ipsec transform-set SET2 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set SET2
 qos pre-classify
!
!
crypto map ipsec-maps client authentication list default
crypto map ipsec-maps isakmp authorization list default
crypto map ipsec-maps client configuration address respond
crypto map ipsec-maps 10 ipsec-isakmp
 set peer 174.79.X.X
 set security-association idle-time 60
 set transform-set SET2
 match address 102
 qos pre-classify
crypto map ipsec-maps 20 ipsec-isakmp
 set peer 184.179.X.X
 set security-association idle-time 60
 set transform-set SET1
 match address 103
 qos pre-classify
crypto map ipsec-maps 30 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
 ip address 192.168.0.5 255.255.255.255
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 bandwidth 5000
 ip address dhcp
 ip access-group 150 in
 ip nat outside
 ip inspect FW out
 speed 100
 full-duplex
 crypto map ipsec-maps
 service-policy output VOIP_POLICY
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.252
 ip nat inside
 speed 100
 full-duplex
!
ip local pool VPN_Client 192.168.0.129 192.168.0.140
ip nat inside source route-map nonat interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.0.2
ip route 192.168.2.0 255.255.255.0 192.168.0.2
ip route 192.168.3.0 255.255.255.0 192.168.0.2
!
!
ip radius source-interface FastEthernet0/1
access-list 10 permit 192.168.1.254
access-list 11 permit 192.168.1.10
access-list 12 permit 192.168.0.0 0.0.255.255
access-list 12 remark SSH_ACL
access-list 101 permit udp any eq 5060 any eq 5060
access-list 101 remark VOIP_ACL
access-list 101 permit ip any any precedence critical
access-list 101 permit ip any any dscp ef
access-list 102 permit ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 102 remark ROGERS_IP_NETWORK
access-list 103 permit ip 192.168.0.0 0.0.3.255 192.168.16.0 0.0.0.255
access-list 103 remark TTOWN_VPN
access-list 110 remark NO_NAT
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.16.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.255.255 192.168.0.128 0.0.0.127
access-list 110 permit ip 192.168.0.0 0.0.3.255 any
access-list 150 remark OUTSIDE_TO_INSIDE_ACL
access-list 150 permit udp any any eq bootpc
access-list 150 permit udp any any eq bootps
access-list 150 permit udp any eq bootps any eq bootpc
access-list 150 permit udp any host 68.0.184.178 eq isakmp
access-list 150 permit udp any host 68.0.184.178 eq non500-isakmp
access-list 150 permit esp any host 68.0.184.178
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any time-exceeded
access-list 150 permit icmp any any unreachable
access-list 150 permit icmp any any packet-too-big
access-list 150 permit udp host 208.110.65.18 host 68.0.184.178
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any mask-request log
access-list 150 deny ip any any log
access-list 177 permit ip 192.168.0.0 0.0.255.255 192.168.0.128 0.0.0.127
access-list 177 remark VPN_CLIENT_SPLIT_TUNNEL
no cdp run
!
route-map nonat permit 10
 match ip address 110
!
snmp-server community XXX RO 11
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server location Gear Closet
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps xgcp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps config-copy
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps stun
snmp-server enable traps dlsw
snmp-server enable traps bstun
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps atm subif
snmp-server enable traps pppoe
snmp-server enable traps ipmobile
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps voice poor-qov
snmp-server enable traps dnis
snmp-server host 192.168.1.10 version 2c XXX
radius-server host 192.168.1.252 auth-port 1812 acct-port 1813 key 7 XXXX
!
!
!
!
!
line con 0
line aux 0
 no exec
line vty 0 4
 access-class 12 in
 exec-timeout 0 0
 login authentication vty_ssh
 transport input ssh
 transport output none
line vty 5 15
 exec-timeout 0 0
 no exec
 transport input ssh
 transport output none
!
ntp clock-period 17180387
ntp server 192.43.244.18
!
end

core_router#exit

Robert Craig
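As an added illustration (not code from the thread; the page itself is IOS configuration, so Python is used here only to model the ACL logic), a small evaluator for the extended-ACL syntax quoted above, minus the `range` form. It shows that the opening post's deny-only ACL 150 drops the reply half of every NAT'd connection, while the revised ACL 150 from the posted config statically admits only the IKE/ESP flows to 68.0.184.178 (assumed here to be the router's public address); everything else inbound still depends on `ip inspect FW out` (CBAC) punching temporary holes for return traffic. The packets are constructed; 203.0.113.10 is a documentation address standing in for a web server.

```python
import ipaddress

# Added example (not from the thread): a small evaluator for the extended-ACL syntax
# quoted on this page (no 'range' form), to show why a deny-only inbound ACL 150 stops
# NAT return traffic and which flows the revised ACL 150 admits statically.
PORTS = {"isakmp": 500, "non500-isakmp": 4500, "bootps": 67, "bootpc": 68}
ip2int = lambda s: int(ipaddress.IPv4Address(s))
def _addr(tok):  # consume 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard) ints
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return (ip2int(tok.pop(0)), 0) if t == "host" else (ip2int(t), ip2int(tok.pop(0)))
def _port(tok):  # consume an optional 'eq P' -> port number; None means any port
    if tok[:1] != ["eq"]:
        return None
    tok.pop(0); p = tok.pop(0)
    return PORTS.get(p) or int(p)

def parse_ace(line):  # 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [icmp-type] [log]'
    tok = line.split()
    if tok[2] == "remark":
        return None
    rest = tok[4:]  # the helpers consume tokens left to right
    ace = dict(action=tok[2], proto=tok[3], src=_addr(rest), sport=_port(rest),
               dst=_addr(rest), dport=_port(rest))
    ace["icmp_type"] = next((t for t in rest if t != "log"), None)
    return ace

def matches(ace, pkt):
    in_net = lambda spec, ip: ((ip2int(ip) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0
    port_ok = lambda spec, port: spec is None or spec == port
    return (ace["proto"] in ("ip", pkt["proto"])
            and in_net(ace["src"], pkt["src"]) and in_net(ace["dst"], pkt["dst"])
            and port_ok(ace["sport"], pkt.get("sport")) and port_ok(ace["dport"], pkt.get("dport"))
            and ace["icmp_type"] in (None, pkt.get("icmp_type")))

def evaluate(acl, pkt):  # first matching entry wins; IOS ACLs end with an implicit deny
    for line in acl:
        ace = parse_ace(line)
        if ace and matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"

# Constructed samples: subsets of the opening post's ACL and of the revised ACL from the
# posted config, plus two inbound packets addressed to the router's public address.
ORIGINAL = ["access-list 150 deny ip 10.0.0.0 0.255.255.255 any log",
            "access-list 150 deny ip any any log"]
REVISED = ["access-list 150 permit udp any host 68.0.184.178 eq isakmp",
           "access-list 150 permit esp any host 68.0.184.178",
           "access-list 150 deny ip any any log"]
WEB_REPLY = dict(proto="tcp", src="203.0.113.10", sport=443, dst="68.0.184.178", dport=51515)
IKE_IN = dict(proto="udp", src="174.79.107.62", sport=500, dst="68.0.184.178", dport=500)
```

`evaluate(REVISED, WEB_REPLY)` still returns a deny: the static ACL never admits the reply half of an outbound web connection, so on the posted config that return path exists only while CBAC's inspection entry for the session is alive.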

The configuration seems about right. Now, if you don't have the ip inspect log drop-pkt, it means that you are running a really old version:

Release      Modification
12.3(7)T1    This command was introduced.
12.3(8)T     This command was integrated into Release 12.3(8)T.

CBAC had its flaws then, so it wouldn't hurt anybody if you upgrade the unit to later software for further investigation.

Mike

My IOS isn’t that old.

c2600-ik9o3s3-mz.123-26.bin

This is what I got from the download section.

IP/FW/IDS PLUS IPSEC 3DES BASIC Description: Log in Required Description: Service Contract Required

c2600-ik9o3s3-mz.123-26.bin

Now, I am running a 2621 (non-XM) router. I know it’s kind of old, but what do you recommend? I’ve been eyeballing a 2691, or even an 1800.

Robert Craig

Mike,

I am starting to wonder if I should configure my IPSEC Site-to-Site Tunnels differently. After all, this entire endeavor is only causing problems with the traffic that is supposed to be encrypted. I wonder, if I create an interface, say Tunnel10 and use the below link as an example, would the router perform better? The only thing that worries me is how I would handle VPN Clients. Thoughts?

http://www.ccievault.net/index.php/config-index/47-ios-configuration/101-ios-s2s-config

Robert Craig

For the IPsec clients, you can use DVTI. That can work.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

1800 routers are fine... That platform, the 2621, does not support 12.4?

Mike

Nope, I have to have an XM series to support the required memory for 12.4, unless I go to a 2691. I’m thinking about an 1800 series though. I already know that I can’t even use all of my 20-25 Mb cable connection with the current 2621. I’m going to try to configure some tunnels and see what happens. Thanks for all of your help, Mike. I will start a new thread when I have issues again.

Robert Craig

Sounds fine....

If you need something else, just let me know.

Mike