12-13-2011 07:44 PM - edited 03-11-2019 03:01 PM
I want to lock down my router that connects to the cable modem. Now, I thought it would be simple to just block everything incoming via an ACL, but as soon as I applied the below ACL, even the clients that are being NAT'd couldn't get to the internet. This router is performing NAT for the internal network, as well as terminating client/network IPSEC tunnels. Any ideas on how to approach this?
access-list 150 remark OUTSIDE_TO_INSIDE_ACL
! Prevent LAND Attack
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
! IP address spoof protection
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
! ICMP filters
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any echo log
access-list 150 deny icmp any any mask-request log
! Deny all and log port numbers
access-list 150 deny tcp any range 0 65535 any range 0 65535 log
access-list 150 deny udp any range 0 65535 any range 0 65535 log
access-list 150 deny ip any any log
12-15-2011 11:04 AM
That’s what I thought. I don’t have that option. Mike, if you want, we can do a join.me so you can see my screen.
Robert Craig
Fort Huachuca, AZ 85613
520-226-9505 (Home)
760-583-8270 (Cell)
520-843-0759 (Fax)
12-15-2011 11:13 AM
Do you have this device under contract? I can open a ticket for you and we can look at it on a WebEx.
Mike
12-15-2011 11:15 AM
No, this is a home device I bought from eBay. http://join.me is free from LogMeIn.
Robert Craig
12-15-2011 11:20 AM
I see, is there a way that you can attach the configuration here? Remove any classified information... I think I can find the issue by looking at it (if a configuration issue exists).
12-15-2011 11:27 AM
No problem. I think I removed everything.
core_router#show run
Building configuration...
Current configuration : 7804 bytes
!
! Last configuration change at 12:21:34 Arizona Thu Dec 15 2011 by craigrobert
! NVRAM config last updated at 12:21:22 Arizona Thu Dec 15 2011 by craigrobert
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname core_router
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXX
!
clock timezone Arizona -7
aaa new-model
!
!
aaa group server radius RadiusServers
server 192.168.1.252 auth-port 1812 acct-port 1813
!
aaa authentication login default group RadiusServers local
aaa authentication login vty_ssh group RadiusServers local
aaa authentication enable default enable
aaa authorization network default group RadiusServers local
aaa accounting exec default start-stop group RadiusServers
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name craig.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
ip multicast-routing
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW sip
ip inspect name FW icmp
ip audit po max-events 100
!
!
!
!
voice service voip
fax protocol pass-through g711ulaw
h323
sip
!
!
!
!
!
!
!
!
!
username craigrobertlee privilege 15 password 7 XXX
!
!
ip ssh time-out 60
ip ssh source-interface FastEthernet0/1
ip ssh rsa keypair-name craigkey
!
class-map match-any VOIP_TRAFFIC
match access-group 101
!
!
policy-map VOIP_POLICY
class VOIP_TRAFFIC
bandwidth 1000
class class-default
fair-queue
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXX address 174.79.107.62 no-xauth
crypto isakmp key XXX address 184.179.97.121 no-xauth
!
crypto isakmp client configuration group vpnclient
key XXX
dns 192.168.1.252
domain atw.local
pool VPN_Client
acl 177
!
!
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
crypto ipsec transform-set SET2 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set SET2
qos pre-classify
!
!
crypto map ipsec-maps client authentication list default
crypto map ipsec-maps isakmp authorization list default
crypto map ipsec-maps client configuration address respond
crypto map ipsec-maps 10 ipsec-isakmp
set peer 174.79.X.X
set security-association idle-time 60
set transform-set SET2
match address 102
qos pre-classify
crypto map ipsec-maps 20 ipsec-isakmp
set peer 184.179.X.X
set security-association idle-time 60
set transform-set SET1
match address 103
qos pre-classify
crypto map ipsec-maps 30 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
ip address 192.168.0.5 255.255.255.255
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
bandwidth 5000
ip address dhcp
ip access-group 150 in
ip nat outside
ip inspect FW out
speed 100
full-duplex
crypto map ipsec-maps
service-policy output VOIP_POLICY
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.252
ip nat inside
speed 100
full-duplex
!
ip local pool VPN_Client 192.168.0.129 192.168.0.140
ip nat inside source route-map nonat interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.0.2
ip route 192.168.2.0 255.255.255.0 192.168.0.2
ip route 192.168.3.0 255.255.255.0 192.168.0.2
!
!
ip radius source-interface FastEthernet0/1
access-list 10 permit 192.168.1.254
access-list 11 permit 192.168.1.10
access-list 12 permit 192.168.0.0 0.0.255.255
access-list 12 remark SSH_ACL
access-list 101 permit udp any eq 5060 any eq 5060
access-list 101 remark VOIP_ACL
access-list 101 permit ip any any precedence critical
access-list 101 permit ip any any dscp ef
access-list 102 permit ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 102 remark ROGERS_IP_NETWORK
access-list 103 permit ip 192.168.0.0 0.0.3.255 192.168.16.0 0.0.0.255
access-list 103 remark TTOWN_VPN
access-list 110 remark NO_NAT
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.16.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.255.255 192.168.0.128 0.0.0.127
access-list 110 permit ip 192.168.0.0 0.0.3.255 any
access-list 150 remark OUTSIDE_TO_INSIDE_ACL
access-list 150 permit udp any any eq bootpc
access-list 150 permit udp any any eq bootps
access-list 150 permit udp any eq bootps any eq bootpc
access-list 150 permit udp any host 68.0.184.178 eq isakmp
access-list 150 permit udp any host 68.0.184.178 eq non500-isakmp
access-list 150 permit esp any host 68.0.184.178
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any time-exceeded
access-list 150 permit icmp any any unreachable
access-list 150 permit icmp any any packet-too-big
access-list 150 permit udp host 208.110.65.18 host 68.0.184.178
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any mask-request log
access-list 150 deny ip any any log
access-list 177 permit ip 192.168.0.0 0.0.255.255 192.168.0.128 0.0.0.127
access-list 177 remark VPN_CLIENT_SPLIT_TUNNEL
no cdp run
!
route-map nonat permit 10
match ip address 110
!
snmp-server community XXX RO 11
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server location Gear Closet
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps xgcp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps config-copy
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps stun
snmp-server enable traps dlsw
snmp-server enable traps bstun
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps atm subif
snmp-server enable traps pppoe
snmp-server enable traps ipmobile
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps voice poor-qov
snmp-server enable traps dnis
snmp-server host 192.168.1.10 version 2c XXX
radius-server host 192.168.1.252 auth-port 1812 acct-port 1813 key 7 XXXX
!
!
!
!
!
line con 0
line aux 0
no exec
line vty 0 4
access-class 12 in
exec-timeout 0 0
login authentication vty_ssh
transport input ssh
transport output none
line vty 5 15
exec-timeout 0 0
no exec
transport input ssh
transport output none
!
ntp clock-period 17180387
ntp server 192.43.244.18
!
end
core_router#exit
Robert Craig
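What the two ACLs above do to a NAT'd client's return traffic, as an added illustration that is not code from the thread or from Cisco: a small Python model of IOS first-match ACL evaluation with wildcard masks, plus a CBAC-style session table standing in for the "ip inspect FW out" that the posted show run applies on FastEthernet0/0 alongside "ip access-group 150 in". It parses a handful of the access-list lines exactly as posted (the 12-13 version, which contains no permit entry at all, and the revised version with the bootpc, ISAKMP, ESP and echo-reply permits), then shows that the reply to an outbound HTTPS session is dropped by the blanket "deny tcp" line when the inbound ACL is the only control, and is passed once outbound inspection has recorded the session. The web server 203.0.113.10, the client port and the peer traffic are constructed; 68.0.184.178 is the public address the posted ACL uses.

```python
"""IOS first-match ACL evaluation with an optional CBAC-style session table.
Added illustration, not code from the thread; the traffic below is constructed."""
from collections import namedtuple
from ipaddress import IPv4Address
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootps": 67, "bootpc": 68}
# proto: "tcp" / "udp" / "icmp" / "esp"; icmp_type: "echo", "echo-reply", ...
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, ""))
# src/dst: "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W" (wildcard); sport/dport: (lo, hi) or None
Rule = namedtuple("Rule", "action proto src sport dst dport icmp_type")

def _take_addr(tok):
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return "host " + tok[1], tok[2:]
    return tok[0] + " " + tok[1], tok[2:]

def _take_port(tok):
    if tok and tok[0] == "eq":
        v = int(tok[1]) if tok[1].isdigit() else PORT_NAMES[tok[1]]
        return (v, v), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return None, tok

def parse(text):
    """Parse 'access-list N ...' lines; remarks and '!' comment lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "log" else ""
        rules.append(Rule(action, proto, src, sport, dst, dport, icmp_type))
    return rules

def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(IPv4Address(wild))   # wildcard 1-bits are don't-care
    return int(IPv4Address(net)) & care == int(IPv4Address(addr)) & care

def first_match(acl, p):
    """Return the first entry matching p, or None for the implicit deny at the end."""
    for r in acl:
        if (r.proto in ("ip", p.proto)
                and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
                and (r.sport is None or r.sport[0] <= p.sport <= r.sport[1])
                and (r.dport is None or r.dport[0] <= p.dport <= r.dport[1])
                and (not r.icmp_type or r.icmp_type == p.icmp_type)):
            return r
    return None

def evaluate(acl, p):
    r = first_match(acl, p)
    return r.action if r else "deny"

class OutsideInterface:
    """'ip access-group ACL in', optionally with 'ip inspect ... out' (CBAC)."""
    def __init__(self, acl, inspect=False):
        self.acl, self.inspect, self.sessions = acl, inspect, set()
    def send(self, p):      # post-NAT packet leaving toward the cable modem
        if self.inspect and p.proto in ("tcp", "udp", "icmp"):
            self.sessions.add((p.proto, p.dst, p.src, p.dport, p.sport))  # expected reply
    def receive(self, p):   # packet arriving from the modem, seen before NAT undoes translation
        if (p.proto, p.src, p.dst, p.sport, p.dport) in self.sessions:
            return "permit (inspect)"   # CBAC opening is consulted before the static ACL
        return evaluate(self.acl, p)

# First version of the ACL from the 12-13 post (subset; it contains no permit entry).
ORIGINAL_ACL = """
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny icmp any any echo log
access-list 150 deny tcp any range 0 65535 any range 0 65535 log
access-list 150 deny ip any any log
"""
# Revised ACL from the posted show run (subset of its permit entries).
REVISED_ACL = """
access-list 150 permit udp any any eq bootpc
access-list 150 permit udp any host 68.0.184.178 eq isakmp
access-list 150 permit esp any host 68.0.184.178
access-list 150 permit icmp any any echo-reply
access-list 150 deny ip any any log
"""
PUBLIC = "68.0.184.178"   # public address used in the posted ACL; 203.0.113.10 is a made-up web server
def web_reply(acl_text, inspect):
    """A NAT'd client opens HTTPS; return the verdict for the server's reply packet."""
    fa0 = OutsideInterface(parse(acl_text), inspect)
    fa0.send(Packet("tcp", PUBLIC, "203.0.113.10", 51514, 443))
    return fa0.receive(Packet("tcp", "203.0.113.10", PUBLIC, 443, 51514))
```

Two things the model makes visible. An inbound ACL on the outside interface is evaluated on the packet as it arrives from the modem, with the public address as destination and before NAT undoes the translation, so return traffic has to be allowed either by an explicit entry or by inspection; a deny-everything ACL with no inspection breaks every NAT'd session, which is what the 12-13 post describes. Separately, the revised ACL pins 68.0.184.178 as a host entry while FastEthernet0/0 takes its address by DHCP, so the ISAKMP and ESP permits stop matching if the lease ever hands out a different address. The model does not cover one further IOS behaviour that is relevant to the VPN complaint later in the thread: on images without the 12.3(8)T "Crypto Access Check on Clear-Text Packets" feature, the decrypted inner packet of an IPsec tunnel is evaluated against the inbound interface ACL a second time, so site-to-site traffic needs its own permit entries there; the 12.3 mainline image in the post does not carry that T-train feature.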
12-15-2011 12:07 PM
The configuration seems about right. Now, if you don't have the ip inspect log drop-pkt command, it means that you are running a really old version:
Release | Modification
---|---
12.3(7)T1 | This command was introduced.
12.3(8)T | This command was integrated into Release 12.3(8)T.
CBAC had its flaws then, so it wouldn't hurt anybody if you upgraded the unit to later software for further investigation.
Mike
12-15-2011 12:27 PM
My IOS isn’t that old.
c2600-ik9o3s3-mz.123-26.bin
This is what I got from the download section.
IP/FW/IDS PLUS IPSEC 3DES BASIC (c2600-ik9o3s3-mz.123-26.bin)
Now, I am running a 2621 (non-XM) router. I know it's kind of old, but what do you recommend? I've been eyeballing a 2691, or even an 1800.
Robert Craig
12-15-2011 01:16 PM
Mike,
I am starting to wonder if I should configure my IPSEC site-to-site tunnels differently. After all, this entire endeavor is only causing problems with the traffic that is supposed to be encrypted. I wonder, if I create an interface, say Tunnel10, and use the link below as an example, would the router perform better? The only thing that worries me is how I would handle VPN clients. Thoughts?
http://www.ccievault.net/index.php/config-index/47-ios-configuration/101-ios-s2s-config
Robert Craig
12-15-2011 01:24 PM
For the IPsec clients, you can use DVTI. That can work.
1800 routers are fine... That platform (2621) does not support 12.4?
Mike
12-15-2011 01:31 PM
Nope, I have to have an XM series to support the required memory for 12.4, unless I go to a 2691. I'm thinking about an 1800 series though. I already know that I can't even use all of my 20-25 Mbps cable connection with the current 2621. I'm going to try to configure some tunnels and see what happens. Thanks for all of your help, Mike. I will start a new thread when I have issues again.
Robert Craig
12-15-2011 01:45 PM
Sounds fine....
If you need something else, just let me know.
Mike