1721 Inbound ACL not working

waifurchin
Level 1

I'm trying to design an ACL filter on our 1720 router to prevent certain tcp ports from flowing through the router.

I've written the following access-list as a test:

access-list 101 deny tcp any any eq 135 log
access-list 101 deny tcp any any eq 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any eq 593 log
access-list 101 permit tcp any any

I then applied this to my Serial0 interface (which is connected to our T-1) using the following:

ip access-group 101 in

However, after doing this, writing the config to memory and restarting the router, I am still seeing packets with these destination ports getting bounced by our firewall instead of being dropped by the router.

What have I done incorrectly?


8 Replies

tbaranski
Level 4

Are you sure the packets you're seeing on the firewall aren't UDP?

According to the PIX log (an example):

Deny tcp src outside: w.x.y.z/1132 dst inside: pix_ext/137 by access-group 110

Of course, the w.x.y.z and source port are all over the board, but the rest is consistent.

Richard Burts
Hall of Fame

It would help to know a little bit more about the topology of your network. Is it possible that the data has a different or alternate path that allows it to get to the firewall? Or is it possible that the firewall is rejecting packets from other source addresses which do not flow through this router?

This access list will prevent any packets entering the router on serial 0 that are TCP 135, 139, 445, or 593 and will permit all other TCP packets.

I suggest that you think carefully about the last line of the access list. This will permit all TCP packets, but what about UDP packets, or ICMP packets, or routing updates? An access list like this will frequently end with permit ip any any.

HTH

Rick
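An added example, not code from the thread: a small Python evaluator for the IOS extended access-list syntax used in this thread. It applies the original poster's five-line list to constructed packets shaped like the PIX log entries and shows the two points Rick makes above: the list is walked top to bottom and stops at the first matching entry, and anything that matches no entry, including every UDP packet under a list that only mentions tcp, falls through to the implicit deny ip any any at the end. The parser also covers the established, range and wildcard-mask forms that appear in the fuller list posted later in the thread. Addresses are constructed from the RFC 5737 documentation ranges; the port-keyword table, the packet dictionaries and the function names are this example's own assumptions.

```python
"""Added example (not code from the thread): a minimal evaluator for the IOS
extended access-list syntax used above. Addresses are constructed from the
RFC 5737 documentation ranges; names and packet layout are this example's own."""
import ipaddress

# IOS port keywords that appear in the thread, mapped to their well-known numbers.
PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80, "netbios-ns": 137,
              "netbios-dgm": 138, "syslog": 514}

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        host = tokens[i + 1]
        return (lambda ip: ip == host), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    # In a wildcard mask a 1 bit means "don't care", so only the 0 bits are compared.
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1]))
    return (lambda ip: int(ipaddress.IPv4Address(ip)) & keep == base & keep), i + 2

def _parse_port(tokens, i):
    """Parse an optional 'eq N' | 'gt N' | 'lt N' | 'range A B' port operator."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        op, n = tokens[i], _port(tokens[i + 1])
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[op], i + 2
    if i < len(tokens) and tokens[i] == "range":
        lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i  # no operator: any port matches

def parse_rule(line):
    """'access-list 101 deny tcp any any eq 445 log' -> dict of matchers."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    rule = {"action": t[2], "proto": t[3]}
    i = 4
    rule["src"], i = _parse_addr(t, i)
    rule["sport"], i = _parse_port(t, i)
    rule["dst"], i = _parse_addr(t, i)
    rule["dport"], i = _parse_port(t, i)
    rest = t[i:]
    rule["established"] = "established" in rest
    flags = ("log", "log-input", "established")
    rule["icmp_type"] = next((x for x in rest if x not in flags), None)
    return rule

def _matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (rule["src"](pkt["src"]) and rule["dst"](pkt["dst"])):
        return False
    if rule["proto"] in ("tcp", "udp"):
        if not (rule["sport"](pkt["sport"]) and rule["dport"](pkt["dport"])):
            return False
        # 'established' only matches segments with ACK or RST set, i.e. reply traffic.
        if rule["established"] and not pkt.get("established", False):
            return False
    if rule["proto"] == "icmp" and rule["icmp_type"] not in (None, pkt.get("icmp_type")):
        return False
    return True

def evaluate(acl, pkt):
    """Return (action, matching line). IOS stops at the first matching entry and
    every list ends with an implicit 'deny ip any any'."""
    for line in acl:
        rule = parse_rule(line)
        if _matches(rule, pkt):
            return rule["action"], line
    return "deny", "<implicit deny ip any any>"

# The original poster's five-line test list, as posted in the thread.
TEST_ACL = [
    "access-list 101 deny tcp any any eq 135 log",
    "access-list 101 deny tcp any any eq 139 log",
    "access-list 101 deny tcp any any eq 445 log",
    "access-list 101 deny tcp any any eq 593 log",
    "access-list 101 permit tcp any any",
]

# Constructed packets shaped like the PIX log entries (documentation addresses).
SMB_PROBE = {"proto": "tcp", "src": "198.51.100.21", "sport": 3519, "dst": "192.0.2.3", "dport": 445}
WEB_REQUEST = {"proto": "tcp", "src": "198.51.100.21", "sport": 3520, "dst": "192.0.2.3", "dport": 80}
NETBIOS_QUERY = {"proto": "udp", "src": "198.51.100.21", "sport": 1132, "dst": "192.0.2.3", "dport": 137}

if __name__ == "__main__":
    for name, pkt in (("SMB probe", SMB_PROBE), ("web request", WEB_REQUEST), ("NetBIOS query", NETBIOS_QUERY)):
        print(f"{name:14} -> {evaluate(TEST_ACL, pkt)}")
```

Run as a script it prints the matching entry for each packet; the NetBIOS query shows the implicit deny that the five-line list never states, which is exactly why a list that will carry real traffic usually ends with an explicit permit ip any any or an explicit deny ip any any log so the drops are visible.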

Single T-1 coming in to a CSU/DSU, then connected to the router via serial (v35), then out to the firewall, and from there to the LAN. No other routers. No other routes to the firewall.

I agree entirely with your last statement, and I can assure you the ACL I posted is not what I intend to use in the end, but I need to get this simple ACL working right before I move forward.

After all, if I can't even filter a couple common tcp ports correctly, there's no sense in adding additional complexity to the problem.

If this router is the only thing connected on the segment of the outside interface of the PIX, if the serial interface is the only other interface on the router, and if the access list is properly configured inbound on the serial interface of the router then I do not see how data is getting through.

One suggestion would be to post more log messages from the PIX about what it was seeing that you think it should not see. (The one example you showed was for port 137, which is not a port that you are filtering.) If we see what is getting through, perhaps we can get more insight into how it is happening.

Another suggestion would be to add the log-input option on the last statement of your access-list. The packets that are getting through will create log records which include source and destination address and source and destination port. This might help understand what is getting through to the PIX.

HTH

Rick

Sorry for the delay in responding -

Current configuration:

!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
memory-size iomem 25
ip subnet-zero
no ip finger
!
no ip bootp server
!
interface Serial0
 no ip address
 ip access-group 101 in
 ip access-group 110 out
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address a.b.c.1 255.255.255.252
 ip directed-broadcast
 no cdp enable
 frame-relay interface-dlci 500
!
interface FastEthernet0
 ip address w.x.y.4 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.2
!
access-list 101 deny ip w.x.y.z 0.0.0.7 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny udp any any eq 135 log
access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny udp any any eq 139 log
access-list 101 deny udp any any eq 445 log
access-list 101 deny udp any any eq syslog log
access-list 101 permit udp any range 1 1023 w.x.y.z 0.0.0.7 gt 1023
access-list 101 permit udp any eq domain host w.x.y.2 gt 1023
access-list 101 permit udp any eq domain host w.x.y.2 eq domain
access-list 101 permit udp any eq domain host w.x.y.3 gt 1023
access-list 101 permit udp any eq domain host w.x.y.3 eq domain
access-list 101 deny udp any any log
access-list 101 deny tcp any any eq 135 log
access-list 101 deny tcp any any eq 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any eq 593 log
access-list 101 permit tcp any w.x.y.z 0.0.0.7 established
access-list 101 permit tcp any host w.x.y.1 eq 10000
access-list 101 permit tcp any host w.x.y.3 eq www
access-list 101 permit tcp any host w.x.y.3 eq smtp
access-list 101 permit tcp any host w.x.y.3 eq 143
access-list 101 permit tcp any host w.x.y.3 eq 443
access-list 101 deny tcp any any log
access-list 101 permit icmp any w.x.y.z 0.0.0.7 packet-too-big
access-list 101 deny icmp any any
access-list 101 deny ip any any
!
access-list 110 permit ip w.x.y.z 0.0.0.7 any
access-list 110 deny ip any any log
!
no cdp run
!
no scheduler allocate
end

==================

Sample PIX messages after the config was put in place:

2004-05-11 00:05:17 Local5.Warning 192.168.1.254 %PIX-4-106023: Deny tcp src outside:66.84.165.21/3519 dst dmz:ns2_ext/445 by access-group "out"
2004-05-11 00:05:20 Local5.Warning 192.168.1.254 %PIX-4-106023: Deny tcp src outside:66.84.165.21/3519 dst dmz:ns2_ext/445 by access-group "out"
2004-05-11 00:05:26 Local5.Warning 192.168.1.254 %PIX-4-106023: Deny tcp src outside:66.84.165.21/3519 dst dmz:ns2_ext/445 by access-group "out"
2004-05-11 00:08:12 Local5.Warning 192.168.1.254 %PIX-4-106023: Deny tcp src outside:209.132.177.100/443 dst inside:pix_ext/18381 by access-group "out"
2004-05-11 00:08:12 Local5.Warning 192.168.1.254 %PIX-4-106023: Deny tcp src outside:209.132.177.100/443 dst inside:pix_ext/18381 by access-group "out"
2004-05-11 00:09:06 Local5.Warning 192.168.1.254 %PIX-4-106023: Deny tcp src outside:66.203.190.137/3796 dst dmz:ns2_ext/135 by access-group "out"
2004-05-11 00:09:09 Local5.Warning 192.168.1.254 %PIX-4-106023: Deny tcp src outside:66.203.190.137/3796 dst dmz:ns2_ext/135 by access-group "out"
2004-05-11 00:12:21 Local5.Warning 192.168.1.254 %PIX-4-106023: Deny tcp src outside:66.84.165.21/2598 dst dmz:vpn_ext/445 by access-group "out"
2004-05-11 00:12:24 Local5.Warning 192.168.1.254 %PIX-4-106023: Deny tcp src outside:66.84.165.21/2598 dst dmz:vpn_ext/445 by access-group "out"
2004-05-11 00:12:30 Local5.Warning 192.168.1.254 %PIX-4-106023: Deny tcp src outside:66.84.165.21/2598 dst dmz:vpn_ext/445 by access-group "out"

Remove the filters 101 and 110 from interface serial0 and move them down to interface serial0.1, like this:

interface Serial0
 no ip access-group 101 in
 no ip access-group 110 out
interface Serial0.1 point-to-point
 ip access-group 101 in
 ip access-group 110 out

This will make it work.
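An added example, not code from the thread: a Python check that scans an IOS running-config for the pattern the accepted answer corrects, an ip access-group applied to a main interface that has no ip address while the addressed subinterface beneath it carries no filter of its own, and renders the same move the answer describes. The sample config is cut down from the one posted above, keeping its a.b.c.1 and w.x.y.4 placeholders; the function names and the output format are this example's own assumptions. It is a configuration lint, not a statement about how IOS forwards: the thread itself is the evidence that the filter on the unaddressed Frame Relay main interface was not catching the traffic.

```python
"""Added example (not code from the thread): scan an IOS running-config for the
pattern the accepted answer corrects, a filter applied to a main interface that
has no IP address while its addressed subinterface carries no filter. Function
names are this example's own; the sample config is cut down from the thread."""
import re

# Cut down from the running-config posted in the thread, placeholders kept as-is.
SAMPLE_CONFIG = """\
interface Serial0
 no ip address
 ip access-group 101 in
 ip access-group 110 out
 encapsulation frame-relay IETF
!
interface Serial0.1 point-to-point
 ip address a.b.c.1 255.255.255.252
 frame-relay interface-dlci 500
!
interface FastEthernet0
 ip address w.x.y.4 255.255.255.248
!
"""

def parse_interfaces(config_text):
    """Return {name: [lines]} for every 'interface X' block; a '!' ends the block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]          # 'Serial0', 'Serial0.1', ...
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def access_groups(lines):
    """Return {'in': '101', 'out': '110'} from a block's 'ip access-group' lines."""
    groups = {}
    for line in lines:
        m = re.fullmatch(r"ip access-group (\S+) (in|out)", line)
        if m:
            groups[m.group(2)] = m.group(1)
    return groups

def find_misplaced_acls(config_text):
    """Return (main_if, sub_if, direction, acl) for each filter that sits on an
    unaddressed main interface while the addressed subinterface lacks one."""
    ifs = parse_interfaces(config_text)
    findings = []
    for name, lines in ifs.items():
        if "." in name or "no ip address" not in lines:
            continue
        main_groups = access_groups(lines)
        for sub, sub_lines in ifs.items():
            addressed = any(l.startswith("ip address ") for l in sub_lines)
            if not sub.startswith(name + ".") or not addressed:
                continue
            sub_groups = access_groups(sub_lines)
            for direction, acl in main_groups.items():
                if direction not in sub_groups:
                    findings.append((name, sub, direction, acl))
    return findings

def suggested_fix(findings):
    """Render the change from the accepted answer: take the filter off the main
    interface and apply it on the subinterface that actually holds the address."""
    cmds = []
    for main_if, sub_if, direction, acl in findings:
        cmds += [f"interface {main_if}", f" no ip access-group {acl} {direction}",
                 f"interface {sub_if}", f" ip access-group {acl} {direction}"]
    return cmds

if __name__ == "__main__":
    found = find_misplaced_acls(SAMPLE_CONFIG)
    for main_if, sub_if, direction, acl in found:
        print(f"ACL {acl} ({direction}) is on {main_if} but not on addressed subinterface {sub_if}")
    print("\n".join(suggested_fix(found)))
```

Point it at the output of show running-config and it reports both the inbound 101 and outbound 110 filters as misplaced on this config; once they are re-applied on Serial0.1 it reports nothing.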

Incredibly awesome!

Thank you much.

Are there points or something that can be awarded?
