10-26-2018 09:11 AM - edited 03-03-2019 08:55 AM
Hello,
I need to block ingress ntp and snmp traffic from the Internet to a few IP blocks our company owns and live inside our network. The ACL needs to be created on an ASR1001. Here's the ACL I created but I am not 100% sure if it is correct. Do you see anything wrong with this ACL:
ip access-list extended BLOCKED_INGRESS_Trfc
10 deny ntp any 1.1.1.0 255.255.255.0 log-input
20 deny ntp any 2.2.2.0 255.255.255.0 log-input
30 deny ntp any 3.3.3.0 255.255.255.0 log-input
40 deny ntp any 4.4.4.0 255.255.255.0 log-input
50 deny snmp any 1.1.1.0 255.255.255.0 log-input
60 deny snmp any 2.2.2.0 255.255.255.0 log-input
70 deny snmp any 3.3.3.0 255.255.255.0 log-input
90 deny snmp any 4.4.4.0 255.255.255.0 log-input
permit ip any any
Thanks in advance.
~zK
10-26-2018 10:03 AM
zK
You are on the right track in trying to deny specific types of traffic and then permitting any any. But the details of how you are trying to do it are not quite right. For one thing you are trying to use syntax of deny <application> <source> <destination> but the correct syntax would be more like deny udp <source> <destination> eq <application>. Both of the applications you want to block use UDP as the transport. NTP uses port 123, SNMP uses port 161 or 162. You may be able to use the application name in the ACL or you might want to use the port number.
Also in your ACL you are using the mask for a subnet (255.255.255.0) but for IOS router the mask should be wildcard (0.0.0.255).
HTH
Rick
10-26-2018 10:01 AM
But these network addresses you mentioned belong to you?
And they are live inside the network?
10-26-2018 11:08 AM
That's correct. They are public IP addresses and live on the inside network.
Best, ~zK
10-26-2018 10:34 AM
Thanks for the input, Richard!
I made the correction to the ACL.
ip access-list extended BLOCKED_INGRESS_Trfc
10 deny udp any 1.1.1.0 0.0.0.255 eq ntp log-input
20 deny udp any 2.2.2.0 0.0.0.255 eq ntp log-input
30 deny udp any 3.3.3.0 0.0.0.255 eq ntp log-input
40 deny udp any 4.4.4.0 0.0.0.255 eq ntp log-input
50 deny udp any 1.1.1.0 0.0.0.255 eq snmp log-input
60 deny udp any 2.2.2.0 0.0.0.255 eq snmp log-input
70 deny udp any 3.3.3.0 0.0.0.255 eq snmp log-input
90 deny udp any 4.4.4.0 0.0.0.255 eq snmp log-input
permit ip any any
Thanks so much for your help!
Best, ~zK
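An added example, not part of this thread and not Cisco code: a small Python model of how an IOS extended ACL is evaluated, written to check the two points Rick raised (deny udp <source> <destination> eq <port>, and wildcard masks rather than subnet masks) against zK's corrected ACL. It parses the ACE lines, matches a packet with first-match semantics plus the implicit deny, and lets you see the difference between 255.255.255.0 taken as a wildcard and the correct 0.0.0.255. The ACL text, the sample source address 198.51.100.7 and the named-port table are constructed for the demo; the table deliberately includes snmptrap (162) to show that "eq snmp" only covers UDP/161.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Named ports IOS accepts in place of numbers: only those this thread touches.
# snmptrap is included to show that "eq snmp" (161) does not also match 162.
NAMED_PORTS = {"ntp": 123, "snmp": 161, "snmptrap": 162}

# Constructed ACL: zK's corrected entries, trimmed to one prefix for the demo.
ACL_TEXT = """
ip access-list extended BLOCKED_INGRESS_Trfc
 10 deny udp any 1.1.1.0 0.0.0.255 eq ntp log-input
 50 deny udp any 1.1.1.0 0.0.0.255 eq snmp log-input
 permit ip any any
"""

# Constructed: the original post's line with the subnet mask, as IOS would read it
# (the second address field is always treated as a wildcard mask).
ORIGINAL_MASK_TEXT = """
 10 deny udp any 1.1.1.0 255.255.255.0 eq ntp log-input
 permit ip any any
"""


def mask_to_wildcard(mask: str) -> str:
    """Convert a subnet mask (255.255.255.0) to the IOS wildcard mask (0.0.0.255)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


@dataclass
class Ace:
    seq: Optional[int]
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "udp", "tcp", ...
    src: Tuple[int, int]        # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]        # destination port from "eq <port>", if any
    log: bool


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((addr, wildcard), next index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def _parse_port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def parse_acl(text):
    """Parse the ACE lines of a named extended ACL into Ace records, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "ip":          # skip the "ip access-list extended ..." header
            continue
        seq = int(t.pop(0)) if t[0].isdigit() else None
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = _parse_port(t[i + 1])
            i += 2
        log = "log" in t[i:] or "log-input" in t[i:]
        aces.append(Ace(seq, action, proto, src, dst, dport, log))
    return aces


def _wc_match(ip_int, spec):
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wildcard = spec
    return (ip_int ^ addr) & (0xFFFFFFFF ^ wildcard) == 0


def evaluate(aces, proto, src, dst, dport=None):
    """Return (action, seq) of the first matching ACE, or ('deny', None) for the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_wc_match(s, ace.src) and _wc_match(d, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for dport in (123, 161, 162):
        print(dport, evaluate(acl, "udp", "198.51.100.7", "1.1.1.50", dport))
```

Running it shows UDP/123 and UDP/161 to 1.1.1.50 hitting sequence 10 and 50, while UDP/162 (traps) falls through to permit ip any any; with the original 255.255.255.0 in the mask position, a packet to 1.1.1.50 is not matched at all, because that wildcard only pins the last octet to 0.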
10-26-2018 11:32 AM
zK
The revised ACL looks much better. I do not see issues with it now.
HTH
Rick
10-29-2018 07:08 AM
As always, thanks for your very helpful feedback.
Best, ~zK
11-02-2018 04:59 PM
zK
You are quite welcome. These communities are excellent places to learn more about networking. I hope to see you continue to be active in these communities.
HTH
Rick