Solved: Hello, - Page 2

julijan.klancnik · ‎05-12-2016

Hello,

I am trying to create ACL on Cisco router which will allow all traffic from inside to internet and only allow specific traffic from internet to inside.

This is what I've configured and puted on Router's interface connected to ISP:

    10 permit icmp any any (411 matches)
    20 permit tcp "my public IP" any eq 3389 (46400 matches)
    30 permit tcp "my public IP" any eq 22 (9185 matches)
    40 permit ip "my public IP" any (3207 matches)
    50 permit tcp any any eq smtp (11 matches)
    60 permit tcp any any eq www (56 matches)
    70 permit tcp any any eq 443 (29 matches)
    80 permit tcp any any eq domain (5 matches)
    81 permit udp any any eq domain (7 matches)
    82 permit udp any eq domain any (10564 matches)
    83 permit tcp any eq domain any (10 matches)
    90 permit udp any any eq ntp (13317 matches)
    95 permit tcp 192.168.0.0 0.0.0.255 any

Interface Dialer 1

ip Access-group 101 IN

So I can connect from my public IP to Customer's LAN via RDP and SSH (which is o.k.), but Customer's users can not Access Internet (which is not o.k.)!

Users are all in the same Vlan. Between Vlan interface and Outside interface (dialer 1) is PAT.

There are no other ALC on the router exept the one for PAT.

What am I missing here?

Thanks.

tyrone.donnelly · ‎06-06-2016

Great, thank you mate!

Karsten Iwen · ‎05-13-2016

I would remove the access-group from dialer1; you will not be exposing the inside unnecessarily.

I wouldn't do it that way. There should always be a restrictive ACL configured.

First, NAT is not meant to protect the internal network. Although a good NAT implementation can help, it's the wrong tool for the right job. That is the job of a firewall. (You could also hammer a nail into the wall with an electric drill, but it's better to use the tool that was designed for the needed task).

And without an ACL you still expose the router itself to the outside world with all potential vulnerabilities. Again, the restrictive ACL makes sure to only expose the services you need.

Karsten Iwen · ‎05-12-2016

What kind of router do you have? If you can run a firewall feature set, it would make the configuration much easier.

If supported, you could use the following config:

ip inspect name FW ftp
ip inspect name FW dns
ip inspect name FW icmp router-traffic
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic

ip access-list ext OUTSIDE-IN
 deny ip any any

interface dialer 1
 ip inspect FW out
 ip access-group OUTSIDE-IN in

This config looks at (inspects) all traffic leaving to the ISP and automatically allows the return traffic. All other traffic is blocked.

julijan.klancnik · ‎05-12-2016

Hello Karsten,

I also need to allow RDP, SSH from outside (from my company) to Customer's LAN.

Can I adjust ACL Outside-in like this:

ip access-list ext OUTSIDE-IN

permit tcp "my public IP" any eq 3389
permit tcp "my public IP" any eq 22

deny ip any any

Thnx, J

Karsten Iwen · ‎05-12-2016

yes, you add all additionally needed service above the deny-rule. But typically you would also need a static translation which you don't have? I wonder why it was working ...

julijan.klancnik · ‎05-12-2016

o.k.

If you are talking about NAT, I do have configuration for that.

J

Karsten Iwen · ‎05-12-2016

ok, just thought that the below mentioned NAT-config was all that you have.

julijan.klancnik · ‎05-12-2016

I have some static NAT statements for RDP.... just didn't post them...

I Will try with your suggestion, probablly I Will wait for replay from Seb (below) if he will have any other idea.

For sure, I will post the result.

Thank you,

J

julijan.klancnik · ‎05-13-2016

Hello,

this is what I've configured:

ip inspect name FW dns
ip inspect name FW icmp router-traffic
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic

I've create ACL:

access-list 101 permit icmp any any
access-list 101 permit tcp "my public IP" any eq 3389
access-list 101 permit tcp "my public IP" any eq 22
access-list 101 permit udp any any eq ntp
access-list 101 deny ip any any

And configured Dialer 1:

ip access-group 101 in

ip inspect FW out

That's it. It is working. And I probably do not need "permit udp any any eq ntp" in ACL, because in FW rule is "ip inspect name FW udp router-traffic" ?

J

Karsten Iwen · ‎05-13-2016

And I probably do not need "permit udp any any eq ntp" in ACL, because in FW rule is "ip inspect name FW udp router-traffic" ?

If this rule is meant to let NTP-answers back to the router, then yes, the inspection will take care of that.

julijan.klancnik · ‎05-13-2016

I am not sure I get it right. I use public NTP servers and my router is syncing with them. So do I need :

access-list 101 permit udp any any eq ntp

or not?

Thanks,

Karsten Iwen · ‎05-13-2016

No, you don't need that line. The NTP-request is sent out and gets inspected by the router. The NTP-answer matches a "state-entry" that the router has build by the inspection. Based on this state-entry the NTP-answer is allowed. The ACL is only used when new connections arrive at the public interface, that is the incoming SSH and RDP in your case.

julijan.klancnik · ‎05-13-2016

Thanks, I understand.

Your advices were (are) really Helpfull.

J

ACL on Cisco router - Block traffic from outside, allow all from inside

Interface Dialer 1

ip Access-group 101 IN

I would remove the access-group from dialer1; you will not be exposing the inside unnecessarily.

And I probably do not need "permit udp any any eq ntp" in ACL, because in FW rule is "ip inspect name FW udp router-traffic" ?