07-10-2018 08:34 AM - edited 03-10-2019 01:03 AM
Hello,
This should be a simple question. I am trying to create an extended ACL to deny NTP and SNMP traffic inbound (coming from the outside/public to the inside/private). There is an existing extended ACL, which denies several IP blocks (deny ip 0.0.0.0 0.255.255.255 any log-input, deny ip 10.0.0.0 0.255.255.255 any log-input, deny ip 1deny ip 127.0.0.0 0.255.255.255 any log-input, ....etc). However, our pen test came back showing that NTP and SNMP traffic to some addresses (public IP addresses assigned to some internal services) were accessible.
Would creating an extended ACL denying NTP and SNMP ports do the trick?
Thanks in advance.
~zK
Solved!
07-11-2018 04:11 AM
Assuming the e0/1 interface is the one connecting to the internet, the a, b & c hosts are the internet NTP servers and y.y.y.y is the router, I believe it should look like:
!
!
ip access-list extended ALLOW_NTP_IN
 ! #### Allow NTP from the internet time servers (source port NTP)
 permit udp host a.a.a.a eq ntp host y.y.y.y
 permit udp host b.b.b.b eq ntp host y.y.y.y
 permit udp host c.c.c.c eq ntp host y.y.y.y
 ! #### Deny all other NTP from internet (source port NTP)
 deny udp any eq ntp any
 ! #### Deny anything to NTP (addresses the pen test findings)
 deny udp any any eq ntp
 ! #### Permit all else (extended ACL entries need a protocol keyword)
 permit ip any any
!
!
interface e0/1
 ip access-group ALLOW_NTP_IN in
!
!
This is because the internet NTP servers should be responding to NTP requests, so the source port from them would be 123 (NTP), then block any other packets coming in with source port NTP, then deny anything with destination port NTP to address the penetration test findings, then allow everything else.
Hope that makes sense and works for you.
Regards
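To see why the entry order above matters, here is an added example (not code from the thread or from Cisco) that evaluates IOS-style extended ACL entries first-match, with an implicit deny at the end, and runs the original proposal and the accepted version against two constructed packets. All addresses are placeholders from RFC 5737 documentation space standing in for a.a.a.a, b.b.b.b, c.c.c.c and y.y.y.y.

```python
# Added example, not from the thread: a first-match evaluator for the IOS-style
# extended ACL entries discussed above, used to compare the original proposal
# (destination port only) with the accepted ordering. All addresses are
# constructed placeholders from RFC 5737 documentation space.
from dataclasses import dataclass
from typing import Optional

NTP = 123

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: str               # host address or "any"
    sport: Optional[int]   # source port, None means any
    dst: str
    dport: Optional[int]   # destination port, None means any

    def matches(self, src, sport, dst, dport):
        return ((self.src == "any" or self.src == src)
                and (self.sport is None or self.sport == sport)
                and (self.dst == "any" or self.dst == dst)
                and (self.dport is None or self.dport == dport))

def evaluate(acl, src, sport, dst, dport):
    """Action of the first matching entry; IOS ends every ACL with an implicit deny."""
    for ace in acl:
        if ace.matches(src, sport, dst, dport):
            return ace.action
    return "deny"

ROUTER = "198.51.100.1"                                    # y.y.y.y
SERVICE = "198.51.100.20"                                  # another public address from the pen test
TIME_SERVERS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]  # a.a.a.a, b.b.b.b, c.c.c.c

# Original proposal: destination port only, and NTP denied only towards the router.
ORIGINAL = [Ace("permit", s, None, ROUTER, NTP) for s in TIME_SERVERS] + [
    Ace("deny", "any", None, ROUTER, NTP),
    Ace("permit", "any", None, "any", None),
]

# Accepted answer: permit replies from the known servers (source port 123), deny any
# other packet with source port 123, then deny anything addressed to port 123.
ACCEPTED = [Ace("permit", s, NTP, ROUTER, None) for s in TIME_SERVERS] + [
    Ace("deny", "any", NTP, "any", None),
    Ace("deny", "any", None, "any", NTP),
    Ace("permit", "any", None, "any", None),
]

# Constructed packets: a legitimate reply (IOS queries from port 123) and an outside probe.
REPLY = ("192.0.2.10", NTP, ROUTER, NTP)
PROBE = ("203.0.113.7", 40000, SERVICE, NTP)
```

Running `evaluate(ORIGINAL, *PROBE)` returns "permit" while `evaluate(ACCEPTED, *PROBE)` returns "deny", which is the gap the pen test reported. The evaluator checks only what a stateless ACL checks, so it cannot tell a genuine time-server reply from any other packet carrying the same source address and source port.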
07-10-2018 12:14 PM
Yes that would be one possible solution.
There are multiple ways to skin a cat. If you know the ports on the internal servers that should be accessible from the Internet, you could allow just those and deny all else too.
In the end it all depends on what's easier to manage.
Regards
07-10-2018 02:31 PM - edited 07-10-2018 03:11 PM
Thanks!
I need to allow just some NTP servers to access the edge router (3 specific IP addresses). The router is ASR1001-X. I was thinking about creating a simple extended ACL to permit only those public NTP servers through UDP port 123 and deny/block any UDP 123 traffic ingress. Is this the correct way of creating the ACL?
ip access-list extended ALLOW_NTP_IN
 permit udp host a.a.a.a host y.y.y.y eq ntp
 permit udp host b.b.b.b host y.y.y.y eq ntp
 permit udp host c.c.c.c host y.y.y.y eq ntp
 deny udp any host y.y.y.y eq ntp
 permit ip any any
interface e0/1
 ip access-group ALLOW_NTP_IN in
Thanks, ~zK
07-11-2018 03:14 PM
@chrihussey, thank you, sir!
Yes, you're correct in your assumption.
That makes total sense.
Thanks, again.
Best, ~zK