cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1534
Views
0
Helpful
9
Replies

Access List Basics - Help!

spacetrance
Level 1
Level 1

I am having issues locking down a network. I have a SR520 internet facing router.

Requirments:

Network has internal Exchange server with OWA running / DC and internal DNS / RRAS for VPN.

They also are using PPTP services on Windows Server.

They have business line app that runs over ports 15430 and 15431 via a VPN connection.

Need to deny ouside traffic coming into network except for internal intiatied traffic and above items.

I enabled below access list but had to disable it. After enabling below I couldn't resolve dns queries.

List is being applied to WAN interface filtering incoming traffic.

ip access-list extended WAN-FACING-INCOMING

deny tcp any 7x.xx.xx.40 0.0.0.7 eq 3389

permit tcp any 7x.xx.xx.40 0.0.0.7 eq www

permit tcp any 7x.xx.xx.40 0.0.0.7 eq 443

permit tcp any 7x.xx.xx.40 0.0.0.7 eq 1723

permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15430

permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15431

permit gre any 7x.xx.xx.40 0.0.0.7

permit tcp any 7x.xx.xx.40 0.0.0.7 established

Any suggestions on other ports/ips to open up or access-list order.

9 Replies 9

Edison Ortiz
Hall of Fame
Hall of Fame

DNS uses UDP 53 and I don't see that port allowed in the list..

DNS also uses TCP in some cases.

ip access-list extended WAN-FACING-INCOMING

deny tcp any 7x.xx.xx.40 0.0.0.7 eq 3389

permit tcp any 7x.xx.xx.40 0.0.0.7 eq 53

permit udp any 7x.xx.xx.40 0.0.0.7 eq 53

permit tcp any 7x.xx.xx.40 0.0.0.7 eq www

permit tcp any 7x.xx.xx.40 0.0.0.7 eq 443

permit tcp any 7x.xx.xx.40 0.0.0.7 eq 1723

permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15430

permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15431

permit gre any 7x.xx.xx.40 0.0.0.7

permit tcp any 7x.xx.xx.40 0.0.0.7 established

I did some research and came up with a list of other things that should be blocked to decrease vuneralabilites such as network mapping, DOS attacks and other items.

I created a list from: http://www.sans.org/reading_room/whitepapers/networkdevs/easy-steps-cisco-extended-access-list_231

That includes to following lines:

deny ip 0.0.0.0 0.255.255.255 any

deny ip 10.0.0.0 0.255.255.255 any

deny ip 127.0.0.0 0.255.255.255 any

deny ip 169.254.0.0 0.0.255.255 any

deny ip 172.16.0.0 15.0.255.255 any

deny ip 192.0.2.0 0.0.0.255 any

deny ip 224.0.0.0 15.255.255.255 any

deny ip 240.0.0.0 7.255.255.255 any

deny ip 248.0.0.0 7.255.255.255 any

deny ip 255.255.255.255 0.0.0.0 any

deny tcp any any eq 6669

deny tcp any any eq 2222

deny tcp any any eq 7000

deny tcp any any eq 16959

deny tcp any any eq 27374

deny tcp any any eq 6711

deny tcp any any eq 6712

deny tcp any any eq 6776

deny tcp any any eq 16660

deny tcp any any eq 65000

deny tcp any any eq 27665

deny udp any any eq 31335

deny udp any any eq 27444

deny tcp any any eq 33270

deny tcp any any eq 39168

deny icmp any any echo

Any thoughts?

A 'permit ip any any' should be added at the end.

There are other things you should consider while hardening the IOS device.

A comprehensive list can be found at:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Regards,

Edison

therefore, i think the combined list wuld be:

ip access-list extended WAN-FACING-INCOMING

! Prevent incoming connetions from non routable networks

deny ip 0.0.0.0 0.255.255.255 any

deny ip 10.0.0.0 0.255.255.255 any

deny ip 127.0.0.0 0.255.255.255 any

deny ip 169.254.0.0 0.0.255.255 any

deny ip 172.16.0.0 15.0.255.255 any

deny ip 192.0.2.0 0.0.0.255 any

deny ip 224.0.0.0 15.255.255.255 any

deny ip 240.0.0.0 7.255.255.255 any

deny ip 248.0.0.0 7.255.255.255 any

deny ip 255.255.255.255 0.0.0.0 any

! prevent incoming from well known exploits

deny tcp any any eq 6669

deny tcp any any eq 2222

deny tcp any any eq 7000

deny tcp any any eq 16959

deny tcp any any eq 27374

deny tcp any any eq 6711

deny tcp any any eq 6712

deny tcp any any eq 6776

deny tcp any any eq 16660

deny tcp any any eq 65000

deny tcp any any eq 27665

deny udp any any eq 31335

deny udp any any eq 27444

deny tcp any any eq 33270

deny tcp any any eq 39168

deny icmp any any echo

! Prevent direct RDP and ping maps or floods

deny tcp any 7x.xx.xx.40 0.0.0.7 eq 3389

deny icmp any any echo-reply

deny icmp any any echo

! Allow DNS/OWA/PPTP Connections

permit tcp any 7x.xx.xx.40 0.0.0.7 eq 53

permit udp any 7x.xx.xx.40 0.0.0.7 eq 53

permit tcp any 7x.xx.xx.40 0.0.0.7 eq www

permit tcp any 7x.xx.xx.40 0.0.0.7 eq 443

permit tcp any 7x.xx.xx.40 0.0.0.7 eq 1723

permit gre any 7x.xx.xx.40 0.0.0.7

! Allow business application connections from specific networks to internal ip and specific ports

permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15430

permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15431

! Allow established tcp connentions to come back in

permit tcp any 7x.xx.xx.40 0.0.0.7 established

! Allow anyone on outside to come inside

permit ip any any

Since I have to implement this remotely I am obviously cautious that I would break my remote access which runs off of 443/80. Anyone see any other things that have been overlooked???

deny icmp any any echo-reply

deny icmp any any echo

! Allow DNS/OWA/PPTP Connections

permit tcp any 7x.xx.xx.40 0.0.0.7 eq 53

permit udp any 7x.xx.xx.40 0.0.0.7 eq 53

permit tcp any 7x.xx.xx.40 0.0.0.7 eq www

permit tcp any 7x.xx.xx.40 0.0.0.7 eq 443

permit tcp any 7x.xx.xx.40 0.0.0.7 eq 1723

permit gre any 7x.xx.xx.40 0.0.0.7

! Allow business application connections from specific networks to internal ip and specific ports

permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15430

permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15431

! Allow established tcp connentions to come back in

permit tcp any 7x.xx.xx.40 0.0.0.7 established

! Allow anyone on outside to come inside

permit ip any any


The last entry 'permit ip any any' will cover all the permits you've listed above.

The deny icmp any any echo is already implemented, no need to do it twice.

You don't want to disable echo-reply since you want to be able to ping from inside-to-outside.

Ok so by adding the permit ip any any I am essentially opening all incoming ports/ips that were not explicitly denied earlier in the list.

This seems insecure, what I want to do is close all incoming ports except for the ones permitted and established traffic.

I believe you are protecting what needs protection. I'm assuming your internal devices have non-routable addresses and you only NAT what's necessary and mostly use PAT, right?

If you don't add permit ip any any at the end you are going to lock yourself out.

I digress...

Maybe reflexive ACL is what you are really after?

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#reflexacl

spacetrance
Level 1
Level 1

The server is nat'd 1 to 1 ie static nat so there is a security concern there

Sent from Cisco Technical Support iPhone App

Review Cisco Networking for a $25 gift card