03-27-2012 12:11 PM - edited 03-04-2019 03:49 PM
I am having issues locking down a network. I have an SR520 internet-facing router.
Requirements:
Network has an internal Exchange server with OWA running / DC and internal DNS / RRAS for VPN.
They also are using PPTP services on Windows Server.
They have a line-of-business app that runs over ports 15430 and 15431 via a VPN connection.
Need to deny outside traffic coming into the network except for internally initiated traffic and the above items.
I enabled the access list below but had to disable it. After enabling it I couldn't resolve DNS queries.
The list is applied to the WAN interface filtering incoming traffic.
ip access-list extended WAN-FACING-INCOMING
deny tcp any 7x.xx.xx.40 0.0.0.7 eq 3389
permit tcp any 7x.xx.xx.40 0.0.0.7 eq www
permit tcp any 7x.xx.xx.40 0.0.0.7 eq 443
permit tcp any 7x.xx.xx.40 0.0.0.7 eq 1723
permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15430
permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15431
permit gre any 7x.xx.xx.40 0.0.0.7
permit tcp any 7x.xx.xx.40 0.0.0.7 established
Any suggestions on other ports/IPs to open up, or on access-list order?
03-27-2012 02:11 PM
DNS uses UDP 53, and I don't see that port allowed in the list.
03-27-2012 02:36 PM
DNS also uses TCP in some cases.
03-28-2012 07:01 AM
ip access-list extended WAN-FACING-INCOMING
deny tcp any 7x.xx.xx.40 0.0.0.7 eq 3389
permit tcp any 7x.xx.xx.40 0.0.0.7 eq 53
permit udp any 7x.xx.xx.40 0.0.0.7 eq 53
permit tcp any 7x.xx.xx.40 0.0.0.7 eq www
permit tcp any 7x.xx.xx.40 0.0.0.7 eq 443
permit tcp any 7x.xx.xx.40 0.0.0.7 eq 1723
permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15430
permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15431
permit gre any 7x.xx.xx.40 0.0.0.7
permit tcp any 7x.xx.xx.40 0.0.0.7 established
I did some research and came up with a list of other things that should be blocked to decrease vulnerabilities such as network mapping, DoS attacks and other items.
I created a list from: http://www.sans.org/reading_room/whitepapers/networkdevs/easy-steps-cisco-extended-access-list_231
It includes the following lines:
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 7.255.255.255 any
deny ip 248.0.0.0 7.255.255.255 any
deny ip 255.255.255.255 0.0.0.0 any
deny tcp any any eq 6669
deny tcp any any eq 2222
deny tcp any any eq 7000
deny tcp any any eq 16959
deny tcp any any eq 27374
deny tcp any any eq 6711
deny tcp any any eq 6712
deny tcp any any eq 6776
deny tcp any any eq 16660
deny tcp any any eq 65000
deny tcp any any eq 27665
deny udp any any eq 31335
deny udp any any eq 27444
deny tcp any any eq 33270
deny tcp any any eq 39168
deny icmp any any echo
Any thoughts?
03-28-2012 07:34 AM
A 'permit ip any any' should be added at the end.
There are other things you should consider while hardening the IOS device.
A comprehensive list can be found at:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Regards,
Edison
03-28-2012 08:09 AM
Therefore, I think the combined list would be:
ip access-list extended WAN-FACING-INCOMING
! Prevent incoming connections from non-routable networks
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 7.255.255.255 any
deny ip 248.0.0.0 7.255.255.255 any
deny ip 255.255.255.255 0.0.0.0 any
! prevent incoming from well known exploits
deny tcp any any eq 6669
deny tcp any any eq 2222
deny tcp any any eq 7000
deny tcp any any eq 16959
deny tcp any any eq 27374
deny tcp any any eq 6711
deny tcp any any eq 6712
deny tcp any any eq 6776
deny tcp any any eq 16660
deny tcp any any eq 65000
deny tcp any any eq 27665
deny udp any any eq 31335
deny udp any any eq 27444
deny tcp any any eq 33270
deny tcp any any eq 39168
deny icmp any any echo
! Prevent direct RDP and ping maps or floods
deny tcp any 7x.xx.xx.40 0.0.0.7 eq 3389
deny icmp any any echo-reply
deny icmp any any echo
! Allow DNS/OWA/PPTP Connections
permit tcp any 7x.xx.xx.40 0.0.0.7 eq 53
permit udp any 7x.xx.xx.40 0.0.0.7 eq 53
permit tcp any 7x.xx.xx.40 0.0.0.7 eq www
permit tcp any 7x.xx.xx.40 0.0.0.7 eq 443
permit tcp any 7x.xx.xx.40 0.0.0.7 eq 1723
permit gre any 7x.xx.xx.40 0.0.0.7
! Allow business application connections from specific networks to internal ip and specific ports
permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15430
permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15431
! Allow established TCP connections to come back in
permit tcp any 7x.xx.xx.40 0.0.0.7 established
! Allow anyone on outside to come inside
permit ip any any
Since I have to implement this remotely, I am obviously cautious that I would break my remote access, which runs over 443/80. Does anyone see anything else that has been overlooked?
03-28-2012 08:36 AM
deny icmp any any echo-reply
deny icmp any any echo
! Allow DNS/OWA/PPTP Connections
permit tcp any 7x.xx.xx.40 0.0.0.7 eq 53
permit udp any 7x.xx.xx.40 0.0.0.7 eq 53
permit tcp any 7x.xx.xx.40 0.0.0.7 eq www
permit tcp any 7x.xx.xx.40 0.0.0.7 eq 443
permit tcp any 7x.xx.xx.40 0.0.0.7 eq 1723
permit gre any 7x.xx.xx.40 0.0.0.7
! Allow business application connections from specific networks to internal ip and specific ports
permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15430
permit tcp host 9x.xx.xx.4 host 192.168.2.251 eq 15431
! Allow established TCP connections to come back in
permit tcp any 7x.xx.xx.40 0.0.0.7 established
! Allow anyone on outside to come inside
permit ip any any
The last entry 'permit ip any any' will cover all the permits you've listed above.
The deny icmp any any echo is already implemented, no need to do it twice.
You don't want to disable echo-reply since you want to be able to ping from inside-to-outside.
03-28-2012 09:45 AM
OK, so by adding the permit ip any any I am essentially opening all incoming ports/IPs that were not explicitly denied earlier in the list.
This seems insecure. What I want to do is close all incoming ports except for the ones permitted and established traffic.
03-28-2012 12:39 PM
I believe you are protecting what needs protection. I'm assuming your internal devices have non-routable addresses and you only NAT what's necessary and mostly use PAT, right?
If you don't add permit ip any any at the end you are going to lock yourself out.
I digress...
Maybe reflexive ACL is what you are really after?
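The following is an added example, not configuration posted in this thread or shipped by Cisco for the SR520. It shows what the reflexive-ACL approach suggested above looks like when applied to the requirements in the original post: the published services are permitted explicitly, return traffic for sessions that started on the inside is admitted through an `evaluate` entry instead of `established`, and everything else (unsolicited RDP, ICMP echo, any port the list does not name) falls to the implicit deny at the end of every IOS ACL, so no `permit ip any any` is needed. The interface name FastEthernet4, the address 7x.xx.xx.42 as the public static-NAT address of 192.168.2.251, and the reflexive list name RETURN-TRAFFIC are assumptions, not values from the thread; 7x.xx.xx.40/29 and 9x.xx.xx.4 are taken from the original post as written. Note that an inbound ACL on the WAN interface is evaluated before NAT translates the destination, so the business-app entries must match the server's public address rather than 192.168.2.251.

```cisco
! Added example (not from the thread): stateful WAN inbound filter using
! reflexive ACLs on an IOS router. Assumed placeholders:
!   FastEthernet4  = WAN interface
!   7x.xx.xx.40/29 = public block from the thread (wildcard 0.0.0.7)
!   7x.xx.xx.42    = assumed public static-NAT address of 192.168.2.251
!   9x.xx.xx.4     = business-app partner host from the thread
!
! Outbound list: sessions leaving the WAN interface create mirror entries
! in the temporary list RETURN-TRAFFIC, which the inbound list evaluates.
ip access-list extended WAN-FACING-OUTGOING
 permit tcp any any reflect RETURN-TRAFFIC timeout 300
 permit udp any any reflect RETURN-TRAFFIC timeout 60
 permit icmp any any reflect RETURN-TRAFFIC timeout 30
 permit ip any any
!
! Inbound list: bogon denies, then published services, then reflected
! return traffic, then the implicit deny (no "permit ip any any").
ip access-list extended WAN-FACING-INCOMING
 remark -- Drop packets with non-routable or reserved source addresses
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 remark -- Published services: DNS, OWA, PPTP control channel and GRE data
 permit tcp any 7x.xx.xx.40 0.0.0.7 eq 53
 permit udp any 7x.xx.xx.40 0.0.0.7 eq 53
 permit tcp any 7x.xx.xx.40 0.0.0.7 eq www
 permit tcp any 7x.xx.xx.40 0.0.0.7 eq 443
 permit tcp any 7x.xx.xx.40 0.0.0.7 eq 1723
 permit gre any 7x.xx.xx.40 0.0.0.7
 remark -- Business app from the partner host only. The inbound ACL is
 remark -- checked before NAT, so match the PUBLIC address (assumed .42),
 remark -- not the inside address 192.168.2.251
 permit tcp host 9x.xx.xx.4 host 7x.xx.xx.42 eq 15430
 permit tcp host 9x.xx.xx.4 host 7x.xx.xx.42 eq 15431
 remark -- Return traffic for sessions started from inside
 evaluate RETURN-TRAFFIC
 remark -- Optional: make the implicit deny visible in the log
 deny   ip any any log
!
interface FastEthernet4
 ip access-group WAN-FACING-INCOMING in
 ip access-group WAN-FACING-OUTGOING out
```

Two practical caveats. Outbound ACLs are not applied to packets the router itself originates, so reflexive entries are never created for the router's own sessions (its DNS lookups, NTP, and so on); either permit those replies explicitly or move to CBAC (`ip inspect`) or zone-based firewall, which the SR520's IOS firewall feature set also supports. And because this is being applied remotely, issue `reload in 10` before binding the lists to the interface and `reload cancel` once a fresh HTTPS session to the router still works; a mistake then costs a reboot rather than a site visit.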
03-29-2012 03:36 PM
The server is NAT'd 1-to-1, i.e. static NAT, so there is a security concern there.