11-10-2015 02:06 PM - edited 03-05-2019 02:43 AM
Hello,
I have a question which pertains directly to access lists. I have a 3925 edge router and would like to block an external DDoS attack (attacking via port 123 [ntp]) to a specific server within our environment. All ntp attempts (dozens of attempts/second) to this particular server have been blocked on our ASA, however, to take a load off of our ASA, I would like to block it one hop closer to the source.
I added the following to our edge router:
11-10-2015 08:26 PM
Hello,
Did you publish your server by NAT on the 3925? Is 10.12.135.20 the private address of the NTP server? If so, you need to block traffic by its public address because an inbound ACL applies before NAT. Your ACL should be like this:
45 deny udp any host [public ip of NTP server] eq ntp
As Jon mentioned, ACL 45 needs to be applied inbound on the public interface of the 3945.
Remember to allow other traffic.
Masoud
11-10-2015 02:11 PM
Either -
"deny udp host 10.12.135.20 any eq 123"
or
"deny udp 10.12.135.20 0.0.0.0 any eq 123"
the host version is the more common.
You were trying to use a subnet mask whereas acls use wildcards.
Jon
11-10-2015 03:35 PM
The two you suggested did not work:
45 deny udp host 10.12.135.20 any eq ntp (NOTHING BLOCKED FROM OUTSIDE)
47 deny udp 10.12.135.20 0.0.0.0 any eq 123 (NOTHING BLOCKED FROM OUTSIDE)
I see the thousands of requests hitting our ASA (blocked there) after trying both of these.
Again, the one I tried worked (below):
45 deny udp 10.12.135.20 255.255.255.255 any eq 123
...but shows up like this (below), which I believe blocks all ntp ingress traffic:
45 deny udp any any eq ntp (776970 matches)
11-10-2015 03:39 PM
Your acl only matches because you entered it incorrectly so it translated it as any any.
Is the server 10.12.135.20 ?
If so it should be -
deny udp any 10.12.135.20 eq 123
and applied inbound on the interface of the router facing the internet.
Jon
11-11-2015 07:41 AM
This was it. For some reason I was so focused on the internal ip that I forgot completely about the public ip it was natted to.
Thank you Masoud!
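As an added illustration (not code from any poster in this thread), the following Python models Cisco wildcard-mask matching and evaluates the access-list entries discussed above against constructed inbound packets, showing why 255.255.255.255 turned into "any", why a host entry on the private address never matches pre-NAT traffic, and why the public-address entry drops only the flood. The public NAT address 198.51.100.20 and the flood source 203.0.113.7 are placeholders from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed example: Cisco wildcard-mask semantics and pre-NAT evaluation of an
# inbound ACL on the outside interface. 198.51.100.20 stands in for the (unknown)
# public NAT address of the NTP server; 203.0.113.7 is a constructed flood source.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match the base, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def ace_matches(ace: dict, pkt: dict) -> bool:
    """Evaluate one 'deny udp <src> <dst> eq <port>' entry against a packet."""
    return (pkt["proto"] == ace["proto"]
            and wildcard_match(pkt["src"], *ace["src"])
            and wildcard_match(pkt["dst"], *ace["dst"])
            and pkt["dport"] == ace["dport"])

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': every bit wildcarded
def host(ip: str) -> tuple:            # 'host x': no bits wildcarded
    return (ip, "0.0.0.0")

NTP_SERVER_PRIVATE = "10.12.135.20"
NTP_SERVER_PUBLIC = "198.51.100.20"    # placeholder for the NAT address

# The ACEs discussed in the thread, as an inbound ACL on the outside interface
# sees them: the destination is still the public address because NAT runs later.
ACES = {
    "original":   {"proto": "udp", "src": ("10.12.135.20", "255.255.255.255"), "dst": ANY, "dport": 123},
    "jon_first":  {"proto": "udp", "src": host(NTP_SERVER_PRIVATE), "dst": ANY, "dport": 123},
    "jon_second": {"proto": "udp", "src": ANY, "dst": host(NTP_SERVER_PRIVATE), "dport": 123},
    "masoud":     {"proto": "udp", "src": ANY, "dst": host(NTP_SERVER_PUBLIC), "dport": 123},
}

# Constructed inbound packets: the flood toward the NTP server, and an unrelated
# NTP query toward another public host behind the router that must not be dropped.
FLOOD = {"proto": "udp", "src": "203.0.113.7", "dst": NTP_SERVER_PUBLIC, "dport": 123}
OTHER = {"proto": "udp", "src": "203.0.113.7", "dst": "198.51.100.99", "dport": 123}

def evaluate() -> dict:
    """Return {ace_name: (drops_flood, drops_unrelated_ntp)} for each candidate ACE."""
    return {n: (ace_matches(a, FLOOD), ace_matches(a, OTHER)) for n, a in ACES.items()}

if __name__ == "__main__":
    for name, (flood, other) in evaluate().items():
        print(f"{name:11s} drops flood={flood!s:5s} drops unrelated NTP={other}")
```

Only the entry on the public address yields (True, False): it drops the flood while leaving other inbound NTP alone, which is the behaviour the thread settled on.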
11-11-2015 07:43 AM
Glad it worked.
Masoud
11-11-2015 11:21 AM
Masoud
Good spot, deserves a rating.
I was assuming that IP was being used to avoid having to post the real IP, but I should have checked!
Jon
11-11-2015 02:00 PM
Thanks Jon
You are a valuable member of this community.
Masoud
11-10-2015 10:35 PM
> The two you suggested did not work:
> 45 deny udp host 10.12.135.20 any eq ntp (NOTHING BLOCKED FROM OUTSIDE)
> 47 deny udp 10.12.135.20 0.0.0.0 any eq 123 (NOTHING BLOCKED FROM OUTSIDE)
> I see the thousands of requests hitting our ASA (blocked there) after trying both of these.
> Again, the one I tried worked (below):
> 45 deny udp 10.12.135.20 255.255.255.255 any eq 123
> ...but shows up like this (below), which I believe blocks all ntp ingress traffic:
> 45 deny udp any any eq ntp (776970 matches)
Hello,
You need to consider both of the pointers highlighted by Jon and Masoud. As this traffic is coming from the internet, the ACL always has to be applied in the inbound direction on your router.
deny udp any host 10.12.135.20 eq 123
Also, this server would be NATed to the internet for time sync, so you may be required to change the server's private address to the public one.
Hope it Helps..
-GI
Rate if it Helps..