06-24-2005 05:58 AM - edited 03-03-2019 09:53 AM
I have 3 circuits coming in to 3 WICs. These 3 circuits are in a multilink PPP group assigned to an MLPPP interface. I have an inbound ACL on the 3 individual serial interfaces as well as the MLPPP interface. The problem is that the ACL does not seem to be functioning - some nmap probes are getting past the ACL. Should the ACL be applied to all the interfaces or just the multilink or just the serials? This is driving me nuts. Any help would be appreciated.
Thanks...
06-24-2005 06:04 AM
I am assuming that you have configured an IP address on the multilink interface and no IP addresses on the individual serial interfaces. In which case it is logical that you need the ACL on the multilink interface and not on the serial interfaces.
If some packets are not being caught by the ACL (and if the ACL is properly applied to the correct interface) then you probably should look into the logical construction of the ACL and see where it misses something.
Are you sure that the nmap probes are arriving on the serial/multilink interface?
HTH
Rick
06-24-2005 06:17 AM
Correct - the ml interface is addressed but not the individual serials. When I do a tracert it does hit the ml ip address as last hop.
The ACL looks OK to me. Here is the relevant part:
remark filter special addr (RFC 3330)
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
remark filter private addr space (RFC 1918)
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark filter public range as source
deny ip xx.152.112.0 0.0.15.255 any
remark permit ping to serial int
permit icmp any host xx.172.74.14 echo
permit icmp any host xx.81.185.154 echo
remark allow bgp routes
permit tcp host xx.172.74.13 eq bgp host xx.172.74.14
permit tcp host xx.81.185.153 eq bgp host xx.81.185.154
remark filter all ip traffic to interfaces
deny ip any host xx.172.74.14 log
deny ip any host xx.81.185.154 log
deny ip any host xx.130.200.1 log
deny ip any host xx.130.200.3 log
deny ip any host xx.130.200.4 log
deny ip any host xx.152.112.4 log
deny ip any host xx.152.112.5 log
deny ip any host xx.152.112.6 log
remark filter problem services
deny tcp any any eq 1434 log
deny udp any any eq 1434 log
deny tcp any any eq irc log
deny udp any any eq 194 log
deny tcp any any eq 1214 log
deny udp any any eq 1214 log
deny tcp any any eq 369 log
deny udp any any eq 369 log
deny tcp any any eq 530 log
deny udp any any eq 530 log
deny tcp any any range 137 139 log
deny udp any any range netbios-ns netbios-ss log
deny tcp any any eq 445 log
deny udp any any eq 445 log
remark allow anything not already denied
permit ip any any
The part that seems to be hosed is the section "filter all ip traffic to interfaces".
Thanks
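As an added example (not the poster's configuration and not a Cisco tool): a small Python evaluator for Cisco named-ACL entries with first-match semantics, which shows which line a given probe hits and catches a subnet mask written where a wildcard mask belongs. The addresses and entries are constructed stand-ins for the thread's "xx." prefixes.

```python
# Added example: evaluate Cisco named-ACL entries with first-match semantics to
# see which line a probe hits. Sample addresses are constructed, not the poster's.
import ipaddress
PORT_NAMES = {"bgp": 179, "irc": 194, "netbios-ns": 137, "netbios-ss": 139}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 1 bit means 'don't care'; 0.0.0.0 is an exact host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_spec(toks):
    """'any' | 'host A' | 'A WILDCARD' -> ((base, wildcard), remaining tokens)."""
    if toks[0] == "any": return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host": return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_ports(toks):
    """Optional 'eq P' or 'range A B' -> ((lo, hi) or None, remaining tokens)."""
    p = lambda t: PORT_NAMES.get(t) or int(t)
    if toks and toks[0] == "eq": return (p(toks[1]), p(toks[1])), toks[2:]
    if toks and toks[0] == "range": return (p(toks[1]), p(toks[2])), toks[3:]
    return None, toks

def parse_entry(line):
    """One ACE -> (action, proto, src, sports, dst, dports); None for remarks."""
    toks = line.split()
    if not toks or toks[0] == "remark":
        return None
    src, rest = parse_spec(toks[2:])
    sports, rest = parse_ports(rest)
    dst, rest = parse_spec(rest)
    dports, _ = parse_ports(rest)  # trailing 'echo' / 'log' keywords are ignored
    return toks[0], toks[1], src, sports, dst, dports

in_range = lambda rng, v: rng is None or (v is not None and rng[0] <= v <= rng[1])

def first_match(acl, proto, src, dst, sport=None, dport=None):
    """Return (1-based line number, action) of the first matching entry."""
    for n, line in enumerate(acl, 1):
        e = parse_entry(line)
        if e is None or e[1] not in ("ip", proto):
            continue
        if (wildcard_match(src, *e[2]) and in_range(e[3], sport)
                and wildcard_match(dst, *e[4]) and in_range(e[5], dport)):
            return n, e[0]
    return None, "deny"  # implicit deny at the end of every ACL

# Constructed entries in the shape of the posted ACL. ACL_WRONG uses a subnet
# mask where a wildcard belongs, so it only matches sources ending in .0.
ACL_WRONG = ["deny ip 198.51.100.0 255.255.255.0 any", "permit ip any any"]
ACL_RIGHT = ["deny ip 198.51.100.0 0.0.0.255 any", "deny tcp any any eq 1434 log",
             "deny ip any host 192.0.2.1 log", "permit ip any any"]
```

Running each probe through first_match reports the line that decides it, so an entry that never fires (or fires on the wrong addresses) stands out before the list is applied to the multilink interface.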
06-24-2005 06:34 AM
I have looked through the ACL and do not see any particular problems. Knowing whether it is really doing the right things requires knowledge of the particular situation which only you have. In particular I did look at the section filter all ip traffic to interfaces. It lists 8 specific hosts to which all traffic will be denied. In what way do you feel that this might be hosed up?
Your original question mentioned some concern that nmap probes were getting through. There is not anything particular in this ACL to deal with nmap probes, and indeed an ACL is not a very effective way to deal with nmap probes. Is there anything else to make you believe that the ACL is not accomplishing what it should?
HTH
Rick
06-24-2005 07:59 AM
The 8 specific hosts are the ethernet interfaces of the router, none of which should be reachable from the internet. Somehow the udp and tcp scans are getting past that portion of the ACL.
Basically I am trying to minimize my exposure on the internet to the bare minimum needed for operation.