08-30-2010 01:25 PM - edited 03-04-2019 09:36 AM
I am trying to figure out how to block external inbound DNS queries on our 857 router. After doing a security scan for PCI compliance we keep getting a notice that UDP and TCP ports 53 are open from an external port scan. I have not found anything in my config that shows port 53 being open. I only need it to be blocked from the external interface but still need DNS to work properly from my inside network. Below is my current config:
Current configuration : 9907 bytes
!
! Last configuration change at 16:05:39 Chicago Fri Aug 27 2010
! NVRAM config last updated at 16:06:04 Chicago Fri Aug 27 2010
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 xxxxxxxxx
enable password 7 xxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-xxxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxxx
revocation-check none
rsakeypair TP-self-signed-xxxxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxxxxxx
certificate self-signed 02
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quit
dot11 syslog
!
dot11 ssid xxxxxxxxxxx
authentication open
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.49
!
ip dhcp pool XXX
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 192.168.100.1
!
!
ip cef
no ip bootp server
no ip domain lookup
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]
password encryption aes
!
!
username xxxxxx view root secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxx address 111.111.111.111 no-xauth
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto ipsec profile XYZ
set transform-set SDM_TRANSFORMSET_1
!
!
crypto map ABCD 1 ipsec-isakmp
set peer 111.111.111.111
set security-association lifetime seconds 28800
set transform-set SDM_TRANSFORMSET_1
match address 101
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
!
bridge irb
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxxxxxxxx transmit-key
encryption mode xxxxxx xxxxxxxxxx
ssid xxxxxxxxxxxxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address 222.222.222.222 255.255.255.0
ip access-group DNS in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxx@bellsouth.net
ppp chap password 7 091847311F513D1C3D
ppp pap sent-username xxxxxxxx@bellsouth.net password 7 xxxxxxxxxxxxx
crypto map ABCD
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
router rip
version 2
network 192.168.100.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http access-class 2
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit xxx.xxx.xxx.xxx 0.0.0.255
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit xxx.xxx.xxx.xxx 0.0.7.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit xxx.xxx.xxx.xxx 0.0.7.255
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 2 permit xxx.xxx.xxx.xxx 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.100.0 0.0.0.255 xxx.xxx.xxx.xxx 0.255.255.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.100.0 0.0.0.255 xxx.xxx.xxx.xxx 0.255.255.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.7.255 host 192.168.100.1 eq 22
access-list 103 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.1 eq 22
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host 192.168.100.1 eq 22
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host 192.168.100.1 eq 443
access-list 103 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.1 eq 443
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.7.255 host 192.168.100.1 eq 443
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.7.255 host 192.168.100.1 eq cmd
access-list 103 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.1 eq cmd
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host 192.168.100.1 eq cmd
access-list 103 deny tcp any host 192.168.100.1 eq telnet
access-list 103 deny tcp any host 192.168.100.1 eq 22
access-list 103 deny tcp any host 192.168.100.1 eq www
access-list 103 deny tcp any host 192.168.100.1 eq 443
access-list 103 deny tcp any host 192.168.100.1 eq cmd
access-list 103 deny udp any host 192.168.100.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip xxx.xxx.xxx.xxx 0.0.7.255 any
access-list 104 permit ip 192.168.100.0 0.0.0.255 any
access-list 104 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 105 remark SDM_ACL Category=128
access-list 105 permit ip host 255.255.255.255 any
access-list 105 permit ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip host xxx.xxx.xxx.xxx any
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip xxx.xxx.xxx.xxx 0.255.255.255 192.168.100.0 0.0.0.255
access-list 108 remark SDM_ACL Category=128
access-list 108 permit ip host 255.255.255.255 any
access-list 108 permit ip 127.0.0.0 0.255.255.255 any
access-list 108 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 109 remark SDM_ACL Category=128
access-list 109 permit ip host xxx.xxx.xxx.xxx any
access-list 110 remark SDM_ACL Category=0
access-list 110 permit ip xxx.xxx.xxx.xxx 0.255.255.255 192.168.100.0 0.0.0.255
access-list 111 remark SDM_ACL Category=128
access-list 111 permit ip host 255.255.255.255 any
access-list 111 permit ip 127.0.0.0 0.255.255.255 any
access-list 111 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 112 remark SDM_ACL Category=128
access-list 112 permit ip host xxx.xxx.xxx.xxx any
access-list 113 remark SDM_ACL Category=0
access-list 113 permit ip xxx.xxx.xxx.xxx 0.255.255.255 192.168.100.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CIf you have accessed this system unauthorized you MUST disconnect NOW.^C
!
line con 0
login authentication local_authen
no modem enable
line aux 0
login authentication local_authen
line vty 0 4
access-class 104 in
password 7 xxxxxxxxxxxx
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 192.43.244.18
end
Thanks for any help!
08-30-2010 05:39 PM
Hello,
I see that you have configured an access-group on the dialer interface but I
did not see any specific access-list entries. Please try the following:
ip access-list extended DNS
permit udp any eq 53 any
permit tcp any eq 53 any
permit tcp any any established
permit tcp any any ack
permit tcp any any psh
permit icmp any any echo-reply
deny ip any any
The first two lines will allow DNS replies from external servers to your
network. The next 3 lines will allow return TCP traffic into your network.
The last one (before the explicit deny) will allow any icmp traffic (ping
replies) back to the network. If you want to add any other rules, you can
add it before the explicit deny.
Hope this helps.
Regards,
NT
08-31-2010 08:00 AM
Thanks for the reply. After adding the commands you provided into the router it broke the connection across the VPN tunnel. Luckily this router is only about 2 miles from our office and I was able to drive over and remove the ACL to restore the connections across the VPN tunnel. Unfortunately I don't have a clue what I'm doing when it comes to ACLs.
Thanks for your help
08-31-2010 08:15 AM
Hello,
I am sorry, I did not notice the VPN part. If it is site-to-site VPN, you
can add another line in there:
ip access-list extended DNS
permit esp any any
permit udp any eq 500 any
permit udp any eq 4500 any
permit udp any eq 53 any
permit tcp any eq 53 any
permit tcp any any established
permit tcp any any ack
permit tcp any any psh
permit icmp any any echo-reply
deny ip any any
Hope this helps.
Regards,
NT
08-31-2010 12:52 PM
I'm using ip inspect rules at my home (851w model) instead of these 4 rules in the ACL, as in the suggested list:
permit tcp any any established
permit tcp any any ack
permit tcp any any psh
permit icmp any any echo-reply
There shouldn't be much difference in overall functionality or is there?
08-31-2010 01:44 PM
Hello,
You can certainly use the inspects. Functionally they are better than the
access-lists.
Regards,
NT
08-31-2010 01:52 PM
Thanks NT! Your additions to the ACL helped us pass our PCI security scan. Many thanks!!!
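Added example (not code from the thread, NT, or Cisco): a small Python evaluator for the subset of IOS extended-ACL syntax used in NT's accepted answer, plus an audit check for the mistake visible in the original config. The posted config has `ip dns server` enabled (so the router answers on UDP/TCP 53 on every interface) and `ip access-group DNS in` on Dialer0 referencing an ACL that is never defined; IOS treats a reference to a missing ACL as permit-all, which is why the external scan still saw port 53. The evaluator runs NT's final ACL over constructed inbound packets to show why a DNS query to the router is denied while a reply from the resolver (source port 53), ESP, IKE and ping replies are permitted. It also shows, for the `ip inspect` question, why the static `established`/`ack`/`psh` return-traffic lines are weaker than stateful inspection: any packet carrying the ACK bit is permitted whether or not an inside host ever sent a SYN. Assumptions: only `any` addresses are parsed (the posted ACL uses nothing else), `established` is modelled as ACK-or-RST as IOS defines it, and the packets and the config excerpt are constructed for the demo.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str                      # "udp", "tcp", "icmp" or "esp"
    sport: int = 0                  # source port (tcp/udp)
    dport: int = 0                  # destination port (tcp/udp)
    flags: frozenset = frozenset()  # tcp flags present, e.g. {"ack", "psh"}
    icmp_type: str = ""             # e.g. "echo-reply"


# NT's accepted ACL body, copied from the thread (the lines that follow
# "ip access-list extended DNS").
DNS_ACL = """\
permit esp any any
permit udp any eq 500 any
permit udp any eq 4500 any
permit udp any eq 53 any
permit tcp any eq 53 any
permit tcp any any established
permit tcp any any ack
permit tcp any any psh
permit icmp any any echo-reply
deny ip any any
"""


def parse_ace(line):
    """Parse one entry of the subset used in the thread:
    <permit|deny> <proto> any [eq P] any [eq P] [established|ack|psh|echo-reply].
    Assumption for this example: source and destination are always 'any'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    i, ports = 2, []
    for _ in range(2):              # source spec, then destination spec
        assert tok[i] == "any", "only 'any' addresses are supported here"
        i += 1
        if i < len(tok) and tok[i] == "eq":
            ports.append(int(tok[i + 1]))
            i += 2
        else:
            ports.append(None)
    qualifier = tok[i] if i < len(tok) else None
    return action, proto, ports[0], ports[1], qualifier


def ace_matches(ace, pkt):
    action, proto, sport, dport, qual = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if sport is not None and pkt.sport != sport:
        return False
    if dport is not None and pkt.dport != dport:
        return False
    if qual == "established":       # IOS semantics: ACK or RST bit set
        return bool(pkt.flags & {"ack", "rst"})
    if qual in ("ack", "psh"):
        return qual in pkt.flags
    if qual == "echo-reply":
        return pkt.icmp_type == "echo-reply"
    return True


def evaluate(acl_text, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"


def undefined_access_groups(config_text):
    """Audit check: ACL names used in 'ip access-group NAME in|out' that have
    no 'ip access-list ... NAME' or 'access-list NAME' definition. IOS treats
    such a reference as permit-all, which is what left port 53 reachable."""
    used = set(re.findall(r"^\s*ip access-group (\S+) (?:in|out)", config_text, re.M))
    defined = set(re.findall(r"^\s*ip access-list (?:standard|extended) (\S+)", config_text, re.M))
    defined |= set(re.findall(r"^\s*access-list (\S+) ", config_text, re.M))
    return sorted(used - defined)


# Constructed excerpt mirroring the poster's config: Dialer0 references DNS,
# BVI1 references 103, but only 103 is actually defined.
SAMPLE_CONFIG = """\
interface Dialer0
 ip access-group DNS in
interface BVI1
 ip access-group 103 in
access-list 103 permit ip any any
"""


def demo():
    """Verdicts for constructed packets arriving inbound on the outside
    interface, keyed by a short label."""
    cases = {
        "external DNS query to router (udp dst 53)": Packet("udp", 40000, 53),
        "DNS reply from resolver (udp src 53)": Packet("udp", 53, 40000),
        "external TCP SYN to port 53": Packet("tcp", 40000, 53, frozenset({"syn"})),
        "IPsec ESP from VPN peer": Packet("esp"),
        "IKE from VPN peer (udp 500)": Packet("udp", 500, 500),
        "SYN-ACK reply from web server": Packet("tcp", 443, 50000, frozenset({"syn", "ack"})),
        "unsolicited ACK-only packet": Packet("tcp", 40000, 5000, frozenset({"ack"})),
        "ping reply": Packet("icmp", icmp_type="echo-reply"),
    }
    return {label: evaluate(DNS_ACL, p) for label, p in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:6} {label}")
    print("ACLs referenced but never defined:", undefined_access_groups(SAMPLE_CONFIG))
```

Running it prints "deny" for the query to port 53 and for the SYN to port 53, "permit" for the resolver reply, ESP, IKE, the SYN-ACK and the ping reply, and reports `DNS` as the undefined ACL. The "unsolicited ACK-only packet" also comes back "permit", which is the gap that `ip inspect` (stateful inspection keyed on outbound sessions) closes and the reason NT calls the inspects functionally better.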