CISCO ASR1001-X Isolate PPPoE Clients from scanning IPs and finding themselves on the network

x-websolucoes
Level 1

Hiya

I am currently providing assistance services to a small ISP provider in my region.

They currently have clients connected via PPPoE.

So they are testing the Cisco router on PPPoE ATM, and they have found some concerning issues.

They have set up a virtual network for PPPoE and tested 3 clients connected over PPPoE; with IP scanning tools on the client side, they can scan the entire network and see all the other connected IPs.

That's a security concern; how can I block this from happening in the RADIUS config?

Is there a solution?

I have tried creating an access list with an IP range and a deny option, but it's not blocking the specific IP network; instead it blocks all network IPs.

I have also tried closing access to the SSH port, because it's open and visible to all network ranges inside the Cisco router. I would like to make this port open only in the management internet IP LAN area; how can I do that as well?

I have tried the following:

access-list 101 permit udp any any
access-list 101 deny icmp any any

With the network IPs, it either blocks all the networks at the same time, or completely opens access on all the other networks.

Any help is appreciated.

Thanks

3 Replies

Philip D'Ath
VIP Alumni

I don't think a service provider should be blocking this. But something like this should probably do it:

access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply
access-list 101 permit ip any any

Hi Philip

Thanks for your reply.

Actually, I have explained it wrong.

I have a PPPoE server using FreeRADIUS; that PPPoE server sends the information to the Cisco device, to a specific network.

My problem is the following:

I have the PPPoE IP address list configured in FreeRADIUS; everything works fine and PPPoE clients connect OK, but I can ping each other IP on the same IP list from PPPoE, which is not the main problem.

My main problem is that I want to disable the SSH port that is enabled. I can SSH from one client IP to another.

Somehow the RADIUS connection allows SSH passthrough. Disabling port 22 (SSH) on a specific interface in the Cisco router I have tested, and it works great; I can block it in the access list.

I can even configure just one specific IP to connect via SSH to other IPs on the same network.

But whilst inside the PPPoE FreeRADIUS IP list, if I set the parameters in the access list, it blocks all ports on all IPs inside the PPPoE IP list range.

If I disable the access list, I can connect via SSH to all the devices.

My idea is the following: set up a physical network port or virtual network on the Cisco router as a management IP network, only accessible internally, and allow this network IP block to connect via SSH to all the devices connected on the FreeRADIUS PPPoE server.

And block all the PPPoE clients connected inside the same IP range from seeing each other, blocking the network connection between them.

Example:

PPPoE FreeRADIUS connected IP range: 172.25.0.0/24

Management interface IP range: 174.25.0.0/24

Create a FreeRADIUS access list to allow the SSH port from all devices in 172.25.0.0/24 only from the inbound IP range 174.25.0.0/24.

And create a FreeRADIUS access list to block any IP host outside the 174.25.0.0/24 IP range from connecting via SSH.

At the same time, I would like to bridge the PPPoE client connections so they could not scan each other with IP scanner software, to avoid them finding the neighbouring PPPoE clients' IPs.

Not sure I am making sense of what I am actually talking about, but so far I have found nothing similar in either the FreeRADIUS community or the Cisco community.

Anyway, I appreciate your comment and help.

Hello,

What does your FreeRADIUS config look like?

On your Cisco, you should have this:

aaa authorization network default radius

ip access-list extended 101
 deny tcp any any eq 22
 permit ip any any

ip access-list extended 102
 deny tcp any any eq 22
 permit ip any any

And FreeRADIUS should refer to the access lists (in the users file, reply attributes after the first line are indented and separated by commas):

foo Auth-Type := System
    Framed-Filter-Id += "101.in",
    Framed-Filter-Id += "102.out",
    Fall-Through = Yes
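As an added example (not from this reply or from the original poster), here is a router-side configuration that matches the ranges given in the thread and separates the two directions of the per-session ACLs: 101.in filters what a subscriber sends, 102.out filters what is delivered to it. It assumes 172.25.0.1 is the router's unnumbered address on the Virtual-Template, 174.25.0.0/24 is the management LAN, and ACL names are pushed by RADIUS exactly as "101.in" and "102.out".

```cisco
! Added example, not the thread's own config. Assumptions: subscribers get
! 172.25.0.0/24 from FreeRADIUS, 172.25.0.1 is the router's unnumbered
! address on the Virtual-Template, 174.25.0.0/24 is the management LAN.
!
! 1) The router's own SSH (VTY) reachable only from the management LAN
ip access-list standard MGMT-ONLY
 permit 174.25.0.0 0.0.0.255
 deny   any
line vty 0 4
 transport input ssh
 access-class MGMT-ONLY in
!
! 2) Per-session ACLs selected by RADIUS Filter-Id "101.in" / "102.out".
!    101.in  = packets FROM the subscriber (inbound on its Virtual-Access)
!    102.out = packets TOWARD the subscriber (outbound on its Virtual-Access)
!
! 101.in: the subscriber may reach its gateway and answer management SSH
! sessions, but may not reach other subscribers or the management LAN.
! ACLs are stateless, so "established" lets SSH replies flow back.
access-list 101 permit ip any host 172.25.0.1
access-list 101 permit tcp any eq 22 174.25.0.0 0.0.0.255 established
access-list 101 deny   ip any 172.25.0.0 0.0.0.255
access-list 101 deny   ip any 174.25.0.0 0.0.0.255
access-list 101 permit ip any any
!
! 102.out: SSH toward the subscriber only from the management LAN;
! everything else (Internet traffic) is still delivered.
access-list 102 permit tcp 174.25.0.0 0.0.0.255 any eq 22
access-list 102 deny   tcp any any eq 22
access-list 102 permit ip any any
!
! 3) Let RADIUS authorize the session attributes (including Filter-Id)
aaa authorization network default group radius
!
! Verify on a live session that the ACLs were attached:
!   show ip interface virtual-access 1 | include access list
```

Because 101.in denies everything destined to 172.25.0.0/24 except the gateway, the earlier attempt of denying the whole range without a destination also blocked Internet traffic; scoping the deny to the subscriber and management destinations keeps the session usable.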
