NAT, Firewall, Security [ISR 886VA]

Exonix
Level 1

Hello,

I've got an email from our ISP that our router is in danger... They found that the router has the SNMP port open. After that I scanned our router and found more open ports: UDP 161, 123, 500 (that one is OK, the router does S2S).

Could you please check my configuration.
1) Is it OK, i.e. secured from external access?
2) Why are UDP ports 161 and 123 open?


sh run 
Building configuration... 

Current configuration : 8466 bytes 
! 
! Last configuration change at 11:16:15 UTC Tue Jan 29 2019 by admin 
! NVRAM config last updated at 11:17:21 UTC Tue Jan 29 2019 by admin 
! 
version 15.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
service password-encryption 
! 
hostname router.dyndns.org 
! 
boot-start-marker 
boot system flash:c800-universalk9-mz.SPA.154-3.M10.bin 
boot-end-marker 
! 
aqm-register-fnf 
! 
enable secret 5 00000000000000000000000 
! 
aaa new-model 
! 
aaa session-id common 
clock timezone UTC 2 0 
! 
ip flow-cache timeout active 1 
ip domain name domain.com 
ip ddns update method dyndns 
 HTTP 
  add http://user:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a> 
 interval maximum 1 0 0 0 
! 
ip cef 
no ipv6 cef 
! 
multilink bundle-name authenticated 
! 
cts logging verbose 
license udi pid C886VA-K9 sn FCZ2044B08C 
! 
username admin privilege 15 secret 5 00000000000000000000000000000 
! 
controller VDSL 0 
 firmware filename flash:VA_B_38V_d24m.bin 
! 
! 
class-map match-all Mikrotik-Dev 
 match access-group 102 
! 
policy-map Hosts 
 class Mikrotik-Dev 
! 
crypto isakmp policy 50 
 encr aes 256 
 authentication pre-share 
 group 5 
 lifetime 28800 
crypto isakmp key 00000000000 address XXX.XXX.XXX.XXX 
! 
! 
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac 
 mode tunnel 
! 
crypto map VPN-CM 10 ipsec-isakmp 
 description VPN to CITY Office 
 set peer XXX.XXX.XXX.XXX 
 set transform-set VPN-TS 
 set pfs group5 
 match address VPN2CITY 
! 
interface ATM0 
 no ip address 
 shutdown 
 no atm ilmi-keepalive 
! 
interface ATM0.1 point-to-point 
 pvc 1/32 
  pppoe-client dial-pool-number 1 
 ! 
! 
interface BRI0 
 no ip address 
 encapsulation hdlc 
 shutdown 
 isdn termination multidrop 
! 
interface Ethernet0 
 description WAN 
 no ip address 
 ip nbar protocol-discovery ipv4 
 service-policy input Hosts 
! 
interface Ethernet0.7 
 description VDSL VLAN 7 tagged 
 encapsulation dot1Q 7 
 pppoe enable group global 
 pppoe-client dial-pool-number 1 
! 
interface FastEthernet0 
 description Trunk 
 switchport mode trunk 
 no ip address 
! 
interface FastEthernet1 
 description WAN 
 switchport access vlan 4 
 no ip address 
 shutdown 
 duplex full 
! 
interface FastEthernet2 
 description DMZ 
 switchport access vlan 3 
 no ip address 
! 
interface FastEthernet3 
 description LAN 
 no ip address 
 duplex full 
! 
interface Vlan1 
 description LAN 
 ip address 10.254.1.1 255.255.255.0 
 ip mtu 1492 
 ip nbar protocol-discovery ipv4 
 ip flow ingress 
 ip nat inside 
 ip virtual-reassembly in max-reassemblies 64 
! 
interface Vlan2 
 description Guest WiFi 
 ip address 10.254.2.1 255.255.255.0 
 ip access-group 104 in 
 ip helper-address 10.254.1.13 
 ip nbar protocol-discovery ipv4 
 ip flow ingress 
 ip nat inside 
 ip virtual-reassembly in 
! 
interface Vlan401 
 description LAN 
 ip address 10.254.100.1 255.255.255.0 
 ip access-group 104 in 
 ip helper-address 10.254.1.13 
 ip mtu 1492 
 ip nbar protocol-discovery ipv4 
 ip flow ingress 
 ip nat inside 
 ip virtual-reassembly in max-reassemblies 64 
! 
interface Vlan402 
 description TEST 
 ip address 10.254.200.1 255.255.255.0 
 ip access-group 104 in 
 ip helper-address 10.254.1.13 
 ip mtu 1492 
 ip nbar protocol-discovery ipv4 
 ip flow ingress 
 ip nat inside 
 ip virtual-reassembly in max-reassemblies 64 
! 
interface Vlan403 
 description LAN 
 ip address 10.254.3.1 255.255.255.0 
 ip access-group 104 in 
 ip helper-address 10.254.1.13 
 ip mtu 1492 
 ip nbar protocol-discovery ipv4 
 ip flow ingress 
 ip nat inside 
 ip virtual-reassembly in max-reassemblies 64 
! 
interface Vlan404 
 description Guest WiFi 
 ip address 10.254.4.1 255.255.255.0 
 ip access-group 104 in 
 ip helper-address 10.254.1.13 
 ip mtu 1492 
 ip nbar protocol-discovery ipv4 
 ip flow ingress 
 ip nat inside 
 ip virtual-reassembly in max-reassemblies 64 
! 
interface Vlan405 
 description Corporate WiFi 
 ip address 10.254.5.1 255.255.255.0 
 ip access-group 104 in 
 ip helper-address 10.254.1.13 
 ip mtu 1492 
 ip nbar protocol-discovery ipv4 
 ip flow ingress 
 ip nat inside 
 ip virtual-reassembly in max-reassemblies 64 
! 
interface Vlan406 
 description DMZ 
 ip address 10.254.6.1 255.255.255.0 
 ip mtu 1492 
 ip nbar protocol-discovery ipv4 
 ip flow ingress 
 ip nat inside 
 ip virtual-reassembly in max-reassemblies 64 
! 
interface Dialer0 
 description VDSL TELEKOM 
 ip ddns update hostname router.dyndns.org 
 ip ddns update dyndns 
 ip address negotiated 
 no ip redirects 
 no ip unreachables 
 no ip proxy-arp 
 ip mtu 1492 
 ip nbar protocol-discovery ipv4 
 ip nat outside 
 ip virtual-reassembly in 
 encapsulation ppp 
 ip tcp adjust-mss 1452 
 load-interval 30 
 dialer pool 1 
 dialer-group 1 
 no keepalive 
 ppp authentication pap callin 
 ppp pap sent-username ------------------------@t-online.de password 7 ------------------------ 
 ppp ipcp dns request 
 ppp ipcp mask request 
 ppp ipcp route default 
 no cdp enable 
 crypto map VPN-CM 
! 
ip forward-protocol nd 
no ip http server 
no ip http secure-server 
! 
ip flow-export source Vlan1 
ip flow-export version 9 
ip flow-export destination 10.254.1.7 2055 
ip flow-top-talkers 
 top 10 
 sort-by bytes 
! 
ip nat translation tcp-timeout 14400 
ip nat inside source static tcp 10.254.1.56 8080 interface Dialer0 8080 
ip nat inside source static tcp 10.254.1.8 3389 interface Dialer0 3389 
ip nat inside source static udp 10.254.1.8 4500 interface Dialer0 4500 
ip nat inside source static udp 10.254.1.8 1701 interface Dialer0 1701 
ip nat inside source static tcp 10.254.2.23 8080 interface Dialer0 8081 
ip nat inside source list NAT interface Dialer0 overload 
ip route 10.254.10.0 255.255.255.0 10.254.1.4 
ip route 10.255.9.11 255.255.255.255 10.254.1.4 
ip route 172.66.0.0 255.255.255.0 10.254.1.4 
! 
ip access-list extended NAT 
 remark --- exclude S2S trafic --- 
 deny   ip 172.66.0.0 0.0.0.255 10.253.3.0 0.0.0.255 
 deny   ip 172.66.0.0 0.0.0.255 10.253.1.0 0.0.0.255 
 deny   ip 172.66.0.0 0.0.0.255 10.253.5.0 0.0.0.255 
 deny   ip 10.254.1.0 0.0.0.255 10.253.3.0 0.0.0.255 
 deny   ip 10.254.1.0 0.0.0.255 10.255.10.0 0.0.0.255 
 deny   ip 10.254.3.0 0.0.0.255 10.253.3.0 0.0.0.255 
 remark --- Office CITY2NAT --- 
 permit ip 10.254.1.0 0.0.0.255 any 
 permit ip 10.254.2.0 0.0.0.255 any 
 permit ip 10.254.3.0 0.0.0.255 any 
 permit ip 10.254.4.0 0.0.0.255 any 
 permit ip 10.254.5.0 0.0.0.255 any 
 deny   ip any any
ip access-list extended VPN2CITY 
 permit ip 10.254.1.0 0.0.0.255 10.253.3.0 0.0.0.255 
 permit ip 172.16.0.0 0.0.0.255 10.253.3.0 0.0.0.255 
 permit ip 172.16.0.0 0.0.0.255 10.253.1.0 0.0.0.255 
 permit ip 172.16.0.0 0.0.0.255 10.253.5.0 0.0.0.255 
! 
logging source-interface Vlan1 
logging host 10.254.1.7 
! 
snmp-server community ------------ RO 2 
snmp-server community ------------ RO 4
snmp-server location CITY2 
snmp-server contact HelpDesk 
access-list 2 permit 10.254.0.0 0.0.0.255
access-list 2 permit 10.254.1.0 0.0.0.255
access-list 2 deny   any
access-list 4 permit 10.254.0.0 0.0.0.255
access-list 4 permit 10.254.1.0 0.0.0.255
access-list 4 deny   any
access-list 22 permit 10.254.1.0 0.0.0.255 
access-list 102 permit tcp host YYY.YYY.YYY.YYY eq 8888 host CCC.CCC.CCC.CCC eq 8888 
access-list 102 deny   tcp any host YYY.YYY.YYY.YYY eq 8888 
access-list 102 permit ip any any 
access-list 104 permit udp host 10.254.1.13 eq bootps 10.254.2.0 0.0.0.255 eq bootps 
access-list 104 permit udp host 10.254.1.13 eq bootpc 10.254.2.0 0.0.0.255 eq bootpc 
access-list 104 permit udp host 10.254.1.13 eq bootps 10.254.4.0 0.0.0.255 eq bootps 
access-list 104 permit udp host 10.254.1.13 eq bootpc 10.254.4.0 0.0.0.255 eq bootpc 
access-list 104 permit udp host 10.254.1.13 eq bootps 10.254.5.0 0.0.0.255 eq bootps 
access-list 104 permit udp host 10.254.1.13 eq bootpc 10.254.5.0 0.0.0.255 eq bootpc 
access-list 104 deny   ip 10.254.4.0 0.0.0.255 10.254.1.0 0.0.0.255 
access-list 104 deny   ip 10.254.4.0 0.0.0.255 172.66.0.0 0.0.0.255 
access-list 104 deny   ip 10.254.2.0 0.0.0.255 10.254.1.0 0.0.0.255 
access-list 104 deny   ip 10.254.2.0 0.0.0.255 172.66.0.0 0.0.0.255 
access-list 104 permit ip any any 
! 
control-plane 
! 
mgcp behavior rsip-range tgcp-only 
mgcp behavior comedia-role none 
mgcp behavior comedia-check-media-src disable 
mgcp behavior comedia-sdp-force disable 
! 
mgcp profile default 
! 
 vstack 
! 
line con 0 
 password 7 00000000000000000000 
 no modem enable 
line aux 0 
line vty 0 4 
 access-class 22 in 
 exec-timeout 30 0 
 password 7 00000000000000000000 
 logging synchronous 
 transport input ssh 
line vty 5 189 
 exec-timeout 30 0 
 password 7 00000000000000000000 
 logging synchronous 
 transport input ssh 
! 
scheduler allocate 20000 1000 
ntp server 10.254.1.9 
!
end

Thank you in advance!
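Before looking at the replies, here is an added example (not from the thread, not Cisco's own tooling) that performs the kind of check the question asks for: it parses an IOS running-config into blocks and reports the exposure points discussed later in the thread, namely SNMP communities without an access-list, vty lines without an access-class, an `ip nat outside` interface with no inbound access-group, and an enabled HTTP server. The config text in the block is a constructed excerpt shaped like the posted `sh run`, with placeholder community strings; run against the posted config itself, the vty check would report `line vty 5 189`, which carries no `access-class`, while `line vty 0 4` does.

```python
"""Added example: small exposure audit of a Cisco IOS running-config.
Not code from the thread or from Cisco; the config below is a constructed
excerpt in the shape of the posted 'sh run' with placeholder secrets."""
import re

# Constructed excerpt (not the full posted dump); community strings are placeholders.
SAMPLE_CONFIG = """\
hostname router.dyndns.org
!
interface Vlan1
 ip address 10.254.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
 crypto map VPN-CM
!
no ip http server
no ip http secure-server
snmp-server community SECRET1 RO 2
snmp-server community SECRET2 RO 4
snmp-server community SECRET3 RO
access-list 2 permit 10.254.1.0 0.0.0.255
access-list 2 deny   any
access-list 4 permit 10.254.1.0 0.0.0.255
access-list 4 deny   any
access-list 22 permit 10.254.1.0 0.0.0.255
line vty 0 4
 access-class 22 in
 transport input ssh
line vty 5 189
 transport input ssh
ntp server 10.254.1.9
"""


def parse_blocks(config):
    """Split an IOS config into (header line, [indented child lines]) blocks.
    A bare '!' or blank line closes the current block."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = (line, [])
            blocks.append(current)
    return blocks


def audit(config):
    """Return a list of human-readable findings, in check order."""
    findings = []
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]

    # 1. SNMP community with no access-list: answers to any source that reaches UDP/161.
    for h in headers:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", h)
        if m and m.group(3) is None:
            findings.append(f"snmp community '{m.group(1)}' has no access-list")

    # 2. vty line with no access-class: management reachable from every interface.
    for h, children in blocks:
        if h.startswith("line vty") and not any(c.startswith("access-class") for c in children):
            findings.append(f"'{h}' has no access-class")

    # 3. NAT outside interface with no inbound access-group: nothing filters traffic
    #    aimed at router-owned services (SNMP, NTP) on the public address.
    for h, children in blocks:
        if h.startswith("interface") and "ip nat outside" in children:
            if not any(c.startswith("ip access-group") and c.endswith(" in") for c in children):
                findings.append(f"'{h}' is ip nat outside but has no inbound access-group")

    # 4. HTTP management server left enabled.
    if "ip http server" in headers:
        findings.append("ip http server is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The parser only understands the two-level indentation IOS uses for interface and line blocks, which is enough for these checks; nested sub-blocks (class-maps, crypto maps) are flattened into their parent.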


Jaderson Pessoa
VIP Alumni
Guy, your configuration is OK. Port 123 has been opened because you are setting an NTP server, and 161 because you are using SNMP.

But it's recommended to use SNMPv3 (more security). If that's not possible, you can use ACLs to maximize security.
About your NTP: if these ports weren't open to the world (Internet), you don't have a problem.

Your configuration: ntp server 10.254.1.9 <- it's an internal address (I think).
Jaderson Pessoa
*** Rate All Helpful Responses ***

Hello Jaderson,
thank you for your answer.


Yes, I use SNMP. But I limited SNMP with ACLs 2 and 4 for internal IPs only, didn't I? By the way, my scanner didn't use any community names, it just connected to port 161.


snmp-server community --------- RO 2
snmp-server community --------- RO 4
snmp-server location City
snmp-server contact HelpDesk
access-list 2 permit 10.254.0.0 0.0.0.255
access-list 2 permit 10.254.1.0 0.0.0.255
access-list 2 deny   any
access-list 4 permit 10.254.0.0 0.0.0.255
access-list 4 permit 10.254.1.0 0.0.0.255
access-list 4 deny   any

snmp-server community wewdwsd RO ?
<1-99>       Std IP accesslist allowing access with this community string

I configured the Cisco to use NTP server 10.254.1.9. Yes, this is an internal server, but why can I see this port on the external interface?

Could you please advise me an ACL to close undesired ports? Thank you!


yes, I use SNMP. But I limited SNMP with ACLs 2 and 4 for internal IPs only, didn't I? By the way, my scanner didn't use any community names, it just connected to 161 port.
R: Yes, you did it. :)

I configured Cisco to use NTP server 10.254.1.9. Yes, this is an internal server, but why I can see this port on the external interface?

R: If your router has a public ip address on any interface, it will be accessible from it.


Could you please advice me an ACL to close undesired ports? Thank you!

Check if the address is OK.

ip access-list extended SNMP_LAN
permit udp 10.254.0.0 0.0.0.255 x.x.x.x(IP OF YOUR SNMP SERVER) 0.0.0.0 eq snmp
permit udp x.x.x.x(IP OF YOUR SNMP SERVER) eq snmp 10.254.0.0 0.0.0.255


vlan access-map MAP-SNMP
match ip address SNMP_LAN
action forward
! vlan filter takes the access-map name, not the ACL name
vlan filter MAP-SNMP vlan-list 1,2,3,4,5-6 (YOUR VLANS)

It's for SNMP, but you can use it to block other things that you need, like NTP, FTP, TFTP, or something like that.

More information: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_vlanacls.pdf

Jaderson Pessoa
*** Rate All Helpful Responses ***

I'm sorry Jaderson, but the ISR 886VA doesn't have commands like vlan access-map:

#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
(config)#ip access-list extended SNMP_LAN
(config-ext-nacl)#$ 0.0.0.255 10.254.1.7 0.0.0.0 eq snmp
(config-ext-nacl)#$ 0.0.0.0 eq snmp 10.254.1.0 0.0.0.255
(config-ext-nacl)#exit
(config)#
(config)#
(config)#vlan access-map MAP_SNMP
                                             ^
% Invalid input detected at '^' marker.

(config)#vlan access-map ?
  <cr>

(config)#vlan acce?
WORD

(config)#vlan acce
(config)#vlan ?
  WORD        ISL VLAN IDs 1-4094
  accounting  VLAN accounting configuration
  dot1q       dot1q parameters
  group       Create a vlan group
  ifdescr     VLAN subinterface ifDescr
#sh version
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(3)M10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Wed 08-Aug-18 06:30 by prod_rel_team

ROM: System Bootstrap, Version 15.4(1r)T1, RELEASE SOFTWARE (fc1)

That's OK.

ip access-list extended SNMP_LAN
permit udp 10.254.0.0 0.0.0.255 x.x.x.x(IP OF YOUR SNMP SERVER) 0.0.0.0 eq snmp
permit udp x.x.x.x(IP OF YOUR SNMP SERVER) eq snmp 10.254.0.0 0.0.0.255
deny udp any eq snmp any
permit ip any any

Try to apply it on the WAN interface.

Jaderson Pessoa
*** Rate All Helpful Responses ***

Thank you Jaderson!

I applied this rule:


ip access-list extended FireWall
 deny   udp any any eq snmp
 deny   udp any any eq ntp
 permit ip any any

It works:

PORT    STATE         SERVICE VERSION 
123/tcp closed        ntp 
161/tcp closed        snmp 
123/udp open|filtered ntp 
161/udp open|filtered snmp

I have only one question: how does it work? I allow all traffic with the rule "permit ip any any", but at the same time the router is secured... Is it because of NAT?

Dear Exonix,
permit udp 10.254.0.0 0.0.0.255 x.x.x.x(IP OF YOUR SNMP SERVER) 0.0.0.0 eq snmp >> will allow SNMP from your SNMP server to your LAN.
permit udp x.x.x.x(IP OF YOUR SNMP SERVER) eq snmp 10.254.0.0 0.0.0.255 >> will allow SNMP from your LAN to your SNMP server.
deny udp any eq snmp any >> will block any other SNMP traffic.
permit ip any any >> allow any other traffic.

ACLs are read in the order they were applied. So, before allowing other traffic, SNMP will be blocked.

The NAT configuration on your router just translates your internal IPs to one or a pool of public IP addresses.

Jaderson Pessoa
*** Rate All Helpful Responses ***

Hello Jaderson,

My question isn't about the SNMP now.

My question is - I allow all traffic on WAN interface: permit ip any any - is it secure? Why?

Your WAN interface needs Internet access, right? The baseline of an ACL works like this:
If you don't allow any traffic, it will be blocked by default.
Only if you remove this command from your ACL (permit ip any any)
will any device in your network lose Internet access or anything else you need to reach on this interface.
Jaderson Pessoa
*** Rate All Helpful Responses ***

Would it be better to allow only established TCP and all UDP?

That would be a way, but if you want to control traffic on your network by ACL, it will demand a lot of time and your router's CPU usage will increase. But you can do it without problem.

Jaderson Pessoa
*** Rate All Helpful Responses ***
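The two points Jaderson makes above, that an ACL is evaluated top to bottom with an implicit deny at the end, and that an "established TCP plus all UDP" ACL is possible but shifts the filtering burden, can be checked without a router. The following added example (not Jaderson's, not the poster's, and not Cisco's code) is a first-match evaluator for extended IOS-style ACL lines. It feeds constructed packets through the poster's `FireWall` ACL, through the same three lines with `permit ip any any` moved to the top, through the accepted answer's `SNMP_LAN` lines with the server address `10.254.1.7` filled in (the address the poster typed in his CLI attempt), and through the established-TCP variant from the last question. The addresses `203.0.113.10`, `203.0.113.80` and `198.51.100.5` are constructed documentation-range values standing in for Internet hosts and the router's public address. One caveat the evaluator makes visible: in extended ACL syntax an `eq` placed right after the source matches the source port, so `deny udp any eq snmp any` only denies datagrams sent from port 161, and an inbound probe to port 161 falls through to the final permit; the poster's `deny udp any any eq snmp` is the destination-port form.

```python
"""Added example: first-match evaluator for extended IOS-style ACL lines.
Not code from the thread or from Cisco. Packet addresses below are constructed."""
import ipaddress
from dataclasses import dataclass

# Service names that appear on the page, mapped to port numbers.
PORT_NAMES = {"snmp": 161, "ntp": 123, "ssh": 22, "bootps": 67, "bootpc": 68}


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK or RST set, which is what IOS 'established' tests


def _net(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(t[i + 1]))
    prefix = 32 - wildcard.bit_length()          # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{t[i]}/{prefix}", strict=False), i + 2


def _port(t, i):
    """Parse an optional 'eq PORT' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return PORT_NAMES.get(p) or int(p), i + 2
    return None, i


def parse_ace(line):
    """Parse '<action> <proto> <src> [eq p] <dst> [eq p] [established]'."""
    t = line.split()
    src, i = _net(t, 2)
    sport, i = _port(t, i)          # an 'eq' right after the source is a SOURCE port
    dst, i = _net(t, i)
    dport, i = _port(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in t[i:]}


def evaluate(acl_lines, pkt):
    """First match wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for line in acl_lines:
        if not line.strip() or line.split()[0] == "remark":
            continue
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ace["src"]:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
            continue
        if ace["sport"] is not None and pkt.sport != ace["sport"]:
            continue
        if ace["dport"] is not None and pkt.dport != ace["dport"]:
            continue
        if ace["established"] and not pkt.ack:
            continue
        return ace["action"]
    return "deny"


SNMP_SERVER = "10.254.1.7"   # address the poster used in his CLI attempt

# The SNMP_LAN lines from the accepted answer, server address filled in.
THREAD_SNMP_ACL = [
    f"permit udp 10.254.1.0 0.0.0.255 host {SNMP_SERVER} eq snmp",
    f"permit udp host {SNMP_SERVER} eq snmp 10.254.1.0 0.0.0.255",
    "deny   udp any eq snmp any",
    "permit ip any any",
]
# The ACL the poster reported applying.
FIREWALL_ACL = ["deny   udp any any eq snmp", "deny   udp any any eq ntp", "permit ip any any"]
# The variant asked about in the last question: return TCP traffic plus all UDP.
ESTABLISHED_ACL = ["permit tcp any any established", "permit udp any any"]


def demo():
    """Constructed packets: 203.0.113.0/24 plays the Internet, 198.51.100.5 the router's public side."""
    inet_probe = Packet("udp", "203.0.113.10", "198.51.100.5", 40000, 161)
    lan_poll = Packet("udp", "10.254.1.50", SNMP_SERVER, 40000, 161)
    tcp_reply = Packet("tcp", "203.0.113.80", "198.51.100.5", 443, 51000, ack=True)
    tcp_syn = Packet("tcp", "203.0.113.10", "198.51.100.5", 51000, 3389)
    return {
        "inet_probe/SNMP_LAN": evaluate(THREAD_SNMP_ACL, inet_probe),      # source-port deny misses it
        "lan_poll/SNMP_LAN": evaluate(THREAD_SNMP_ACL, lan_poll),
        "inet_probe/FireWall": evaluate(FIREWALL_ACL, inet_probe),
        "inet_probe/FireWall_reordered": evaluate(FIREWALL_ACL[::-1], inet_probe),
        "tcp_reply/established": evaluate(ESTABLISHED_ACL, tcp_reply),
        "tcp_syn/established": evaluate(ESTABLISHED_ACL, tcp_syn),         # implicit deny
        "inet_probe/established": evaluate(ESTABLISHED_ACL, inet_probe),   # all UDP re-admits the probe
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

The last entry is the practical answer to the "established TCP only and all UDP" question: `permit udp any any` on its own re-admits the UDP/161 and UDP/123 probes, so the two `deny udp ... eq snmp/ntp` lines still need to precede it.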

Please, if possible, rate this as helpful too.

Thanks in advance.
Jaderson Pessoa
*** Rate All Helpful Responses ***