Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1183
Views
15
Helpful
3
Replies

PPPOE and ACL

b2kzone-beniamin
Level 1
Level 1

‎11-05-2020 09:59 PM

hy,

 

I have a intranet that is base on a 1x router 2611xm, 1x switch 2950, the net is ok, it's working but my problem half security, 1/2 pppoe conection and 1/2 inter-vlan routing

 

I will paste the config from router here to talk direct on.

 

Building configuration...

Current configuration : 5608 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1-ALFA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 10
enable secret 5 *********************
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
no ip bootp server
login block-for 180 attempts 3 within 180
!
multilink bundle-name authenticated
!
!
username *************** password 7 ****************
archive
log config
hidekeys
!
!
!
!
ip ssh port ****** rotary ****
!
!
!
interface FastEthernet0/0
description The interface that talk with ISP
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 12
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description The interface that let you to play inside
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1.19
description The vlan from devices like printes (static)
encapsulation dot1Q 19
ip address 172.31.245.145 255.255.255.240
no cdp enable
!
interface FastEthernet0/1.29
description The vlan for something I don't know
encapsulation dot1Q 29
ip address 172.16.0.1 255.255.255.240
no cdp enable
!
interface FastEthernet0/1.55
description The vlan for play on net
encapsulation dot1Q 55
ip address 172.16.30.161 255.255.255.240
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface Dialer12
ip address negotiated
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 12
dialer idle-timeout 0
dialer persistent
dialer-group 12
no cdp enable
ppp authentication pap callin
ppp pap sent-username *********** password 7 **********
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!
ip forward-protocol nd
!
!
no ip http server
ip http secure-server
ip dns server
ip nat inside source list 15 interface Dialer12 overload
!

!

!

!
ip access-list extended fohSSH
deny tcp any any eq 22
permit tcp any any eq *****
!
access-list 15 permit 172.16.30.160 0.0.0.15
dialer-list 12 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
!
banner motd ^CIf you're not the Admin get out!!^C
!
line con 0
exec-timeout 180 0
login authentication local_auth
line aux 0
login authentication local_auth
line vty 0 4
access-class fohSSH in
rotary ****
transport input ssh
line vty 5 9
access-class fohSSH in
rotary 12
transport input ssh
line vty 10
access-class fohSSH in
login authentication local_auth
rotary 12
transport input ssh
line vty 11 15
access-class fohSSH in
rotary 12
transport input ssh
!
!
end

 

 

 

So this is the config of the router, Now I want to add a layer of security (I don't have firewall, so I use what i have a router :)) ) now I want to add few acl rules.

 

The goal is:

--> to don't let outside(the external internet) to can scan, access, sent packets on the ports like 23,22,161, etc

--> private ips from outside to enter in router

--> to block ports from inside to outside

--> to block all other ports

--> where to set future acl on a dialer, subinterfaces or on interfaces directly (first I tried on the dialer after that I was unanable to access the internet)

 

 

If you have others ideas I can't wait to hear...

 

I made some rules hope are ok, I will paste down

 

ip access-list extended NotAllowIpsToBeUseed
remark those ip are use to Block Spoof/Malicious packets
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.0.255.255 any

!

!

!
ip access-list extended NotAllowToInside
remark this ACL don't allow to access well know ports to attack the internal network
deny tcp any any eq echo
deny tcp any any eq discard
deny tcp any any eq daytime
deny tcp any any eq chargen
deny tcp any any eq telnet
deny tcp any any eq finger
deny tcp any any eq 3389
deny tcp any any eq 161
deny tcp any any eq www
deny tcp any any eq 37
deny tcp any any eq 69
deny tcp any any eq ftp-data
deny tcp any any eq ftp
permit tcp any 172.16.30.160 0.0.0.15 eq 443

 

 

Thanks,

Labels:
0 Helpful
3 Replies 3

Georg Pauwen
VIP
VIP

‎11-05-2020 11:04 PM

Hello,

 

basically, you can consolidate everything into one access list and apply that outbound to the dialer interface. The important part is the last line, which should allow Internet access:

 

ip access-list extended PROTECT_ACL
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.0.255.255 any
deny tcp any any eq echo
deny tcp any any eq discard
deny tcp any any eq daytime
deny tcp any any eq chargen
deny tcp any any eq telnet
deny tcp any any eq finger
deny tcp any any eq 3389
deny tcp any any eq 161
deny tcp any any eq www
deny tcp any any eq 37
deny tcp any any eq 69
deny tcp any any eq ftp-data
deny tcp any any eq ftp
--> permit ip 172.16.30.160 0.0.0.15 any
!
interface Dialer12
--> ip access-group PROTECT_ACL out

paul driver
VIP
VIP

‎11-06-2020 01:43 AM - edited ‎11-07-2020 01:44 PM

Hello

@b2kzone-beniamin wrote:

Now I want to add a layer of security (I don't have firewall, so I use what i have a router

Two possible security features if supported my assist here-
CBAC or ZBFW, Attached are examples of both.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Preview file
2 KB

MHM Cisco World
VIP
VIP

‎11-06-2020 06:40 AM

there are three sub interface for your LAN

there is one dialer interface

 

for all must config the dialer list with permit any 

you can config ACL out the dialer interface 

 

you can config ACL in on each on your three LAN sub interface

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card