cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
441
Views
5
Helpful
7
Replies
Beginner

Recommended Access List On Dialer

Hi all.

I am not very good at security and I would like your help.

I have a Cisco 800 series router with a dialer (vdsl) and for this example it has let's say an IP: 60.60.60.60.

I have only one subnet (VLAN) for the lan and they only need surfing to the net.

I also have a simple site to site vpn with "crypto ipsec" and "crypto isakmp" with another site that has Cisco Router and/or Cisco ASA.

 

Can someone please type a recommended access-list that I can put in the dialer for ingress traffic in order to secure the network without blocking the site to site vpn???

Everyone's tags (3)
7 REPLIES 7
VIP Mentor

Re: Recommended Access List On Dialer

Hello,

 

typically, an anti spoofing access list applied inbound on the Dialer interface is sufficient. Your private site to site traffic is encrypted anyway.

That said, make sure your tunnel IP addresses are not blocked. Better to post the config of your 800 router...

 

access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 permit ip any any

!

interface Dialer1

ip access-group 101 in

 

Highlighted
Beginner

Re: Recommended Access List On Dialer

Hi my friend. This is my configuration.


*********************************************************************************************************

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
ip dhcp pool DATA
network 10.0.145.0 255.255.255.0
 default-router 10.0.145.1
 dns-server 8.8.8.8
!
ip name-server 8.8.8.8
!
controller VDSL 0
no cdp run
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key xxxxxx address 70.70.70.70
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 70.70.70.70
 set transform-set TSET
 match address VPN-TRAFFIC
!
!
interface Ethernet0.835
 encapsulation dot1Q 835
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 10.0.145.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 description ***VDSL Connection***
 ip address negotiated
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxxxxx
 ppp chap password 0 xxxxxx
 ppp pap sent-username xxxxxxx password 0 xxxxxx
 no cdp enable
 crypto map CMAP
!
!
!
ip nat inside source list NAT-TRAFFIC interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended NAT-TRAFFIC
 deny   ip 10.0.145.0 0.0.0.255 10.0.100.0.0 0.0.0.255
 permit ip 10.0.145.0 0.0.0.255 any
 deny   ip any any
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.145.0 0.0.0.255 10.0.100.0 0.0.0.255
 deny   ip any any
!
!
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport input ssh

*********************************************************************************************************

 

So you are saying that with the bellow access-list 101 you wrote I will be OK?

access-list 101 deny ip 0.0.0.0 0.255.255.255 any log                     <=0.0.0.0/8 Is this right??
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log                 <=127.0.0.0/8
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log                 <=172.16.0.0/12
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log                 <=192.168.0.0/8
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log               <=224.0.0.0/4
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 permit ip any any

 

 

What about subnet 10.0.0.0/8 ??

If I want to deny also Pings to my public IP ??

Is there anything else that I should put in the ACL 101 ??

I don't have a firewall in front of my router so it must be a little bit strict and work as a kind of a firewall.

 

Thank you in advance!!

VIP Mentor

Re: Recommended Access List On Dialer

Hello,

 

I have amended the access lists to deny pings and also to allow traffic between your 10.0.100.0 and 10.0.145.0 subnets:

 

access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 permit ip 10.0.145.0 0.0.0.255 10.0.100.0.0 0.0.0.255
access-list 101 permit ip 10.0.100.0 0.0.0.255 10.0.145.0.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 permit ip any any

Hall of Fame Master

Re: Recommended Access List On Dialer

The situation of the original poster is challenging. He wants to protect his network and does not have any firewall or other security device other than his router. I thought about the approach that is suggested in the original post (permit web browsing (HTTP and HTTPS) and permit the vpn traffic (ISAKMP is udp 500 and 4500 and esp which is the ip protocol for ipsec encrypted traffic) and deny every thing else) and quickly realized that this approach is flawed. For example in this approach DNS would not work. I suspect that there are some other services that his network needs which could be impacted by this approach. Then I thought about his follow up which was to deny ping. And I thought that perhaps we could come up with other things that they probably do not want coming into their network from the Internet. Probably they do not want incoming telnet or SSH, or SNMP, or what else?

 

HTH

 

Rick

Beginner

Re: Recommended Access List On Dialer

Unfortunately we don't have a Firewall for the time being so this is the only thing we can do.
If you can provide us your opinion by agreeing or not with Georg Pauwen please go ahead.
Or if you have something else to add...
Thank you!
Hall of Fame Master

Re: Recommended Access List On Dialer

There are two basic approaches to building an access list that will be applied on an interface that provides connectivity to outside:

1) deny things that you know you do not want and then permit everything else.

2) permit things that you know you do want and then deny everything else.

The first approach has less chance that it will have negative impact on your network but security is not as tight. The second approach is a bit more secure but does have the possibility that you may not correctly identify all the things that you need and therefore as you implement it some things will break and you will have to revise your access list each time you encounter one of these. 

 

You need to decide which approach you want to use and then we can help you with the details of how to do it. The access list suggested by Georg uses the first approach which is probably easier and will be less likely to break network functionality. Probably it is more appropriate for someone who has limited skills in network security. But if you want really tight network security then perhaps you want the second approach and will need to think carefully about what you need to permit. (And if you want really tight network security then you need to think about whether an access list on a router is good enough - probably you want something that does stateful inspection like a firewall to provide that really tight security.)

 

HTH

 

Rick

Beginner

Re: Recommended Access List On Dialer

Georg Pauwen thank you.
This router is used only for Web browsing without restrictions and for remote access to internal devices through Site to Site VPN.
If you think there are any additional ACLs that we can put in order to protect the inbound attacks please tell me.
CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards