Recommended Access List On Dialer

silvakizir
Level 1

Hi all.

I am not very good at security and I would like your help.

I have a Cisco 800 series router with a dialer (vdsl) and for this example it has let's say an IP: 60.60.60.60.

I have only one subnet (VLAN) for the lan and they only need surfing to the net.

I also have a simple site to site vpn with "crypto ipsec" and "crypto isakmp" with another site that has Cisco Router and/or Cisco ASA.

 

Can someone please type a recommended access-list that I can put in the dialer for ingress traffic in order to secure the network without blocking the site to site vpn???

7 Replies

Hello,

 

Typically, an anti-spoofing access list applied inbound on the Dialer interface is sufficient. Your private site-to-site traffic is encrypted anyway.

That said, make sure your tunnel IP addresses are not blocked. Better to post the config of your 800 router...

 

access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 permit ip any any

!

interface Dialer1

ip access-group 101 in

 

Hi my friend. This is my configuration.


*********************************************************************************************************

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
ip dhcp pool DATA
network 10.0.145.0 255.255.255.0
 default-router 10.0.145.1
 dns-server 8.8.8.8
!
ip name-server 8.8.8.8
!
controller VDSL 0
no cdp run
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key xxxxxx address 70.70.70.70
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 70.70.70.70
 set transform-set TSET
 match address VPN-TRAFFIC
!
!
interface Ethernet0.835
 encapsulation dot1Q 835
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 10.0.145.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 description ***VDSL Connection***
 ip address negotiated
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxxxxx
 ppp chap password 0 xxxxxx
 ppp pap sent-username xxxxxxx password 0 xxxxxx
 no cdp enable
 crypto map CMAP
!
!
!
ip nat inside source list NAT-TRAFFIC interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended NAT-TRAFFIC
 deny   ip 10.0.145.0 0.0.0.255 10.0.100.0 0.0.0.255
 permit ip 10.0.145.0 0.0.0.255 any
 deny   ip any any
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.145.0 0.0.0.255 10.0.100.0 0.0.0.255
 deny   ip any any
!
!
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport input ssh

*********************************************************************************************************

 

So you are saying that with the below access-list 101 you wrote I will be OK?

access-list 101 deny ip 0.0.0.0 0.255.255.255 any log                     <=0.0.0.0/8 Is this right??
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log                 <=127.0.0.0/8
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log                 <=172.16.0.0/12
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log                 <=192.168.0.0/8
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log               <=224.0.0.0/4
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 permit ip any any

 

 

What about subnet 10.0.0.0/8 ??

If I want to deny also Pings to my public IP ??

Is there anything else that I should put in the ACL 101 ??

I don't have a firewall in front of my router so it must be a little bit strict and work as a kind of a firewall.

 

Thank you in advance!!

Hello,

 

I have amended the access lists to deny pings and also to allow traffic between your 10.0.100.0 and 10.0.145.0 subnets:

 

access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 permit ip 10.0.145.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 permit ip 10.0.100.0 0.0.0.255 10.0.145.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 permit ip any any
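As an added example (not part of the thread, and not a Cisco tool), the Python script below parses the amended access-list 101 exactly as posted (with the extra-octet typo in the two 10.0.100.0 entries corrected) and evaluates it against a handful of constructed packets: ISAKMP and ESP from the peer 70.70.70.70, the decrypted 10.0.100.0/24 to 10.0.145.0/24 traffic, spoofed private sources, a web reply, and the pings the original poster wanted dropped. 60.60.60.60 and 70.70.70.70 are the thread's own placeholder addresses; 198.51.100.10 is a documentation address standing in for a web server. The decrypted LAN-to-LAN packet is checked as well, whether or not the running IOS applies the interface ACL after decryption, so the result is conservative. Two outcomes are worth reviewing before applying the list: the echo-reply entry also drops the replies to pings sent out from the LAN (they arrive inbound on Dialer1 addressed to the NAT address before translation), and the entry permitting 10.0.145.0/24 as a source is reachable by a packet from the Internet that spoofs the inside prefix, which no legitimate inbound packet on Dialer1 should carry.

```python
"""Evaluate a Cisco IOS numbered extended ACL against sample packets.

Added example, not from the thread: it parses 'access-list 101 ...' lines
and reports which entry a packet hits, so the list can be checked against
the VPN peer and spoofed sources before 'ip access-group 101 in' goes on
Dialer1. Only the syntax used in the thread is supported: any / host A.B.C.D /
A.B.C.D wildcard, protocols ip, icmp, tcp, udp, esp, an optional ICMP type
keyword (echo, echo-reply) and an optional trailing 'log'.
"""
import ipaddress

# Georg's amended list, with the 10.0.100.0.0 typo corrected to 10.0.100.0.
ACL_101 = """
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 permit ip 10.0.145.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 permit ip 10.0.100.0 0.0.0.255 10.0.145.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 permit ip any any
"""

ICMP_TYPES = {"echo": 8, "echo-reply": 0}
PROTOCOLS = {"ip", "icmp", "tcp", "udp", "esp"}


def _addr_spec(tokens, i):
    """Consume one source/destination spec; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def parse_acl(text):
    """Parse ACL lines into (action, proto, src, dst, icmp_type, line) tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        action, proto = t[2], t[3]
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError(f"unsupported line: {line}")
        src, i = _addr_spec(t, 4)
        dst, i = _addr_spec(t, i)
        icmp_type = None
        if i < len(t) and t[i] in ICMP_TYPES:
            icmp_type = ICMP_TYPES[t[i]]
            i += 1
        if i < len(t) and t[i] == "log":
            i += 1
        if i != len(t):
            raise ValueError(f"unsupported line: {line}")
        entries.append((action, proto, src, dst, icmp_type, line.strip()))
    return entries


def _match(spec, addr):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    base, wild = spec
    return (addr | wild) == (base | wild)


def evaluate(entries, proto, src, dst, icmp_type=None):
    """Return (action, matched line). First match wins; implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, eproto, esrc, edst, etype, line in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if etype is not None and etype != icmp_type:
            continue
        if _match(esrc, s) and _match(edst, d):
            return action, line
    return "deny", "implicit deny"


ROUTER_WAN = "60.60.60.60"  # the OP's example public address
VPN_PEER = "70.70.70.70"    # peer address from the OP's crypto map

# Constructed packets as seen inbound on Dialer1: (proto, src, dst, icmp type).
SAMPLE_PACKETS = {
    "isakmp from peer": ("udp", VPN_PEER, ROUTER_WAN, None),
    "esp from peer": ("esp", VPN_PEER, ROUTER_WAN, None),
    "decrypted remote lan": ("tcp", "10.0.100.5", "10.0.145.10", None),
    "spoofed 10/8": ("tcp", "10.1.2.3", "10.0.145.10", None),
    "spoofed rfc1918": ("tcp", "192.168.1.1", ROUTER_WAN, None),
    "spoofed local lan": ("tcp", "10.0.145.7", "10.0.100.1", None),
    "https reply": ("tcp", "198.51.100.10", ROUTER_WAN, None),
    "ping to wan": ("icmp", "8.8.8.8", ROUTER_WAN, 8),
    "ping reply to wan": ("icmp", "8.8.8.8", ROUTER_WAN, 0),
}


def check_acl(text=ACL_101):
    """Map each sample packet name to the action the ACL takes on it."""
    entries = parse_acl(text)
    return {name: evaluate(entries, *pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    entries = parse_acl(ACL_101)
    for name, pkt in SAMPLE_PACKETS.items():
        action, line = evaluate(entries, *pkt)
        print(f"{name:22s} {action:6s} <- {line}")
```

Run it as-is to see which entry each packet hits; to try a different list, paste the candidate `access-list 101` lines into `ACL_101` and add cases to `SAMPLE_PACKETS` for the peers and services the site depends on. The evaluator ignores ports, so a line with `eq 500` or `established` would need the parser extended first.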

The situation of the original poster is challenging. He wants to protect his network and does not have any firewall or other security device other than his router. I thought about the approach that is suggested in the original post (permit web browsing (HTTP and HTTPS) and permit the vpn traffic (ISAKMP is udp 500 and 4500 and esp which is the ip protocol for ipsec encrypted traffic) and deny everything else) and quickly realized that this approach is flawed. For example in this approach DNS would not work. I suspect that there are some other services that his network needs which could be impacted by this approach. Then I thought about his follow up which was to deny ping. And I thought that perhaps we could come up with other things that they probably do not want coming into their network from the Internet. Probably they do not want incoming telnet or SSH, or SNMP, or what else?

 

HTH

 

Rick

Unfortunately we don't have a Firewall for the time being so this is the only thing we can do.
If you can provide us your opinion by agreeing or not with Georg Pauwen please go ahead.
Or if you have something else to add...
Thank you!

There are two basic approaches to building an access list that will be applied on an interface that provides connectivity to outside:

1) deny things that you know you do not want and then permit everything else.

2) permit things that you know you do want and then deny everything else.

The first approach has less chance that it will have negative impact on your network but security is not as tight. The second approach is a bit more secure but does have the possibility that you may not correctly identify all the things that you need and therefore as you implement it some things will break and you will have to revise your access list each time you encounter one of these. 

 

You need to decide which approach you want to use and then we can help you with the details of how to do it. The access list suggested by Georg uses the first approach which is probably easier and will be less likely to break network functionality. Probably it is more appropriate for someone who has limited skills in network security. But if you want really tight network security then perhaps you want the second approach and will need to think carefully about what you need to permit. (And if you want really tight network security then you need to think about whether an access list on a router is good enough - probably you want something that does stateful inspection like a firewall to provide that really tight security.)

 

HTH

 

Rick

Georg Pauwen thank you.
This router is used only for Web browsing without restrictions and for remote access to internal devices through Site to Site VPN.
If you think there are any additional ACLs that we can put in order to protect against inbound attacks please tell me.