Routing & ACL direction question

louis0001
Level 3

We have a private MPLS network (all private IPs) and would like to limit what traffic reaches certain areas.

SITE A

Servers (10.1.1.0/24)

SITE B

LAN 1 (10.1.2.0/24)

LAN 2 (10.1.3.0/24)

LAN 3 (10.1.4.0/24)

For this question, we'll concentrate on SITE B ACLs (not SITE A).

We don't want the LANs talking to each other, so we have put an ACL on each sub-interface in the IN direction,

e.g. LAN 1: allow ip 10.1.2.0/24 10.1.1.0/24 <<< SITE A server subnet. Same with LAN 2 & 3.

Now normally you would apply an ACL on the outside interface of a router to prevent unwanted traffic entering that interface. I understand that you would normally place this on the IN direction.

So in the above case, a client at SITE B picks a random port (e.g. tcp 50001) and asks for a web page from a web server at SITE A on port tcp 80. The web server accepts the request on tcp 80 and responds to the request on tcp 50001, and the web page is displayed on the client.

Now, I only want that web server to respond to requests from SITE B, but I do not want it to be able to initiate a connection to, let's say, RDP on tcp 3389 on a client on SITE B LAN 1.

I know I can put an ACL on the outward interface of SITE B to deny tcp 3389, but that could involve making a lot of deny statements for other traffic.

Is there a way to ensure that only the clients at SITE B can initiate traffic and receive responses, while the servers at SITE A can't initiate any traffic to SITE B? Bear in mind this is the outside interface of SITE B (I'm aware I can block the servers at SITE A).

Basically I'm looking for a minimal ACL for the outside interface of SITE B in the IN direction.

Would it be a case of just allowing the ephemeral ports in? e.g. 49152-65535


2 Replies

ngkin2010
Level 7

Hi,

I understand that you may want to avoid using deny statements in your ACL.

It's limited, as a router is not a stateful firewall that can control the traffic initiation direction. Here are some tricks on the router:

If you want to control only TCP traffic, that would be simple using the "established" keyword in the ACL statement, which allows the server's TCP responses.

ip access-list extended OUTSIDE-IN
permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.1.255 established


But in some cases, if you need to do the same thing with UDP or ICMP traffic as well, you will need to use a Reflexive ACL. You may take a look at the configuration guide (see the reference links).

Ref: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-data-acl-15-mt-book/sec-cfg-ip-filter.html
Ref: https://community.cisco.com/t5/security-documents/reflexive-access-list-on-ios/ta-p/3130741
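Both approaches from the answer above, written out for the Site B router as an added example (not configuration from the thread or from Cisco's guide). The subnets are the ones in the question; the interface name, ACL names and the 300-second reflexive timeout are assumptions.

```cisco
! Added example, not from the thread. Site B router, WAN-facing interface
! towards the MPLS cloud. Interface name, ACL names and the 300 s reflexive
! timeout are assumptions; the subnets are the ones from the question.
!
! Option 1: TCP only. "established" matches segments with the ACK or RST bit
! set, so the web server's replies to client-chosen ports pass, but a SYN the
! server initiates (e.g. to tcp/3389 on a LAN 1 client) does not. This is a
! per-packet flag check, not session state, and it cannot cover UDP or ICMP.
ip access-list extended OUTSIDE-IN-TCP
 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 established
 permit tcp 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255 established
 permit tcp 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255 established
 deny   ip any any log
!
! Option 2: reflexive ACL. Each outbound client flow that hits a "reflect"
! entry creates a temporary mirror entry in SITEB-FLOWS; "evaluate" on the
! inbound list admits only packets matching such an entry. UDP (DNS) and ICMP
! (ping) replies therefore work, and unsolicited server traffic is denied.
! Wildcard 0.0.1.255 on 10.1.2.0 covers LAN 1 and LAN 2; LAN 3 is listed
! separately.
ip reflexive-list timeout 300
ip access-list extended INSIDE-OUT
 permit tcp  10.1.2.0 0.0.1.255 10.1.1.0 0.0.0.255 reflect SITEB-FLOWS
 permit tcp  10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255 reflect SITEB-FLOWS
 permit udp  10.1.2.0 0.0.1.255 10.1.1.0 0.0.0.255 reflect SITEB-FLOWS
 permit udp  10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255 reflect SITEB-FLOWS
 permit icmp 10.1.2.0 0.0.1.255 10.1.1.0 0.0.0.255 reflect SITEB-FLOWS
 permit icmp 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255 reflect SITEB-FLOWS
 deny   ip any any log
ip access-list extended OUTSIDE-IN
 evaluate SITEB-FLOWS
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Site B WAN link to MPLS (assumed interface name)
 ip access-group INSIDE-OUT out
 ip access-group OUTSIDE-IN in
```

Apply only one option: for Option 1 the interface gets just "ip access-group OUTSIDE-IN-TCP in" and no outbound list. If Site B reaches other sites over the same link, add permit entries for that traffic ahead of the final deny, or the lists will drop it.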


Brill. Exactly what I was looking for. Thank you.
