04-18-2020 02:53 AM - edited 04-18-2020 03:07 AM
We have a private MPLS network (all private IPs) and would like to limit what traffic reaches certain areas.
SITE A
Servers (10.1.1.0/24)
Site B
LAN 1 (10.1.2.0/24)
LAN 2 (10.1.3.0/24)
LAN 3 (10.1.4.0/24)
For this question, we'll concentrate on SITE B ACLs (not SITE A).
We don't want the LANs talking to each other, so we have put an ACL on each sub-interface in the IN direction,
eg LAN 1: allow ip 10.1.2.0/24 10.1.1.0/24 <<< SITE A server subnet. Same with LAN 2 & 3.
Now normally you would apply an ACL on the outside interface of a router to prevent unwanted traffic entering that interface. I understand that you would normally place this on the IN direction.
So in the above case, a client at SITE B picks a random port (eg tcp 50001) and asks for a web page from a web server at SITE A on port tcp 80. The web server accepts the request on tcp 80 and responds to the request on tcp 50001, and the web page is displayed on the client.
Now, I only want that web server to respond to requests from SITE B but do not want it to be able to initiate a connection to, let's say, RDP on tcp 3389 on a client on SITE B LAN1.
I know I can put an ACL on the outward interface of SITE B to deny tcp 3389 but that could involve making a lot of deny statements for other traffic.
Is there a way to ensure that only traffic from SITE B (the clients) can initiate traffic and receive responses, but SITE A (the servers) can't initiate any traffic to SITE B? Bear in mind this is the outside interface of SITE B (as I'm aware I can block the servers at SITE A).
Basically looking for a minimal ACL for the outside interface of SITE B on the IN direction.
Would it be a case of just allowing the ephemeral ports in? eg 49152-65535
04-18-2020 03:50 AM - edited 04-18-2020 03:51 AM
Hi,
Understand that you may want to avoid using deny statements in your ACL.
It's limited, as a router is not a stateful firewall that can control the traffic initiation direction. Here is a trick on the router:
If you want to control only TCP traffic, that would be simple using the "established" keyword in the ACL statement, which will allow the server's TCP responses.
ip access-list extended OUTSIDE-IN
 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.1.255 established
But in some cases, if you need to do the same thing for UDP or ICMP traffic as well, you will need to use a Reflexive ACL. You may take a look at the configuration guide (see the reference link).
Ref: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-data-acl-15-mt-book/sec-cfg-ip-filter.html
Ref: https://community.cisco.com/t5/security-documents/reflexive-access-list-on-ios/ta-p/3130741
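The two approaches discussed in this thread side by side, as an added example that is not part of the original posts. It assumes a Cisco IOS CE router at SITE B with GigabitEthernet0/0 as the MPLS-facing interface (the interface name and the ACL names OUTSIDE-IN-EPHEMERAL, INSIDE-OUT, OUTSIDE-IN and SITEB-SESSIONS are assumptions); the subnets are the ones from the question. Block 1 is the ephemeral-port idea from the question and shows why it does not stop the servers from initiating; block 2 is the answer's "established" keyword combined with a reflexive ACL so that UDP and ICMP replies are also covered.

```cisco
! Added example (not from the thread). Cisco IOS on the SITE B CE router.
! Assumed: GigabitEthernet0/0 is the MPLS-facing interface; ACL names are made up.
! Site B LANs: 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24   Site A servers: 10.1.1.0/24

! --- 1. The idea from the question: let only ephemeral destination ports back in ---
! Any Site A host can still open a NEW connection to a client service listening in
! 49152-65535 (the Windows RPC dynamic port range), so servers can still initiate.
ip access-list extended OUTSIDE-IN-EPHEMERAL
 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.1.255 range 49152 65535
 permit tcp 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255 range 49152 65535
 deny   ip any any log

! --- 2. The answer's approach: "established" for TCP, reflexive entries for the rest ---
! INSIDE-OUT is applied outbound on the WAN interface and records every session a Site B
! client starts; the mirrored entry is what "evaluate" consults for the reply packets.
ip reflexive-list timeout 120
ip access-list extended INSIDE-OUT
 permit tcp  10.1.2.0 0.0.1.255 10.1.1.0 0.0.0.255 reflect SITEB-SESSIONS
 permit tcp  10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255 reflect SITEB-SESSIONS
 permit udp  10.1.2.0 0.0.1.255 10.1.1.0 0.0.0.255 reflect SITEB-SESSIONS timeout 60
 permit udp  10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255 reflect SITEB-SESSIONS timeout 60
 permit icmp 10.1.2.0 0.0.1.255 10.1.1.0 0.0.0.255 reflect SITEB-SESSIONS timeout 30
 permit icmp 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255 reflect SITEB-SESSIONS timeout 30
 remark Anything else Site B sends hits the implicit deny; widen these lines as needed.

ip access-list extended OUTSIDE-IN
 remark Replies to sessions opened from Site B (TCP, UDP and ICMP alike)
 evaluate SITEB-SESSIONS
 remark TCP fallback for replies whose reflexive entry has idled out: ACK or RST must be set.
 remark This is a flag check, not state: a crafted ACK-only segment to tcp/3389 passes,
 remark but a Site A host cannot complete a handshake because its SYN is dropped.
 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.1.255 established
 permit tcp 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255 established
 remark If the CE peers with the provider PE over this interface, permit that here too.
 deny   ip any any log

interface GigabitEthernet0/0
 description MPLS WAN (assumed interface name)
 ip access-group INSIDE-OUT out
 ip access-group OUTSIDE-IN in
```

While a client session is open, `show access-lists SITEB-SESSIONS` lists the dynamic mirrored entries, and the hit counter on the final `deny ip any any log` line of OUTSIDE-IN (`show ip access-lists OUTSIDE-IN`) shows every connection attempt that Site A tried to initiate. Anything Site A legitimately has to initiate towards Site B (monitoring polls, software pushes) needs its own permit above that deny. As the answer says, neither `established` nor a reflexive ACL is full stateful inspection; where that is required, the router's zone-based firewall is the tool.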
04-19-2020 11:59 PM
Brill. Exactly what I was looking for. Thank you.