Will my access-list work on home LAN ?

Hi everyone,

Could you please look into my access-list applied to my router and tell me if this will be enough to secure my home network.

I use a Cisco 887W router with the following scenario: VLAN1 & WLAN1 - 192.168.1.0 255.255.255.0, default gateway - 192.168.1.1

VLAN10 - connection to ISP using dynamic DHCP.

I came up with the following access-lists:

version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco887W
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
clock timezone NZST 12 0
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool Pool1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 domain-name local
 dns-server 4.2.2.2
!
!
!
!
ip domain name local
ip inspect name OUTSIDE ftp
ip inspect name OUTSIDE icmp
ip inspect name OUTSIDE tcp
ip inspect name OUTSIDE udp
ip inspect name OUTSIDE dns
ip cef
no ipv6 cef
!
!
cts logging verbose
license udi pid CISCO887W-GN-A-K9 sn FGL1539201C
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 description UFB
 switchport access vlan 10
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface wlan-ap0
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group VLAN-1 in
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan10
 description UFB
 ip address dhcp
 ip access-group VLAN-10 in
 ip accounting output-packets
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Vlan10 overload
ip route 0.0.0.0 0.0.0.0 Vlan10 dhcp
!
ip access-list extended OUTSIDE
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any
ip access-list extended VLAN-1
 permit ip 192.168.1.0 0.0.0.255 any
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
ip access-list extended VLAN-10
 permit ip 192.168.0.0 0.0.1.255 any
 permit udp host 192.168.1.1 eq ntp any
 permit tcp any any eq 3389
 permit udp any eq domain any
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 permit icmp any any echo
!
!
!
alias exec c copy running-config startup-config
alias exec s show ip interface brief
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 login
 transport input none
!
ntp server 203.173.195.107
!
end
Please let me know if this configuration will work.
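As an added example (not part of the original post), here is a small Python evaluator that replays constructed sample packets through the VLAN-10 inbound list above using IOS first-match semantics and the implicit trailing deny; the WAN address 203.0.113.9 and the sample source addresses are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR: wildcard 0.0.1.255 -> /23, host -> /32, any -> /0
    dst: str
    sport: Optional[int] = None  # "eq N" written after the source matches the SOURCE port
    dport: Optional[int] = None  # "eq N" written after the destination matches the DEST port
    icmp_type: Optional[str] = None

class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""

def matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "ip" or r.proto == p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and r.icmp_type in (None, p.icmp_type))

def evaluate(acl, p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    return next((r.action for r in acl if matches(r, p)), "deny")

# The VLAN-10 list from the post, entry by entry (the seven icmp lines collapsed into a loop).
VLAN10_IN = [
    Rule("permit", "ip", "192.168.0.0/23", "0.0.0.0/0"),
    Rule("permit", "udp", "192.168.1.1/32", "0.0.0.0/0", sport=123),
    Rule("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", dport=3389),
    Rule("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", sport=53),
] + [Rule("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0", icmp_type=t)
     for t in ("unreachable", "echo-reply", "packet-too-big", "time-exceeded",
               "traceroute", "administratively-prohibited", "echo")]

# Constructed samples arriving on Vlan10; 203.0.113.9 stands in for the DHCP-assigned WAN address.
WAN = "203.0.113.9"
SAMPLES = {
    "rdp from any internet host":  Packet("tcp", "198.51.100.7", WAN, 40000, 3389),
    "udp with source port 53":     Packet("udp", "198.51.100.7", WAN, 53, 40000),
    "private source from the ISP": Packet("tcp", "192.168.1.50", WAN, 40000, 80),
    "ssh from the internet":       Packet("tcp", "198.51.100.7", WAN, 40000, 22),
    "icmp redirect":               Packet("icmp", "198.51.100.7", WAN, icmp_type="redirect"),
}
```

The first three samples are permitted and the last two fall through to the implicit deny, which shows that the list allows RDP from anywhere, any UDP with source port 53, and packets carrying a 192.168.x source arriving from the ISP side. Note that `ip inspect name OUTSIDE` is defined in the posted config but never applied to an interface, so return traffic depends on these static entries rather than on stateful inspection.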

Shawn Guertin
Level 1

I don't know what the best practices are, but I would use an access list on the line vty 0 4, as there are random robots scanning the internet (even residential IPs) for SSH and trying common usernames and passwords. Here is an example from sho log:

Jun 22 09:03:42: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ftpuser] [Source: 109.236.24.191] [localport: 22] [Reason: Login Authentication Failed] at 09:03:42 EDT Mon Jun 22 2015
Jun 22 09:05:37: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 182.75.48.102] [localport: 22] [Reason: Login Authentication Failed] at 09:05:37 EDT Mon Jun 22 2015
Jun 22 09:11:11: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ubnt] [Source: 115.248.25.5] [localport: 22] [Reason: Login Authentication Failed] at 09:11:11 EDT Mon Jun 22 2015

I can't help you overly secure your WAN access since I only use the NAT as an input restriction, but I used an NSA doc to secure the router itself: https://www.nsa.gov/ia/_files/switches/switch-guide-version1_01.pdf

I have an 881 at home; the difference comes from interface Fa4, it's a router interface (no need for a Vlan10). You might be curious, so I will allow you to compare:

interface FastEthernet0
 no ip address
!On Vlan 1 by default
interface FastEthernet1
 no ip address
!On Vlan 1 by default
interface FastEthernet2
 no ip address
!On Vlan 1 by default
interface FastEthernet3
 no ip address
!On Vlan 1 by default
!
interface FastEthernet4
 description WAN Interface
 !This model has a router interface
 ip address DHCP
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface Vlan1
 description Main Vlan
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
!
ip nat inside source list NAT-List interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet4 80
!The last one was to redirect external http requests to 192.168.1.10
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list standard NAT-List
 permit 192.168.1.0 0.0.0.255
ip access-list standard SSH-Access
 permit 192.168.1.0 0.0.0.255
 deny   any
!
!

line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class SSH-Access in
 exec-timeout 60 0
 transport input ssh
!
!
end