ACL impact on security vulnerability

Leftz (Level 4)

Hi, CPU ACLs are configured on a WLC 3504 to remediate a security vulnerability. We cannot find the difference between before and after making the config change. The ACLs are listed below, where IP address 10.10.10.20 is the WLC management interface. Can anyone share some experience or suggestions? Thank you

(Cisco Controller) >show ACL detailed CACL

                       Source                         Destination                 Source Port  Dest Port
Index  Dir       IP Address/Netmask               IP Address/Netmask       Prot    Range       Range    DSCP  Action      Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17 12124-12125     0-65535  Any Permit           0
     2 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17     0-65535 12124-12125  Any Permit           0
     3 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17 12134-12135     0-65535  Any Permit           0
     4 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17     0-65535 12134-12135  Any Permit           0
     5  In         0.0.0.0/0.0.0.0              10.10.10.20/255.255.255.255    6     0-65535   443-443    Any Permit           0
     6 Out      10.10.10.20/255.255.255.255         0.0.0.0/0.0.0.0            6   443-443       0-65535  Any Permit           0


please see my below comment

Hi

How can you expect any change if you are allowing everything to access your WLC? This ACL and nothing are the same thing.

Define a specific network from where you can access your WLC and permit only this network. Deny everything else.

Leftz (Level 4)

Thank you very much for your nice reply!

@MHM Cisco World Yes, but it should also include Seq 2, 4 and 5, right?

Can I see exactly what you get from the WLC screen? A screenshot, so I can make some notes on it.

please see my below comment

Anyway, let me explain to you. There are two sides:
AP/client (any IP, unknown port) and WLC (management interface + known port)

So the AP builds a tunnel to the WLC. For this tunnel,
inbound is
AP/client (any IP, unknown port) -> WLC (management interface + known port)
and outbound is
WLC (management interface + known port) -> AP/client (any IP, unknown port)

Here is your mistake: you configured the direction as ANY, which makes the ACL never work.

Correct the direction of Seq 1-6 and then you can use it.

Leftz (Level 4)

Thank you MHM.

After changing the config it works, but clients cannot access Wi-Fi, and maybe some ports still need to be opened. Not sure which ones.

10.20.0.0 is the source network of the administrator.

(Cisco Controller) >show acl detailed acl

                       Source                         Destination                 Source Port  Dest Port
Index  Dir       IP Address/Netmask               IP Address/Netmask       Prot    Range       Range    DSCP  Action      Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- --
     1 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17 12124-12125     0-65535  Any Permit           0
     2 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17     0-65535 12124-12125  Any Permit           0
     3 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17 12134-12135     0-65535  Any Permit           0
     4 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17     0-65535 12134-12135  Any Permit           0
     5  In       10.20.0.0/255.255.0.0          10.10.10.20/255.255.255.255    6     0-65535   443-443    Any Permit           0
     6 Out      10.10.10.20/255.255.255.255       10.20.0.0/255.255.0.0        6   443-443       0-65535  Any Permit           0

DenyCounter : 0

So your note about blocked traffic is right, and that is why Cisco recommends denying SSH/Telnet and permitting any in the CPU ACL.


So I made some changes to your ACL:
permit SSH from only one subnet and deny SSH from any after that; finally, the ACL ends with permit any any to allow other ports and services to access the WLC.
                       Source                         Destination                 Source Port  Dest Port
Index  Dir       IP Address/Netmask               IP Address/Netmask       Prot    Range       Range    DSCP  Action      Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- --
      In       10.20.0.0/255.255.0.0          10.10.10.20/255.255.255.255    6     0-65535   443-443    Any Permit           0
     Out      10.10.10.20/255.255.255.255       10.20.0.0/255.255.0.0        6   443-443       0-65535  Any Permit           0
      In       0.0.0.0/0.0.0.0          10.10.10.20/255.255.255.255    6     0-65535   443-443    Any DENY           0
     Out      10.10.10.20/255.255.255.255       0.0.0.0/0.0.0.0        6   443-443       0-65535  Any DENY           0
     1 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17 any     any  Any Permit           0
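To compare the three ACL versions posted in this thread side by side, here is an added Python model (not the WLC's logic and not code from any poster) that evaluates each row list first-match-wins against a few constructed flows. It assumes first-match semantics with an implicit deny after the last row, and it encodes the rows exactly as listed above, including the final catch-all being protocol 17 only; the flow addresses and ports are constructed sample values.

```python
import ipaddress
from collections import namedtuple

# One row of `show acl detailed`: Dir, source net, destination net, Prot, source/dest port ranges, Action
Rule = namedtuple("Rule", "direction src dst proto sport dport action")
# One packet as seen by the CPU ACL: direction relative to the WLC, endpoints, protocol number, ports
Flow = namedtuple("Flow", "direction src dst proto sport dport")
ANY, ALL = "0.0.0.0/0", (0, 65535)
WLC, ADMIN = "10.10.10.20/32", "10.20.0.0/16"  # management interface and admin network from the thread

def matches(rule, flow):
    return (rule.direction in ("Any", flow.direction)
            and ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto == flow.proto
            and rule.sport[0] <= flow.sport <= rule.sport[1]
            and rule.dport[0] <= flow.dport <= rule.dport[1])

def evaluate(acl, flow, default="Deny"):
    """First matching row wins; `default` models the implicit deny after the last row (an assumption)."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return default

def udp_rows():
    # Seq 1-4, identical in every version posted: UDP 12124-12125 and 12134-12135 in both directions
    return [Rule("Any", ANY, ANY, 17, (12124, 12125), ALL, "Permit"),
            Rule("Any", ANY, ANY, 17, ALL, (12124, 12125), "Permit"),
            Rule("Any", ANY, ANY, 17, (12134, 12135), ALL, "Permit"),
            Rule("Any", ANY, ANY, 17, ALL, (12134, 12135), "Permit")]

# Version 1 (original post): HTTPS to the WLC from any source
ACL_V1 = udp_rows() + [Rule("In", ANY, WLC, 6, ALL, (443, 443), "Permit"),
                       Rule("Out", WLC, ANY, 6, (443, 443), ALL, "Permit")]
# Version 2 (second post): HTTPS only from the admin network
ACL_V2 = udp_rows() + [Rule("In", ADMIN, WLC, 6, ALL, (443, 443), "Permit"),
                       Rule("Out", WLC, ADMIN, 6, (443, 443), ALL, "Permit")]
# Version 3 (final reply, rows as listed): admin permit, explicit deny from any, then a UDP-only catch-all
ACL_V3 = [Rule("In", ADMIN, WLC, 6, ALL, (443, 443), "Permit"),
          Rule("Out", WLC, ADMIN, 6, (443, 443), ALL, "Permit"),
          Rule("In", ANY, WLC, 6, ALL, (443, 443), "Deny"),
          Rule("Out", WLC, ANY, 6, (443, 443), ALL, "Deny"),
          Rule("Any", ANY, ANY, 17, ALL, ALL, "Permit")]

# Constructed flows: HTTPS from an admin host, HTTPS from elsewhere, TCP 22 from admin, an unlisted UDP port
ADMIN_HTTPS = Flow("In", "10.20.1.5", "10.10.10.20", 6, 51000, 443)
OTHER_HTTPS = Flow("In", "192.168.1.9", "10.10.10.20", 6, 51000, 443)
ADMIN_SSH = Flow("In", "10.20.1.5", "10.10.10.20", 6, 51001, 22)
OTHER_UDP = Flow("In", "192.168.1.9", "10.10.10.20", 17, 40000, 10000)
```

Running `evaluate` over the three lists shows why version 1 changed nothing (HTTPS is permitted from everywhere), why version 2 drops any port not explicitly listed, and that the version 3 catch-all, as written with protocol 17, still leaves TCP flows other than HTTPS to the implicit deny.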
