Solved

ACL problem in Cisco 25xx routers.

Posted on 2002-03-08
7
258 Views
Last Modified: 2013-11-29
I want to apply some restrictions to the network by using Extended ACL.

The restrictions are:

1. No restriction in Internal network.
2. Internal to External network: Telnet only.
3. External to Internal network: Can only make Telnet connection to one Router.

The Internal network is connected to External network by ONE serial connection.

All routers are Cisco 25xx series.

What access-lists should be applied to the network ?
Where should the access-list be applied to ?


regards,
Raymond
0
Comment
Question by:Raymond
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6851330
10.10.10.0  internal
192.168.1.0 external
10.10.10.31 router


access-list 101 permit tcp 10.10.10.0 0.0.0.255 eq 23 any gt 1023
access-list 101 permit tcp host 10.10.10.31 gt 1023 any eq 23
access-list 102 permit tcp 192.168.61.0 0.0.0.255 eq 23 10.10.10.31 gt 1023


router:<config-int "internal"> access-group 101 out
router:<config-int "external">access-group 102 in
0
 
LVL 4

Expert Comment

by:svindler
ID: 6851767
I'll reuse geoffryn's addresses, assuming class for both, though for the rest of geoffryn's suggestion I can only say: "geoffryn, don't smoke anything you can't buy in a supermarket" ;-) How about return traffic and what about those directions???

Based on the 1st restriction, I won't apply the acl's on the internal interface, as this will restrict access to the router itself, but on in and out on the external interface.

access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23
access-list 101 permit tcp host 10.10.10.31 eq 23 any gt 1023 established

access-list 102 permit tcp any eq 23 10.10.10.0 0.0.0.255 gt 1023 established
access-list 102 permit tcp any gt 1023 host 10.10.10.31 eq 23

router:<config-int "external">access-group 101 out
router:<config-int "external">access-group 102 in

Of course, if external network is only supposed to be 192.168.1.0 then "any" can be replace by "192.168.1.0 0.0.0.255"
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6851807
You're right, thats just bad.

Never get in a hurry on too little caffine
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 

Author Comment

by:Raymond
ID: 6852378
Thanx, svindler !

but I still have two questions regarding your suggested ACLs.

1. What is the different between
   "access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23"
   and
   "access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 23" ?

2. What does the keyword "established" mean ?

Thanx very much.


regards,
Raymond
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6853828
The first specifies the the source port must be higher that 1023.  Originating a connection on a well known/service port is potentially exploitable.

The second specifies that the traffic will only be allowed if it is in response to a connection originating from the inside or "established"
0
 
LVL 4

Accepted Solution

by:
svindler earned 200 total points
ID: 6854809
Adding "gt 1023" just ensures that the packet is from a normal program. The classic example is a filter on your border to the internet where you want to allow dns responses, via this incoming access-list entry:
access-list 101 permit udp any eq 53 any
This WILL allow dns replies. Unfortunately, it will also allow access to any udp service on the internal hosts, as long as the hacker is using port 53 as the source.
Changing the line to:
access-list 101 permit udp any eq 53 any gt 1023
will ensure that only requests will get back. If any services on internal hosts is running on udp ports greater than 1023, then you may be in trouble anyway.

"established" just checks for the "ACK" flag in the TCP header. This is normally only set when a connection is up and running. A hacker can still set the flag "manually" by creating a special packet but this is mostly used in denial-of-service attacks, not to compromise hosts, as they shouldn't create a new connection when the ACK flag is already set.
0
 

Author Comment

by:Raymond
ID: 6864552
Thanx a lot !!!
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Make the most of your online learning experience.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question