
ACL problem in Cisco 25xx routers.

Posted on 2002-03-08
Last Modified: 2013-11-29
I want to apply some restrictions to the network by using Extended ACL.

The restrictions are:

1. No restriction in Internal network.
2. Internal to External network: Telnet only.
3. External to Internal network: Can only make Telnet connection to one Router.

The Internal network is connected to External network by ONE serial connection.

All routers are Cisco 25xx series.

What access-lists should be applied to the network?
Where should the access-list be applied to?


regards,
Raymond
Question by:Raymond
7 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6851330
10.10.10.0  internal
192.168.1.0 external
10.10.10.31 router


access-list 101 permit tcp 10.10.10.0 0.0.0.255 eq 23 any gt 1023
access-list 101 permit tcp host 10.10.10.31 gt 1023 any eq 23
access-list 102 permit tcp 192.168.61.0 0.0.0.255 eq 23 10.10.10.31 gt 1023


router:<config-int "internal"> access-group 101 out
router:<config-int "external">access-group 102 in
0
 
LVL 4

Expert Comment

by:svindler
ID: 6851767
I'll reuse geoffryn's addresses, assuming class for both, though for the rest of geoffryn's suggestion I can only say: "geoffryn, don't smoke anything you can't buy in a supermarket" ;-) How about return traffic and what about those directions???

Based on the 1st restriction, I won't apply the ACLs on the internal interface, as this will restrict access to the router itself, but on in and out on the external interface.

access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23
access-list 101 permit tcp host 10.10.10.31 eq 23 any gt 1023 established

access-list 102 permit tcp any eq 23 10.10.10.0 0.0.0.255 gt 1023 established
access-list 102 permit tcp any gt 1023 host 10.10.10.31 eq 23

router:<config-int "external">access-group 101 out
router:<config-int "external">access-group 102 in

Of course, if external network is only supposed to be 192.168.1.0 then "any" can be replaced by "192.168.1.0 0.0.0.255"
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6851807
You're right, that's just bad.

Never get in a hurry on too little caffeine
0

 

Author Comment

by:Raymond
ID: 6852378
Thanx, svindler !

but I still have two questions regarding your suggested ACLs.

1. What is the difference between
   "access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23"
   and
   "access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 23" ?

2. What does the keyword "established" mean ?

Thanx very much.


regards,
Raymond
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6853828
The first specifies that the source port must be higher than 1023.  Originating a connection on a well known/service port is potentially exploitable.

The second specifies that the traffic will only be allowed if it is in response to a connection originating from the inside or "established".
0
 
LVL 4

Accepted Solution

by:
svindler earned 800 total points
ID: 6854809
Adding "gt 1023" just ensures that the packet is from a normal program. The classic example is a filter on your border to the internet where you want to allow dns responses, via this incoming access-list entry:
access-list 101 permit udp any eq 53 any
This WILL allow dns replies. Unfortunately, it will also allow access to any udp service on the internal hosts, as long as the hacker is using port 53 as the source.
Changing the line to:
access-list 101 permit udp any eq 53 any gt 1023
will ensure that only requests will get back. If any services on internal hosts are running on udp ports greater than 1023, then you may be in trouble anyway.

"established" just checks for the "ACK" flag in the TCP header. This is normally only set when a connection is up and running. A hacker can still set the flag "manually" by creating a special packet but this is mostly used in denial-of-service attacks, not to compromise hosts, as they shouldn't create a new connection when the ACK flag is already set.
0
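
The effect of "gt 1023" and "established" described in the accepted answer, as an added example that is not part of the original thread: a small Python evaluator for the ACL subset used here, run over constructed packets. It is not Cisco code; it handles only "permit" lines with "eq"/"gt" port operators, and it models "established" as an ACK-flag check, as the answer describes it.

```python
# Added example: evaluator for the permit-only extended-ACL subset seen in this thread.
import ipaddress

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    host = tok[i] == "host"
    base, wild = (tok[i + 1], "0.0.0.0") if host else (tok[i], tok[i + 1])
    b, w = int(ipaddress.ip_address(base)), int(ipaddress.ip_address(wild))
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    return (lambda ip: (int(ipaddress.ip_address(ip)) | w) == (b | w)), i + 2

def _port(tok, i):
    """Parse an optional 'eq N' / 'gt N'; return (matcher, next index)."""
    if i < len(tok) and tok[i] in ("eq", "gt"):
        op, n = tok[i], int(tok[i + 1])
        return (lambda p: p == n if op == "eq" else p > n), i + 2
    return (lambda p: True), i

def parse(line):
    tok = line.split()  # access-list <num> permit <proto> <src> [op] <dst> [op] [established]
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return tok[3], src, sport, dst, dport, tok[i:] == ["established"]

def permits(acl, pkt):
    """First matching permit wins; anything unmatched hits the implicit deny."""
    for proto, src, sport, dst, dport, est in map(parse, acl):
        if (pkt["proto"] == proto and src(pkt["src"]) and sport(pkt["sport"])
                and dst(pkt["dst"]) and dport(pkt["dport"])
                and (not est or pkt.get("ack", False))):
            return True
    return False

# ACL lines copied from the thread; the packets in demo() are constructed samples.
DNS_LOOSE = ["access-list 101 permit udp any eq 53 any"]
DNS_TIGHT = ["access-list 101 permit udp any eq 53 any gt 1023"]
ACL_102 = ["access-list 102 permit tcp any eq 23 10.10.10.0 0.0.0.255 gt 1023 established",
           "access-list 102 permit tcp any gt 1023 host 10.10.10.31 eq 23"]

def demo():
    probe = {"proto": "udp", "src": "192.168.1.5", "sport": 53, "dst": "10.10.10.7", "dport": 161}
    syn = {"proto": "tcp", "src": "192.168.1.5", "sport": 23, "dst": "10.10.10.7", "dport": 40000}
    return (permits(DNS_LOOSE, probe), permits(DNS_TIGHT, probe),
            permits(ACL_102, syn), permits(ACL_102, dict(syn, ack=True)))
```

demo() returns, in order: whether the loose and the tightened DNS line pass a UDP packet from source port 53 to an internal low port, then whether access-list 102 passes an inbound TCP segment from port 23 without and with the ACK flag.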
 

Author Comment

by:Raymond
ID: 6864552
Thanx a lot !!!
0
