ACL problem in Cisco 25xx routers.

I want to apply some restrictions to the network by using Extended ACL.

The restrictions are:

1. No restriction in Internal network.
2. Internal to External network: Telnet only.
3. External to Internal network: Can only make Telnet connection to one Router.

The Internal network is connected to External network by ONE serial connection.

All routers are Cisco 25xx series.

What access-lists should be applied to the network?
Where should the access-lists be applied?


regards,
Raymond
1 Solution
 
geoffryn commented:
10.10.10.0  internal
192.168.1.0 external
10.10.10.31 router


access-list 101 permit tcp 10.10.10.0 0.0.0.255 eq 23 any gt 1023
access-list 101 permit tcp host 10.10.10.31 gt 1023 any eq 23
access-list 102 permit tcp 192.168.61.0 0.0.0.255 eq 23 10.10.10.31 gt 1023


router:<config-int "internal"> ip access-group 101 out
router:<config-int "external"> ip access-group 102 in
 
svindler commented:
I'll reuse geoffryn's addresses, assuming class C for both, though for the rest of geoffryn's suggestion I can only say: "geoffryn, don't smoke anything you can't buy in a supermarket" ;-) How about return traffic, and what about those directions???

Based on the 1st restriction, I won't apply the ACLs on the internal interface, as this would restrict access to the router itself, but in and out on the external interface.

access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23
access-list 101 permit tcp host 10.10.10.31 eq 23 any gt 1023 established

access-list 102 permit tcp any eq 23 10.10.10.0 0.0.0.255 gt 1023 established
access-list 102 permit tcp any gt 1023 host 10.10.10.31 eq 23

router:<config-int "external"> ip access-group 101 out
router:<config-int "external"> ip access-group 102 in

Of course, if the external network is only supposed to be 192.168.1.0, then "any" can be replaced by "192.168.1.0 0.0.0.255".
 
geoffryn commented:
You're right, that's just bad.

Never get in a hurry on too little caffeine.
 
Raymond (author) commented:
Thanx, svindler !

but I still have two questions regarding your suggested ACLs.

1. What is the difference between
   "access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23"
   and
   "access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 23" ?

2. What does the keyword "established" mean ?

Thanx very much.


regards,
Raymond
 
geoffryn commented:
The first specifies that the source port must be higher than 1023. Originating a connection on a well-known/service port is potentially exploitable.

The second specifies that the traffic will only be allowed if it is in response to a connection originating from the inside, or "established".
 
svindler commented:
Adding "gt 1023" just ensures that the packet is from a normal program. The classic example is a filter on your border to the internet where you want to allow dns responses, via this incoming access-list entry:
access-list 101 permit udp any eq 53 any
This WILL allow dns replies. Unfortunately, it will also allow access to any udp service on the internal hosts, as long as the hacker is using port 53 as the source.
Changing the line to:
access-list 101 permit udp any eq 53 any gt 1023
will ensure that only replies to requests get back. If any services on internal hosts are running on UDP ports greater than 1023, then you may be in trouble anyway.

"established" just checks for the "ACK" flag in the TCP header. This is normally only set when a connection is up and running. A hacker can still set the flag "manually" by creating a special packet but this is mostly used in denial-of-service attacks, not to compromise hosts, as they shouldn't create a new connection when the ACK flag is already set.
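The following is an added example, not code from the thread: a small Python model of how IOS matches an extended access list (entries tried in order, first match wins, implicit deny at the end, wildcard masks, eq/gt/lt port operators, and "established" as a check on the ACK bit). It runs svindler's lists 101 and 102 and the two DNS lines above against constructed packets, so you can see exactly which of Raymond's three restrictions each entry enforces and why "gt 1023" and "established" matter. The hosts 10.10.10.5 and 192.168.1.7, the list number 111 for the DNS lines, and all packets are assumptions made up for the demo.

```python
"""Added example: model of Cisco IOS extended-ACL matching, applied to the
ACLs from this thread.  Hosts, list number 111 and all packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # ACK (or RST) bit set; this is what "established" tests


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (matcher, next i)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        a = _ip(tok[i + 1])
        return (lambda ip: _ip(ip) == a), i + 2
    a, w = _ip(tok[i]), _ip(tok[i + 1])
    # In a wildcard mask a 1 bit means "don't care" (the inverse of a netmask).
    return (lambda ip: (_ip(ip) | w) == (a | w)), i + 2


def _parse_port(tok, i):
    """Parse an optional 'eq|gt|lt N' at tok[i]; no operator means any port."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        op, n = tok[i], int(tok[i + 1])
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[op], i + 2
    return (lambda p: True), i


def parse_entry(line):
    """'access-list N permit|deny PROTO SRC [op port] DST [op port] [established]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    established = "established" in tok[i:]

    def match(p):
        return ((proto == "ip" or p.proto == proto) and src(p.src) and sport(p.sport)
                and dst(p.dst) and dport(p.dport) and (not established or p.ack))
    return action, match


def evaluate(acl, pkt):
    """Entries are tried top to bottom, the first match decides, and a list
    with no matching entry ends in the implicit 'deny any'."""
    for line in acl:
        action, match = parse_entry(line)
        if match(pkt):
            return action
    return "deny"


# svindler's lists, both applied on the external (serial) interface
ACL_101_OUT = [
    "access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23",
    "access-list 101 permit tcp host 10.10.10.31 eq 23 any gt 1023 established",
]
ACL_102_IN = [
    "access-list 102 permit tcp any eq 23 10.10.10.0 0.0.0.255 gt 1023 established",
    "access-list 102 permit tcp any gt 1023 host 10.10.10.31 eq 23",
]
# the DNS example, without and with "gt 1023" on the destination port
DNS_LOOSE = ["access-list 111 permit udp any eq 53 any"]
DNS_TIGHT = ["access-list 111 permit udp any eq 53 any gt 1023"]


def check_flows():
    """Evaluate each constructed packet against the list for its direction."""
    inside, outside, router = "10.10.10.5", "192.168.1.7", "10.10.10.31"
    return {
        # flows the question wants to allow
        "inside telnets out":      evaluate(ACL_101_OUT, Packet("tcp", inside, 1500, outside, 23)),
        "its replies come back":   evaluate(ACL_102_IN, Packet("tcp", outside, 23, inside, 1500, ack=True)),
        "outside telnets router":  evaluate(ACL_102_IN, Packet("tcp", outside, 2000, router, 23)),
        "router replies go out":   evaluate(ACL_101_OUT, Packet("tcp", router, 23, outside, 2000, ack=True)),
        # flows it wants to block
        "inside browses out":      evaluate(ACL_101_OUT, Packet("tcp", inside, 1500, outside, 80)),
        "outside telnets a host":  evaluate(ACL_102_IN, Packet("tcp", outside, 2000, inside, 23)),
        # a SYN sent from source port 23 is not a reply: no ACK, so "established" fails
        "forged SYN from port 23": evaluate(ACL_102_IN, Packet("tcp", outside, 23, inside, 1500)),
        # the udp/53 lesson: source port 53 aimed at an internal SNMP agent (udp/161)
        "port-53 probe, loose":    evaluate(DNS_LOOSE, Packet("udp", outside, 53, inside, 161)),
        "port-53 probe, tight":    evaluate(DNS_TIGHT, Packet("udp", outside, 53, inside, 161)),
        "real dns reply, tight":   evaluate(DNS_TIGHT, Packet("udp", outside, 53, inside, 40000)),
    }


if __name__ == "__main__":
    for name, verdict in check_flows().items():
        print(f"{verdict:6s} {name}")
```

Two caveats the model does not capture: on a real IOS router the outbound interface ACL is not applied to packets the router itself originates, and "established" matches a segment with either the ACK or the RST bit set, which the model folds into the single ack flag. The "forged SYN from port 23" case shows the point svindler makes about "established": a source port of 23 alone is not enough to get through list 102.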
 
Raymond (author) commented:
Thanx a lot !!!