Solved

ACL problem in Cisco 25xx routers.

Posted on 2002-03-08
Last Modified: 2013-11-29
I want to apply some restrictions to the network by using Extended ACL.

The restrictions are:

1. No restriction in Internal network.
2. Internal to External network: Telnet only.
3. External to Internal network: Can only make Telnet connection to one Router.

The Internal network is connected to External network by ONE serial connection.

All routers are Cisco 25xx series.

What access-lists should be applied to the network ?
Where should the access-list be applied to ?


regards,
Raymond
Question by:Raymond

7 Comments

LVL 11

Expert Comment

by:geoffryn
ID: 6851330
10.10.10.0  internal
192.168.1.0 external
10.10.10.31 router


access-list 101 permit tcp 10.10.10.0 0.0.0.255 eq 23 any gt 1023
access-list 101 permit tcp host 10.10.10.31 gt 1023 any eq 23
access-list 102 permit tcp 192.168.61.0 0.0.0.255 eq 23 10.10.10.31 gt 1023


router:<config-int "internal"> ip access-group 101 out
router:<config-int "external"> ip access-group 102 in

LVL 4

Expert Comment

by:svindler
ID: 6851767
I'll reuse geoffryn's addresses, assuming class for both, though for the rest of geoffryn's suggestion I can only say: "geoffryn, don't smoke anything you can't buy in a supermarket" ;-) How about return traffic and what about those directions???

Based on the 1st restriction, I won't apply the acl's on the internal interface, as this will restrict access to the router itself, but on in and out on the external interface.

access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23
access-list 101 permit tcp host 10.10.10.31 eq 23 any gt 1023 established

access-list 102 permit tcp any eq 23 10.10.10.0 0.0.0.255 gt 1023 established
access-list 102 permit tcp any gt 1023 host 10.10.10.31 eq 23

router:<config-int "external"> ip access-group 101 out
router:<config-int "external"> ip access-group 102 in

Of course, if the external network is only supposed to be 192.168.1.0 then "any" can be replaced by "192.168.1.0 0.0.0.255"

LVL 11

Expert Comment

by:geoffryn
ID: 6851807
You're right, thats just bad.

Never get in a hurry on too little caffeine.

Author Comment

by:Raymond
ID: 6852378
Thanx, svindler !

but I still have two questions regarding your suggested ACLs.

1. What is the difference between
   "access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23"
   and
   "access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 23" ?

2. What does the keyword "established" mean ?

Thanx very much.


regards,
Raymond
LVL 11

Expert Comment

by:geoffryn
ID: 6853828
The first specifies that the source port must be higher than 1023.  Originating a connection on a well known/service port is potentially exploitable.

The second specifies that the traffic will only be allowed if it is in response to a connection originating from the inside or "established".

LVL 4

Accepted Solution

by: svindler (earned 200 total points)
ID: 6854809
Adding "gt 1023" just ensures that the packet is from a normal program. The classic example is a filter on your border to the internet where you want to allow dns responses, via this incoming access-list entry:
access-list 101 permit udp any eq 53 any
This WILL allow dns replies. Unfortunately, it will also allow access to any udp service on the internal hosts, as long as the hacker is using port 53 as the source.
Changing the line to:
access-list 101 permit udp any eq 53 any gt 1023
will ensure that only replies will get back. If any services on internal hosts are running on udp ports greater than 1023, then you may be in trouble anyway.

"established" just checks for the "ACK" flag in the TCP header. This is normally only set when a connection is up and running. A hacker can still set the flag "manually" by creating a special packet but this is mostly used in denial-of-service attacks, not to compromise hosts, as they shouldn't create a new connection when the ACK flag is already set.
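An added example, not part of the thread and not anyone's posted configuration: a small Python evaluator for the extended-ACL syntax used above (wildcard masks, eq/gt port operators, first match wins, implicit deny, and "established" as a check on the ACK or RST flag). It loads svindler's four accepted entries plus the two DNS entries from the last answer and runs constructed packets through them, so you can see why "gt 1023" and "established" matter. The host and port numbers in the packets, the /24 assumption for both networks, and the access-list numbers 110/111 for the DNS entries are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet; only the fields an extended ACL inspects."""
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; 'established' matches ACK or RST
    rst: bool = False


def _wild_match(addr, net_str, wild_str):
    """Cisco wildcard mask: a 0 bit means 'this bit must match'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net_str))
    w = int(ipaddress.IPv4Address(wild_str))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (n & keep)


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return a matcher."""
    t = tokens.pop(0)
    if t == "any":
        return lambda ip: True
    if t == "host":
        h = tokens.pop(0)
        return lambda ip: ip == h
    w = tokens.pop(0)
    return lambda ip: _wild_match(ip, t, w)


def _parse_port(tokens):
    """Consume an optional port operator (eq|gt|lt|neq|range N [M])."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "neq", "range"):
        return lambda p: True
    op = tokens.pop(0)
    if op == "range":
        lo, hi = int(tokens.pop(0)), int(tokens.pop(0))
        return lambda p: lo <= p <= hi
    v = int(tokens.pop(0))
    return {"eq": lambda p: p == v, "gt": lambda p: p > v,
            "lt": lambda p: p < v, "neq": lambda p: p != v}[op]


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [port] DST [port] [established]' lines."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        num, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        established = "established" in rest
        src, sport = _parse_addr(rest), _parse_port(rest)
        dst, dport = _parse_addr(rest), _parse_port(rest)
        acls.setdefault(num, []).append((action, proto, src, sport, dst, dport, established))
    return acls


def evaluate(acl, pkt):
    """First matching entry wins; unmatched packets hit the implicit deny."""
    for action, proto, src, sport, dst, dport, established in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if not (src(pkt.src) and sport(pkt.sport) and dst(pkt.dst) and dport(pkt.dport)):
            continue
        if established and not (pkt.ack or pkt.rst):
            continue   # 'established' only matches segments with ACK or RST set
        return action
    return "deny"


# The accepted answer's entries (101 = out on external, 102 = in on external),
# plus the loose and tightened DNS entries from the last comment (numbers assumed).
ACL_TEXT = """
access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23
access-list 101 permit tcp host 10.10.10.31 eq 23 any gt 1023 established
access-list 102 permit tcp any eq 23 10.10.10.0 0.0.0.255 gt 1023 established
access-list 102 permit tcp any gt 1023 host 10.10.10.31 eq 23
access-list 110 permit udp any eq 53 any
access-list 111 permit udp any eq 53 any gt 1023
"""


def demo():
    """Run constructed packets through the ACLs and return a name -> verdict map."""
    acls = parse_acl(ACL_TEXT)
    out_ext, in_ext = acls["101"], acls["102"]
    r = {}
    # Internal host opens telnet to an external host; the SYN/ACK reply comes back.
    r["int_telnet_out"] = evaluate(out_ext, Packet("tcp", "10.10.10.5", 40000, "192.168.1.10", 23))
    r["int_telnet_reply"] = evaluate(in_ext, Packet("tcp", "192.168.1.10", 23, "10.10.10.5", 40000, ack=True))
    # External host may telnet to the router only, not to another internal host.
    r["ext_telnet_router"] = evaluate(in_ext, Packet("tcp", "192.168.1.10", 40000, "10.10.10.31", 23))
    r["ext_telnet_host"] = evaluate(in_ext, Packet("tcp", "192.168.1.10", 40000, "10.10.10.5", 23))
    # Forged source port 23 without ACK is denied, but a forged ACK-only segment
    # still satisfies 'established' (the denial-of-service caveat in the answer).
    r["ext_spoof_sport23_syn"] = evaluate(in_ext, Packet("tcp", "192.168.1.10", 23, "10.10.10.5", 40000))
    r["ext_spoof_sport23_ack"] = evaluate(in_ext, Packet("tcp", "192.168.1.10", 23, "10.10.10.5", 40000, ack=True))
    # Anything but telnet from inside (e.g. HTTP) is dropped by the implicit deny.
    r["int_http_out"] = evaluate(out_ext, Packet("tcp", "10.10.10.5", 40000, "192.168.1.10", 80))
    # DNS: source port 53 aimed at UDP/161 passes the loose entry, not the tightened one.
    snmp = Packet("udp", "192.168.1.66", 53, "10.10.10.5", 161)
    r["dns_loose_to_snmp"] = evaluate(acls["110"], snmp)
    r["dns_tight_to_snmp"] = evaluate(acls["111"], snmp)
    r["dns_tight_reply"] = evaluate(acls["111"], Packet("udp", "192.168.1.66", 53, "10.10.10.5", 35000))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The evaluator deliberately models only the classic numbered-ACL semantics the thread relies on (stateless, flag check only); it does not model the router's own generated traffic, which an outbound ACL on IOS does not filter.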

Author Comment

by:Raymond
ID: 6864552
Thanx a lot !!!