Solved

need ACL for my 3640 to permit HTTP, email, and DNS

Posted on 2002-04-17
5
780 Views
Last Modified: 2007-11-27
Assume a webserver IP of 63.63.63.63, SSL server 63.63.63.64, smtp 63.63.63.65, pop/imap server 63.63.63.66, dns server 63.63.63.67, dns slave 66.66.66.66 and local users on network 63.63.63.0/24.

I'm trying to configure my ACL to allow outside users access to (and protect) my servers and at the same time give my local users access to http, https, ftp and email. I plan to put the following on the Serial interface.


local net of 63.63.63.0/24

>>>incoming traffic<<<<<<<<

access-list 101 remark PROTECT FTP
access-list 101 permit tcp any gt 1023 host 63.63.63.63 eq 21
access-list 101 permit tcp any gt 1023 host 63.63.63.63 eq 20 established
access-list 101 permit tcp any gt 1023 host 63.63.63.63 gt 1023
access-list 101 permit tcp any eq 21 host 63.63.63.63 gt 1023 established
access-list 101 permit tcp any eq 20 host 63.63.63.63 gt 1023
access-list 101 permit tcp any gt 1023 host 63.63.63.63 gt 1023 established
access-list 101 remark PROTECT HTTP
access-list 101 permit tcp any gt 1023 host 63.63.63.63 eq 80
access-list 101 permit tcp any eq 80 63.63.63.0 0.0.0.255 gt 1023 established
access-list 101 permit tcp any gt 1023 host 63.63.63.64 eq 443
access-list 101 permit tcp any eq 443 63.63.63.0 0.0.0.255 gt 1023 established
access-list 101 remark PROTECT EMAIL
access-list 101 permit tcp any gt 1023 host 63.63.63.65 eq 25
access-list 101 permit tcp any gt 1023 63.63.63.0 0.0.0.255 eq 25
access-list 101 permit tcp any gt 1023 host 63.63.63.66 eq 110
access-list 101 permit tcp any gt 1023 host 63.63.63.66 eq 143
access-list 101 remark PROTECT DNS
access-list 101 permit tcp host 63.63.63.66 gt 1023 any eq 53
access-list 101 permit udp host 63.63.63.66 gt 1023 any eq 53
access-list 101 permit tcp host 63.63.63.66 gt 1023 host 66.66.66.66 eq 53
access-list 101 deny ip any any

>>>outgoing traffic<<<<<<<<<

access-list 102 remark PROTECT FTP
access-list 102 permit tcp 63.63.63.0 0.0.0.255 eq 21 any gt 1023 established
access-list 102 permit tcp 63.63.63.0 0.0.0.255 eq 20 any gt 1023
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any gt 1023 established
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any eq 21
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any eq 20 established
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any gt 1023
access-list 102 remark PROTECT HTTP
access-list 102 permit tcp 63.63.63.0 0.0.0.255 eq 80 any gt 1023 established
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any eq 80
access-list 102 permit tcp 63.63.63.0 0.0.0.255 eq 443 any gt 1023 established
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any eq 443
access-list 102 remark PROTECT EMAIL
access-list 101 permit tcp any gt 1023 any eq 25
access-list 101 permit tcp any gt 1023 host 63.63.63.65 eq 110
access-list 101 permit tcp any gt 1023 host 63.63.63.65 eq 143
access-list 101 permit tcp 63.63.63.0 0.0.0.255 any eq 110
access-list 101 permit tcp 63.63.63.0 0.0.0.255 any eq 143
access-list 102 remark PROTECT DNS
access-list 101 permit tcp host 63.63.63.67 gt 1023 any eq 53
access-list 101 permit udp host 63.63.63.67 gt 1023 any eq 53
access-list 101 permit tcp host 63.63.63.67 host 66.66.66.66 eq 53
access-list 102 deny ip any any


0
Question by:duficy
5 Comments
 
LVL 8

Expert Comment

by:scraig84
What exactly is your question?

Also as an FYI, the "deny any any" is redundant since this is implied at the bottom of any ACL.
0
 

Author Comment

by:duficy
My question is: will the list allow customers on the outside to access the listed services but block other services, and allow my users on my network to access these services on the Internet?

>>Also as an FYI, the "deny any any" is redundant


Thanks. I thought I read somewhere that it was a good idea to add this albeit redundant statement.

Thanks,
0
 
LVL 8

Accepted Solution

by:
scraig84 earned 50 total points
Ahh - well my answer would be that if you want real protection, you should go with a firewall - or at least the firewall feature set on your router. However, if you truly can only go with an ACL, there are a few changes I would make:

First off, in your inbound list you have a number of lines allowing established sessions to come back from certain ports. Are you really that concerned over what can come back when it's already been established? You could simplify this with one line allowing all traffic to come back to ports gt 1023 established. This will remove 5 or 6 lines from your ACL and won't change functionality.

On somewhat the same note for your outbound list - why do you care whether or not the traffic is established going out?  I would remove the "established" keywords from your outbound list.  Remember that the less checking the processor has to do the better and this really serves no purpose unless you are afraid that somebody on the inside of your network is going to use one of the well known ports as a source when trying to establish a session.

Another thing - look at the following lines from the outbound:

access-list 101 permit tcp any gt 1023 host 63.63.63.65 eq 110
access-list 101 permit tcp any gt 1023 host 63.63.63.65 eq 143
access-list 101 permit tcp 63.63.63.0 0.0.0.255 any eq 110
access-list 101 permit tcp 63.63.63.0 0.0.0.255 any eq 143

This makes no sense to me.  Unless this list is going to be applied to two different interfaces, I don't understand this.  The first 2 lines above have traffic going to the 63.63.63.0/24 subnet and the second two have it coming FROM that subnet.  When you apply this list to an interface, how is that possible?

Another thing that I see all over the place - you allow a number of things coming in but don't allow them back out.  For example, you allow DNS requests to come in on port 53, but I don't see you allowing it outbound.  Instead you allow an outbound session to destination 53 rather than from source 53 to allow the reply.  Therefore, you are nullifying the fact that you allowed the traffic inbound.

The only other question I have is regarding your outbound policy in general - most people allow anything outbound, but restrict inbound.  This is the default behaviour of the PIX and most firewalls.  Are you sure this isn't what you want?

Hopefully this gets you going in the right direction. There are probably some other things I have missed in haste, and I have typically found that ACLs are a lot of trial and error.

Good luck!
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 50 total points
I agree with scraig84. Forget about restricting outbound traffic and only restrict inbound.

Since all of your servers are on the same subnet as your users, then they are on the same interface and the packets will never even hit the router, let alone the access list.

Here's my suggestion:

logging buffered 4096

interface serial 0/0
 ip access-group 101 in

access-list 101 permit icmp any any
access-list 101 permit tcp any host 63.63.63.63 eq 80
access-list 101 permit tcp any host 63.63.63.64 eq 443
access-list 101 permit tcp any host 63.63.63.65 eq 25
access-list 101 permit tcp any host 63.63.63.66 eq 110
access-list 101 permit tcp any host 63.63.63.66 eq 143
access-list 101 permit udp any host 63.63.63.67 eq 53
access-list 101 permit udp any host 63.63.63.66 eq 53
access-list 101 permit tcp any 63.63.63.0 0.0.0.255 established
access-list 101 deny ip any any log

You need to allow some icmp, but not everything.

You can see the hits (and misses) with the log keyword.

Use show ip access-list and show log.
The log entries will show you the source and destination of denied packets, to let you know if you need to open something up, and the access-list hit count will let you know the other entries are doing their job.

Then you can add more entries for blocking some icmp, anti-spoofing, code-red, etc...

Some resources.
http://www.nwc.com/907/907ws1.html
http://rr.sans.org/firewall/blocking_cisco.php
http://rr.sans.org/firewall/router2.php
http://nsa1.www.conxion.com/cisco/


0
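To see what lrmoore's inbound list 101 actually admits (and to make scraig84's point about "established" concrete), here is an added Python evaluator that is not part of the thread or of Cisco's software: it parses the subset of extended-ACL syntax used above and runs constructed packets through the list. The final deny is written out as "deny ip any any", and the outside hosts 198.51.100.x and the local user 63.63.63.10 are assumed sample addresses.

```python
import ipaddress

# lrmoore's inbound list 101, final deny written out as "deny ip any any"
ACL_101 = """access-list 101 permit icmp any any
access-list 101 permit tcp any host 63.63.63.63 eq 80
access-list 101 permit tcp any host 63.63.63.64 eq 443
access-list 101 permit tcp any host 63.63.63.65 eq 25
access-list 101 permit tcp any host 63.63.63.66 eq 110
access-list 101 permit tcp any host 63.63.63.66 eq 143
access-list 101 permit udp any host 63.63.63.67 eq 53
access-list 101 permit tcp any 63.63.63.0 0.0.0.255 established
access-list 101 deny ip any any log""".splitlines()

def _addr(t, i):  # address spec: any | host A.B.C.D | A.B.C.D WILDCARD
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        w = ipaddress.ip_address(t[i + 1])
        return (lambda ip, w=w: ipaddress.ip_address(ip) == w), i + 2
    n, w = int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))
    return (lambda ip, n=n, w=w: (int(ipaddress.ip_address(ip)) | w) == (n | w)), i + 2  # 1 bits = don't care

def _port(t, i):  # optional port operator: eq N | gt N; absent means any port
    if i < len(t) and t[i] in ("eq", "gt"):
        op, n = t[i], int(t[i + 1])
        return (lambda p, op=op, n=n: p == n if op == "eq" else p > n), i + 2
    return (lambda p: True), i

def parse_ace(line):
    t = line.split()  # access-list N action proto src [port] dst [port] [established] [log]
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return dict(action=t[2], proto=t[3], src=src, sport=sport, dst=dst,
                dport=dport, established="established" in t[i:], line=line)

def evaluate(acl, proto, src, sport, dst, dport, ack=False):
    for a in acl:  # first match wins; no match means the implicit deny at the end
        ports_ok = proto == "icmp" or (a["sport"](sport) and a["dport"](dport))
        est_ok = not a["established"] or (proto == "tcp" and ack)  # needs ACK/RST set
        if a["proto"] in ("ip", proto) and a["src"](src) and a["dst"](dst) and ports_ok and est_ok:
            return a["action"], a["line"]
    return "deny", "implicit deny"

def demo():  # constructed packets; 198.51.100.x and 63.63.63.10 are made-up hosts
    acl = [parse_ace(l) for l in ACL_101]
    pkts = {"web_request": ("tcp", "198.51.100.9", 40001, "63.63.63.63", 80, False),
            "web_reply_to_user": ("tcp", "198.51.100.9", 80, "63.63.63.10", 40002, True),
            "telnet_to_webserver": ("tcp", "198.51.100.9", 40003, "63.63.63.63", 23, False),
            "dns_reply_to_resolver": ("udp", "198.51.100.53", 53, "63.63.63.67", 40004, False)}
    return {name: evaluate(acl, *p)[0] for name, p in pkts.items()}
```

The last result is the gap to watch for in the deny log: the local DNS server's own recursive lookups come back as UDP from source port 53 to a high port, which neither the udp 53 entry nor the TCP-only established entry covers.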
 

Expert Comment

by:CleanupPing
duficy:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
