Solved

Cisco 2600 - How to block all ports except a few - ACLs

Posted on 2003-10-24
754 Views
Last Modified: 2010-05-18
We currently have a Cisco 2600 that we use to access the internet.  It is running NAT and we have some static mappings to servers behind the NAT.  Currently it looks like our Cisco is wide open and anyone can get it.  We would like to block all ports except for a few.  How do we do this?  We have attempted to use ACLs, but every time we apply them to the serial interface it blocks everything.  We can't browse the internet through this router after we make the change.  What are we missing?  Below is our current configuration for the router.  Could someone give me step by step instructions on how we should set up this router to block all ports except for the following ports:

25
23
80
443
53 - DNS
3389 - Terminal Services
5631 - PcAnywhere
5632 - PcAnywhere
42508 - Virus Scanner Admin

The only thing I can guess is maybe because we are using NAT that by blocking all ports it is somehow stopping the NAT.  Is that possible?  Here is our router configuration (I have taken out my specific Public IPs and replaced them with letters):

Current configuration:
!
version 11.3
service password-encryption
!
hostname XXXXXXXXX
!
enable secret XXXXXXX
enable password XXXXXXXX
!
ip subnet-zero
ip nat translation timeout 300
ip nat pool BCI aaa.b.ccc.198 aaa.b.ccc.222 netmask 255.255.255.224
ip nat inside source list 1 pool BCI overload
ip nat inside source static tcp 192.168.1.11 3389 aaa.b.ccc.194 3389 extendable
ip nat inside source static tcp 192.168.1.89 5632 aaa.b.ccc.195 5632 extendable
ip nat inside source static tcp 192.168.1.89 5631 aaa.b.ccc.195 5631 extendable
ip nat inside source static tcp 192.168.1.2 110 aaa.b.ccc.193 110 extendable
ip nat inside source static tcp 192.168.1.2 25 aaa.b.ccc.193 25 extendable
ip nat inside source static tcp 192.168.1.200 80 aaa.b.ccc.196 80 extendable
ip nat inside source static tcp 192.168.1.200 443 aaa.b.ccc.196 443 extendable
ip nat inside source static tcp 192.168.1.203 80 aaa.b.ccc.197 80 extendable
ip nat inside source static tcp 192.168.1.203 443 aaa.b.ccc.197 443 extendable
ip name-server xx.xxx.xx.x
ip name-server xx.xxx.xx.x
ip ftp username anonymous
ip ftp password XXXXXXXXXXX
!
!
!
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address aaa.b.ccc.182 255.255.255.252
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 bandwidth 1544
 no fair-queue
 no service-module t1 remote-loopback full
!
****NOTE***** These routes below are because we have a second router which hooks to our private WAN going to our other offices.

ip classless
ip route 0.0.0.0 0.0.0.0 aaa.b.ccc.181
ip route 192.168.2.0 255.255.255.0 192.168.1.250
ip route 192.168.3.0 255.255.255.0 192.168.1.250
ip route 192.168.4.0 255.255.255.0 192.168.1.250
ip route 192.168.5.0 255.255.255.0 192.168.1.250
ip route 192.168.6.0 255.255.255.0 192.168.1.250
ip route 192.168.7.0 255.255.255.0 192.168.1.250
ip route 192.168.8.0 255.255.255.0 192.168.1.250
ip route 192.168.9.0 255.255.255.0 192.168.1.250
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password 7 0215145419121C
 logging synchronous
 login
!
end

Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 2/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 4/75, 67500 drops
  5 minute input rate 69000 bits/sec, 108 packets/sec
  5 minute output rate 97000 bits/sec, 108 packets/sec
     60988608 packets input, 1948692328 bytes, 0 no buffer
     Received 2542602 broadcasts, 0 runts, 0 giants, 0 throttles
     844 input errors, 0 CRC, 0 frame, 0 overrun, 844 ignored, 0 abort
     0 input packets with dribble condition detected
     60508201 packets output, 1881484183 bytes, 0 underruns
     5 output errors, 631606 collisions, 1 interface resets
     0 babbles, 0 late collision, 982818 deferred
     5 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Serial0/0 is up, line protocol is up
  Hardware is PQUICC with Fractional T1 CSU/DSU
  Internet address is aaa.b.ccc.182/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 4/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 373 drops; input queue 0/75, 1312 drops
  5 minute input rate 61000 bits/sec, 63 packets/sec
  5 minute output rate 30000 bits/sec, 61 packets/sec
     143732267 packets input, 2921237736 bytes, 0 no buffer
     Received 531975 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     141669120 packets output, 2746333985 bytes, 0 underruns
     0 output errors, 0 collisions, 5 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Standard IP access list 1
    permit 192.168.0.0, wildcard bits 0.0.255.255
    permit 10.1.1.0, wildcard bits 0.0.0.255

Any help that we can get would be very appreciated.  Thank you.
Question by:sqwasi

9 Comments
LVL 79

Accepted Solution

by: lrmoore earned 250 total points
Not hard at all...

Try this on:

ip access-list extended inbound
 permit tcp any any established  <--- this is probably what you're missing
 permit udp any eq 53 any         <--- along with the dns
 permit tcp any host aaa.b.ccc.194 eq 3389
 permit tcp any host aaa.b.ccc.193 eq 110
 permit tcp any host aaa.b.ccc.193 eq 25
 permit tcp any host aaa.b.ccc.196 eq 80
 permit tcp any host aaa.b.ccc.196 eq 443
 permit tcp any host aaa.b.ccc.197 eq 80
 permit tcp any host aaa.b.ccc.197 eq 443
 permit tcp any host aaa.b.ccc.195 eq 5632
 permit tcp any host aaa.b.ccc.195 eq 5631
 deny ip any any log     <--- keyword "log" helps in troubleshooting
!
interface Serial 0/0
 ip access-group inbound in
!

 
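To make the accepted answer's point concrete, here is an added example (it is not lrmoore's code and not anything from Cisco IOS): a small Python model of how IOS walks an extended access list, fed the exact entries from the answer above. It shows why the `established` line matters: without it, the SYN/ACK and data packets coming back to the NAT pool for an inside user's web session hit the final `deny ip any any`, which is the "blocks everything" symptom from the question. The only assumptions are the evaluator itself (first match wins, implicit deny at the end, `established` meaning "ACK or RST bit set"), the `aaa.b.ccc.*` placeholders from the question, and the constructed outside addresses in `demo()`.

```python
"""Added example, not code from the answer or from Cisco: a model of how IOS
evaluates the accepted answer's inbound ACL.  Supported syntax subset:
  permit|deny <proto> <src> [eq <port>] <dst> [eq <port>] [established] [log]
where an address is "any" or "host X".  First match wins; a packet matching
nothing hits the implicit deny that ends every IOS access list.  aaa.b.ccc.*
are the question's redacted public addresses; other addresses are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}  # IOS keywords after "eq" (subset)


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool
    log: bool


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK or RST bit set: this is all "established" checks


def parse_entry(line: str) -> Entry:
    """Parse one ACL line; text after '<' (the answer's arrow notes) is ignored."""
    tokens = line.split("<", 1)[0].split()
    action, proto, pos = tokens[0], tokens[1], 2

    def take_addr() -> str:
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return "any"
        if tokens[pos] == "host":
            pos += 2
            return tokens[pos - 1]
        raise ValueError(f"unsupported address form in: {line}")

    def take_port() -> Optional[int]:
        nonlocal pos
        if pos < len(tokens) and tokens[pos] == "eq":
            pos += 2
            name = tokens[pos - 1]
            return PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    flags = set(tokens[pos:])
    if "established" in flags and proto != "tcp":
        raise ValueError("'established' is only valid on tcp entries")
    return Entry(action, proto, src, sport, dst, dport,
                 "established" in flags, "log" in flags)


def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and e.src in ("any", p.src) and e.dst in ("any", p.dst)
            and e.sport in (None, p.sport) and e.dport in (None, p.dport)
            and (p.ack or not e.established))


def evaluate(acl, p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number); ("deny", None) is the implicit deny."""
    for n, e in enumerate(acl, 1):
        if matches(e, p):
            return e.action, n
    return "deny", None


INBOUND = [parse_entry(l) for l in [  # the accepted answer's list, in order
    "permit tcp any any established", "permit udp any eq 53 any",
    "permit tcp any host aaa.b.ccc.194 eq 3389",
    "permit tcp any host aaa.b.ccc.193 eq 110", "permit tcp any host aaa.b.ccc.193 eq 25",
    "permit tcp any host aaa.b.ccc.196 eq 80", "permit tcp any host aaa.b.ccc.196 eq 443",
    "permit tcp any host aaa.b.ccc.197 eq 80", "permit tcp any host aaa.b.ccc.197 eq 443",
    "permit tcp any host aaa.b.ccc.195 eq 5632", "permit tcp any host aaa.b.ccc.195 eq 5631",
    "deny ip any any log"]]
# The same list minus the "established" entry: the shape of a first attempt that
# "blocks everything", because no reply traffic for inside users can get back in.
WITHOUT_ESTABLISHED = [e for e in INBOUND if not e.established]


def demo() -> dict:
    """Constructed packets arriving inbound on Serial0/0 from the internet."""
    rdp_syn = Packet("tcp", "203.0.113.10", 50000, "aaa.b.ccc.194", 3389)
    web_reply = Packet("tcp", "198.51.100.5", 80, "aaa.b.ccc.200", 40000, ack=True)  # to a NAT pool address
    dns_reply = Packet("udp", "198.51.100.53", 53, "aaa.b.ccc.200", 33000)
    smb_syn = Packet("tcp", "203.0.113.10", 50001, "aaa.b.ccc.194", 445)  # no static mapping
    return {"rdp": evaluate(INBOUND, rdp_syn),
            "web_reply": evaluate(INBOUND, web_reply),
            "web_reply_without_established": evaluate(WITHOUT_ESTABLISHED, web_reply),
            "dns_reply": evaluate(INBOUND, dns_reply),
            "smb_probe": evaluate(INBOUND, smb_syn)}
```

Run `demo()` and the web reply is permitted by entry 1 of the full list but denied by the last entry of the list without `established`. Two caveats the model makes visible: an inbound ACL on the outside interface is checked before NAT translation, which is why the host entries name the public addresses rather than the 192.168.1.x servers; and `established` is not a connection table, it only tests the ACK/RST bits, so any packet carrying those bits passes entry 1, and UDP has no equivalent (hence the separate source-port-53 entry, which also admits any UDP packet whose source port happens to be 53). Reflexive ACLs or CBAC are the IOS features to look at when a real stateful check is wanted.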
LVL 2

Author Comment

by:sqwasi
Before I try this how would I also permit access with telnet to my cisco router?  Would I add in a permit for telnet? Would I specify the IP of the router?
LVL 2

Author Comment

by:sqwasi
OK, that was exactly what I needed.  Thank you very much.  I was able to open the port to telnet by adding in:

permit tcp any host (public ip of router) eq 23

It is working perfectly.  One more question though.  If the line "deny ip any any log" is logging denied information, where do I view it?  Thank you
LVL 79

Expert Comment

by:lrmoore
You could certainly add a line to permit telnet

 permit tcp any host aaa.b.ccc.182 eq telnet log  <-- suggest keeping track of who telnets in



LVL 7

Expert Comment

by:NicBrey
Where you view the logs depends on where you are logging to.

Suggest you use a syslog server and log to that. That way you are not using the router's resources to keep the logs.

Add the line:
router(config)#logging <IP address of syslog server>

and install the syslog server on a windows machine.
http://www.softandco.com/Internet/c/8/a/4260/WinSyslog.html
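Once the router is sending to a syslog server, the useful next step is to do something with the lines that the `deny ip any any log` and `permit ... eq telnet log` entries generate. The following is an added example, not code from this thread or from any syslog product: a parser for those messages plus the small summary a defender would want (denied packets per destination port, sources that touched several closed ports, and every logged telnet login). It assumes the message shape of IOS's `%SEC-6-IPACCESSLOGP` messages for tcp/udp; the log lines in `SAMPLE_LOG` are constructed for the demo, and `aaa.b.ccc.*` are the question's redacted public addresses.

```python
"""Added example, not code from the thread: parse the syslog messages produced
by logged ACL entries and summarize them.  Assumes IOS's %SEC-6-IPACCESSLOGP
format for tcp/udp; sample lines are constructed, aaa.b.ccc.* are the
question's redacted public addresses."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\S+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\S+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

# Constructed sample: three probes from one source, two stray hits, one
# unrelated system message, and one logged telnet login to the router itself.
SAMPLE_LOG = """\
Oct 24 10:15:03: %SEC-6-IPACCESSLOGP: list inbound denied tcp 203.0.113.10(4123) -> aaa.b.ccc.194(445), 1 packet
Oct 24 10:15:04: %SEC-6-IPACCESSLOGP: list inbound denied tcp 203.0.113.10(4124) -> aaa.b.ccc.194(135), 1 packet
Oct 24 10:15:09: %SEC-6-IPACCESSLOGP: list inbound denied tcp 203.0.113.10(4125) -> aaa.b.ccc.194(1433), 3 packets
Oct 24 10:16:40: %SYS-5-CONFIG_I: Configured from console by console
Oct 24 10:17:12: %SEC-6-IPACCESSLOGP: list inbound denied tcp 198.51.100.7(51000) -> aaa.b.ccc.196(8080), 1 packet
Oct 24 10:18:30: %SEC-6-IPACCESSLOGP: list inbound denied udp 198.51.100.9(1034) -> aaa.b.ccc.193(137), 2 packets
Oct 24 10:20:01: %SEC-6-IPACCESSLOGP: list inbound permitted tcp 192.0.2.5(2222) -> aaa.b.ccc.182(23), 1 packet
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one ACL log message, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize(text: str, scan_threshold: int = 3) -> Dict[str, object]:
    """Aggregate denied traffic and list permitted (logged) logins.

    A source that was denied on scan_threshold or more distinct destination
    ports is reported as a possible port scan; the threshold is a demo choice."""
    denied_packets = 0
    by_dst_port: Counter = Counter()
    ports_per_source: Dict[str, set] = defaultdict(set)
    permitted_logins: List[tuple] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "denied":
            denied_packets += rec["count"]  # IOS reports per-interval packet counts
            by_dst_port[(rec["dst"], rec["dport"])] += rec["count"]
            ports_per_source[rec["src"]].add(rec["dport"])
        else:
            permitted_logins.append((rec["src"], rec["dst"], rec["dport"]))
    scanners = sorted(src for src, ports in ports_per_source.items()
                      if len(ports) >= scan_threshold)
    return {"denied_packets": denied_packets,
            "by_dst_port": by_dst_port,
            "possible_scanners": scanners,
            "permitted_logins": permitted_logins}
```

`summarize(SAMPLE_LOG)` reports 8 denied packets, flags `203.0.113.10` as having touched three closed ports on one host, and lists the single telnet login. Two practical notes on the logged entries themselves: IOS emits the first hit immediately and then a "n packets" summary per interval rather than one line per packet, which is why the counts are summed, and packets that match a `log` entry are handled on the CPU, so a `deny ... log` on a busy link costs router resources. Logging to a syslog host, as the comment above suggests, is the right place to keep these.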
LVL 2

Author Comment

by:sqwasi
One more question.  I need to use MRTG to monitor a router that is external from my network.  I need to open up the SNMP ports.  What lines should I add to open up snmp?  I think it uses udp 161 and 162.  Thank you.
LVL 79

Expert Comment

by:lrmoore
If you are monitoring an external router, you might have to open up UDP 161 only:

permit udp host a.b.c.d eq 161 any
 
How about opening up new question threads next time?

LVL 2

Author Comment

by:sqwasi
Sorry about that.  I will do that next time.  Thank you.
LVL 79

Expert Comment

by:lrmoore
Glad to help out any way I can.
No apology needed.
The only people that see your new questions once it has been accepted are the ones that participated in the original. Just in case we're not around, it's in your best interest to open up a new Q thread to get more "eyes" on your issues.

Cheers!