Solved

Cisco Internet Router ACLs

Posted on 2005-04-14
1,010 Views
Last Modified: 2008-02-01
I have an Internet Router (Cisco 3800) that connects our ISP to our firewalls.  Our firewalls handle all of our policy enforcement.  So our router should pass ALL traffic to the firewall.  So I don't need many ACLs on the Internet Router.

My only concern for ACLs on the Internet Router are to protect the router itself.  For example on the internal interface we have ACLs that look like...

access-list 100 remark Inbound ACL on FastEthernet 1/0 (Firewall Network)
access-list 100 permit tcp host 192.168.1.100 host 10.1.1.1 eq 22
access-list 100 permit tcp host 192.168.1.100 host 10.1.1.1 eq 443
access-list 100 permit tcp host 192.168.1.100 host 10.1.1.1 eq cmd
access-list 100 permit udp host 192.168.1.100 host 10.1.1.1 eq snmp
access-list 100 deny   tcp any host 10.1.1.1 eq telnet
access-list 100 deny   tcp any host 10.1.1.1 eq 22
access-list 100 deny   tcp any host 10.1.1.1 eq www
access-list 100 deny   tcp any host 10.1.1.1 eq 443
access-list 100 deny   tcp any host 10.1.1.1 eq cmd
access-list 100 deny   udp any host 10.1.1.1 eq snmp
access-list 100 permit ip any any

That was auto-created by Cisco Router and Security Device Manager (SDM).  It allows my management IP to hit the router internal interface on ports 22, 443, cmd, snmp.  It then denies anybody else from hitting the interesting ports.

My question is, are those denies enough? Or should we deny tcp any host 10.1.1.1 any port?

Also what should we apply on the external interface?

Thanks
Shane
Question by:shanepresley
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13781932
If you run the SDM Wizard to "lock down" the router, it should generate all the access-lists and everything needed to meet "best practices".
 
LVL 1

Author Comment

by:shanepresley
ID: 13782700
lrmoore, the lock down wizard created the ACL above.  I found it odd that the wizard did not create a more encompassing deny rule.  They deny SSH, SNMP, etc, but I would imagine a better way is to allow ICMP, and deny everything else?

Also, the wizard did not create any ACLs for our external facing interface.  And it doesn't complain about that.  Shouldn't we have one there?

 
LVL 79

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 13782854
The thing about acls, and one of my pet peeves with the lockdown wizard, and with all the published "best practices", is that if you have a single "permit" then EVERYTHING else is denied by default.

In your case, on the external facing interface:

  access-list 111 permit ip any host <public ip of firewall1>
  access-list 111 permit ip any host <public ip of firewall2>
  ! let me in from home if I need to
  access-list 111 permit tcp host <my home ip> host <Wan interface IP> eq 22

interface <wan>
  ip access-group 111 in

With that simple acl, assuming that the firewall(s) use PAT and not a NAT pool, that's all you need.
Nobody can telnet to/access/ssh or anything to the external IP address of the router itself.

As long as you have an access-class assigned to your line vty, that is additional protection for telnet access to the router.

These guides are the basis for most of the lockdown tool and other white papers out there:
http://www.nsa.gov/snac/downloads_cisco.cfm?MenuID=scg10.3.1

 
LVL 1

Author Comment

by:shanepresley
ID: 13783620
Thanks lrmoore, that was an excellent link from nsa.  And your explanation of an ACL for the outside interface helped.

Your external ACL only permits me from home.  Wouldn't I also need to allow public (from ANY) ping/traceroute to my router.  Or should that generally be shut off as well?  I notice most ISP routers allow it?  But I suppose I could deny it.

Regarding my internal ACL that the wizard generated.  It seems I would be better off changing it to simply deny everything to the router IP.  The wizard generated one just denies SSH, SNMP, etc, then says permit ip any any.  Something like....

access-list 100 remark Inbound ACL on FastEthernet 1/0 (Firewall Network)
access-list 100 permit tcp host 192.168.1.100 host 10.1.1.1 eq 22
! .....all my permits go here for my admins....
access-list 100 deny   tcp any host 10.1.1.1
access-list 100 permit ip any any
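The behaviour lrmoore describes (first match wins, and a packet that matches no entry is dropped by the implicit deny at the end of every IOS ACL) is what makes the short external ACL sufficient, and it is also why the SDM-generated internal ACL leaves gaps: anything to the router IP on a port not explicitly listed falls through to `permit ip any any`. The following Python evaluator is an added example, not code from the thread or from Cisco; it parses the numbered-ACL lines in the same syntax used above and runs constructed sample packets through the SDM list, Shane's tightened list and lrmoore's external list. It generalizes Shane's tightened rule to `deny ip any host 10.1.1.1` so that UDP and ICMP to the router are covered as well as TCP. The public firewall, home and WAN addresses are documentation-range placeholders, and the parser supports only the `any` / `host` / contiguous-wildcard address forms and a trailing `eq PORT`.

```python
"""Minimal first-match evaluator for Cisco IOS numbered extended ACLs.
Added example: models the ordering and implicit-deny semantics discussed
in the thread.  All addresses in the external ACL and all sample packets
are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Port keywords that appear in the thread's ACLs (IOS accepts names or numbers).
PORT_NAMES = {"telnet": 23, "www": 80, "cmd": 514, "snmp": 161}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: object                # ip_network
    dst: object                # ip_network
    dport: Optional[int]       # None means any destination port


def _addr(tok, i):
    """Consume one address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    # A.B.C.D WILDCARD form; assumes a contiguous wildcard mask.
    wildcard = int(ip_address(tok[i + 1]))
    prefix = 32 - bin(wildcard).count("1")
    return ip_network((tok[i], prefix), strict=False), i + 2


def parse_line(line):
    """Turn one 'access-list N permit|deny ...' line into an Entry.
    Blank lines, '!' comments and 'remark' lines yield None."""
    tok = line.split()
    if not tok or tok[0] == "!" or tok[0] != "access-list" or tok[2] == "remark":
        return None
    action, proto = tok[2], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return Entry(action, proto, src, dst, dport)


def load_acl(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def evaluate(acl, pkt):
    """Return (action, matching Entry).  First match wins; a packet that
    matches nothing returns ("deny", None): the implicit deny ip any any."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if ip_address(pkt.src) not in e.src or ip_address(pkt.dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e
    return "deny", None


# The SDM-generated internal ACL exactly as posted in the question.
SDM_INTERNAL = load_acl("""
access-list 100 remark Inbound ACL on FastEthernet 1/0 (Firewall Network)
access-list 100 permit tcp host 192.168.1.100 host 10.1.1.1 eq 22
access-list 100 permit tcp host 192.168.1.100 host 10.1.1.1 eq 443
access-list 100 permit tcp host 192.168.1.100 host 10.1.1.1 eq cmd
access-list 100 permit udp host 192.168.1.100 host 10.1.1.1 eq snmp
access-list 100 deny   tcp any host 10.1.1.1 eq telnet
access-list 100 deny   tcp any host 10.1.1.1 eq 22
access-list 100 deny   tcp any host 10.1.1.1 eq www
access-list 100 deny   tcp any host 10.1.1.1 eq 443
access-list 100 deny   tcp any host 10.1.1.1 eq cmd
access-list 100 deny   udp any host 10.1.1.1 eq snmp
access-list 100 permit ip any any
""")

# Shane's tightened version, widened from tcp to ip so UDP/ICMP are covered too.
TIGHT_INTERNAL = load_acl("""
access-list 100 permit tcp host 192.168.1.100 host 10.1.1.1 eq 22
access-list 100 permit udp host 192.168.1.100 host 10.1.1.1 eq snmp
access-list 100 deny   ip any host 10.1.1.1
access-list 100 permit ip any any
""")

# lrmoore's external ACL with placeholder public addresses (constructed).
EXTERNAL = load_acl("""
access-list 111 permit ip any host 203.0.113.1
access-list 111 permit ip any host 203.0.113.2
access-list 111 permit tcp host 198.51.100.7 host 203.0.113.254 eq 22
""")

if __name__ == "__main__":
    for name, acl, pkt in [
        ("SDM internal", SDM_INTERNAL, Packet("tcp", "192.168.1.50", "10.1.1.1", 8080)),
        ("tight internal", TIGHT_INTERNAL, Packet("tcp", "192.168.1.50", "10.1.1.1", 8080)),
        ("external", EXTERNAL, Packet("icmp", "192.0.2.9", "203.0.113.254")),
    ]:
        print(f"{name:15} {pkt} -> {evaluate(acl, pkt)[0]}")
```

Running it shows the point of the thread in one line each: an unlisted port such as tcp/8080 to the router reaches `permit ip any any` under the SDM list but is dropped by the tightened one, while on the outside a ping to the WAN address matches nothing and is dropped by the implicit deny, which is the answer to Shane's ping/traceroute question for lrmoore's list as written (an explicit `permit icmp any host <Wan interface IP> echo` before the implicit deny would be needed to allow it).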
