ACL to limit unsolicited inbound traffic on a cable modem network without restricting legitimate web pages and internal users

I administer a small cable modem internet system.  We recently changed to a new provider for our pipe to the internet, more than doubling our capacity.  Since then we have noticed extreme slowdowns on web surfing, etc.  When I run IP Accounting on the various interfaces, I see millions of packets inbound to our end users' subnets that are not apparently initiated by web requests from inside the network.  I am trying to figure out the best way to use an ACL to stop these inbound floods at the edge router and hopefully speed up the surfing.

Here is the basic layout:

Multilink Frame Relay on a Cisco 2620 (edge router)
Connected via fast ethernet to a Cisco 2924 switch, single VLAN
Connected via fast ethernet to a Cisco uBR7223 CMTS. (FA0/0)
My end users connect to the CMTS via cable modem.

Here are the basic configs:
Building configuration...

Current configuration : 2428 bytes
!
! Last configuration change at 16:55:29 CST Wed Dec 21 2005 by netadmin
! NVRAM config last updated at 16:55:31 CST Wed Dec 21 2005 by netadmin
!
version 12.3
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Seneca-rtr
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
enable secret 5 $1$FEfx$2VXSEWnpfd9vY04dIZYMa0
enable password 7 104A591A164601
!
clock timezone CST -6
clock summer-time CDT recurring
aaa new-model
!
!
aaa authentication login userlist local
aaa session-id common
ip subnet-zero
!
!
ip domain name krausonline.com
!
ip cef
ip dhcp-server 70.228.19.36
!
!
!
!
!
!
!
!
!
!
!
username ART privilege 15 password 7 0872401D0A0D17471C5A0F17
username netadmin privilege 15 password 7 141342081F5539
username SBCIS privilege 15 password 7 06150D22455D
!
!
!
!
interface MFR0
 description SBCIS Multi-link
 no ip address
 encapsulation frame-relay IETF
 load-interval 30
 frame-relay lmi-type ansi
!
interface MFR0.1 point-to-point
 ip address 69.219.201.110 255.255.255.252
 frame-relay interface-dlci 287  
!
interface FastEthernet0/0
 ip address 70.228.19.33 255.255.255.240
 ip helper-address 70.228.19.36
 no ip proxy-arp
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Serial0/0
 description SBCIS HCGS927195LB
 no ip address
 encapsulation frame-relay MFR0
 no arp frame-relay
!
interface Serial0/1
 description SBCIS HCGS927196LB
 no ip address
 encapsulation frame-relay MFR0
 no arp frame-relay
!
ip default-gateway 69.219.201.109
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 69.219.201.109
ip route 70.228.19.34 255.255.255.255 FastEthernet0/0
ip route 70.228.19.36 255.255.255.255 FastEthernet0/0
ip route 70.228.48.0 255.255.255.0 70.228.19.34
ip route 70.228.49.0 255.255.255.0 70.228.19.34
!
!
logging history informational
!
!
snmp-server community public RO
!
!
!
banner login ^C
WARNING: To protect the system from unauthorized use and to ensure that the system is functioning properly,
activities on this system are monitored, recorded and subject to audit.
Use of this system is expressed consent to such monitoring and recording.
Any unauthorized access or use of this Automated Information System is prohibited,
and could be subject to criminal and civil penalties.
YOU HAVE BEEN WARNED!!!!
^C
!
line con 0
line aux 0
line vty 0 4
 password 7 09481E0A0A5404
!
!
end

CMTS1_Seneca_IL#sh run
Building configuration...

Current configuration : 7564 bytes
!
! Last configuration change at 09:57:11 CST Thu Dec 29 2005 by netadmin
! NVRAM config last updated at 09:57:12 CST Thu Dec 29 2005 by netadmin
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service udp-small-servers max-servers no-limit
service tcp-small-servers max-servers no-limit
!
hostname CMTS1_Seneca_IL
!
boot system flash slot0:ubr7200-ist-mz.121-5.T.bin
logging buffered informational
logging rate-limit console 10 except errors
no logging console
aaa new-model
aaa authentication password-prompt SPEAK_THE_MAGIC_COMMAND_TO_ENTER:
aaa authentication username-prompt GREETINGS_ALL_WHO_MAKE_THEIR_PRESENCE_KNOWN:
aaa authentication login userlist local
enable secret 5 $1$CDLl$vsz8eQqEK4X0nLKXMtgl41
enable password 7 09421E024825
!
username ART privilege 15 password 7 075C2D1F4D1D0B551943081F
username netadmin privilege 15 password 7 070B714F5D580A
username tony password 7 0255080808121D71421F0A0A
cable flap-list insertion-time 90
cable flap-list size 4000
cable flap-list power-adjust threshold 10
cable flap-list aging 1440
cable flap-list miss-threshold 10
cable modem remote-query 15 public
cable modulation-profile 2 request 0 16 0 8 qpsk scrambler 152 no-diff 64 fixed uw16
cable modulation-profile 2 initial 5 34 0 48 qpsk scrambler 152 no-diff 128 fixed uw16
cable modulation-profile 2 station 5 34 0 48 qpsk scrambler 152 no-diff 128 fixed uw16
cable modulation-profile 2 short 4 76 12 8 qpsk scrambler 152 no-diff 72 shortened uw8
cable modulation-profile 2 long 9 232 0 8 qpsk scrambler 152 no-diff 80 shortened uw8
cable modulation-profile 3 request 0 16 0 8 qpsk scrambler 152 no-diff 64 fixed uw16
cable modulation-profile 3 initial 5 34 0 48 qpsk scrambler 152 no-diff 128 fixed uw16
cable modulation-profile 3 station 5 34 0 48 qpsk scrambler 152 no-diff 128 fixed uw16
cable modulation-profile 3 short 7 76 7 8 16qam scrambler 152 no-diff 144 shortened uw16
cable modulation-profile 3 long 10 153 0 8 16qam scrambler 152 no-diff 200 shortened uw16
no cable qos permission create
no cable qos permission update
cable qos permission modems
cable time-server
clock timezone CST -6
clock summer-time CDT recurring
clock calendar-valid
ip subnet-zero
ip cef
no ip finger
ip domain-name krausonline.com
ip name-server 206.141.192.60
ip name-server 206.141.193.55
ip dhcp ping packets 0
ip dhcp relay information option
no ip dhcp relay information check
!
ip dhcp-server 70.228.19.36
!
!
!        
interface FastEthernet0/0
 ip address 70.228.19.34 255.255.255.240
 ip helper-address 70.228.19.36
 no ip proxy-arp
 no ip mroute-cache
 full-duplex
!
interface Serial1/0
 no ip address
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1/1
 no ip address
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1/2
 bandwidth 1544
 no ip address
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1/3
 bandwidth 1544
 no ip address
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Cable3/0
 ip address 70.228.48.1 255.255.255.0 secondary
 ip address 70.228.49.1 255.255.255.0 secondary
 ip address 10.1.1.1 255.255.255.0
 no ip mroute-cache
 no keepalive
 cable map-advance static
 cable insertion-interval 100
 cable downstream rate-limit token-bucket shaping granularity 8
 cable downstream rate-limit token-bucket shaping max-delay 1024
 cable downstream annex B
 cable downstream modulation 256qam
 cable downstream interleave-depth 32
 cable downstream frequency 117000000
 cable upstream 0 frequency 24000000
 cable upstream 0 power-level 0
 cable upstream 0 power-adjust continue 6
 cable upstream 0 channel-width 3200000
 cable upstream 0 minislot-size 2
 cable upstream 0 modulation-profile 2
 cable upstream 0 rate-limit token-bucket
 no cable upstream 0 shutdown
 cable upstream 1 frequency 24000000
 cable upstream 1 power-level 0
 cable upstream 1 shutdown
 cable upstream 2 frequency 24000000
 cable upstream 2 power-level 0
 cable upstream 2 shutdown
 cable upstream 3 frequency 24000000
 cable upstream 3 power-level 0
 cable upstream 3 shutdown
 cable upstream 4 frequency 24000000
 cable upstream 4 power-level 0
 cable upstream 4 shutdown
 cable upstream 5 frequency 24000000
 cable upstream 5 power-level 0
 cable upstream 5 shutdown
 no cable arp
 cable source-verify dhcp
 cable dhcp-giaddr policy
 cable helper-address 70.228.19.36
 arp timeout 3600
 hold-queue 1024 in
 hold-queue 1024 out
!
ip default-gateway 69.219.201.110
ip classless
ip route 0.0.0.0 0.0.0.0 69.219.201.110
ip route 69.219.201.110 255.255.255.255 70.228.19.33
ip route 70.228.19.36 255.255.255.255 FastEthernet0/0
no ip http server
!
!
map-class frame-relay hdlc
logging history debugging
logging trap errors
access-list 101 deny   udp any 10.0.0.0 0.255.255.255 eq snmp
access-list 101 deny   tcp any 10.0.0.0 0.255.255.255 eq www
access-list 101 deny   tcp any 10.0.0.0 0.255.255.255 eq telnet
access-list 101 deny   udp any 70.0.0.0 0.254.255.255 eq snmp
access-list 101 deny   tcp any 70.0.0.0 0.254.255.255 eq www
access-list 101 deny   ip any 224.0.0.0 15.255.255.255
access-list 101 deny   ip any 192.168.0.0 0.0.255.255
access-list 101 deny   ip any 169.254.0.0 0.0.0.255
access-list 101 deny   tcp any any range 135 139
access-list 101 deny   udp any any range 135 netbios-ss
access-list 101 deny   tcp any any eq 445
access-list 101 permit ip any any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 169.254.0.0 0.0.255.255 any
access-list 105 deny   tcp any any range 135 139
access-list 105 deny   udp any any range 135 netbios-ss
access-list 105 deny   tcp any any eq 445
access-list 105 permit ip any any
snmp-server engineID local 00000009020000308093A700
snmp-server community public RW
snmp-server enable traps casa
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps cable
snmp-server manager
tftp-server flash:staff.cm alias staff.cm
banner login ^C

WARNING: To protect the system from unauthorized use and to ensure that the
system is functioning properly, activities on this system are monitored and
recorded and subject to audit. Use of this system is expressed consent to such
monitoring and recording. Any unauthorized access or use of this Automated
Information System is prohibited and could be subject to criminal and civil
penalties.

^C
alias exec snr sh contr | in SNR
alias exec summ sh cable modem summary
alias exec unreg sh cable modem unregistered
alias exec flap sh cable flap
privilege exec level 2 send
privilege exec level 2 send  
privilege exec level 1 sh cable modem  
privilege exec level 1 sh cable modem detail  
privilege exec level 1 sh cable flap-list  
privilege exec level 1 sh contr | in SNR  
privilege exec level 1 clear cable modem 0000.0000.0000 reset  
privilege exec level 1 clear cable host  
privilege exec level 1 sh int ca3/0 modem 0  
privilege exec level 1 sh int ca4/0 modem 0  
privilege exec level 1 sh int ca5/0 modem 0  
privilege exec level 1 sh int ca6/0 modem 0  
privilege exec level 1 sh cable modem remote  
!
line con 0
 exec-timeout 1 0
 transport input none
line aux 0
line vty 0 4
 session-timeout 10  output
 timeout login response 60
 password 7 05055604706C
 full-help
 transport preferred telnet
!
ntp clock-period 17180296
ntp update-calendar
ntp server 207.46.226.34
end

As you can see on the CMTS config, I have access-lists 101 and 105 built.  But whenever I apply them, for some reason, many of my users can no longer access various web sites.  They were applied to the Cable3/0 interface as 101 in and 105 out.

I also have a basic config on the router of access-list 109 but I do not know why.  I copied it from another system that I manage that does not seem to have these problems - but it is not a multilink Frame Relay.

Any help here?  Am I way off base?  Should I just go back to woodworking and leave this stuff to someone smarter than me?  HELP!!!!!!

Wyant
Wyant Niswonger (President) asked:

Wyant Niswonger (President, Author) commented:
I just read it again and the access-list on the edge router is not applied right now, but here it is:

access-list 109 deny   tcp any any eq www
access-list 109 permit ip any any
access-list 109 permit tcp any any

Applied as
interface MFR0
 description SBCIS Multi-link
 no ip address
 ip access-group 109 in
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
interface Serial0/0
 description SBC HCGS
 no ip address
 ip access-group 109 in
 encapsulation frame-relay MFR0
 no arp frame-relay
!
interface Serial0/1
 description SBC HGCS
 no ip address
 ip access-group 109 in
 encapsulation frame-relay MFR0
 no arp frame-relay
rsivanandan commented:
Hi Kb9ybk,

  I took a quick look at the configuration; it seems that you are not hosting any kind of web servers,

and ALL YOU NEED IS TO ALLOW CONNECTIONS FROM INTERNAL NETWORK TO EXTERNAL NETWORK. If that is correct, you don't need all those access-lists.

All you need is a single access-list which tells the router to allow ONLY INBOUND CONNECTIONS IF THEY WERE ORIGINALLY STARTED FROM YOUR NETWORK.

As simple as this;

access-list permit ip any any established

and apply it to the interface where the internet is connected.

The word 'established' tells the router to not allow any NEW inbound connections. Only those connections are allowed which originated from the internal network ==> Which means;

If somebody outside tries to reach your network, it won't be allowed. If somebody inside your network initiates a connection, it will go out and come back.

Lastly, remove the ip accounting because the router will start crawling then (very high CPU/memory utilization).

One other thing: when you post a configuration to forums, please post a sanitized configuration (no passwords, remove the last 2 octets of public IP addresses etc.). Why I'm telling you this is, the password you have above can be cracked in less than 1 second.

Cheers,
Rajesh
rsivanandan commented:
Forgot the number/name in the access-list.

access-list <Number> permit ip any any established.

Cheers,
Rajesh
Wyant Niswonger (President, Author) commented:
Rajesh:

Thanks for the reply and the tip about the password / octet.  I will change the passwords today.  But I do host / allow a couple of commercial customers to have web sites and 2 mail servers on the network.  How would that change things?

Also, should I apply the access-list that you describe to the edge router on the MFR0 interface and not have anything on the CMTS?

Thanks!  Happy New Year!

Wyant
rsivanandan commented:
>>Also, should I apply the access-list that you describe to the edge router on the MFR0 interface and not have anything on the CMTS?

  Yes, I would apply it at the edge router, the reason being I don't want anything inside my network other than what I want.

>>WebServers & Email Servers

  No Problem, Just put them as below;

access-list <Number> permit tcp any host <IP of the WebServer> eq www
access-list <Number> permit tcp any host <IP of the SMTPServer> eq smtp
access-list <Number> permit ip any any established.

The above access-lists allow the browsing and mailing capabilities for the external world. Now if you also want to allow PING requests to be successful to your Web & SMTP Servers, add these too;

access-list <Number> permit icmp any host <IP of the Server to which you want Ping from Internet> echo
access-list <Number> permit icmp any host <IP of the Server to which you want Ping from Internet> echo-reply

Hope this helps.

Also try to check the link below for access-list examples. You need to have a CCO account (if you don't have one, just create a guest account);

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipras_r/ip1_a1g.htm#wp1078593

Cheers,
Rajesh
Wyant Niswonger (President, Author) commented:
Rajesh:

Forgot about 1 thing:

I need to be able to access the CMTS and the DHCP server that are behind the edge router also.

THANKS!!! I really appreciate it
rsivanandan commented:
Okay, it is a bit difficult to understand the requirement now;

Is this network like this?
                                                                         
Multilink Frame Relay on a Cisco 2620 (edge router)|---Connected via fast ethernet to a Cisco 2924 switch, single VLAN
|                                                                          |
|                                                                          |---Connected via fast ethernet to a Cisco uBR7223 CMTS. (FA0/0)
Internet
|
|---- My end users connect to the CMTS via cable modem.

Why do they need to access the DHCP Server? Where is the DHCP Server located and what is present at the Cisco uBR7223 CMTS?

Let me know, the understanding is not clear.

Cheers,
Rajesh
Wyant Niswonger (President, Author) commented:
Rajesh:

Thank you for your patience!  I think you actually answered it on your earlier post.

You have the setup correct.  I and a couple of other users need to access the DHCP server to administer it from outside the local network.  I don't have a terminal server router (a 25xx or similar) installed.  We have to provision the cable modems, disable modems for non-pay, etc., and that is done on the DHCP server (actually Cisco CNR v5.5).  Also, because we are so small, I don't have anything like OpenView or CiscoView to manage the system.  We Telnet to the CMTS to run commands to check the cable modem health etc.

If I apply your ACL (I do have a CCO - limited access account, I just wasn't sure where to look) to the MFR0.1 interface on the edge router, with the statements as listed, plus a statement that says
access-list <Number> permit tcp any host <IP of the CMTS> eq telnet
access-list <Number> permit tcp any host <IP of the CNR> eq PORT NUMBER NEEDED for CNR Administrator to run

I should be okay?

If I haven't said it, I REALLY REALLY APPRECIATE THIS!  I may have one less person screaming at me.

Wyant
rsivanandan commented:
Wyant,

  Hey cool, if you add those that is fine. At this point, I presume that the DHCP Server is running on the router (CMTS).

>>access-list <Number> permit tcp any host <IP of the CNR> eq PORT NUMBER NEEDED for CNR Administrator to run

  Make sure that Cisco Network Registrar requires only *tcp* to work with. I don't have hands-on experience with this one.

 Okay, now on the implementation part. When you do this, do it onsite so that you can revert if something is not working as you expected. Choose a different number for the access-list (you can avoid confusion this way :-))

 Happy Networking.

Cheers,
Rajesh
rsivanandan commented:
And for sure turn off 'ip accounting' if you have turned it on only for testing purposes; it eats lots and lots of resources.

Now if you really want to do the network logging, there are other ways, I believe.

Cheers,
Rajesh
Wyant Niswonger (President, Author) commented:
Rajesh:

So if I apply something like:

!to allow my server to be accessed from the internet
access-list 110 permit tcp any host 70.228.x.x eq any
access-list 110 permit icmp any host 70.228.x.x echo
access-list 110 permit icmp any host 70.228.x.x echo-reply
!to allow the cmts to be managed from the internet
access-list 110 permit tcp any host 70.228.y.y eq telnet
!since I'm not sure which ports need to be accessed from the internet, I set this up
access-list 110 permit tcp any host 70.228.y.z eq any
access-list 110 permit ip any any established

to MFR0.1 on the edge router, I should be ok?

Thanks!

Wyant
P.S. Notice that I "sanitized" part of this one? :>
rsivanandan commented:
>>access-list 110 permit tcp any host 70.228.x.x eq any

  Assuming that this is your webserver and SMTP server, you can go stringent as I said above;

access-list 110 permit tcp any host 70.228.x.x eq www (Only web traffic)
access-list 110 permit tcp any host 70.228.x.x eq SMTP (Only SMTP traffic)

  Or else if you want to allow everything to it;

access-list 110 permit tcp any host 70.228.x.x  should do fine (remove 'eq any') , it does need to be there (Implied).

Good that you are getting the 'sanitization' process :-)

Cheers,
Rajesh

Wyant Niswonger (President, Author) commented:
Rajesh:

Outstanding!  Thank you for all your help.

Wyant
rsivanandan commented:
Perfect. Glad that you got it working.

Please do browse through that link to find out all the options of access-lists. For example, you can have 'eq smtp' for known protocols, and what if there is a custom protocol? Just use 'eq <Port Number>' and there you go :-)

It is fun.

Cheers,
Rajesh
Wyant Niswonger (President, Author) commented:
OK, problem.  I just added it to the router (not active yet) and got this...

Seneca-rtr(config)#access-list 110 permit ip any any established              
                                                                           ^
% Invalid input detected at '^' marker.

Any ideas?

Wyant
rsivanandan commented:
Wyant,

  It should be access-list 110 permit tcp any any established. Looked above at what I gave: typo. My mistake :-( Sorry about that.

  The reason is that only tcp connections have established states.

Cheers,
Rajesh
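To make the semantics in this exchange concrete, here is an added example (not Cisco code and not from either poster) that simulates how IOS evaluates the numbered-ACL lines used in this thread: first match wins, every list ends with an implicit deny, and 'established' only matches TCP segments with ACK or RST set, which is why it is rejected on a 'permit ip' entry. The ACL text and the sample packets are constructed; 70.228.48.10 is a made-up server address inside the page's 70.228.48.0/24 subnet, 70.228.19.34 is the CMTS FastEthernet0/0 address from the posted config, and the outside addresses are documentation ranges. The last sample shows a caveat worth checking before deploying: a 'tcp ... established' entry does not cover UDP replies, so DNS answers from the external name servers listed in the CMTS config (206.141.192.60 / 206.141.193.55) would need their own permit entry.

```python
# Added example: a small simulator for the numbered-ACL syntax used in this
# thread. It is not Cisco code; it models the IOS behaviour that matters here:
# first-match evaluation, the implicit deny at the end of every list, and the
# 'established' keyword matching only TCP segments that carry ACK or RST.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "snmp": 161, "domain": 53}


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0          # destination port for tcp/udp
    ack: bool = False       # TCP ACK flag; set on every segment after the SYN
    rst: bool = False       # TCP RST flag
    icmp_type: str = ""     # "echo" or "echo-reply" for icmp packets


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    established: bool = False
    icmp_type: str = ""


def _address(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are host masks; ipaddress accepts the contiguous ones
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tokens[2], tokens[3]
    src, i = _address(tokens, 4)
    dst, i = _address(tokens, i)
    rule = Rule(action, proto, src, dst)
    while i < len(tokens):
        if tokens[i] == "eq":
            rule.dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
            i += 2
        elif tokens[i] == "established":
            # IOS accepts this keyword only on a tcp entry; a 'permit ip ...
            # established' line is exactly the '% Invalid input' seen above.
            if proto != "tcp":
                raise ValueError("% Invalid input: 'established' is only valid for tcp")
            rule.established = True
            i += 1
        elif tokens[i] in ("echo", "echo-reply"):
            rule.icmp_type = tokens[i]
            i += 1
        else:
            raise ValueError(f"unsupported token {tokens[i]!r} in: {line}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.icmp_type and pkt.icmp_type != rule.icmp_type:
        return False
    # 'established' matches segments with ACK or RST, i.e. everything except
    # the initial SYN of a new inbound connection.
    if rule.established and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed inbound ACL in the shape the thread arrives at (placeholder
# addresses, see the lead-in).
ACL_110 = """
access-list 110 permit tcp any host 70.228.48.10 eq www
access-list 110 permit tcp any host 70.228.48.10 eq smtp
access-list 110 permit icmp any host 70.228.48.10 echo
access-list 110 permit icmp any host 70.228.48.10 echo-reply
access-list 110 permit tcp any host 70.228.19.34 eq telnet
access-list 110 permit tcp any any established
""".strip().splitlines()
RULES_110 = [parse_rule(line) for line in ACL_110]


def rejects_ip_established() -> bool:
    """True if the parser rejects the mistyped 'permit ip any any established'."""
    try:
        parse_rule("access-list 110 permit ip any any established")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample packets as they would arrive inbound on the edge router.
    samples = {
        "unsolicited SYN to a subscriber, port 445": Packet("tcp", "198.51.100.7", "70.228.48.77", 445),
        "SYN to the web server, port 80": Packet("tcp", "198.51.100.7", "70.228.48.10", 80),
        "reply segment to a subscriber's browser": Packet("tcp", "203.0.113.5", "70.228.48.77", 40000, ack=True),
        "UDP DNS answer from the outside resolver": Packet("udp", "206.141.192.60", "70.228.48.77", 40001),
    }
    for name, pkt in samples.items():
        print(f"{name:45s} -> {evaluate(RULES_110, pkt)}")
```

Run it as a script to see the verdicts for the sample packets; the UDP line prints "deny" because nothing in the list matches UDP, which is the case to resolve before relying on this ACL for subscribers that use outside resolvers.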
Wyant Niswonger (President, Author) commented:
Ok, when I apply it to the interface mfr0.1 on the edge router, I lose all connectivity to the internet.  I used the command
int mfr0.1
ip access-group 110 in

Should I put it on the serial interfaces instead?

Wyant
rsivanandan commented:
You need to apply it onto the interface which *connects* to internet. Looking at the above configs, I don't know which one.

Cheers,
Rajesh
Wyant Niswonger (President, Author) commented:
The mfr0.1 is a virtual interface, but it is the one with the IP address.  The 2 serial interfaces become a part of the frame relay multilink bundle.  Let me try putting it on the serial interfaces.

Wyant
Wyant Niswonger (President, Author) commented:
Just applied it to the serial interfaces and all seems to be working.  

Thanks!  let's see if it speeds anything up....

Wyant
rsivanandan commented:
Ok. Just make sure that all the exceptions in the access-list are reachable from the outside world, i.e. that you can reach all of them.

You can also see the hits on the access-list.

Cheers,
Rajesh
Wyant Niswonger (President, Author) commented:
I can access several of them from the outside.  But it also seems that I can ping other items in one of the subnets without any difficulties... (the IP subnet that the FA0/0 interfaces are on....) hmm...
We'll see what happens.

Wyant