Need to limit traffic going over VPN tunnel on router. Specific Crypto ACL?

Posted on 2010-09-24
Last Modified: 2012-05-10
Hello,

I have a Cisco 2811 ISR router that I am going to be connecting to a Cisco 5520 ASA. I need to only allow HTTP and SSL traffic going across the tunnel in both directions. Would just specifying an extended crypto ACL covering HTTP or SSL do the trick, or do I need to create an inbound extended access list? I have two other tunnels connecting to this router, and it is also connected to a firewall and sending traffic to the internet.

Would this access list work to allow only the specific traffic from the network in question and all traffic from the other locations?

ip access-list extended outside
 remark web traffic only from 192.168.2.0/24; ports are matched on the destination (server) side
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 80
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 443
 remark everything from the other two sites (extended ACLs take wildcard masks, not subnet masks)
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface FastEthernet0/0
 ip access-group outside in
Question by: greenbeanx81

Expert Comment by: diprajbasu

The command syntax is:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
  {deny | permit} protocol source source-wildcard destination
    destination-wildcard
  [precedence precedence] [tos tos] [log | log-input]
    [time-range time-range-name] [fragments]
Accepted Solution by: diprajbasu (earned 500 total points)

Example: by default, there is an implicit deny all clause at the end of every ACL. Anything that is not explicitly permitted is denied.

hostname R1
!
interface ethernet0
ip access-group 1 in
!
access-list 1 permit host 192.168.10.1


Example:

hostname R1
!
interface ethernet0
ip access-group 1 in
!
access-list 1 deny host 192.168.10.1
access-list 1 permit any
Example:

hostname R1
!
interface ethernet0
ip access-group 101 in
!
access-list 101 permit ip 192.168.10.0  0.0.0.255
  192.168.200.0  0.0.0.255

Example:

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 deny tcp any any eq 23
access-list 102 permit ip any any



Example:

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 permit tcp any any gt 1023 established


Example:

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 permit ip any any

Example:

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 permit tcp any host 192.168.1.100 eq ftp
access-list 102 permit tcp any host 192.168.1.100 eq ftp-data established
!
interface ethernet1
 ip access-group 110 in
!
access-list 110 permit tcp host 192.168.1.100 eq ftp any established
access-list 110 permit tcp host 192.168.1.100 eq ftp-data any


Example:

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 permit tcp any host 192.168.1.100 eq ftp
access-list 102 permit tcp any host 192.168.1.100 gt 1024
!
interface ethernet1
 ip access-group 110 in
!
access-list 110 permit tcp host 192.168.1.100 eq ftp any established
access-list 110 permit tcp host 192.168.1.100 gt 1024 any established

Example:

This configuration permits TCP traffic with destination port values that match WWW (port 80), Telnet (port 23), SMTP (port 25), POP3 (port 110), FTP (port 21), or FTP data (port 20). Notice that the implicit deny all clause at the end of the ACL denies all other traffic that does not match the permit clauses.

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 21
access-list 102 permit tcp any any eq 20

Example:

This configuration permits TCP traffic with destination port value 53. The implicit deny all clause at the end of an ACL denies all other traffic that does not match the permit clauses.

hostname R1
!
interface ethernet0
ip access-group 112 in
!
access-list 112 permit udp any any eq domain
access-list 112 permit udp any eq domain any
access-list 112 permit tcp any any eq domain
access-list 112 permit tcp any eq domain any


When you apply an inbound ACL to an interface, ensure that routing updates are not filtered out. Use the relevant ACL from this list to permit routing protocol packets:

Issue this command to permit Routing Information Protocol (RIP):

access-list 102 permit udp any any eq rip
Issue this command to permit Interior Gateway Routing Protocol (IGRP):

access-list 102 permit igrp any any
Issue this command to permit Enhanced IGRP (EIGRP):

access-list 102 permit eigrp any any
Issue this command to permit Open Shortest Path First (OSPF):

access-list 102 permit ospf any any
Issue this command to permit Border Gateway Protocol (BGP):

access-list 102 permit tcp any any eq 179
access-list 102 permit tcp any eq 179 any
Debug Traffic Based on ACL

The use of debug commands requires the allocation of system resources like memory and processing power and in extreme situations can cause a heavily loaded system to stall. Use debug commands with care. Use an ACL in order to selectively define the traffic that needs to be examined, to reduce the impact of the debug command. Such a configuration does not filter any packets.

This configuration turns on the debug ip packet command only for packets between the hosts 10.1.1.1 and 172.16.1.1.

R1(config)#access-list 199 permit tcp host 10.1.1.1 host 172.16.1.1
R1(config)#access-list 199 permit tcp host 172.16.1.1 host 10.1.1.1
R1(config)#end
R1#debug ip packet 199 detail
IP packet debugging is on (detailed) for access list 199
Refer to Important Information on Debug Commands for additional information on the impact of debug commands.

Refer to the Use the Debug Command section of Understanding the Ping and Traceroute Commands for additional information on the use of ACLs with debug commands.

MAC Address Filtering

You can filter frames with a particular MAC-layer station source or destination address. Any number of addresses can be configured into the system without a performance penalty. In order to filter by MAC-layer address, use this command in global configuration mode:

Router#config terminal
Router(config)#bridge irb
Router(config)#bridge 1 protocol ieee
Router(config)#bridge 1 route ip
Apply the bridge protocol to the interface on which you need to filter traffic, along with the access list created:

Router(config)#int fa0/0
Router(config-if)#no ip address
Router(config-if)#bridge-group 1 {input-address-list 700 | output-address-list 700}
Router(config-if)#exit
Create a Bridged Virtual Interface and apply the IP address that is assigned to the Ethernet interface:

Router(config)#int bvi1
Router(config-if)#ip address
Router(config-if)#exit
!
access-list 700 deny <mac address> 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
With this configuration, the router only allows the MAC addresses configured on access-list 700. With the access list, deny the MAC address that cannot have access and then permit the rest.

Note: Create every line of access list for each MAC address.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
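The accepted answer's examples rely on three IOS ACL behaviours that are easy to get wrong before the config is pushed: wildcard masks (the `source-wildcard` in the syntax line, where a 1 bit means "don't care"), the position of `eq` (a port operator binds to the address immediately before it), and `established`, with first match wins and an implicit deny at the end. The question as posted typed subnet masks (255.255.255.0) where wildcard masks belong. The following Python simulator is an added example, not part of the original thread and not Cisco IOS code; it models only the entry forms that appear on this page, the packets and the `Packet` class are constructed for illustration, and the port keyword table is limited to the keywords the answer uses.

```python
"""Added example (not from the thread, not IOS code): a tiny simulator of
Cisco IOS extended-ACL matching for the entry forms used on this page:
permit/deny, protocol ip/tcp/udp, any | host A | A WILDCARD, optional
eq/gt/lt/neq port operators and `established`. First match wins, and an
unmatched packet hits the implicit deny."""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Only the IOS port keywords that appear in the answer above.
PORT_KEYWORDS = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110,
                 "ftp": 21, "ftp-data": 20, "domain": 53, "rip": 520}

@dataclass
class Packet:
    """Constructed packet; `established` stands for the TCP ACK or RST bit."""
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 1 = don't care, bit 0 = must match (inverse of a subnet mask)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_KEYWORDS[tok]

def _parse_addr(t, i):
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _parse_port(t, i):
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        return (t[i], _port(t[i + 1])), i + 2
    return None, i

def parse_ace(line):
    """Parse `access-list N permit ...` or a named-ACL `permit ...` entry."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)      # operator right after the source binds to it
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in t[i:]}

def _port_ok(op, value):
    if op is None:
        return True
    name, n = op
    return {"eq": value == n, "gt": value > n, "lt": value < n, "neq": value != n}[name]

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and wildcard_match(pkt.src, *ace["src"])
            and wildcard_match(pkt.dst, *ace["dst"])
            and _port_ok(ace["sport"], pkt.sport)
            and _port_ok(ace["dport"], pkt.dport)
            and (pkt.established or not ace["established"]))

def evaluate(acl, pkt):
    """Return 'permit' or 'deny'; nothing matched means the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

def results():
    """Constructed packets run against entries in the shapes the thread uses."""
    request = Packet("tcp", "192.168.2.5", "192.168.1.10", 51000, 80)
    reply = Packet("tcp", "192.168.1.10", "192.168.2.5", 80, 51000, True)
    stray = Packet("tcp", "10.0.0.0", "192.168.1.10", 51000, 80)
    syn_in = Packet("tcp", "203.0.113.7", "192.168.2.5", 4444, 51000)
    typo = ["permit ip 192.168.2.0 255.255.255.0 any"]   # subnet mask typed as wildcard
    ok = ["permit ip 192.168.2.0 0.0.0.255 any"]
    eq_src = ["permit tcp 192.168.2.0 0.0.0.255 eq www 192.168.1.0 0.0.0.255"]
    eq_dst = ["permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www"]
    est = ["access-list 102 permit tcp any any gt 1023 established"]
    return {
        "subnet_mask_as_wildcard": evaluate(typo, request),   # only x.x.x.0 matches
        "subnet_mask_hits_x.x.x.0": evaluate(typo, stray),
        "proper_wildcard": evaluate(ok, request),
        "eq_on_source_port": evaluate(eq_src, request),       # client source port is 51000
        "eq_on_destination_port": evaluate(eq_dst, request),
        "established_reply": evaluate(est, reply),
        "established_new_syn": evaluate(est, syn_in),
    }

if __name__ == "__main__":
    for name, verdict in results().items():
        print(f"{name:28s} {verdict}")
```

The two findings worth checking on a real box are the first and fourth: 255.255.255.0 used as a wildcard matches any address whose last octet is 0 and nothing else in 192.168.2.0/24, and `eq www` placed after the source address only matches packets whose source port is 80, that is, server replies, not the client requests the question wants to allow.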