Help review Cisco ACL

We have about 30 small branch offices (i.e. the spokes) that are connected back to the data centre (i.e. the hub),
each via a leased line.

There are 2 services that we would like to restrict to each of the branches (i.e. we don't want the TCP ports accessible
elsewhere in the corporate network, nor between the branches); the services listen on TCP 8000 & 8222.

Q1:
If I want to apply ACLs on each branch's WAN router to block the 2 TCP ports from being reachable, should the
ACL be applied on the WAN router's LAN interface (i.e. facing the branch's LAN) or on the router's serial interface
(facing the leased line towards the data centre)?

Q2:
Can you correct/review my suggested extended ACL below? Assuming a.b.c.d is the IP address of the branch's
1st server listening on TCP 8000 & e.f.g.h is the IP of the 2nd server listening on TCP 8222.

Assuming it's applied on the LAN/ethernet interface of the router, I think (but do correct me) it looks like:
interface Ethernet0
ip access-group 102  in   [or should it be  'out' ?]
access-list 102 deny tcp any any eq 8000 log
access-list 102 deny tcp any any eq 8222 log
access-list 102 permit ip any any

What if it's applied on the serial interface; what does the ACL look like?
sunhuxAsked:
JustInCaseCommented:
You are targeting destination ports 8000 and 8222
interface Ethernet0

ip access-group 102  in
!
access-list 102 deny tcp any any eq 8000 log
access-list 102 deny tcp any any eq 8222 log
access-list 102 permit ip any any
The IN direction should be used in the case where traffic is coming from any host trying to connect to the specified ports 8000 and 8222 (when someone from outside the location is trying to connect to the location and access port 8000 or port 8222).

The OUT direction should be used in the case where traffic is coming from any host on the branch location trying to connect outside the branch location to the specified ports 8000 and 8222 (when someone inside the location is trying to connect to some other location and access port 8000 or port 8222).

So, the IN direction is more than good enough, but it could be applied in both directions if you want.
1
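To make the in/out question concrete, here is a small simulator I added for this review; it is not from the thread and not a Cisco tool. It models the branch router with two interfaces (Serial0 towards the data centre, Ethernet0 towards the LAN), applies first-match semantics with the implicit deny, and reports at which (interface, direction) bindings the three entries of access-list 102, exactly as posted above, would drop a given SYN. The LAN prefix 10.20.30.0/24 and all addresses are constructed sample values.

```python
"""Where does an IOS access-list actually see a packet?

Added example (not from the thread, not a Cisco emulator).  A router is
modelled with two interfaces: Serial0 towards the data centre and Ethernet0
towards the branch LAN.  A forwarded packet passes exactly two ACL attachment
points, (ingress interface, "in") and (egress interface, "out"); an ACL bound
anywhere else never sees it.  The LAN prefix and all addresses below are
constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

BRANCH_LAN = ip_network("10.20.30.0/24")   # assumed branch LAN prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. Ace("deny", "tcp", "any", "any", 8000)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or a CIDR prefix / host address
    dst: str
    dport: Optional[int] = None  # None = no 'eq <port>' qualifier

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ip", pkt.proto)
            and self._addr_ok(self.src, pkt.src)
            and self._addr_ok(self.dst, pkt.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def path(pkt: Packet) -> Tuple[str, str]:
    """(ingress interface, egress interface) for a packet crossing the branch router."""
    ingress = "Ethernet0" if ip_address(pkt.src) in BRANCH_LAN else "Serial0"
    egress = "Ethernet0" if ip_address(pkt.dst) in BRANCH_LAN else "Serial0"
    return ingress, egress


def forwarded(acl: List[Ace], bind_if: str, direction: str, pkt: Packet) -> bool:
    """True if the packet leaves the router when `acl` is bound with
    'ip access-group <acl> <direction>' on `bind_if`."""
    ingress, egress = path(pkt)
    if (bind_if, direction) not in {(ingress, "in"), (egress, "out")}:
        return True          # the ACL is never consulted for this packet
    return evaluate(acl, pkt) == "permit"


def blocking_points(acl: List[Ace], pkt: Packet) -> Set[Tuple[str, str]]:
    """All (interface, direction) bindings at which `acl` would drop `pkt`."""
    return {
        (intf, d)
        for intf in ("Serial0", "Ethernet0")
        for d in ("in", "out")
        if not forwarded(acl, intf, d, pkt)
    }


# The three entries of access-list 102 exactly as posted in the thread.
ACL_102 = [
    Ace("deny", "tcp", "any", "any", 8000),
    Ace("deny", "tcp", "any", "any", 8222),
    Ace("permit", "ip", "any", "any"),
]

# Constructed sample flows (the SYN, i.e. the first packet of each connection).
WAN_TO_BRANCH_DB = Packet("10.99.0.5", "10.20.30.10", 8000)   # outside client -> branch server
BRANCH_TO_DC_8000 = Packet("10.20.30.50", "10.99.0.7", 8000)  # branch PC -> a port-8000 service in the DC
WAN_TO_BRANCH_SSH = Packet("10.99.0.5", "10.20.30.10", 22)

if __name__ == "__main__":
    for name, pkt in [("WAN->branch :8000", WAN_TO_BRANCH_DB),
                      ("branch->DC :8000", BRANCH_TO_DC_8000),
                      ("WAN->branch :22", WAN_TO_BRANCH_SSH)]:
        print(f"{name:20} dropped at {sorted(blocking_points(ACL_102, pkt)) or 'nowhere'}")
```

Two things the run makes visible: a connection that originates outside the branch is only seen by the ACL at Serial0 inbound or Ethernet0 outbound, and because the posted entries use `any any` rather than the server addresses as destination, the same list bound inbound on Ethernet0 does not touch that connection at all but does stop branch PCs from reaching port 8000 or 8222 anywhere else. The model covers only the SYN; since the deny entries key on the destination port, return traffic of branch-initiated connections is unaffected by either binding.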

sunhuxAuthor Commented:
Thanks Justin.

Which is a better practice, apply an ACL on the serial interface or the Ethernet interface?
0
sunhuxAuthor Commented:
Last question:
Does TACACS+ enable us to centrally push these ACLs to the 30 x 2 routers (each branch has
2 routers in HSRP, with one router as primary for one HSRP group & the other router as
primary for another HSRP group), or do we have to log in to the 60 routers one by one to paste
them in?
0
JustInCaseCommented:
I don't know about any recommendation regarding interface type, so I assume it does not really matter.

TACACS+ typically validates whether the current user is authorized to issue a command on the device, so if the user has the minimum privileges for the operation, TACACS+ will not argue. I have never pushed commands from TACACS+ to devices; I am not sure if that is possible to do via TACACS+.
You can create a bash/python/perl/<anyOther>... script to log in to each device automatically and apply the commands if you want to automate the process.
1
Don JohnstonInstructorCommented:
Justin's comment is spot on.

One of the things that I've always taught is that the sooner you can discard traffic, the better.  By checking inbound, the traffic is discarded before the routing table lookup (and a few other checks).

Back in the day, this was a significant point because fast switching was just coming out (yeah, I'm that old). Nowadays it may not be as significant, but it doesn't hurt.
1
Mlenis11Commented:
I would block the traffic at the serial interface. Sounds like that could be your WAN. Direction would be IN, clearly. As for the deployment onto the branch routers... do you have Cisco Prime? What model routers do you have?
0
sunhuxAuthor Commented:
https://supportforums.cisco.com/t5/security-management/need-acl-manager-access-control-list-manager-is-eol/td-p/2625070
The link above seems to say CSM is not meant to manage ACLs, or did I read it wrongly?

The routers are 29xx (mostly 2911K9).

Anyone care to share Perl/Python scripts that could "push down or update"
ACLs on the multiple routers? Or does Cisco Prime do this?


Btw, what's the advantage of placing the ACL at the serial vs at the ethernet interface?
0
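As an added example for the "push the ACL to 60 routers" question (mine, not the thread's and not a Cisco product), the script below renders the ACL for each router from a small inventory and applies it through a pluggable transport. The inventory, the management addresses, the interface name Serial0/0/0 and the ACL name BLOCK-DB-FROM-WAN are all constructed assumptions; the live transport uses the netmiko library, which is only imported when that path is actually taken, so the render and dry-run steps work offline.

```python
"""Render the per-branch ACL and push it to every branch router.

Added example, not from the thread and not a Cisco tool.  Assumptions:
  - INVENTORY is constructed sample data (two HSRP routers per branch, a
    management address, the WAN interface name and the two server addresses);
  - the live transport uses netmiko (pip install netmiko), imported only
    inside netmiko_send(), so rendering and the dry run work offline;
  - the ACL name BLOCK-DB-FROM-WAN is my choice.
"""
import os
from typing import Callable, Dict, List

Router = Dict[str, str]
Transport = Callable[[Router, List[str]], str]

# Constructed inventory: both HSRP routers of a branch get the same ACL,
# since either one may be forwarding at any time.
INVENTORY: List[Router] = [
    {"host": "br01-rtr1", "mgmt": "192.0.2.11", "wan_if": "Serial0/0/0", "srv8000": "10.1.1.10", "srv8222": "10.1.1.11"},
    {"host": "br01-rtr2", "mgmt": "192.0.2.12", "wan_if": "Serial0/0/0", "srv8000": "10.1.1.10", "srv8222": "10.1.1.11"},
    {"host": "br02-rtr1", "mgmt": "192.0.2.21", "wan_if": "Serial0/0/0", "srv8000": "10.1.2.10", "srv8222": "10.1.2.11"},
    {"host": "br02-rtr2", "mgmt": "192.0.2.22", "wan_if": "Serial0/0/0", "srv8000": "10.1.2.10", "srv8222": "10.1.2.11"},
]

ACL_NAME = "BLOCK-DB-FROM-WAN"


def render_acl(rtr: Router, acl_name: str = ACL_NAME) -> List[str]:
    """Config lines for one router.

    The deny entries are pinned to the branch's own server addresses, so the
    ACL only drops connections *to* these two services and cannot interfere
    with branch PCs reaching port 8000/8222 elsewhere.  Bound inbound on the
    WAN interface it sees only packets arriving from outside the branch.
    """
    return [
        f"ip access-list extended {acl_name}",
        f" deny tcp any host {rtr['srv8000']} eq 8000 log",
        f" deny tcp any host {rtr['srv8222']} eq 8222 log",
        " permit ip any any",
        f"interface {rtr['wan_if']}",
        f" ip access-group {acl_name} in",
    ]


def netmiko_send(rtr: Router, cmds: List[str]) -> str:
    """Live transport: SSH in, apply the lines in config mode, write memory.
    Credentials come from NET_USER / NET_PASS / NET_ENABLE (assumed names)."""
    from netmiko import ConnectHandler  # assumed installed for the real run
    conn = ConnectHandler(
        device_type="cisco_ios",
        host=rtr["mgmt"],
        username=os.environ["NET_USER"],
        password=os.environ["NET_PASS"],
        secret=os.environ.get("NET_ENABLE", ""),
    )
    try:
        conn.enable()
        out = conn.send_config_set(cmds)
        out += conn.save_config()
    finally:
        conn.disconnect()
    return out


def dry_run_send(rtr: Router, cmds: List[str]) -> str:
    """Offline transport: just echo what would be sent."""
    return f"--- {rtr['host']} ({rtr['mgmt']}) ---\n" + "\n".join(cmds)


def push_all(inventory: List[Router], send: Transport = dry_run_send) -> Dict[str, str]:
    """Apply the rendered ACL to every router; returns per-host output.

    One failing router must not stop the rest: the error text is recorded
    under that host so the operator can retry just those.
    """
    results: Dict[str, str] = {}
    for rtr in inventory:
        try:
            results[rtr["host"]] = send(rtr, render_acl(rtr))
        except Exception as exc:  # keep going, report at the end
            results[rtr["host"]] = f"FAILED: {exc}"
    return results


if __name__ == "__main__":
    # Swap in send=netmiko_send to push for real.
    for host, out in push_all(INVENTORY).items():
        print(out)
```

Run it once with the dry-run transport and diff the rendered lines against a router you configured by hand before pointing it at the fleet. After a live push, `show ip access-lists BLOCK-DB-FROM-WAN` (hit counters on the deny entries) and `show ip interface Serial0/0/0` (which lists the inbound access list) confirm that the list exists and is bound; the `log` keyword on the deny entries is optional and can be dropped if the log volume becomes a nuisance.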
Don JohnstonInstructorCommented:
I can't help you with CSM as I've never used it.

As for applying the ACL on the serial vs. the ethernet interface, there is no difference between the two.  It's WHERE the interfaces are.  

So if the traffic you are wanting to block is originating from within your network, then it would be best to block it on the local interface (in your case, the ethernet interface).  If the traffic is originating from outside your network, then you would want to block it as it is entering the outside (serial) interface.

Once again, it doesn't matter if the interface is Ethernet, Serial, Token Ring, FDDI, etc.  What matters is where the interface is relative to the traffic you're looking at.
1
sunhuxAuthor Commented:
>traffic you are wanting to block is originating from within your network
So my LAN (i.e. the adjacent interface) is where the DB services are running on desktops,
i.e. where the ports are listening, while the clients that I want to block are coming in
via the WAN/serial; so is the originating traffic from the LAN or the WAN?
In this case I want to block traffic coming from the WAN to the LAN; should the ACL
be on Ethernet0?
0
Don JohnstonInstructorCommented:
> so the originating traffic is from the LAN or WAN?

From your description, it's hard to tell.

Where is the device which sends the initial request?  Put another way, it's using TCP, so where is the device that issues the TCP SYN segment?
0
sunhuxAuthor Commented:
In the numerous branch offices, a couple of the PCs are listening on certain DB2 services,
so the device(s) issuing the TCP SYN are outside of the branches.
0
Don JohnstonInstructorCommented:
Then put the ACL on the interface closest to "outside of the branches", as an inbound ACL.
1