Cisco 837 - WAN interface access-list

Discussion in 'Cisco' started by Mirko, Jul 23, 2004.

  1. Mirko

    Mirko Guest

    I activated the following access-list on the WAN interface of my router
    (Dialer1, PPPoA-type connection)

    The private network behind the router is NATted using a canonical

    "ip nat inside source list 100 interface Dialer1 overload", where ACL 100
    permits all hosts on the private network.

    My problem is, if I execute a PORT SCAN from outside this network (Internet)
    towards the static public IP of the router I get a long list of UDP ports
    which are in state "closed" (but not _stealth_, which is the result I
    desired to obtain).

    Port list includes Windows ports, UNIX services ports (which are not present
    on that network anyway), possible router services ports (tftp) etc.

    Why are those ports not in state "stealth", since I'm dropping most of the
    inbound packets?

    Checking the list I found and tried to remove the line

    "access-list 180 permit udp any host <public_ip_address> gt 1023",

    but all I could get was _all_ clients on the private networks suddenly lost
    access to Internet, so I had to restore it.

    Has anybody any clue on what I should do to better protect my WAN interface
    _and_ still let my clients connect to the Internet via NAT?

    Thanks in advance for your help,


    Mirko


    WAN interface ACL
    ---------------- >8 ---------------------- >8 --------------

    access-list 180 remark Anti-spoofing rules
    access-list 180 deny ip 0.0.0.0 0.255.255.255 any
    access-list 180 deny ip 10.0.0.0 0.255.255.255 any
    access-list 180 deny ip 127.0.0.0 0.255.255.255 any
    access-list 180 deny ip 172.16.0.0 0.15.255.255 any
    access-list 180 deny ip 192.168.0.0 0.0.255.255 any
    access-list 180 deny ip 224.0.0.0 31.255.255.255 any
    access-list 180 deny ip 192.0.2.0 0.0.0.255 any
    access-list 180 deny ip 169.254.0.0 0.0.255.255 any

    access-list 180 remark ICMP Management
    access-list 180 permit icmp any host <public_ip_address> echo-reply
    access-list 180 permit icmp any host <public_ip_address> unreachable
    access-list 180 permit icmp any host <public_ip_address> time-exceeded

    access-list 180 remark SSH Management
    access-list 180 permit tcp any host <public_ip_address> eq 22

    access-list 180 remark We accept replies to requests first generated internally
    access-list 180 permit tcp any host <public_ip_address> gt 1023 established
    access-list 180 permit udp any host <public_ip_address> gt 1023

    access-list 180 remark Active FTP
    access-list 180 permit tcp any eq ftp-data host <public_ip_address> gt 1023

    access-list 180 remark Blocks all other IP traffic (WAN -> LAN)
    access-list 180 deny ip any any

    --------------- >8 ---------------------- >8 --------------
     
    Mirko, Jul 23, 2004
    #1

  2. Bob Goddard

    Bob Goddard Guest

    Mirko wrote:

    > I activated the following access-list on the WAN interface of my
    > router (Dialer1, PPPoA-type connection)
    >
    > The private network behind the router is NATted using a canonical
    >
    > "ip nat inside source list 100 interface Dialer1 overload", where ACL
    > 100 permits all hosts on the private network.
    >
    > My problem is, if I execute a PORT SCAN from outside this network
    > (Internet) towards the static public IP of the router I get a long
    > list of UDP ports which are in state "closed" (but not _stealth_,
    > which is the result I desired to obtain).


    On your WAN interface put,
    "no ip unreachables"


    B
     
    Bob Goddard, Jul 23, 2004
    #2
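To make the question in the first post and Bob's answer concrete, here is an added model (not code from the thread) of how ACL 180's UDP-relevant lines and the interface's `ip unreachables` setting decide what an external UDP probe gets back. The public address is a constructed stand-in for `<public_ip_address>`, IOS's ICMP behaviour is modelled rather than executed, and the scanner-side labels follow nmap's documented UDP-scan convention, which the post does not confirm was the scanner used.

```python
import ipaddress

PUBLIC_IP = "203.0.113.10"          # constructed stand-in for <public_ip_address>
ANY = ipaddress.ip_network("0.0.0.0/0")

def wildcard(net, wc):
    """Translate a Cisco wildcard mask (e.g. 10.0.0.0 0.255.255.255) to a network."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wc))).count("1")
    return ipaddress.ip_network(f"{net}/{prefix}", strict=False)

# (action, protocol, source network, destination-port predicate) for the entries
# of ACL 180 that matter to inbound UDP; the TCP and ICMP lines are omitted here.
ACL_180 = [
    ("deny", "ip", wildcard("0.0.0.0", "0.255.255.255"), None),
    ("deny", "ip", wildcard("10.0.0.0", "0.255.255.255"), None),
    ("deny", "ip", wildcard("127.0.0.0", "0.255.255.255"), None),
    ("deny", "ip", wildcard("172.16.0.0", "0.15.255.255"), None),
    ("deny", "ip", wildcard("192.168.0.0", "0.0.255.255"), None),
    ("deny", "ip", wildcard("224.0.0.0", "31.255.255.255"), None),
    ("deny", "ip", wildcard("192.0.2.0", "0.0.0.255"), None),
    ("deny", "ip", wildcard("169.254.0.0", "0.0.255.255"), None),
    ("permit", "udp", ANY, lambda port: port > 1023),   # NAT return traffic
    ("deny", "ip", ANY, None),                          # the final deny ip any any
]

def acl_action(proto, src_ip, dst_port):
    """First-match evaluation of ACL 180 for a packet addressed to PUBLIC_IP."""
    src = ipaddress.ip_address(src_ip)
    for action, aproto, net, port_ok in ACL_180:
        if aproto not in ("ip", proto) or src not in net:
            continue
        if port_ok is None or port_ok(dst_port):
            return action
    return "deny"

def scanner_view(src_ip, dst_port, ip_unreachables=True, listeners=frozenset()):
    """What a UDP probe from src_ip to PUBLIC_IP:dst_port observes (nmap labels)."""
    if acl_action("udp", src_ip, dst_port) == "deny":
        # Modelled IOS behaviour: an ACL drop answers with ICMP admin-prohibited
        # unless "no ip unreachables" is configured on the interface.
        return "filtered" if ip_unreachables else "open|filtered"
    if dst_port in listeners:
        return "open|filtered"          # a real listener may or may not answer
    # Permitted datagram, no listener: ICMP port-unreachable reveals "closed",
    # which is exactly what "no ip unreachables" silences.
    return "closed" if ip_unreachables else "open|filtered"
```

Removing the `gt 1023` permit would make `acl_action("udp", ..., 40000)` return "deny" for every NAT reply, which is why the whole LAN lost connectivity; `no ip unreachables` instead leaves the permit in place and only removes the ICMP answer.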

  3. Mirko

    Mirko Guest

    Following your advice I applied this command and... voilà! All UDP scanning
    flaws were obliterated from my router.

    Thanks for your quick help Bob! Right now I'm in the process of reading "NSA
    router security configuration guide 1.1b" and " Phrack Magazine -Building
    Bastion Routers Using Cisco IOS", where this and many other useful commands
    to protect a Cisco router are explained. I hope to come out with a more
    intelligent question next time! ;)

    Mirko

    "Bob Goddard" <> wrote in message
    news:...

    > > My problem is, if I execute a PORT SCAN from outside this network
    > > (Internet) towards the static public IP of the router I get a long
    > > list of UDP ports which are in state "closed" (but not _stealth_,
    > > which is the result I desired to obtain).

    >
    > On your WAN interface put,
    > "no ip unreachables"
    >
    >
    > B
     
    Mirko, Jul 23, 2004
    #3
  4. Peter

    Peter Guest

    Mirko wrote:
    > Following your advice I applied this command and... voilà! All UDP scanning
    > flaws were obliterated from my router.


    You also wish to investigate -
    no ip redirects
    no ip proxy-arp
    These may also be able to help eliminate potential issues when
    interfacing to an untrusted environment.

    Cheers...........pk.


    --
    *** Replace SOMEONE with prk ***
     
    Peter, Jul 24, 2004
    #4
