configuring router ACLs for stealth?

Discussion in 'Cisco' started by joeblow, Jun 29, 2004.

  1. joeblow

    joeblow Guest

    Hi folks,

    been a looong time since I've done much Cisco at all, much less ACLs, so
    please be kind....

    got a Cisco 4000 router, IOS 11.1(5). It has 4 Ethernet and two serial
    ports. One of the Ethernet ports (e0) has been unused. Until now.

    They want to connect to another (internal) network 192.168.0.0/24 so they
    can scp from the network on e2 (10.10.70.0/24). scp uses TCP port 22.
    All connectivity will be initiated from the 10.10.70.0 side.

    I don't want anything from anywhere else behind this router to be visible
    to the 192.168.0.0 network unless a transfer is taking place. No routing,
    no rip, no igrp, no pings, no cdp, no open ports, no nuthin. The only
    thing I want to go from 10.10.70.0 -out- e0 to 192.168.0.0 is ssh/scp
    traffic.

    So the first question is: are ACLs stateful? That is, with the
    following ACL:

    ip route 192.168.0.0 255.255.255.0 Ethernet0
    ..
    ..
    ..
    access-list 101 permit tcp any 192.168.0.0 0.0.0.255 eq 22
    access-list 103 permit tcp 192.168.0.0 0.0.0.255 any established
    ..
    ..
    ..
    routera(config)#int e0
    routera(config-if)#ip access-group 101 out
    routera(config-if)#ip access-group 103 in
    ..
    ..
    ..

    Can I ssh out of my side of the router to some host 192.168.0.x, but to
    the outside, my port 22 (or any other port) appears closed?

    Second question: Does the implied deny at the end of each ACL mean

    1. that there won't be any traffic (other than ssh) going out of my side
    to the outside -and-

    2. that there can be no traffic from outside to my side, other than a
    previously established ssh connection -and-

    3. from the outside, my router and everything behind it is invisible,
    unless there is an active ssh conn?
     
    joeblow, Jun 29, 2004
    #1

  2. Terry Baranski

    Terry Baranski Guest

    The above ACLs should do what you want but note that this isn't
    "stateful" filtering per the common definition.

    ACL 103 can be made a bit better by doing "permit tcp 192.168.0.0
    0.0.0.255 eq 22 any established". This will ensure that only packets
    sourced by port 22 with the ACK bit set are permitted; i.e., SSH
    return packets. And in ACL 101 you can specify a source of
    10.10.70.0/24 if you'd like.
    I don't know which networks "my side" and "outside" refer to, but I
    suspect all of the above is pretty much true. Note however that if
    I'm on the 192.168 network I have the ability to get TCP packets
    through by setting the source port to 22 and setting the ACK bit.
    This is why true stateful filtering is better than the 'established'
    keyword.

    -Terry
     
    Terry Baranski, Jun 29, 2004
    #2

  3. joeblow

    joeblow Guest

    Thank you for the reply. I apologize for not proofreading a bit more.
    10.70.1.x is 'my side' , and the 192.168.x.x is the 'outside'. (notice I
    didn't say 'the bad guys', hehe).

    So a pix does not do true stateful firewalling then? Why would I do a pix
    rather than an openbsd or an ipf box?

    Thanks again,

     
    joeblow, Jun 30, 2004
    #3
  4. Steinar Haug

    Steinar Haug Guest

    [joeblow]

    | So a pix does not do true stateful firewalling then? Why would I do a pix
    | rather than an openbsd or an ipf box?

    A *PIX* does true stateful firewalling. A normal Cisco router ACL does
    not. There's a difference.

    Steinar Haug, Nethelp consulting,
     
    Steinar Haug, Jun 30, 2004
    #4
  5. joeblow

    joeblow Guest

    aggh, sorry, what I meant to ask before was:

    so 'established' does not imply 'stateful'?

    Are pix'es stateful?

    Typing too fast yet again....
    Thanks,

     
    joeblow, Jun 30, 2004
    #5
  6. Sam Wilson

    Sam Wilson Guest

    Nope, it means "contains a TCP ACK flag", so "permit blah-blah-blah
    established" means that only the return packets of a TCP connection are
    allowed - a connection cannot be made in that direction.

    Yes, but a Cisco 4000 isn't a PIX. Completely different hardware,
    completely different software. They're both the same colour, though.

    Sam
     
    Sam Wilson, Jun 30, 2004
    #6
  7. Steinar Haug

    Steinar Haug Guest

    [Sam Wilson]

    | > so 'established' does not imply 'stateful'?
    |
    | Nope, it means "contains a TCP ACK flag" so "permit blah-blah-blah
    | established" means that only the return packets of a TCP connection are
    | allowed - a connection cannot be made in that direction.

    Nitpicking: AFAIK it means "contains a TCP ACK *or* TCP RST flag".

    Steinar Haug, Nethelp consulting,
     
    Steinar Haug, Jun 30, 2004
    #7
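    To make the difference between the 'established' keyword (Terry's post
    #2 and the ACK/RST nitpick in #6 and #7) and real stateful filtering
    concrete, here is an added example that is not part of the thread and
    not Cisco code. It models ACL 101 (with Terry's suggested 10.10.70.0/24
    source) and his tightened ACL 103 in Python, implements 'established'
    as "ACK or RST bit set", and runs the same packets through a minimal
    stateful filter that remembers which outbound flows it allowed. The
    Packet and Rule classes, the 10.10.70.5 and 192.168.0.9 hosts, the
    ports and the crafted packet are all constructed for illustration.

```python
"""Stateless IOS ACLs from this thread modelled next to a minimal stateful
filter. Added example, not Cisco code: the classes and every address, port
and packet below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int = 0

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass(frozen=True)
class Rule:
    """One 'access-list N permit tcp SRC WC DST WC [eq P] [established]' line."""
    permit: bool
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None  # 'eq N' after the source address
    dport: Optional[int] = None  # 'eq N' after the destination address
    established: bool = False    # matches only if ACK or RST is set

    def matches(self, p: Packet) -> bool:
        if not (wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc)):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # the router's only notion of "state" is this header-flag check
        return not self.established or bool(p.flags & (ACK | RST))

def acl_permits(acl, p: Packet) -> bool:
    """First matching line wins; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.permit
    return False

ANY = ("0.0.0.0", "255.255.255.255")
# access-list 101 permit tcp 10.10.70.0 0.0.0.255 192.168.0.0 0.0.0.255 eq 22
ACL_101 = [Rule(True, "10.10.70.0", "0.0.0.255", "192.168.0.0", "0.0.0.255", dport=22)]
# access-list 103 permit tcp 192.168.0.0 0.0.0.255 eq 22 any established
ACL_103 = [Rule(True, "192.168.0.0", "0.0.0.255", *ANY, sport=22, established=True)]

class StatefulFilter:
    """Admits an inbound packet only if it belongs to a flow the outbound ACL
    let through. Deliberately minimal: no TCP state machine and no sequence
    number checks, which a real stateful firewall also does."""
    def __init__(self, out_acl):
        self.out_acl = out_acl
        self.flows = set()

    def outbound(self, p: Packet) -> bool:
        ok = acl_permits(self.out_acl, p)
        if ok:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return ok

    def inbound(self, p: Packet) -> bool:
        # a reply must come back to the initiator: reverse the 4-tuple
        return (p.dst, p.dport, p.src, p.sport) in self.flows

def run_scenarios() -> dict:
    """Each value is (stateless ACL verdict, stateful filter verdict)."""
    sf = StatefulFilter(ACL_101)
    syn_out = Packet("10.10.70.5", "192.168.0.9", 40000, 22, SYN)
    synack_back = Packet("192.168.0.9", "10.10.70.5", 22, 40000, SYN | ACK)
    rst_back = Packet("192.168.0.9", "10.10.70.5", 22, 40000, RST)
    new_ssh_in = Packet("192.168.0.9", "10.10.70.5", 33333, 22, SYN)
    # Terry's bypass: a 192.168.0.x host sets sport 22 and ACK, aims at port 445
    spoofed = Packet("192.168.0.9", "10.10.70.5", 22, 445, ACK)
    return {
        "scp_out": (acl_permits(ACL_101, syn_out), sf.outbound(syn_out)),
        "scp_reply": (acl_permits(ACL_103, synack_back), sf.inbound(synack_back)),
        "scp_rst": (acl_permits(ACL_103, rst_back), sf.inbound(rst_back)),
        "new_ssh_in": (acl_permits(ACL_103, new_ssh_in), sf.inbound(new_ssh_in)),
        "spoofed_ack": (acl_permits(ACL_103, spoofed), sf.inbound(spoofed)),
    }

if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:12} ACL: {str(stateless):5}  stateful: {stateful}")
```

    The legitimate scp handshake and a bare RST from port 22 pass both
    filters, and a fresh inbound SYN to port 22 fails both, so ACL 103 does
    what the thread says. The crafted packet with source port 22 and the ACK
    bit set is the case that separates them: the stateless ACL accepts it
    because it only looks at the flags, while the stateful filter rejects it
    because no 10.10.70.x host ever opened a connection to 192.168.0.9:22
    from port 445. One further caveat for the "invisible router" goal: an
    outbound IOS ACL does not filter packets the router itself originates,
    so 'ip access-group 101 out' constrains hosts behind e0, not the router's
    own traffic on that interface.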
  8. Sam Wilson

    Sam Wilson Guest

    Nitpick acknowledged - I decided not to be pedantic, but that may have
    been the wrong decision... :)

    Sam
     
    Sam Wilson, Jul 1, 2004
    #8
  9. joeblow

    joeblow Guest

    Thanks for the discussion folks. It's much appreciated.
     
    joeblow, Jul 8, 2004
    #9
