
outside source deny all but few ports


lebisol

IS-IT--Management
Jan 3, 2003
3,325
US
Hello everyone.
I need a little help with ACLs....not a Cisco guru so don't laugh at my request. :)
So far I have natted out the paths I need. I am just looking to lock down all the 'unused ports' including pings and echos and any response other than the 2 ports used.
Code:
...
ip nat inside source static tcp 192.168.1.15 443 my.wan.ip.here 443 extendable
ip nat inside source static tcp 192.168.1.15 25 my.wan.ip.here 25 extendable
ip nat outside source static 192.168.1.15 my.wan.ip.here extendable
...
I am using 'outside source' since the WAN IP is one of my secondary IPs and I want the server to reflect it vs. the default gateway.
Looking to lock down everything and allow ONLY SSL and SMTP as you can tell.
Many thanks for your time!



All around in my home town,
They tryin' to track me down...
 
access-list 111 permit tcp any host 192.168.1.15 eq 443
access-list 111 permit tcp any host 192.168.1.15 eq 25
access-list 111 deny tcp any host 192.168.1.15 established
Then apply it in the inbound direction to all WAN interfaces.

Burt
 
Hi burtsbees,
Thanks for the quick help.
Just curious about:
access-list 111 deny tcp any host 192.168.1.15 established

Would this also block Outbound for other traffic for other nodes 192.168.1.x behind the router?
Every other node (read: not outside-source natted) goes out through the default WAN IP/gateway my.defaultgateway.ip.here.

Thanks again and sorry for the paranoia :)
All the best!

 
This stopped all the traffic inbound/outbound on other lan IPs.
It looks like I may have to deny ports manually....
Thanks again!

 
Sorry---I misunderstood, and still am not 100%---I will give it a whack tomorrow since I am brain dead right about now. Sorry, bro.

Burt
 
No worries Burt, that makes two of us.
In case you need a better idea I am essentially trying to have my server 'go out to public' on my secondary IP
of xxx.xxx.xxx.200 and only show two ports active, 25 and 443, while the rest of the nodes will continue to be seen through the xxx.xxx.xxx.194 default gateway IP.

Here are the significant config parts.
Code:
---SNIP-----

interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.1.2 255.255.255.0

---SNIP-----

interface FastEthernet0/1
 description WAN Interface
 ip address xxx.xxx.xxx.200 255.255.255.240 secondary
 ip address xxx.xxx.xxx.194 255.255.255.240

---SNIP-----

ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.15 443 xxx.xxx.xxx.200 443 extendable
ip nat inside source static tcp 192.168.1.15 25 xxx.xxx.xxx.200 25 extendable
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any host xxx.xxx.xxx.200 eq 443
access-list 101 permit tcp any host xxx.xxx.xxx.200 eq smtp
access-list 101 deny tcp any host 192.168.1.15 established

Since using 'deny established' did not work (could be me) my alternative was to deny all ports I could scan as active on the machine. This sort of rubs me the wrong way especially since I have no way of knowing when 'new ports' get opened in case of compromise of machine. Not to mention 50-60 lines of deny statements.
In any case, if it hits you do share.
Thanks again for the efforts!
All the best!

 
The keyword "established" does what the acl says to when the TCP connection is already established, but the first 2 entries should be matched when an outside host is trying to ssl in...perhaps take out the keyword "established"?
router#sh access-list
Then it will list acl 101, line by line. It should be line 30, so...
router#conf t
router(config)#ip access-list extended 101
router(config-ext-nacl)#no 30
router(config-ext-nacl)#30 deny tcp (or ip) any 192.168.1.15
If you get rid of the line and not add a new deny statement, it will deny everything else anyway, so this may also be an option---with the "deny tcp", you won't have to scan ports and deny all the ones that are open---it already will with the exception of a match with the first two statements, including any that get opened without your knowledge. Like I say, I am brain dead, and I will try to understand the whole secondary IP address thing you are utilizing tomorrow.

Burt
 
Thanks,
The secondary IP is to be used for reverse DNS lookup on the mail server (port 25) so when email headers are examined they match the sending (secondary) public IP....while at the same time blocking all other ports.
Still not blocking ports though...if I run nmap I get a full laundry list of ports.
using new static route:
Code:
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.15 xxx.xxx.xxx.200 extendable

!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any host xxx.xxx.xxx.200 eq 443
access-list 101 permit tcp any host xxx.xxx.xxx.200 eq smtp
access-list 101 deny tcp any host 192.168.1.15
I have used the same to edit list 100 thinking it would make a difference.
Using:

ip nat inside source static 192.168.1.15 xxx.xxx.xxx.200 extendable

definitely does the trick for the secondary IP goal...now just the blocking is an issue.
Thanks again for re-frying along with me. ;-)
All the best!


 
So, it is NOT blocking what you want, or it IS blocking? I will read more into it tomorrow, perhaps something to do with the second interface...

Burt
 
I DO want ports blocked on this machine/IP inbound.
Not a whole happening on LAN side.
Could it be because .200 is defined as a secondary IP?
Code:
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.1.2 255.255.255.0
...
...
...
interface FastEthernet0/1
 description WAN Interface
 ip address xxx.xxx.xxx.195 255.255.255.240 secondary
 ip address xxx.xxx.xxx.196 255.255.255.240 secondary
 ip address xxx.xxx.xxx.197 255.255.255.240 secondary
 ip address xxx.xxx.xxx.198 255.255.255.240 secondary
 ip address xxx.xxx.xxx.200 255.255.255.240 secondary
 ip address xxx.xxx.xxx.194 255.255.255.240

:|
As far as interfaces and ACLs....this is just about the config.

Thanks again!

 
If you are NATing to a public IP you shouldn't have the IP address as a secondary IP on an interface. In addition the access-list should be

access-list 101 permit tcp any host xxx.xxx.xxx.200 eq 443
access-list 101 permit tcp any host xxx.xxx.xxx.200 eq smtp
access-list 101 deny ip any host xxx.xxx.xxx.200
access-list 101 permit ip any any
 
no love...all active ports are still responding.
it is becoming wtf question at this point.
Code:
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.1.2 255.255.255.0
---
interface FastEthernet0/1
 description WAN Interface
 ip address xxx.xxx.xxx.195 255.255.255.240 secondary
 ip address xxx.xxx.xxx.196 255.255.255.240 secondary
 ip address xxx.xxx.xxx.197 255.255.255.240 secondary
 ip address xxx.xxx.xxx.198 255.255.255.240 secondary
 ip address xxx.xxx.xxx.194 255.255.255.240
---
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
---
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.15 xxx.xxx.xxx.200 extendable
---
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any host xxx.xxx.xxx.200 eq 443
access-list 101 permit tcp any xxx.xxx.xxx.200 eq smtp
access-list 101 deny   ip any host xxx.xxx.xxx.200 
access-list 101 permit ip any any
Again I tried using it in acl 100 thinking because of:
"ip nat inside source list 100 interface FastEthernet0/1 overload" but no difference.

Thanks again for taking your time....this has been driving me nuts.
All the best!

 
Are you assigning the access-list 101 to the interface?

interface FastEthernet0/1
access-group 101 in
 
What is the command to apply?
...but I also edited list 100 thinking it IS applied....all the same.
All ears here...

 
ip access-group 101 in
worked for blocking ...now my Outbound smtp traffic (from 192.168.1.15) on port 25 is blocked...

 
actually smtp is blocked in and out....while ssl works.?!

 
This statement
access-list 101 permit tcp any xxx.xxx.xxx.200 eq smtp
needs to have the keyword "host" after "any".

Burt
 
Sorry, it does...it was my typo.
After talking to a few more cisco heads they passed on this info:
"From what I understand SMTP uses 25 for IN and OUT."
is actually not true, when an smtp message or ssl message comes in the server (or workstation) uses the ephemeral port ranges to send traffic back out. The port ranges are as follows as of OS type:

Windows TCP 1025-5000 (UDP if necessary)
Linux TCP 32768-52000 (UDP if necessary)
Unix TCP 49151-52000 (UDP if necessary)

It seems like it would be a whole lot easier to deny ports individually.

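To make the ACL behaviour argued over in this thread concrete, here is an added example that is not from the thread, from Tek-Tips, or from Cisco: a small Python model of how an IOS extended access list is evaluated (first matching entry wins, an implicit deny ends the list, and `established` matches only TCP segments carrying ACK or RST). It runs the first suggested list from Burt's opening reply, the final `access-list 101` the thread settled on, and a constructed variant against a few constructed packets. The documentation addresses 203.0.113.200 and 203.0.113.194 are stand-ins for the masked xxx.xxx.xxx.200 and xxx.xxx.xxx.194; the `permit tcp any eq smtp host ... established` entry in the "fixed" list is my addition, not something anyone in the thread posted. The model only handles `any` and `host X` address specs, which is all these lists use. It shows why the very first attempt (inside address only, no `permit ip any any`) cut off every other LAN node's return traffic once applied inbound on the WAN interface, and why, with the final list, the mail server's outbound SMTP delivery broke: the remote MTA's replies arrive with the server's ephemeral port as destination, match neither `eq 443` nor `eq smtp`, and fall through to `deny ip any host ...`.

```python
"""Toy model of Cisco IOS extended-ACL evaluation (added illustration, not from the thread).
Rules modelled: first matching entry wins; an implicit 'deny ip any any' ends every list;
'established' matches TCP segments carrying ACK or RST, i.e. replies to a connection the
inside host opened. Only 'any' and 'host X' address specs are supported here."""
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}   # well-known names IOS accepts after 'eq'

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

def parse_ace(line):
    """Parse 'access-list N <permit|deny> <proto> <src> [eq p] <dst> [eq p] [established]'."""
    toks = line.split() + [""]      # sentinel so lookahead never runs off the end
    action, proto, i = toks[2], toks[3], 4
    fields = []
    for _ in range(2):              # source spec, then destination spec
        if toks[i] == "any":
            fields.append("any")
            i += 1
        elif toks[i] == "host":
            fields.append(toks[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported address spec in: {line}")
        port = None
        if toks[i] == "eq":         # optional port qualifier, by name or number
            port = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
            i += 2
        fields.append(port)
    src, sport, dst, dport = fields
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                established=toks[i] == "established", text=line)

def _matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and ace["src"] in ("any", pkt.src) and ace["dst"] in ("any", pkt.dst)
            and ace["sport"] in (None, pkt.sport) and ace["dport"] in (None, pkt.dport)
            and (not ace["established"] or bool(pkt.flags & {"ACK", "RST"})))

def evaluate(acl, pkt):
    """Return (action, entry text) for one packet, falling through to the implicit deny."""
    for ace in acl:
        if _matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny ip any any"

def build(text):
    return [parse_ace(line) for line in text.strip().splitlines()]

# Constructed addresses: 203.0.113.200 stands in for the masked xxx.xxx.xxx.200 (the mail server's
# public IP), 203.0.113.194 for the primary WAN address the other LAN nodes are overloaded behind.
MAIL, WAN = "203.0.113.200", "203.0.113.194"

# The thread's first suggestion: inside address only and no 'permit ip any any', so nothing sent
# to the public addresses matches and the implicit deny cuts off every other LAN node's replies.
ACL_FIRST_ATTEMPT = build("""
access-list 111 permit tcp any host 192.168.1.15 eq 443
access-list 111 permit tcp any host 192.168.1.15 eq 25
access-list 111 deny tcp any host 192.168.1.15 established""")

# The list the thread ended with, applied 'ip access-group 101 in' on the WAN interface.
ACL_FROM_THREAD = build(f"""
access-list 101 permit tcp any host {MAIL} eq 443
access-list 101 permit tcp any host {MAIL} eq smtp
access-list 101 deny ip any host {MAIL}
access-list 101 permit ip any any""")

# Constructed fix: admit replies from remote MTAs (source port 25, ACK set) before the catch-all
# deny; an unsolicited SYN from source port 25 has no ACK and still falls through to the deny.
ACL_FIXED = build(f"""
access-list 101 permit tcp any host {MAIL} eq 443
access-list 101 permit tcp any host {MAIL} eq smtp
access-list 101 permit tcp any eq smtp host {MAIL} established
access-list 101 deny ip any host {MAIL}
access-list 101 permit ip any any""")

# Constructed packets as seen inbound on the WAN interface (pre-NAT public destination addresses).
INBOUND_HTTPS = Packet("tcp", "198.51.100.7", MAIL, 51234, 443, frozenset({"SYN"}))
INBOUND_SSH_PROBE = Packet("tcp", "198.51.100.7", MAIL, 51235, 22, frozenset({"SYN"}))
SMTP_REPLY = Packet("tcp", "198.51.100.25", MAIL, 25, 49152, frozenset({"SYN", "ACK"}))  # remote MTA answering our delivery
SMTP_PROBE = Packet("tcp", "198.51.100.25", MAIL, 25, 49152, frozenset({"SYN"}))         # scanner using source port 25
LAN_NODE_REPLY = Packet("tcp", "198.51.100.80", WAN, 80, 40000, frozenset({"ACK"}))       # web reply to another LAN node

if __name__ == "__main__":
    for name, acl in (("first attempt", ACL_FIRST_ATTEMPT), ("thread", ACL_FROM_THREAD), ("fixed", ACL_FIXED)):
        for pkt in (INBOUND_HTTPS, INBOUND_SSH_PROBE, SMTP_REPLY, SMTP_PROBE, LAN_NODE_REPLY):
            print(f"{name:14} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)} => {evaluate(acl, pkt)}")
```

The `established` entry is the classic stateless workaround: it lets reply segments through without opening the mail server's ephemeral range to fresh connections, so the per-port deny list the last post considers is unnecessary, and a port opened later by a compromised host is still covered by the `deny ip any host` line. It is only an approximation of state (it keys on the ACK bit, not on a real connection), so an ACK-only probe from source port 25 would pass it; on IOS the stateful alternatives are reflexive access lists or CBAC (`ip inspect`), which track outbound connections and open the return path per flow.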
 