
ACL deny ip host x.x.x.x any no work 1


burtsbees (Programmer), Jan 29, 2007
This acl entry

access-list 114 deny ip host x.x.x.x any
access-list 114 permit ip any any
int fa0/1
ip access-group 114 in

did not work. This user was trying to brute-force my FTP server, and after hitting enter after entering this ACL, the user session was still active (IIS "active sessions", refreshed a few times). However, this...
ip access-list extended 114
11 deny tcp host x.x.x.x host 192.168.69.108 eq ftp
worked. Why did the "deny ip" not work, but "deny tcp" work? The session disappeared immediately. The other surprising thing is that the built-in signatures usually detect such attacks as a UDP bomb... is there a TCP dictionary attack mechanism? Also, does the fact that "deny ip" did not work indicate that the attacker was using an IP spoofer or proxy? I'm green, sort of, when it comes to security. Thanks.
 
If you are using NAT, did you clear the xlates?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
No...good point. I will do that and experiment. Thanks!

Burt
 
Interesting... NAT translations cleared, still no workie. However, I should explain my topology...

Internet--Adtran--2620--1751--switches--LAN

The ACL was put in the 2620 and did not work.

Int fa0/0 faces the Adtran L3 PoE switch, which is connected to a T1 to the Internet. Int fa0/0 on the 2620 has a public IP address on it, and is therefore where NAT takes place.

access-list 114 permit tcp host x.x.x.x host 192.168.69.108 eq ftp
access-list 114 deny ip any host 192.168.69.108
access-list 114 permit ip any any
int fa0/0
ip access-group 114 in

Applied the ACL after
clear ip nat trans *

Did not work. Now, the 1751 is connected to the 2620 via WIC-1DSU-T1, T1 crossover cable, subnet 192.168.2.0/30, and fa0 is 192.168.69.0/24; the FTP server is 192.168.69.108. I got rid of ACL 114 completely in the 2620 and rebuilt and applied it outbound on fa0 in the 1751. Voila, it works. Now if THAT didn't work, I was going to freak out. I still can't quite get why it would not work in the 2620. I did verify that the only entry in sh ip nat trans was the static entry
ip nat inside source static tcp 192.168.69.108 21 int fa0/0 21
Any thoughts? I suspect something to do with NAT, or the fact that the FTP server is two subnets away... but there are static routes in both routers so they know how to get to all three subnets (outside public, T1 crossover between the routers, and the LAN hung off the 1751). I'm just stumped...

Burt
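The thread never settles why ACL 114 failed on the 2620 but worked outbound on the 1751. One thing the posts themselves make checkable is where each ACL sat relative to NAT: Cisco IOS evaluates an interface's inbound ACL before it performs outside-to-inside translation, so an ACL applied "in" on the 2620's public fa0/0 sees the packet addressed to fa0/0's public address, never to 192.168.69.108. By the time the packet reaches the 1751's fa0 outbound, it has already been translated, so the same entries match there. (The very first attempt in the thread was applied on fa0/1, whereas the topology post names fa0/0 as the Internet-facing interface, so that ACL would not have seen Internet-sourced traffic at all.) The model below is an added example, not code from the thread; it implements IOS first-match ACL semantics with the implicit deny, the static NAT entry quoted in the thread, and the two ACL hook points the posts describe. The public and remote addresses are assumed (RFC 5737 documentation ranges), since the thread only shows x.x.x.x; 192.168.69.108 and port 21 are from the thread.

```python
# Added example (not from the thread): model IOS inbound-ACL-before-NAT ordering
# to show which destination address ACL 114 sees at each hook point.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

PUBLIC_FA00 = "203.0.113.10"   # assumed public address on the 2620's fa0/0
COLLEAGUE = "198.51.100.7"     # assumed: the one remote host allowed to FTP in
ATTACKER = "192.0.2.66"        # assumed: the brute-forcing source
FTP_SERVER = "192.168.69.108"  # from the thread
FTP = 21


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src: str                  # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    eq: Optional[int] = None  # destination port, as in "eq ftp"


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
        return False
    return ace.eq is None or pkt.dport == ace.eq


def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def nat_outside_to_inside(pkt: Packet) -> Packet:
    """The thread's static entry:
    ip nat inside source static tcp 192.168.69.108 21 int fa0/0 21"""
    if pkt.proto == "tcp" and pkt.dst == PUBLIC_FA00 and pkt.dport == FTP:
        return Packet(pkt.proto, pkt.src, FTP_SERVER, pkt.dport)
    return pkt


# ACL 114 as rebuilt in the thread: it names the server's inside address.
ACL_114 = [
    Ace("permit", "tcp", f"host {COLLEAGUE}", f"host {FTP_SERVER}", FTP),
    Ace("deny", "ip", "any", f"host {FTP_SERVER}"),
    Ace("permit", "ip", "any", "any"),
]

# Same policy written for the 2620's outside interface, where the packet still
# carries the public address. Matching fa0/0's address AND port 21 only keeps
# return traffic for other sessions NATed to that address out of the deny.
ACL_114_OUTSIDE = [
    Ace("permit", "tcp", f"host {COLLEAGUE}", f"host {PUBLIC_FA00}", FTP),
    Ace("deny", "tcp", "any", f"host {PUBLIC_FA00}", FTP),
    Ace("permit", "ip", "any", "any"),
]


def trace(acl_2620_in: List[Ace], acl_1751_out: List[Ace],
          pkt: Packet) -> Tuple[str, Optional[str]]:
    """Follow one Internet-sourced packet through both hook points from the thread.

    IOS order for outside-to-inside traffic: inbound ACL first, then NAT
    outside-to-inside, then routing and any outbound ACL downstream.
    Returns (verdict on 2620 fa0/0 in, verdict on 1751 fa0 out, or None if dropped).
    """
    verdict_in = evaluate_acl(acl_2620_in, pkt)
    if verdict_in == "deny":
        return verdict_in, None
    translated = nat_outside_to_inside(pkt)
    return verdict_in, evaluate_acl(acl_1751_out, translated)


if __name__ == "__main__":
    attacker = Packet("tcp", ATTACKER, PUBLIC_FA00, FTP)
    print("ACL 114 on 2620 fa0/0 in:", trace(ACL_114, ACL_114, attacker))
    print("outside-address ACL     :", trace(ACL_114_OUTSIDE, ACL_114, attacker))
```

Run as-is, the attacker's SYN to port 21 is permitted by ACL 114 on the 2620 (nothing there is addressed to 192.168.69.108 yet) and only denied after translation at the 1751; with the deny rewritten against fa0/0's public address and port 21, it is dropped at the edge. A source-only entry such as "deny ip host x.x.x.x any" is unaffected by NAT in this direction, because the source address is never rewritten inbound, which is why it matches on fa0/0 in this model.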
 
By the way, the ACL permits a colleague's IP address to FTP something I can't have the world seeing, and denies everyone else.

Burt
 
OK, you got me on that. What you did should have worked. What is the NAT config like on the 2620?

Sorry if it takes me a while - I don't sneak over to this forum much. Makes me feel like I'm cheating on the PIX/ASA guys.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
What were the logs saying? Did you get any rejects/allows, and in which directions?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I didn't have it all set up like it should be (logging). I had it logging to a syslog server, but the damned thing would stop running every time I logged off (Windows, Kiwi beta syslog version).
Anyway, I think maybe CBAC was possibly manipulating the ACL since I had an inspect rule for FTP... whaddya think? Possible?
I have super logs set up at home, with Advanced Enterprise 12.4(23), the very latest, ip accounting access-violations, the whole nine. It's telling me about some different attack like every few minutes! Just now, getting ICMP Unreachables from this IP through TCP port 0! Thank goodness for IPS! Signatures drop that bastard like it's hot... lol
I really need to set up CBAC the right way, though, with a deny any any statement incoming and allow on outgoing, like having the "established" keyword, but a LOT better.

Burt
 
The FTP inspect is a possible culprit, but the ACL should process it first. Sounds like a very snazzy but very expensive home setup. :)

Not many set up outbound rules. I am a big fan. I also restrict VPN access out. Never know who made a tunnel and what it is doing.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Well, the router I got for $350 (2620XM), and for a little more I maxed it out with DRAM and flash, and the WIC-1ADSL was I think $180. This was a while back, so yeah, expensive. Got it all when I was setting up my lab for CCNA.
I actually don't have CBAC set up like I should. The way I want to (and will) is to have outbound rules so that CBAC has something to inspect, so I can then deny everything back in, but it will be allowed back in since CBAC will inspect traffic outbound first. Like the "established" keyword at the end, only fancier...
My wife and kids are the only other ones who go out to the Internet. Kids are both boys, 3 and 4, so yeah, big fan of outbound rules too! lol

Burt
 