ACL to prevent LAN IP Spoofing 3

WesF (Technical User, US), Jan 9, 2004
Our firewall has an IDS solution that does blacklisting of IPs. We haven't been able to use this feature because of our internal IPs (10.0.0.x) being spoofed from the outside coming in, and therefore blacklisting internal users. To clear those IPs off of the blacklist I have to reboot the FW appliance.

I have not worked on routers that much, but have been trying to learn as much as possible. I set up an ACL to hopefully prevent LAN IPs from being spoofed.

Router is a Cisco 1601, w/ IOS 11.1
Here is my ACL:

! Deny LAN IPs from being spoofed
access-list 1 deny 10.0.0.0 0.255.255.255
access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 permit 0.0.0.0 255.255.255.255

Everything else is allowed in because our firewall appliance controls all of the security.

I applied this to our external interface, Serial0 by the following:

Config t
int s0
ip access-group 1 in

The end of our config is as such:

interface Serial0
ip address x.x.x.x x.x.x.x
ip access-group 1 in
bandwidth 512
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
logging buffered
access-list 1 deny 10.0.0.0 0.255.255.255
access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 permit any
snmp-server community public RO
!
line con 0
line vty 0 4
password
login

Does this look correct? Also, I wanted to turn on logging for the first two lines like this:

access-list 1 deny 10.0.0.0 0.255.255.255 log

....but it does not work. Anyone know how to enable logging on this access list? Thanks.
 
That list should do what you want. You could add in the other reserved networks as well.

If this is an Internet facing router I'd remove the SNMP command, SNMP V1 is not at all secure, and you have the default password of public applied.

Also stick an ACL on the vty port to restrict access there as well.

I'd also turn off CDP. (no cdp run, global command)

As for logging, the log keyword outputs the message onto the console port, or to a logged-in vty session when 'term mon' is enabled.
 
Thanks so much for the reply. Sorry for being such a rookie at this, but if you have time could you answer the following:

- what command removes the snmp?
- something like this for the vty?

access-list 2 permit a.b.c.d 0.0.0.0
access-list 2 deny any
....w/ a.b.c.d being our firewall IP since I will telnet through it from the LAN

- what is CDP?
- any way to log when something is filtered according to the access list or is it done automatically?

Thanks again!
 
Also meant to ask what the 2 numbers after vty, as in line vty 0 4, mean? Haven't run across that anywhere yet.
 
The command to remove the snmp configuration is something like:

no snmp-server community public RO

CDP is the Cisco Discovery Protocol. It identifies all connected Cisco devices, so if you were to do a 'show cdp neighbor', you would see all Cisco devices that are connected to your router/switch. This link will help you with the CDP definition:


And here's a link to the vty question. VTY is the virtual terminal interface through which you can telnet to a router/switch. The value is always at 0 4 for vty, and 0 for the console.


Hope this helps!
 
The ACL applied to the vty needs to be the source IP address, so if your firewall NATs every internal address to one from a pool, or to its outside interface, then that is the address that goes into the ACL.

The idea behind this is to make the router as invisible as possible to those who may try to break it.

There is more information on this subject at
 
Here's a slightly edited version of my border access lists. I also have a firewall for the "real" security. The router-protection elements could be further improved by blocking virtually all access to the serial ip, and allowing access to the LAN ip by only specified management stations.

access-list 101 remark ---deny RFC1918
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 remark ---deny internal addresses
access-list 101 deny ip <ip network> <ip mask> any log
access-list 101 remark -- deny access to router
access-list 101 deny tcp any any eq telnet log
access-list 101 deny udp any any eq syslog log
access-list 101 deny tcp any any eq cmd log
access-list 101 deny udp any any eq snmp log
access-list 101 remark -- allow all other access
access-list 101 permit icmp any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 remark -- deny bad protocols 7/17/2003
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 permit ip any any

This list is a last step to prevent private address leakage. Again, it could be improved by only permitting the LAN ip range out.
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 permit ip any any

int serial 1/0
ip access-group 101 in
ip access-group 102 out
!

Of course, I'm open to other suggestions as well.

Lee.
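As an added example (not code from this thread, from Cisco, or from either poster): a small Python evaluator that parses the standard list from the first post and Lee's lists 101 and 102 from the text above, applies Cisco wildcard-mask matching with first-match-wins and the implicit deny at the end of every list, and runs constructed packets through them. Two things are assumed for the example only: the "<ip network> <ip mask>" placeholder in list 101 is filled with 198.51.100.0/24 as the site's public range, and 203.0.113.0/24 stands in for the Internet side. It shows a forged 10.0.0.x source being dropped inbound by both lists (and which entry fires, with its log flag), a private destination being dropped by the outbound list, and the router-protection entries catching telnet and PIM.

```python
"""Cisco-style ACL evaluator for the anti-spoofing lists in this thread (added example)."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "pim": 103}
PORT_NAME = {"telnet": 23, "snmp": 161, "syslog": 514, "cmd": 514}

# Lists from the thread; the "<ip network> <ip mask>" placeholder is filled with an ASSUMED 198.51.100.0/24.
ACL_TEXT = """
access-list 1 deny 10.0.0.0 0.255.255.255
access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 permit 0.0.0.0 255.255.255.255
access-list 101 remark ---deny RFC1918
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 198.51.100.0 0.0.0.255 any log
access-list 101 deny tcp any any eq telnet log
access-list 101 deny udp any any eq syslog log
access-list 101 deny tcp any any eq cmd log
access-list 101 deny udp any any eq snmp log
access-list 101 permit icmp any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 permit ip any any
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 permit ip any any
"""

@dataclass(frozen=True)
class Entry:
    action: str               # "permit" or "deny"
    proto: Optional[int]      # None means "ip": any protocol
    src: str                  # "any" or "network wildcard"
    dst: str
    dport: Optional[int] = None
    log: bool = False

# A packet as the ACL sees it: addresses, IP protocol number, destination port.
Packet = namedtuple("Packet", "src dst proto dport", defaults=(6, None))

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at tok[i]; return (spec, index after it)."""
    if tok[i] == "any":
        return "any", i + 1
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():   # an explicit wildcard follows
        return f"{tok[i]} {tok[i + 1]}", i + 2
    return f"{tok[i]} 0.0.0.0", i + 1                  # bare address: that one host

def parse_acl(text: str, number: int) -> List[Entry]:
    """Entries of access-list <number> in the order written; remarks skipped."""
    entries = []
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        log = tok[-1] == "log"
        tok = tok[:-1] if log else tok
        if number <= 99:                     # standard list: source address only
            entries.append(Entry(tok[2], None, _take_addr(tok, 3)[0], "any", None, log))
            continue
        proto = None if tok[3] == "ip" else PROTO_NUM.get(tok[3]) or int(tok[3])
        src, i = _take_addr(tok, 4)
        dst, i = _take_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAME.get(tok[i + 1]) or int(tok[i + 1])
        entries.append(Entry(tok[2], proto, src, dst, dport, log))
    return entries

def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[int], bool]:
    """First matching entry wins; no match is the implicit deny (index None)."""
    for idx, e in enumerate(entries):
        if ((e.proto is None or e.proto == p.proto) and (e.dport is None or e.dport == p.dport)
                and wildcard_match(p.src, e.src) and wildcard_match(p.dst, e.dst)):
            return e.action, idx, e.log
    return "deny", None, False

# Constructed packets; 203.0.113.0/24 stands in for the Internet side.
SPOOFED_IN = Packet("10.0.0.5", "198.51.100.20", 6, 80)    # forged LAN source arriving on Serial0
LEGIT_IN = Packet("203.0.113.7", "198.51.100.20", 6, 80)
TELNET_IN = Packet("203.0.113.7", "198.51.100.1", 6, 23)   # telnet aimed at the router itself
PIM_IN = Packet("203.0.113.7", "198.51.100.1", 103)
LEAK_OUT = Packet("198.51.100.5", "192.168.1.1", 17, 53)   # private destination leaving outbound

if __name__ == "__main__":
    for num, pkt in [(1, SPOOFED_IN), (101, SPOOFED_IN), (101, LEGIT_IN), (101, TELNET_IN), (101, PIM_IN), (102, LEAK_OUT)]:
        print(f"acl {num}: {pkt.src} -> {pkt.dst}", evaluate(parse_acl(ACL_TEXT, num), pkt))
```

The returned index is the position among the non-remark entries, which is what you would compare against the counters in 'show access-list'; the third value is the entry's log flag, so it also shows why the first post's standard list, which has no log keyword, stays silent while list 101 would log the same spoofed packet. The permit 0.0.0.0 255.255.255.255 line is matched through the same wildcard path and behaves exactly like permit any.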
 