
Confused about my Configuration 1


ToddWW

Programmer
Mar 25, 2001
I have a Cisco 827 DSL Modem/Router in front of IIS running a public web page. I have half a dozen internal computers networked together using the 10.10.10.x IP scheme. 10.10.10.1 is assigned to the router, 10.10.10.2 is assigned to a web site, and 10.10.10.240 is assigned to a network printer. All other computers are set to receive IP's dynamically. My public website address is 65.100.222.186. It's a public address in the sense that it's available over the internet, but the application on it is private to my customers only. In other words, it's not PUBLIC in every sense of the word.

Everything works fine, but I have a few questions. The tech who set this up for me is no longer available to assist me, and Qwest is not supporting this router because it is not a standard router they issue to their customers.

Here is my config.

show run
Building configuration...

Current configuration:
!
! No configuration change since last restart
!
version 12.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname Router
!
enable secret *******
enable password *******
!
!
!
!
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
ip name-server 206.81.128.1
ip name-server 204.147.80.5
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.2
ip dhcp excluded-address 10.10.10.240
!
ip dhcp pool PETRO
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
domain-name qwest.net
dns-server 206.81.128.1 204.147.80.5
lease 5
!
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip access-group 110 out
ip nat inside
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface Dialer1
ip address 65.100.222.190 255.255.255.248
ip nat outside
encapsulation ppp
dialer pool 1
ppp pap sent-username *******
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 10.10.10.2 65.100.222.186
ip classless
ip route 0.0.0.0 0.0.0.0 65.100.205.254
no ip http server
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 110 deny tcp any any range 137 139
access-list 110 permit ip any any
!
line con 0
transport input none
stopbits 1
line vty 0 4
password ******
login
!
sntp server 128.101.101.101
scheduler max-task-time 5000
end


Here are my questions.

#1: What do the following statements mean?


access-list 1 permit 10.10.10.0 0.0.0.255
access-list 110 deny tcp any any range 137 139
access-list 110 permit ip any any


#2: How can I configure my router to deny HTTP requests from a specific IP address or IP range, or a combination of both? The reason is that my server is being bombed with Code Red attacks, which we are handling with IIS, but I would like to block those IP's at the router so they don't even make it to the server.

I'm a beginner with Cisco OS and as of now, the only thing I know how to do is get logged into the router via HyperTerminal. If you could provide command line help, I would greatly appreciate it.

Thanks a million.

TW
 
toddww, get in touch with me @ inetsecure11@yahoo.com; I can help you out.
 
HI!

* This line:
access-list 1 permit 10.10.10.0 0.0.0.255
is used for the NAT configuration, and the number 1 is mapped here:
ip nat inside source list 1 interface Dialer1 overload


* These lines:
access-list 110 deny tcp any any range 137 139
access-list 110 permit ip any any

are mapped to your incoming traffic here:
interface Ethernet0
ip access-group 110 out

and they filter out NetBIOS traffic that comes over TCP ports 137-139
(this is not accurate about NetBIOS, but this is what is configured).


* You can filter incoming HTTP traffic in several ways with your existing configuration. However, it is recommended to implement a firewall.
One way is to filter using an access-list in the router. This has 2 disadvantages you'll have to consider:
1. The command line isn't so friendly, especially for CISCO novices.
2. You will probably need to make frequent changes, adding permitted source IP addresses to your list. This is not so easy using CISCO access-lists.

Another way is to define IP filters on your web server itself.
I think that this is the recommended current solution for you (until you implement a firewall), because it will give you easier management for modifying the list of permitted IP source addresses.

You can define IP filters in the TCPIP properties of your web-server.

This may seem to be less protection, but I think it is about the same as blocking at the router for your specific scenario, and easier management is an important issue if you need frequent changes.


Bye

Yizhar Hurwitz
 
Yizhar,

Thank you very, very much. Yes, we are handling IP restrictions through the web server now and it is covering 100% of all of the code red attacks by denying those IP's access to the web server. However, the denial returns a page back to the attacker that says IP DENIED. Therefore, even though the IP's are being denied in the web server, the web server itself is still processing the requests, returning an error page, and the log files at the end of the day are ridiculous. I would really like to learn, for my own personal knowledge, how to deny IP addresses and / or groups within the router. I understand that the command line sequence may be a bit deep, but I have been in and out of my router on several occasions, following other people's instructions, to get things accomplished. If it's not too much trouble, could you brief me on the commands to manipulate those access lists.

Thanks.

ToddWW
 
HI!

As I mentioned, you can block IP addresses in the TCPIP properties of your web server (instead of, or in addition to, the blocking defined in IIS manager).
This is done in NETWORK PROPERTIES in NT 4.
This is almost the same for you as blocking in the router itself,
and the overhead on your web server will be negligible.

If your web server serves only a limited list of IP addresses, it is recommended to block all addresses except the permitted ones.
If your web server serves all the Internet or a very wide range of clients,
it is recommended to permit all addresses except those that you define.
In any case, you should have a list of IP addresses to block or permit.

This is one way (there are others) that you can use to block, in your router, every access to port 80 except (permit) IP addresses 111.111.111.111 and 222.222.222.222, which represent legitimate clients.

access-list 120 permit tcp host 111.111.111.111 any eq www
access-list 120 permit tcp host 222.222.222.222 any eq www
access-list 120 deny tcp any any eq www
access-list 120 permit ip any any

interface dialer1
ip access-group 120 in


Again, this is not the only nor the recommended way in my opinion, but it can work for you.
Changing the 120 list later requires deleting and recreating it.

You can also combine the 120 and 110 lists into a single one. In any case, with access-lists the most specific must come first
(i.e., permit ip any any must come last; every line after it will never match).

If you are going to use access-lists on the router, you MUST learn a little more about them, and about the syntax and logic of the commands.
Asking here is good but not enough.

Reading the router manuals (on paper and/or online) can provide much help.

Bye

Yizhar Hurwitz
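An added illustration, not part of the thread: a small Python model of how IOS walks an access list (first match wins, wildcard-mask comparison, implicit deny when no line matches), run over the thread's own lists 1, 110 and 120. It covers both replies above: what `access-list 1` matches, why the two list-110 lines filter ports 137-139, and why nothing after `permit ip any any` can ever match. The 111.111.111.111 / 222.222.222.222 addresses are the placeholder customers from the reply; any other hosts used with it are constructed samples.

```python
import ipaddress
# Lists copied from the thread: 1 and 110 from the posted config, 120 from the suggested fix.
ACL_1 = "access-list 1 permit 10.10.10.0 0.0.0.255"
ACL_110 = """access-list 110 deny tcp any any range 137 139
access-list 110 permit ip any any"""
ACL_120 = """access-list 120 permit tcp host 111.111.111.111 any eq www
access-list 120 permit tcp host 222.222.222.222 any eq www
access-list 120 deny tcp any any eq www
access-list 120 permit ip any any"""
ANY = 0xFFFFFFFF  # a wildcard with every bit set matches any address
_ip = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad -> 32-bit int

def _addr(tok):
    """Consume one IOS address spec ('any', 'host X' or 'X WILDCARD'); return (base, wildcard, rest)."""
    if tok[0] in ("any", "host"):  # 'any' = base 0 / all-ones wildcard; 'host X' = X / zero wildcard
        return (0, ANY, tok[1:]) if tok[0] == "any" else (_ip(tok[1]), 0, tok[2:])
    return _ip(tok[0]), _ip(tok[1]), tok[2:]

def _ports(tok):  # optional 'eq P' or 'range A B' -> (low, high); 'www' is the only named port here
    p = [int({"www": 80}.get(t, t)) for t in tok[1:]]
    return (0, 65535) if not tok else (p[0], p[0]) if tok[0] == "eq" else (p[0], p[1])

def parse_acl(text):
    """Turn 'access-list N ...' lines into (action, proto, src, swc, dst, dwc, lo, hi) tuples."""
    entries = []
    for line in text.strip().splitlines():
        action, *rest = line.split()[2:]           # drop 'access-list' and the list number
        if rest[0] in ("ip", "tcp", "udp"):        # extended list: protocol, source, destination, ports
            proto, (src, swc, rest) = rest[0], _addr(rest[1:])
            dst, dwc, rest = _addr(rest)
            lo, hi = _ports(rest)
        else:                                      # standard list (list 1): source address only
            proto, (src, swc, rest), (dst, dwc, lo, hi) = "ip", _addr(rest), (0, ANY, 0, 65535)
        entries.append((action, proto, src, swc, dst, dwc, lo, hi))
    return entries

def evaluate(entries, proto, src, dst, dport=0):
    """First matching line wins; falling off the end is the implicit deny. Returns (action, line_no)."""
    wc = lambda a, base, w: (a & ~w) == (base & ~w)   # wildcard 1 bits are 'don't care'
    for n, (action, p, bs, ws, bd, wd, lo, hi) in enumerate(entries, 1):
        if p in ("ip", proto) and wc(_ip(src), bs, ws) and wc(_ip(dst), bd, wd) and lo <= dport <= hi:
            return action, n
    return "deny", None

def unreachable_lines(entries):  # lines shadowed by an earlier 'ip any any' that already matches everything
    for n, (_, p, _, ws, _, wd, lo, hi) in enumerate(entries, 1):
        if p == "ip" and ws == wd == ANY and (lo, hi) == (0, 65535):
            return list(range(n + 1, len(entries) + 1))
    return []
```

With list 120 applied inbound on Dialer1, an HTTP request to 65.100.222.186 from any source other than the two permitted hosts stops at line 3, while non-HTTP traffic still falls through to line 4, which is exactly the "block port 80 except these clients" behaviour the reply describes.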
 
I realize now how in depth it really is and I just thought I could get a quick tip on denying a few addresses until I can get some real help.

I was working on a different post with Phil, who was very helpful. I suggested a proposed config to him where I had assigned the access list to the Ethernet0 interface (I was just assuming, since one of the other lists was there). Here you have suggested it be on the Dialer1 interface.

It's obvious I'm a beginner at this and by no means am I trying to use this forum to become an expert. I just want to block some IP's from gaining any access into my network, including my web server, so I can free up the web server logging program from unauthorized attempts. Right now, the server software is doing the IP blocking, but it still registers the requests in the log and is making our developers, who are tracking the log for customer support, very irritated.

With oodles of servers out there still infected with code red, our log files are getting pretty big. Since our site is for customer web access only, and has very small traffic, the ratio of unauthorized attempts to authorized requests right now is about 90/10. It's more irritating than anything. We've considered a "deny all" and permit "customers only", but we're trying to avoid that because some of our customers, including our resellers, need to bring the web site up from various other locations (such as a sales call or demo).

Your thoughts about Dialer1 vs. Ethernet0 and the access list?

Thanks again for all your help. I have saved your email and will address that when I return from vacation. I was hoping to simply get this out of the way so I could go in peace, without getting wrenched on by our support staff.

Todd WW
 