How to secure IOS12.3 NAT Config (?) 2

Nimroduk (Programmer), Aug 10, 2006
hi all,
I've read through many threads on this site and I have found the answers to most of my questions, so for that thanks :)

I believe I have managed to cook up a config that allows me to do what I want, but I don't feel it is very secure; in fact I would say it's very insecure and I am looking for any pointers to help shore up my defenses...

At present my 2611 is sitting between a test LAN of a single laptop and an already NATed cable connection. I am developing in this way to ensure that I have the most secure (and stable) config I can before putting the 2611 live.

The reason I believe that my config is insecure is that I am not performing any explicit traffic dropping, other than very basic invalid address space blocking. I am relying on NAT to stop unsolicited traffic from entering my LAN and I am not sure that is correct.
I have ended up in this situation, with this config, as it is the only way I have been able to get MSN to work in full (File/Voice/Video). I was hoping that I would be able to create a class-map through NBAR but I got a little lost when I started fiddling :)

If anyone with any thoughts would be kind enough to have a quick scan of the config and point out whether it's OK or whether there are things I should change, I would be very grateful.

Code:
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 7Six2600
!
enable secret 5 <cut>
enable password <cut>
!
clock timezone GMT 0
ntp server 207.46.232.189
!
no aaa new-model
!
no cdp run
no ip http server
no ip finger
no ip source-route
no service tcp-small-servers
no service udp-small-servers
!
ip subnet-zero
ip cef
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
no ip dhcp conflict logging
!
ip dhcp pool 7sixLAN
 network 192.168.76.0 /24
 default-router 192.168.76.3
! import all
 domain-name 7six
 dns-server 4.2.2.1 4.2.2.2
 netbios-node-type h-node
 lease 5
!
ip dhcp excluded-address 192.168.76.1 192.168.76.9
!
interface Ethernet0/0
 bandwidth 10000000
 description WAN Connection (NTL)
 ip address dhcp
 ip nat outside
 ip nbar protocol-discovery
 ip access-group 101 in
 ip accounting access-violations
 ip mtu 1500
 no ip unreachables
 full-duplex
 keepalive 10
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
interface Ethernet0/1
 bandwidth 10000000
 description LAN Connection
 ip address 192.168.76.3 255.255.255.0
 ip nat inside
 ip nbar protocol-discovery
 ip access-group 102 in
 ip access-group 103 out
 ip mtu 1500
 full-duplex
 fair-queue
 hold-queue 32 in
 keepalive 10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
ip nat inside source list 1 interface Ethernet0/0 overload
!
!
no access-list 1
access-list 1 permit 192.168.76.0 0.0.0.255
!
! Incoming traffic filter
no access-list 101
!
! ALLOW LIST
! DHCP !
access-list 101 permit udp any any eq bootps
! Anything that is in progress
access-list 101 permit tcp any any established
! 7Six Network - REMOVE THIS WHEN LIVE !
access-list 101 permit ip any 192.168.1.0 0.0.0.255
access-list 101 permit icmp any 192.168.1.0 0.0.0.255
! Block Private IP ranges
access-list 101 deny ip any 0.0.0.0 0.255.255.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 169.254.0.0 0.255.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
!NetBIOS
access-list 101 deny udp any any range netbios-dgm netbios-ss
!
! Allow everything else in as deep as NAT :o
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 101 permit gre any any
!
!
! NAT Incoming Filter
no access-list 102
! Anything that is destined for a machine on this side of the NAT
access-list 102 permit icmp 192.168.76.0 0.0.0.255 any
access-list 102 permit ip 192.168.76.0 0.0.0.255 any
! DENY ALL OTHER INCOMING
access-list 102 deny ip any any log
!
! LAN Outgoing Traffic Filter
no access-list 103
! Make sure source is from this LAN
access-list 103 permit ip any 192.168.76.0 0.0.0.255
access-list 103 permit icmp any 192.168.76.0 0.0.0.255
access-list 103 permit gre any 192.168.76.0 0.0.0.255
access-list 103 deny ip any any log
!
line con 0
line aux 0
line vty 0 4
 access-class 1 in
 session-timeout 15
 password <cut>
 login
!
logging buffered 4096 4
logging console 4
logging trap 7
logging source-interface Ethernet0/0
logging host 192.168.1.72
no logging console
logging on
!
end

Any feedback would be good feedback, I'm a software developer and not a network admin :)
 
Hi Nimroduk

You could try using CBAC (IOS permitting), which is a form of firewall for routers that punches holes in your access list (direction depends on how it is applied). CBAC monitors outgoing TCP and UDP connections to ensure the return traffic is valid whilst blocking all other external incoming traffic.

See below link for CBAC configuration


Hope this helps

Jim :eek:)
CCNA
 
Yes, definitely CBAC and a firewall, like "ip inspect name..."
I normally use private class b addresses on my lan---192.168 is very common. That's just me. Is this a business you are protecting, or just your home?

Tim
 
Thanks for the feedback so far :)

I'm a little confused as I thought that CBAC and IP Inspect were one and the same?

Also, I was (mis)led into believing that CBAC has been replaced with NBAR? My IOS does not appear to have any ip inspect config options but I do have NBAR; should it be possible to get an IOS with both?

Is it looking like I need to change IOS ?
 
Code:
access-list 103 permit ip any 192.168.76.0 0.0.0.255

Access-list 103 is allowing any source IP address to destination subnet 192.168.76.0/24 and it is configured to filter outgoing traffic on your inside interface. This won't work.

Code:
no access-list 101
access-list 101 permit udp any any eq bootps
access-list 101 permit tcp any any established
access-list 101 permit ip any 192.168.1.0 0.0.0.255
access-list 101 permit icmp any 192.168.1.0 0.0.0.255
access-list 101 deny ip any 0.0.0.0 0.255.255.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 169.254.0.0 0.255.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 deny udp any any range netbios-dgm netbios-ss
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 101 permit gre any any

FYI:
When you configure NAT any traffic going from the outside network to inside network will be first checked against an ACL before the NATing happens, this is the order of NAT operations for this direction, ACL-->NAT-->Routing.

So an inbound ACL will have to allow for a source address on the 'net to the outside interface on the router. Private IP addresses are not routable publicly, and thus there is no need to block them.
DNS uses UDP for lookups, so if your ISP is using a private IP address range for its internal network before you jump onto the happen), you won't be able to use DNS lookups.

UnaBomber
ccnp mcse2k
 
hi UnaBomber, I'm a little bit of a fish out of water with this stuff and so I hope you don't mind me asking:

Why would the access-list 103 not work ? My thoughts were that the ACL would stop any traffic not from my LAN (192.168.76.0/24) from being routed. I was mainly looking to use this as a "last chance saloon" method of stopping any traffic not generated by my subnet from being routed out via my Gateway. I have two subnets, one w/ internet access and one w/o. I am not quite ready to get into VLANs? yet :)

I understand what you're saying about the ACL on the public interface having to allow incoming public traffic through. I realise that at the moment this is happening for two reasons:
1) As the pub iface is dhcp and is plugged into a NAT router, it is picking up a 192.168.1.0/24 address. I have defined a permit statement in the ACL for that subnet and so the data passes.
2) The default rule is to permit any so the traffic will still pass even when the pub iface is picking its IP from the ISP's DHCP pool.

I would like to make the default rule on ACL 101 deny but I cannot find any way to define an ACL statement with a dynamic IP (the pub iface IP) as the destination? I did look into Dynamic ACLs but they are for something else completely.

I see what you're saying about the ISP's DNS and it is the reason I am allowing bootps replies. I generally don't use their DNS as they seem to be down more than they are up but it is a good point that you make.

Having now re-read through the CBAC guide, would you say that my insecurities are being caused because of the way I am trying to work around not having the CBAC feature within my IOS ? I am getting the feeling that CBAC is the answer and not NBAR as I had originally thought.

...I wonder if there is a CBAC, NBAR enabled IOS for the 2611?! Time to call in some favours maybe :)
 
I should rephrase: it will work, but the system will now stop any traffic with a destination address that isn't within 192.168.76.0/24. If you want your traffic to go to a on the net this ACL will stop that...

CBAC is good (I really like the IOS security feature set), but usually firewalls are used as a filter to allow people into your network, within the context we are speaking here. It's a guard. If you want to stop all outside to inside traffic, for a network as small as yours NAT as configured right now will do the job. CBAC will inspect packets that are going into your network, and drop strange ones. But as you don't have any holes into your network, like a NAT statement allowing traffic to a it is to be frank pointless. I use the word pointless loosely; I can see reasons why you would want an IOS firewall.

Your inside network will be configured using a private ip address range, thus you are not routable. Since you are overloading the only IP address that is routable is your public outside interface. For a cracker to gain entry he has the following options:
1) crack/root your router
2) manipulate packets to look like they are replies to inside to outside tcp sessions, YOU initiated.
3) get some malware on your PC, via a session YOU initiate

I could go into more details regarding how difficult number 2) is but I won't. Number 1) is more prevalent, and with your config it seems that you have locked down access to your router to only allow access from inside your network. So disregarding buffer overflows etc. it's safe. Number 3) is probably more likely to happen, but since you are posting here, and are taking the time to lock down your router, I highly doubt you are the type of person who would allow this sort of thing to happen.

And to answer your final question, I am not sure I have only seen High sec IOS on 2800.

Hope that is some help

UnaBomber
ccnp mcse2k
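Added example, not code from the thread or from Cisco: a toy model of the translation state that `ip nat inside source list 1 interface Ethernet0/0 overload` maintains, written to show concretely why the answer above says NAT as configured "will do the job" for unsolicited outside-to-inside traffic. An outbound packet from a host matching access-list 1 creates an entry; an inbound packet is forwarded only if an unexpired entry matches it; everything else to the public address is dropped. The public address 203.0.113.5, the hosts, ports and clock are constructed; the IOS default idle timeouts (300 s UDP, 86400 s TCP) are real, but modelling an entry as matching the full outside address and port, and allocating the lowest free port from 1024 on a clash, are simplifications of the real table.

```python
"""Added example, not code from the Tek-Tips thread: a toy model of the state behind
'ip nat inside source list 1 interface Ethernet0/0 overload'. Public address, hosts,
ports and the clock are constructed; the timeouts are the IOS defaults."""
import ipaddress

INSIDE_NET, INSIDE_WILD = "192.168.76.0", "0.0.0.255"  # access-list 1 from the config
INSIDE_GLOBAL = "203.0.113.5"                          # assumed DHCP lease on E0/0 (TEST-NET-3)
TIMEOUT = {"udp": 300, "tcp": 86400}                   # IOS default translation timeouts, seconds


def matches_list_1(addr):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    net, wild = (int(ipaddress.ip_address(x)) for x in (INSIDE_NET, INSIDE_WILD))
    return (int(ipaddress.ip_address(addr)) | wild) == (net | wild)


class PatTable:
    """Each entry is an extended translation: inside local address/port (il/ilp), the inside
    global port it was given (igp), the outside host/port it was created for (og/ogp), expiry."""

    def __init__(self):
        self.entries = []

    def _expire(self, now):
        self.entries = [e for e in self.entries if e["expires"] > now]

    def _find(self, now, **want):
        self._expire(now)
        for e in self.entries:
            if all(e[k] == v for k, v in want.items()):
                return e
        return None

    def outbound(self, now, proto, src, sport, dst, dport):
        """Inside -> outside. Returns the (address, port) the packet leaves E0/0 with."""
        if not matches_list_1(src):
            return src, sport  # not in list 1: forwarded untranslated (ACL 102 would drop it first)
        e = self._find(now, proto=proto, il=src, ilp=sport, og=dst, ogp=dport)
        if e is None:
            used = {x["igp"] for x in self.entries if x["proto"] == proto}
            # keep the source port if free, else the lowest free port from 1024 (simplification)
            igp = sport if sport not in used else next(p for p in range(1024, 65536) if p not in used)
            e = {"proto": proto, "il": src, "ilp": sport, "igp": igp, "og": dst, "ogp": dport}
            self.entries.append(e)
        e["expires"] = now + TIMEOUT[proto]  # traffic in either direction refreshes the timer
        return INSIDE_GLOBAL, e["igp"]

    def inbound(self, now, proto, src, sport, dst, dport):
        """Outside -> inside. Returns the inside (address, port), or None: no translation, dropped."""
        if dst != INSIDE_GLOBAL:
            return None
        e = self._find(now, proto=proto, igp=dport, og=src, ogp=sport)
        if e is None:
            return None
        e["expires"] = now + TIMEOUT[proto]
        return e["il"], e["ilp"]


def demo():
    """Constructed sequence: a LAN DNS query, its reply, then packets the table has no entry for."""
    nat = PatTable()
    return {
        "query leaves as": nat.outbound(0, "udp", "192.168.76.10", 51515, "4.2.2.1", 53),
        "reply": nat.inbound(1, "udp", "4.2.2.1", 53, INSIDE_GLOBAL, 51515),
        "unsolicited tcp": nat.inbound(1, "tcp", "198.51.100.9", 40000, INSIDE_GLOBAL, 80),
        "other host, same port": nat.inbound(1, "udp", "198.51.100.9", 53, INSIDE_GLOBAL, 51515),
        "second host, port clash": nat.outbound(2, "udp", "192.168.76.11", 51515, "4.2.2.2", 53),
        "late reply": nat.inbound(400, "udp", "4.2.2.1", 53, INSIDE_GLOBAL, 51515),
    }


if __name__ == "__main__":
    for what, result in demo().items():
        print(f"{what}: {result if result else 'dropped (no translation)'}")
```

The two outcomes worth noticing are the unsolicited TCP packet and the "late reply": both reach the router with the public address as destination and both are dropped, the first because nothing inside ever created an entry for it, the second because the UDP entry idled out after 300 seconds. That is the whole of the protection the original config relies on, which is why the answer above puts the realistic risks in the router itself and in sessions the inside host initiates rather than in outside-to-inside traffic.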
 
Thanks for taking the time, that's definitely cleared up the questions I had :)

I've really got what I was looking for, and that was some assurance from people who know that I haven't left any blatantly obvious holes through and that I am doing pretty much all I can to secure things with the feature set I have.

I'm almost tempted to plug directly into the internet now, maybe :)
 