Problems with IDS and opening ports


MrOyvind (Technical User), Aug 10, 2007
Hi

I'm running an SFTP (FTP via SSH) server mapped to port 11111, Remote Desktop on port 3389 to a host inside VLAN 10, and SSH to the router on port 22.
Everything works fine before IDS and the access lists below are enabled, so all ports in the NAT statements should be OK. Access to these services is needed via the public IP.
Router: 1812W.

Config outside Interface F0 is:

interface FastEthernet0
ip address dhcp
ip access-group from_outside in
ip nat outside
ip inspect outgoing out
ip virtual-reassembly
duplex auto
speed auto
no routing dynamic

Config interface vlan 10 (SFTP and Remote desktop service here):

interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group from_inside out
ip nat inside
ip virtual-reassembly

Extended IP access list from_inside

20 permit tcp any any established
30 permit udp any any
40 permit icmp any any
60 deny ip any any


Extended IP access list from_outside

10 permit icmp any any
20 permit udp host 81.167.196.1 eq bootps any log
30 permit udp host 81.167.36.3 eq domain any
40 permit udp host 81.167.36.11 eq domain any
110 deny ip any any

IDS config:

ip inspect name outgoing tcp
ip inspect name outgoing udp
ip inspect name outgoing ssh
ip inspect name outgoing icmp



Thank you.



 
FIRST OFF---this is CBAC, NOT IDS---BIG difference...

You have no lines in outside_in for anything you need...

ip access-list extended outside_in
41 permit tcp any host x.x.x.x eq 3389
42 permit tcp any host x.x.x.x eq 11111
43 permit tcp any any eq 22---this is assuming you don't know the ip address of your outside interface.

Also, do you have static nat statements?

ip nat inside source static tcp x.x.x.x 3389 int fa0 3389---this is for RDP.

For ssh---do you have
1.a hostname for the router?
2.rsa sigs?
3.trans in ssh on at least one vty line?

You need all three to enable ssh on the router.

Another thing---out of curiosity, why on EARTH would you want to open RDP across the internet, yet use ssh rather than telnet and sftp rather than plain ole' ftp? Not a very secure protocol there. And I do know that the latest RDP is supposedly safer, but STILL...

If your router is capable of ssh (RSA signature), then you can do a VPN server and remotely access the router and LAN that way---DEFINITELY the most secure!

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Hi

NAT here :

ip nat source static tcp 192.168.10.10 3389 interface FastEthernet0 3389
ip nat source static tcp 192.168.10.10 60010 interface FastEthernet0 60010
ip nat source static tcp 192.168.10.10 443 interface FastEthernet0 443
ip nat source static tcp 192.168.10.10 11111 interface FastEthernet0 11111



Everything works before adding the two access lists and the ip inspect parameters in the first post (RDP and SFTP work with the public IP!)


ip access-list extended outside_in
41 permit tcp any host 192.168.10.10 eq 3389 Not working
42 permit tcp any host 192.168.10.10 eq 11111 Not working
43 permit tcp any any eq 22---this is assuming you don't know the ip address of your outside interface Worked after adding my public IP in the access-list

Don't know how to use RDP over SSH, any tips?

Thank you

Oyvind







 
NAT statements are wrong---it is not

ip nat source static...

it is

ip nat INSIDE source static (but "inside" is not in CAPS...)

Change all of your static NAT statements and it should work.

Also, for remote access, like I said---remote access VPN. Your router should be able to do it if it can do ssh.

 
ip nat INSIDE source static

Already tested and it didn't work!


Oyvind
 
Time to post the entire config...

 
Hi

The external IP address assigned to F0 is always the same (about 3 years). I think it's bound to the MAC address of the ISP's switch/router. So it's maybe wrong to use this statement in the NAT config:
ip nat pool ISP 81.167.x.x 81.167.x.x netmask 255.255.255.0
The two 81.167.x.x addresses are the same, acquired by DHCP.
Since the address is assigned by DHCP, maybe it isn't right to do it like this?


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Box
!
boot-start-marker
boot system flash c181x-advipservicesk9-mz.124-24.T3.bin
warm-reboot
boot-end-marker
!
logging message-counter syslog
logging userinfo
logging buffered 51200 warnings
no logging console
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login default line group SSH
aaa authentication login ssh enable
!
!
aaa session-id common
clock timezone GMT+01. 1
clock summer-time GMT+01.00 recurring
clock calendar-valid
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
!
no ip source-route
no ip gratuitous-arps
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.100.1
ip dhcp excluded-address 192.168.100.2
ip dhcp excluded-address 192.168.100.4
ip dhcp excluded-address 192.168.10.2
ip dhcp excluded-address 192.168.10.10
!
ip dhcp pool POOL_10
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
ip dhcp pool POOL_20
import all
utilization mark low 20 log
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
!
ip dhcp pool POOL_100
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name noname.com
!
ip inspect audit-trail
ip inspect max-incomplete low 150
ip inspect max-incomplete high 250
ip inspect one-minute low 150
ip inspect udp idle-time 60
ip inspect tcp idle-time 1800
ip inspect tcp synwait-time 15
ip inspect tcp block-non-session
ip inspect name INSP-BOX udp
ip inspect name INSP-BOX tcp
ip inspect name INSP-BOX icmp
ip inspect name INSP-BOX bootpc
ip inspect name INSP-BOX dns
ip inspect name INSP-BOX ssh
ip inspect name INSP-BOX http
ip inspect name INSP-BOX https
!
login block-for 180 attempts 2 within 20
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
vtp version 2
username xxxxxxx privilege 15 password 7 xxxxxxx
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
quit
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh source-interface FastEthernet0
ip ssh logging events
ip ssh version 2
!
!
interface FastEthernet0
ip address dhcp
ip access-group from_outside in
ip nat outside
ip inspect INSP-BOX out
ip virtual-reassembly
duplex auto
speed auto
no routing dynamic
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group from_inside in
ip nat inside
ip virtual-reassembly
!
ip default-gateway 192.168.10.1
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http secure-server
!
ip dns primary ns1isp.mro.lyse.net soa 81.167.36.3 sdsd@sd.dsd 21600 900 7776000 86400
ip nat translation tcp-timeout 512
ip nat translation udp-timeout 512
ip nat translation max-entries 2500
ip nat pool ISP 81.167.x.x 81.167.x.x netmask 255.255.255.0
ip nat source list 10 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.10.10 11111 interface FastEthernet0 11111
ip nat inside source static tcp 192.168.10.10 3389 interface FastEthernet0 3389
ip nat inside source static tcp 192.168.10.10 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.10.10 60010 interface FastEthernet0 60010
ip nat inside source list 10 pool ISP overload
!
ip access-list extended from_inside
permit icmp any any
permit udp any any
permit tcp any any
deny ip any any log
ip access-list extended from_outside
permit icmp any any
permit udp host 81.167.196.1 eq bootps any log
permit udp host 81.167.36.3 eq domain any
permit udp host 81.167.36.11 eq domain any
permit tcp any host 81.167.x.x eq 22 log
permit tcp any host 192.168.10.10 eq 11111 log
permit tcp any host 192.168.10.10 eq 3389 log
permit tcp any eq 3389 11111 22 any log
deny ip any any log
!
logging trap debugging
logging source-interface Vlan10
access-list 10 permit 192.168.0.0 0.0.255.255
!
!
!
!
!
!
control-plane
!
banner login ^COh shit, not you again !^C
!
line con 0
exec-timeout 0 0
password 7 xxx
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 xxx
login authentication ssh
transport input ssh
line vty 5 193
password 7 xxx
transport input ssh
!
ntp logging
ntp source Vlan10
ntp master
ntp server 129.240.12.4 prefer
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

Thx

Oyvind




 
And here is the log after testing. Blocked!



006690: Apr 22 00:04:43.982 GMT+01.: %SEC-6-IPACCESSLOGP: list from_outside denied tcp 77.17.180.127(60283) -> 81.167.x.x(3389), 1 packet

006691: Apr 22 00:05:58.696 GMT+01.: %SEC-6-IPACCESSLOGP: list from_outside denied tcp 77.17.180.127(60285) -> 81.167.x.x(11111), 1 packet

Oyvind

 
Make this three statements---the router won't accept this. This is blocking you...

 
permit tcp any eq 3389 11111 22 any log

I copied and pasted---why it didn't post I don't know...

this needs to be 3 separate acl's

 
Now it's all OK

New IPS rule inbound F0, inspecting TCP
permit tcp any host 81.167.x.x eq 3389
permit tcp any host 81.167.x.x eq 11111


Thanks

Oyvind
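As an added illustration (not code from the thread): an inbound ACL on the NAT-outside interface is evaluated before translation, so the packet it sees carries the public destination address, never 192.168.10.10. The small evaluator below replays constructed log lines in the thread's %SEC-6-IPACCESSLOGP format against the entries as first posted and against the corrected ones; PUBLIC_IP is an assumed placeholder for the masked 81.167.x.x address.

```python
import re

# Constructed sample in the thread's %SEC-6-IPACCESSLOGP format; PUBLIC_IP is an
# assumed placeholder for the address the thread masks as 81.167.x.x.
PUBLIC_IP = "81.167.0.2"
LOG_LINES = [
    f"006690: Apr 22 00:04:43.982 GMT+01.: %SEC-6-IPACCESSLOGP: list from_outside "
    f"denied tcp 77.17.180.127(60283) -> {PUBLIC_IP}(3389), 1 packet",
    f"006691: Apr 22 00:05:58.696 GMT+01.: %SEC-6-IPACCESSLOGP: list from_outside "
    f"denied tcp 77.17.180.127(60285) -> {PUBLIC_IP}(11111), 1 packet",
]
LOG_RE = re.compile(r"list \S+ (?:permitted|denied) (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")

def parse_log(line):  # flow 5-tuple logged by the ACL: (proto, src, sport, dst, dport)
    proto, src, sport, dst, dport = LOG_RE.search(line).groups()
    return (proto, src, int(sport), dst, int(dport))

def parse_ace(text):
    # 'permit|deny proto any|host A [eq P] any|host B [eq P] [log]'; None means "any"
    toks = text.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    def take_addr():
        nonlocal rest
        addr = None if rest[0] == "any" else rest[1]
        rest = rest[1:] if addr is None else rest[2:]
        return addr
    def take_port():
        nonlocal rest
        if rest and rest[0] == "eq":
            port, rest = int(rest[1]), rest[2:]
            return port
        return None
    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return (action, proto, src, sport, dst, dport)

def evaluate(acl, pkt):
    proto, *flow = pkt
    for action, aproto, *spec in acl:  # first matching entry wins
        if aproto in ("ip", proto) and all(w is None or w == h for w, h in zip(spec, flow)):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

# The entries as posted name the inside host, but an inbound ACL on the NAT-outside
# interface is checked before translation and so sees the public destination address.
POSTED = [parse_ace("permit tcp any host 192.168.10.10 eq 11111 log"),
          parse_ace("permit tcp any host 192.168.10.10 eq 3389 log")]
FIXED = [parse_ace(f"permit tcp any host {PUBLIC_IP} eq 3389"),
         parse_ace(f"permit tcp any host {PUBLIC_IP} eq 11111")]
def verdicts(acl):
    return [evaluate(acl, parse_log(line)) for line in LOG_LINES]
```

verdicts(POSTED) yields a deny for both logged flows, exactly what the router logged, while verdicts(FIXED) permits both.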
 
Star? Please? Pretty please???

 
Well, you forgot the IPS inbound rule. I had to find it out by myself.
Sure, you can get a star for trying to help.
Where's that star?
 
Well, you forgot the inbound inspection rule. I had to find it out by myself.
Sure, you can get a star for trying to help.
Where's that star?
 
I told you!

permit tcp any eq 3389 11111 22 any log

I copied and pasted---why it didn't post I don't know...

this needs to be 3 separate acl's

But whatever...I can live without the star.

I'll try not to help next time...:)

 