Combining the above


Introduction to this web page

This web page is an exercise in satisfying paranoia. The idea is to combine the configurations from the previous web pages and see whether a single router can be made to do all four of the following at once :-

  • ip address blocking

  • port blocking

  • network address translation

  • stateful packet filtering (using reflexive access lists)


The physical layout

Ethernet 0 (12x.34.0.35) faces the outside world, and ethernet 1 (192.168.1.1) faces the secure subnet, 192.168.1.0 255.255.255.0. Each interface carries one access list in each direction.

Access list "e0-out" is applied to packets leaving the outside interface. Its only job is to build the reflexive access lists, one each for TCP, UDP and ICMP, so that replies to sessions opened from the secure subnet can be let back in.

Access list "e0-in" is applied to packets arriving on the outside interface. It first drops packets whose source address should never appear on the open internet, then compares what is left against the reflexive access-list entries.

Access list "e1-in" is applied to packets arriving from the secure subnet. It does port blocking and, because every entry names the secure subnet as the source, it also blocks packets with spoofed source addresses.

Access list "e1-out" does port blocking on packets heading into the secure subnet from the outside world.

The router is configured to do dynamic network address translation for all source addresses on the secure subnet, onto a pool of 253 inside global addresses (12x.34.1.2 to 12x.34.1.254) on the 12x.34.1.0 255.255.255.0 subnet. The order in which IOS applies these matters. For traffic leaving the secure subnet it is e1-in, then NAT, then e0-out, so the reflexive entries are recorded with the translated (inside global) addresses. For traffic coming in it is e0-in, then NAT, then e1-out, so e0-in sees the inside global addresses and e1-out sees the real 192.168.1.0 addresses. The lists below are written with that order in mind.

There is therefore a fifth access list, a standard access list, which is associated with the NAT pool and defines which source addresses are translated.


Configuring the router

router>                         enable
router#                         config t
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list extended e0-out
!
router(config)#             ! Set up the new version of the access list
!
router(config)#                 ip access-list extended e0-out
!
!
router(config-ext-nacl)#    remark **This list is for packets originating on the secure
router(config-ext-nacl)#    remark   subnet, heading for the outside world.**
!
router(config-ext-nacl)#    remark **This list is used to set up the reflexive 
router(config-ext-nacl)#    remark   access lists.**
!
router(config-ext-nacl)#        permit tcp any any reflect reflex-tcp timeout 120
router(config-ext-nacl)#        permit udp any any reflect reflex-udp timeout 120
router(config-ext-nacl)#        permit icmp any any reflect reflex-icmp timeout 120
!
!
router(config-ext-nacl)#        exit
!
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list extended e0-in
!
router(config)#             ! Set up the new version of the access list
!
router(config)#                 ip access-list extended e0-in
!
!
router(config-ext-nacl)#    remark **This list is for packets originating in the 
router(config-ext-nacl)#    remark   outside world, and are heading for the secure
router(config-ext-nacl)#    remark   subnet.**
!
router(config-ext-nacl)#    remark **This list is used to block packets with source 
router(config-ext-nacl)#    remark   addresses that should not exist on the open 
router(config-ext-nacl)#    remark   internet.**
!
!
router(config-ext-nacl)#    remark **This is the loopback address**
!
router(config-ext-nacl)#        deny ip 127.0.0.0 0.255.255.255 any
!
!
router(config-ext-nacl)#    remark **This is sometimes used to mean "this" host**
!
router(config-ext-nacl)#        deny ip 0.0.0.0 0.0.0.0 any
!
!
router(config-ext-nacl)#    remark **Private (RFC 1918) and test-net ranges, the reserved
router(config-ext-nacl)#    remark   240.0.0.0/4 block, and multicast. None of these is
router(config-ext-nacl)#    remark   ever a valid source address arriving from outside.
router(config-ext-nacl)#    remark   192.168.0.0/16 also covers the secure subnet itself,
router(config-ext-nacl)#    remark   so outside packets claiming to come from inside are
router(config-ext-nacl)#    remark   dropped here too.**
!
router(config-ext-nacl)#        deny ip 10.0.0.0 0.255.255.255 any
router(config-ext-nacl)#        deny ip 172.16.0.0 0.15.255.255 any
router(config-ext-nacl)#        deny ip 192.0.2.0 0.0.0.255 any
router(config-ext-nacl)#        deny ip 192.168.0.0 0.0.255.255 any
router(config-ext-nacl)#        deny ip 240.0.0.0 15.255.255.255 any
router(config-ext-nacl)#        deny ip 224.0.0.0 15.255.255.255 any
!
!
router(config-ext-nacl)#    remark **This is the network address of the network backbone,
router(config-ext-nacl)#    remark   and there are no hosts on this backbone, only routers**
!
router(config-ext-nacl)#        deny  tcp 12x.34.0.0 0.0.0.255 any
router(config-ext-nacl)#        deny  udp 12x.34.0.0 0.0.0.255 any
!
!
router(config-ext-nacl)#    remark **These entries do the comparisons with the
router(config-ext-nacl)#    remark   reflexive access lists, and so only allow
router(config-ext-nacl)#    remark   packets that are part of connections already
router(config-ext-nacl)#    remark   set up.**
!
router(config-ext-nacl)#        evaluate reflex-tcp
router(config-ext-nacl)#        evaluate reflex-udp
router(config-ext-nacl)#        evaluate reflex-icmp
!
!
router(config-ext-nacl)#        exit
!
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list extended e1-in
!
router(config)#             ! Set up the new version of the access list
!
router(config)#                 ip access-list extended e1-in
!
!
router(config-ext-nacl)#    remark **This list permits outgoing packets with 
router(config-ext-nacl)#    remark   specific port numbers, which are coming
router(config-ext-nacl)#    remark   from the secure subnet, heading for the 
router(config-ext-nacl)#    remark   outside world.**
!
!
router(config-ext-nacl)#    remark **Because the source address is specified for  
router(config-ext-nacl)#    remark   every entry, packets with spoofed ip addresses
router(config-ext-nacl)#    remark   outside the secure subnet address range will
router(config-ext-nacl)#    remark   be blocked.**
!
!
router(config-ext-nacl)#    remark **Telnet**
!
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 any eq 23
!
router(config-ext-nacl)#    remark **DNS (UDP for ordinary queries, TCP for large answers)**
!
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 any eq 53
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 any eq 53
!
router(config-ext-nacl)#    remark **HTTP**
!
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 any eq 80
!
router(config-ext-nacl)#    remark **IMAP**
!
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 any eq 143
!
router(config-ext-nacl)#    remark **HTTPS**
!
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 any eq 443
!
router(config-ext-nacl)#    remark **HP printers**
!
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 any eq 69
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 any eq 161
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 any eq 162
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 any range 9100 9102
!
router(config-ext-nacl)#    remark **HP web admin**
!
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 any eq 8000
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 any eq 8000
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 any eq 8443
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 any eq 8443
!
!
router(config-ext-nacl)#    remark **These two sections allow NetBIOS only to
router(config-ext-nacl)#    remark   the two servers "Humpty" and "Dumpty" 
router(config-ext-nacl)#    remark   from any pc on the 192.168.1.0 subnet**
!
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 host 12x.34.50.80 eq 137
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 host 12x.34.50.80 eq 137
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 host 12x.34.50.80 eq 138
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 host 12x.34.50.80 eq 138
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 host 12x.34.50.80 eq 139
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 host 12x.34.50.80 eq 139
!
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 host 12x.34.50.85 eq 137
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 host 12x.34.50.85 eq 137
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 host 12x.34.50.85 eq 138
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 host 12x.34.50.85 eq 138
router(config-ext-nacl)#        permit udp 192.168.1.0 0.0.0.255 host 12x.34.50.85 eq 139
router(config-ext-nacl)#        permit tcp 192.168.1.0 0.0.0.255 host 12x.34.50.85 eq 139
!
router(config-ext-nacl)#    remark **This section permits certain types of ICMP packets**
!
router(config-ext-nacl)#    remark **Allow Echo request packets**
!
router(config-ext-nacl)#        permit icmp 192.168.1.0 0.0.0.255 any echo
!
!
router(config-ext-nacl)#        exit
!
!
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list extended e1-out
!
router(config)#             ! Set up the new version of the access list
!
router(config)#                 ip access-list extended e1-out
!
!
router(config-ext-nacl)#    remark **This list does port blocking on the packets
router(config-ext-nacl)#    remark   coming from the outside world into the secure
router(config-ext-nacl)#    remark   subnet. It matches on the source port of the
router(config-ext-nacl)#    remark   reply, so on its own it would admit anything
router(config-ext-nacl)#    remark   sent from one of these ports; the reflexive
router(config-ext-nacl)#    remark   check in e0-in is what stops that.**
!
!
router(config-ext-nacl)#    remark **Telnet**
!
router(config-ext-nacl)#        permit tcp any eq 23 192.168.1.0 0.0.0.255
!
router(config-ext-nacl)#    remark **DNS (UDP for ordinary queries, TCP for large answers)**
!
router(config-ext-nacl)#        permit udp any eq 53 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit tcp any eq 53 192.168.1.0 0.0.0.255
!
router(config-ext-nacl)#    remark **HTTP**
!
router(config-ext-nacl)#        permit tcp any eq 80 192.168.1.0 0.0.0.255
!
router(config-ext-nacl)#    remark **IMAP**
!
router(config-ext-nacl)#        permit tcp any eq 143 192.168.1.0 0.0.0.255
!
router(config-ext-nacl)#    remark **HTTPS**
!
router(config-ext-nacl)#        permit tcp any eq 443 192.168.1.0 0.0.0.255
!
router(config-ext-nacl)#    remark **HP printers**
!
router(config-ext-nacl)#        permit udp any eq 69 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 161 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 162 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit tcp any range 9100 9102 192.168.1.0 0.0.0.255
!
router(config-ext-nacl)#    remark **HP web admin**
!
router(config-ext-nacl)#        permit tcp any eq 8000 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 8000 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit tcp any eq 8443 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 8443 192.168.1.0 0.0.0.255
!
router(config-ext-nacl)#    remark **These two sections allow NetBIOS only from
router(config-ext-nacl)#    remark   the two servers "Humpty" and "Dumpty" 
router(config-ext-nacl)#    remark   to any pc on the 192.168.1.0 subnet**
!
router(config-ext-nacl)#        permit udp host 12x.34.50.80 eq 137 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.80 eq 137 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.80 eq 138 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.80 eq 138 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.80 eq 139 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.80 eq 139 192.168.1.0 0.0.0.255
!
router(config-ext-nacl)#        permit udp host 12x.34.50.85 eq 137 192.168.1.0 0.0.0.255 
router(config-ext-nacl)#        permit tcp host 12x.34.50.85 eq 137 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.85 eq 138 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.85 eq 138 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.85 eq 139 192.168.1.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.85 eq 139 192.168.1.0 0.0.0.255
!
!
router(config-ext-nacl)#    remark **This section permits certain types of ICMP packets**
!
router(config-ext-nacl)#    remark **Allow Echo Reply packets**
!
router(config-ext-nacl)#        permit icmp any 192.168.1.0 0.0.0.255 echo-reply
!
!
router(config-ext-nacl)#        exit
!
!
router(config)#             ! Now we need to set up the network address translation
!
!
router(config)#             ! Set up a standard named access list which defines the
router(config)#             ! range of source addresses on the secure subnet that are
router(config)#             ! to be translated by NAT.
!
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list standard nat-list
!
router(config)#             ! Set up the new version of the access list
!
router(config)#                 ip access-list standard nat-list
!
!
router(config-std-nacl)#        permit 192.168.1.0 0.0.0.255
!
router(config-std-nacl)#        exit
!
!
router(config)#             ! Define a pool of global ip addresses which will be used
router(config)#             ! as the inside global addresses ( ie - the source address
router(config)#             ! in each outgoing packet is changed to one of the ip
router(config)#             ! addresses in the pool, 12x.34.1.2 up to 12x.34.1.254 ).
router(config)#             ! The netmask keyword is required.
!
router(config)#                 ip nat pool nat-pool 12x.34.1.2 12x.34.1.254 netmask 255.255.255.0
!
!
router(config)#             ! Now issue the dynamic NAT command, naming the access
router(config)#             ! list of addresses to translate and the pool to use.
!
router(config)#                 ip nat inside source list nat-list pool nat-pool
!
!
!
router(config)#             ! Configure the two interfaces, associate the access lists
router(config)#             ! with them, and define whether each one is the inside or 
router(config)#             ! outside interface.
!
router(config)#                 interface ethernet 0
!
router(config-if)#              ip address 12x.34.0.35 255.255.255.0
router(config-if)#              ip access-group e0-in in
router(config-if)#              ip access-group e0-out out
router(config-if)#              ip nat outside
router(config-if)#              no shutdown
!
router(config-if)#              exit
!
!
router(config)#                 interface ethernet 1
!
router(config-if)#              ip address 192.168.1.1 255.255.255.0
router(config-if)#              ip access-group e1-in in
router(config-if)#              ip access-group e1-out out
router(config-if)#              ip nat inside
router(config-if)#              no shutdown
!
router(config-if)#              exit
!
router(config)#                 exit
router#                         disable
router>
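To see how the four lists and NAT interact in the order IOS applies them, here is a small packet-by-packet model of the router configured above. It is an added example written for this page, not the original configuration and not IOS code, and it deliberately keeps only a handful of the entries from each list. The addresses in it are assumptions: 198.51.100.0/24 stands in for the 12x.34.1.0 pool and 203.0.113.0/24 for outside hosts, because the page masks its real first octet. Timeouts on the reflexive and NAT entries are not modelled.

```python
"""Toy model of the router above: e1-in, NAT, e0-out (reflect) on the way out;
e0-in (evaluate), NAT, e1-out on the way in.  Added example, not IOS code.
Assumed addresses: 198.51.100.0/24 plays the inside global pool and 203.0.113.0/24
the outside world; the page's real 12x.34.x.x first octet is masked."""
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")                     # the secure subnet
POOL = [f"198.51.100.{h}" for h in range(2, 255)]         # 253 inside global addresses
# Source ranges e0-in rejects outright (the deny entries at the top of e0-in)
BOGONS = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                                  "192.0.2.0/24", "192.168.0.0/16",
                                  "240.0.0.0/4", "224.0.0.0/4")]
# A subset of the services e1-in lets out and e1-out lets back in
PORTS = {("tcp", 23), ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443)}


def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


class Router:
    def __init__(self):
        self.nat = {}          # inside local -> inside global, filled on first use
        self.reflex = set()    # mirror-image entries written by the reflect keyword

    # e1-in: the source must be on the secure subnet (this is the anti-spoof
    # check) and the destination port must be one of the permitted services.
    def e1_in(self, p):
        return ip_address(p["src"]) in INSIDE and (p["proto"], p["dport"]) in PORTS

    # Dynamic NAT: hand each inside local address the next free pool address.
    def nat_out(self, p):
        if p["src"] not in self.nat:
            self.nat[p["src"]] = POOL[len(self.nat)]
        return {**p, "src": self.nat[p["src"]]}

    # e0-out permits everything but records the reversed 5-tuple.  It runs
    # after NAT, so the entry carries the inside global address.
    def e0_out(self, p):
        self.reflex.add((p["proto"], p["dst"], p["dport"], p["src"], p["sport"]))

    # e0-in: drop bogon sources, then the evaluate lines admit only packets
    # that are the mirror image of something already sent out.
    def e0_in(self, p):
        if any(ip_address(p["src"]) in net for net in BOGONS):
            return False
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"]) in self.reflex

    # NAT outside-to-inside runs before e1-out, so e1-out sees 192.168.1.x.
    def nat_in(self, p):
        for local, glob in self.nat.items():
            if glob == p["dst"]:
                return {**p, "dst": local}
        return None

    # e1-out: pure port blocking, keyed on the *source* port of the reply.
    # On its own this would admit any outside packet sent from port 23 or 80.
    def e1_out(self, p):
        return (p["proto"], p["sport"]) in PORTS and ip_address(p["dst"]) in INSIDE

    def outbound(self, p):
        if not self.e1_in(p):
            return "dropped by e1-in"
        p = self.nat_out(p)
        self.e0_out(p)
        return f"sent as {p['src']}:{p['sport']}"

    def inbound(self, p):
        if not self.e0_in(p):
            return "dropped by e0-in"
        p = self.nat_in(p)
        if p is None:
            return "no NAT entry"
        if not self.e1_out(p):
            return "dropped by e1-out"
        return f"delivered to {p['dst']}:{p['dport']}"


def demo():
    """Push a few constructed packets through and collect the verdicts."""
    r = Router()
    web = pkt("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    v = {"syn": r.outbound(web)}
    v["reply"] = r.inbound(pkt("tcp", "203.0.113.5", 80, "198.51.100.2", 40000))
    # Outside host probing port 445 from source port 23: e1-out alone would pass it
    probe = pkt("tcp", "203.0.113.9", 23, "198.51.100.2", 445)
    v["probe"] = r.inbound(probe)
    v["probe_port_list_only"] = r.e1_out({**probe, "dst": "192.168.1.10"})
    v["spoofed_out"] = r.outbound(pkt("tcp", "10.1.1.1", 40000, "203.0.113.5", 80))
    v["bogon_in"] = r.inbound(pkt("tcp", "10.0.0.1", 80, "198.51.100.2", 40000))
    v["smtp_out"] = r.outbound(pkt("tcp", "192.168.1.10", 40001, "203.0.113.5", 25))
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The verdict list shows the point of combining the lists. The probe sent from source port 23 passes e1-out's port check on its own but never gets that far, because e0-in finds no reflexive entry for it, while the genuine reply is admitted because e0-out recorded the session under the translated address that the reply is addressed to. The spoofed and bogon packets are stopped at the first list they meet in each direction.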


A final comment

That is it in theory; whether it works in practice is another matter.

( The same thing does work in Linux, using iptables. )

Two things to check before relying on it. The upstream routers must route the 12x.34.1.0 255.255.255.0 pool to this router's outside address, otherwise replies never arrive to be matched against the reflexive lists. And the ICMP entries admit only echo and echo-reply, so ICMP error messages such as "fragmentation needed" are dropped by e1-out, which will break path MTU discovery for hosts on the secure subnet.

And of course, this configuration doesn't do anything to protect the router itself, and doesn't allow a routing protocol into the router.



© 2005 Ron Turner
