How to control locally originated traffic from your Cisco router?
If you didn't know by now, an outbound ACL on an interface does not filter traffic originated by the router itself. Look at this exhibit:
router3825#sh run int gi 0/0
Building configuration...

Current configuration : 302 bytes
!
interface GigabitEthernet0/0
 ip address 1.1.1.253 255.255.255.0
 ip nbar protocol-discovery
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 analysis-module monitoring
 ipv6 address 2001:470:C021:1::1/64
 ipv6 enable
 ipv6 nd prefix default 360 120
 ipv6 nd ra lifetime 340
end
The ACL is applied and evaluated only for traffic that transits the router's interfaces. Now let's add an ACL restricting pings from 1.1.1.253 (gi 0/0):
router3825#config t
Enter configuration commands, one per line.  End with CNTL/Z.
router3825(config)#ip access-list ext noicmp
router3825(config-ext-nacl)#deny icmp host 1.1.1.253 any
router3825(config-ext-nacl)#permit ip any any
router3825(config-ext-nacl)#int gi 0/0
router3825(config-if)#ip acces
router3825(config-if)#ip access-group noicmp out
router3825(config-if)#
router3825(config-if)#end
And here we will try pinging a DHCP host that is locally connected to the router:
router3825#show ip dhcp bin
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
1.1.1.1             0100.1f5b.ea0a.fa       Jun 04 2013 01:53 AM    Automatic

router3825#ping 1.1.1.1 source 1.1.1.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.253
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
router3825#
And let's double-check that the ACL has been applied:
router3825#show ip int gi 0/0 | incl acc
  Outgoing access list is noicmp <--------
  Inbound access list is not set
  IP output packet accounting is disabled
  IP access violation accounting is disabled

router3825#sh access-list noicmp
Extended IP access list noicmp
    10 deny icmp host 1.1.1.253 any
    20 permit ip any any
router3825#
Okay, so how can we filter outbound traffic that originates from the router?
1st, the ACL:

ip access-list extended controlme
 permit icmp host 1.1.1.253 any echo
 deny ip any any

Note that the ACL permits the traffic we intend to drop: inside a route-map, a permit entry selects the packets the set clause is applied to, while denied packets simply fall through to the next sequence.
2nd, the route-map:

!
route-map mylocal permit 50
 match ip address controlme
 set interface Null0
!
route-map mylocal permit 100
!

Sequence 50 sends everything matched by controlme to Null0; sequence 100, with no match or set clause, lets all other locally originated traffic be routed normally (and keeps a counter for it).
And now the configuration for our local policy:

config t
ip local policy route-map mylocal
end
And to verify:

router3825#show ip local policy
Local policy routing is enabled, using route map mylocal
route-map mylocal, permit, sequence 50
  Match clauses:
    ip address (access-lists): controlme
  Set clauses:
    interface Null0
  Policy routing matches: 5 packets, 500 bytes
route-map mylocal, permit, sequence 100
  Match clauses:
  Set clauses:
  Policy routing matches: 418 packets, 81963 bytes
router3825#
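As an added check (example Python code written for this page, not from the original post or from Cisco), the parser below reads `show ip local policy` output in the layout shown above into per-sequence records and reports the conditions a practitioner would want to catch: no sequence pointing at Null0 (nothing is being dropped), a Null0 sequence without a match clause (which would black-hole every locally originated packet), or a drop sequence whose counter never moves (the ACL is not selecting what you think). The sample text is constructed to mirror the output above; the function and variable names are my own and not IOS terms.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `show ip local policy` output, laid out like the
# router3825 output on this page (values are illustrative, not captured).
SAMPLE_SHOW_LOCAL_POLICY = """\
Local policy routing is enabled, using route map mylocal
route-map mylocal, permit, sequence 50
  Match clauses:
    ip address (access-lists): controlme
  Set clauses:
    interface Null0
  Policy routing matches: 5 packets, 500 bytes
route-map mylocal, permit, sequence 100
  Match clauses:
  Set clauses:
  Policy routing matches: 418 packets, 81963 bytes
"""

ENABLED_RE = re.compile(r"^Local policy routing is enabled, using route map (\S+)")
SEQ_RE = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)")
MATCH_RE = re.compile(r"^Policy routing matches: (\d+) packets, (\d+) bytes")
ACL_RE = re.compile(r"^ip address \(access-lists\): (.+)$")
SET_IF_RE = re.compile(r"^interface (\S+)$")


def parse_local_policy(text: str) -> Dict:
    """Turn `show ip local policy` text into {'route_map': name, 'entries': [...]}.

    Each entry records the sequence number, action, matched ACL names,
    the interface set (if any) and the policy-routing match counters.
    """
    result: Dict = {"route_map": None, "entries": []}
    current: Optional[Dict] = None
    section: Optional[str] = None  # 'match' or 'set' while inside a sequence
    for raw in text.splitlines():
        line = raw.strip()
        m = ENABLED_RE.match(line)
        if m:
            result["route_map"] = m.group(1)
            continue
        m = SEQ_RE.match(line)
        if m:
            current = {
                "route_map": m.group(1), "action": m.group(2), "seq": int(m.group(3)),
                "acls": [], "set_interface": None, "packets": 0, "bytes": 0,
            }
            result["entries"].append(current)
            section = None
            continue
        if current is None:
            continue
        if line == "Match clauses:":
            section = "match"
            continue
        if line == "Set clauses:":
            section = "set"
            continue
        m = MATCH_RE.match(line)
        if m:
            current["packets"] = int(m.group(1))
            current["bytes"] = int(m.group(2))
            continue
        if section == "match":
            m = ACL_RE.match(line)
            if m:
                current["acls"].extend(m.group(1).split())
        elif section == "set":
            m = SET_IF_RE.match(line)
            if m:
                current["set_interface"] = m.group(1)
    return result


def check_policy(parsed: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the policy looks sane."""
    findings: List[str] = []
    if parsed["route_map"] is None:
        return ["local policy routing is not enabled"]
    drops = [e for e in parsed["entries"] if e["set_interface"] == "Null0"]
    if not drops:
        findings.append("no sequence sets interface Null0; nothing is being dropped")
    for e in drops:
        if not e["acls"]:
            findings.append(f"sequence {e['seq']} sets Null0 without a match clause: "
                            "ALL locally originated traffic would be dropped")
        if e["packets"] == 0:
            findings.append(f"sequence {e['seq']} has zero matches; verify the ACL "
                            "selects the intended traffic")
    return findings


if __name__ == "__main__":
    parsed = parse_local_policy(SAMPLE_SHOW_LOCAL_POLICY)
    for entry in parsed["entries"]:
        print(entry)
    print(check_policy(parsed) or "policy OK")
```

Feed it the real output (`show ip local policy` captured to a file) instead of the constructed sample; the parser strips indentation, so the exact column layout of the device does not matter.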
And we can see that ping requests sourced from the router now fail, but the router still responds to external pings and sends its echo replies:
router3825#show arp | incl 1.1.1.1
Internet  1.1.1.1                 4   001f.5bea.0afa  ARPA   GigabitEthernet0/0

router3825#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

router3825#ping 1.1.1.1 source 1.1.1.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.253
.....
Success rate is 0 percent (0/5)
router3825#
But a ping sourced from the loopback will succeed, since the controlme ACL only matches host 1.1.1.253:
router3825#show ip int br | incl Loop
Loopback0                  1.0.0.2         YES NVRAM  up                    up

router3825#ping 1.1.1.1 source 1.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.0.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
router3825#
And from host 1.1.1.1 we can ping the loopback or the interface with no problems:
sh-3.2# netstat -nr -f inet | grep default
default            1.1.1.253          UGSc           16        0     en0

sh-3.2# ping 1.1.1.253
PING 1.1.1.253 (1.1.1.253): 56 data bytes
64 bytes from 1.1.1.253: icmp_seq=0 ttl=255 time=0.657 ms
64 bytes from 1.1.1.253: icmp_seq=1 ttl=255 time=0.593 ms
^C
--- 1.1.1.253 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.593/0.625/0.657/0.032 ms

sh-3.2# ping 1.0.0.2
PING 1.0.0.2 (1.0.0.2): 56 data bytes
64 bytes from 1.0.0.2: icmp_seq=0 ttl=255 time=0.738 ms
64 bytes from 1.0.0.2: icmp_seq=1 ttl=255 time=0.759 ms
^C
--- 1.0.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.738/0.748/0.759/0.011 ms
sh-3.2#
You can get very creative filtering traffic sourced from the router itself with this local-policy approach.
Ken Felix
Freelance Network/Security Engineer
kfelix ----at-- hyperfeed ---dot--- com