cisco ACLs/Firewall and nmap
Results 1 to 7 of 7

Thread: cisco ACLs/Firewall and nmap

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325

    cisco ACLs/Firewall and nmap

    Why is it then I can't see -sS scans from namp in my cisco ACLs logs?

    I can see anything else that I can tell...

    It just a cisco 831... not a pix or anything.

    AFAIK, I've never seen stealth scans...

    Am I configured incorrectly?

    I know they are not returning anything... but I don't see it in my logs... and thats debugging.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings:

    It's hard to tell if you're configured correctly or not, without seeing your configuration. How about posting up your ACLs.

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I'm on a dsl connection, so this is my dialer0 interface incoming rule

    access-list 101 permit ip host 192.168.1.x any
    access-list 101 permit ip host 192.168.1.x any
    access-list 101 permit ip host 192.168.1.x any
    access-list 101 permit ip host 192.168.1.x any
    access-list 101 permit ip host 192.168.1.x any
    access-list 101 permit ip host 192.168.1.x any
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 permit udp host 207.46.130.100 eq ntp any eq ntp
    access-list 101 remark School
    access-list 101 permit icmp x.x.0.0 0.0.255.255 any log
    access-list 101 remark School
    access-list 101 permit tcp x.x.0.0 0.0.255.255 any eq ftp-data log
    access-list 101 remark School
    access-list 101 permit tcp x.x.0.0 0.0.255.255 any eq ftp log
    access-list 101 remark School
    access-list 101 permit tcp x.x.0.0 0.0.255.255 any eq 22 log
    access-list 101 remark School
    access-list 101 permit tcp x.x.0.0 0.0.255.255 any eq 3389 log
    access-list 101 remark Work
    access-list 101 permit icmp host xxx.xxx.xx.xx any log
    access-list 101 remark Work
    access-list 101 permit ip host xxx.xxx.xx.xx any log
    access-list 101 remark Work
    access-list 101 permit tcp host xxx.xxx.xx.xx any log
    access-list 101 remark Work
    access-list 101 permit udp host xxx.xxx.xx.xx any log
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    I have a vpn setup too... so thats why I'm allowing those private IPs... but you could figure that out.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings:

    Ok, several things I want to comment on.

    First, you do realize that once a connection reaches a rule that gives it an explicit allow, that it stops looking at the rest of the rules, right?

    So, your IP deny statements at the bottom do you no good down there, as any traffic from them would still be allowed if it followed any of the rules above it. You want these on below your permit ip statements at the very top of your list like this:

    access-list 101 permit ip host 192.168.1.x any
    access-list 101 permit ip host 192.168.1.x any
    access-list 101 permit ip host 192.168.1.x any
    access-list 101 permit ip host 192.168.1.x any
    access-list 101 permit ip host 192.168.1.x any
    access-list 101 permit ip host 192.168.1.x any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any

    You have a redundancy here
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any

    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any


    Secondly, try adding a port range to your deny statement at the bottom like this:

    deny ip any any range 0 65535 log


    It's late, but everything else looks good to me at quick glance. Where are you sending these logs to? Are they going to a syslogd or what?

    Also, if you want to be picking up the stealths and things, you'd be well set to have an IDS installed on a monitor port. Ever think about setting one up?

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Where do I have the explicit allow?

    edit:
    Ah! Ok, now I see what you are saying... but I'm only allowing specific hosts... so the denys at the bottom should be ok?
    Besides... they are private ips... so they can't be routed over the internet unelss they are authenticated via vpn?
    /edit:

    I am sending the logs to a syslog server.

    I just saw the redundancy. I've been toying with this all evening after a long day...

    I have been thinking about setting up an IDS, but I don't have the space at the moment.
    When I move (which should be soon) I'll have a good chance to change the physical layout.

    Right now I don't have the space.

    I've been toying with the Cisco Intrusion Prevention System.

    I'm trying to determine what comes first... ACLs then IPS, or IPS then ACLs.

    I can't see anything in the logs regarding IPS, I'd have to *ass*ume ACLs...
    Too bad it won't log both.

    I'll add the ports to the ACL. Thanks for the help and suggestions.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings:

    Originally posted here by phishphreek80
    Where do I have the explicit allow?
    edit:
    Ah! Ok, now I see what you are saying... but I'm only allowing specific hosts... so the denys at the bottom should be ok?
    /edit:
    Well, you do have some permit any any X statements in there, but they aren't really a big deal. Still, it's good to deny the standard noroutes from everything, no matter how harmless it seems. It's also good to get in the habit of putting your deny ip statements at the top under the allow ips. I have seen a LOT of admins that could have saved themselves a LOT of problems if they had gotten into that routine early on.


  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I know you suggested an IDS system to detect the stealth activity...

    And by that you are saying that Cisco CAN'T see stealth activity?

    I want to put in an IDS but I have to wait for a while...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •