Tuesday, June 4, 2013

How to control locally originated traffic from your cisco router?



If you didn't know by now, an outbound ACL on an interface does not filter traffic originated by the router itself. Look at this exhibit:

router3825#sh run int gi 0/0
Building configuration...

Current configuration : 302 bytes
!
interface GigabitEthernet0/0
 ip address 1.1.1.253 255.255.255.0
 ip nbar protocol-discovery
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 analysis-module monitoring
 ipv6 address 2001:470:C021:1::1/64
 ipv6 enable
 ipv6 nd prefix default 360 120
 ipv6 nd ra lifetime 340
end



An outbound ACL is consulted only for traffic that transits the router's interfaces.
Now let's add an ACL restricting pings from 1.1.1.253 (gi 0/0):


router3825#config t
Enter configuration commands, one per line.  End with CNTL/Z.
router3825(config)#ip access-list ext noicmp
router3825(config-ext-nacl)#deny icmp host 1.1.1.253 any
router3825(config-ext-nacl)#permit ip any any
router3825(config-ext-nacl)#int gi 0/0
router3825(config-if)#ip acces
router3825(config-if)#ip access-group noicmp out
router3825(config-if)#
router3825(config-if)#end




And here we try to ping a DHCP host that is locally connected to the router:

router3825#show ip dhcp bin
Bindings from all pools not associated with VRF:
IP address          Client-ID/                            Lease expiration        Type
                    Hardware address/
                    User name
1.1.1.1             0100.1f5b.ea0a.fa       Jun 04 2013 01:53 AM    Automatic

router3825#ping 1.1.1.1 source 1.1.1.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.253
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
router3825#


And let's double-check that the ACL has been applied:

router3825#show ip int gi 0/0 | incl acc
  Outgoing access list is noicmp            <--------
  Inbound  access list is not set
  IP output packet accounting is disabled
  IP access violation accounting is disabled

router3825#sh access-list noicmp
Extended IP access list noicmp
    10 deny icmp host 1.1.1.253 any
    20 permit ip any any
router3825#


Okay, so how can we filter outbound traffic that originates from the router?

Easy: we use a route-map plus an ACL, applied as a local policy.

1st, the ACL:

ip access-list extended controlme
 permit icmp host 1.1.1.253 any echo
 deny   ip any any

2nd, the route-map:
!
route-map mylocal permit 50
 match ip address controlme
 set interface Null0
!
route-map mylocal permit 100
!

And now the configuration for our local policy:

config t
 ip local policy route-map mylocal
end

And to verify:

router3825#show ip local  policy
Local policy routing is enabled, using route map mylocal
route-map mylocal, permit, sequence 50
  Match clauses:
    ip address (access-lists): controlme
  Set clauses:
    interface Null0
  Policy routing matches: 5 packets, 500 bytes
route-map mylocal, permit, sequence 100
  Match clauses:
  Set clauses:
  Policy routing matches: 418 packets, 81963 bytes
router3825#


And we can see that ping requests from the router now fail, while the router still answers external pings with its echo-replies, since controlme matches only echo requests:

router3825#show arp | incl 1.1.1.1
Internet  1.1.1.1                 4   001f.5bea.0afa  ARPA   GigabitEthernet0/0

router3825#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

router3825#ping 1.1.1.1 source 1.1.1.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.253
.....
Success rate is 0 percent (0/5)
router3825#


But a ping sourced from the loopback will succeed, because controlme matches only packets sourced from 1.1.1.253:

router3825#show ip int br | incl Loop
Loopback0                  1.0.0.2         YES NVRAM  up                    up

router3825#ping 1.1.1.1 source 1.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.0.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
router3825#
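If the goal is to stop the router from sending echo requests from any of its addresses, not just from 1.1.1.253, the ACL has to match any source. The following is an added, consolidated example of the technique described in this post; it is not configuration from the original post, and the ACL and route-map names (rtr-origin-icmp, localpol) are my own choices. Because ip local policy is evaluated against every packet the router itself generates, build the ACL as narrowly as the job allows and keep the rollback command at hand.

```cisco
! Added example, not configuration from the original post.
! Generalizes the post's "controlme"/"mylocal" setup: instead of matching
! only echo requests sourced from 1.1.1.253, it drops echo requests the
! router generates from ANY of its addresses (loopbacks included).
! The names rtr-origin-icmp and localpol are assumptions (my own choices).
!
ip access-list extended rtr-origin-icmp
 remark router-generated ICMP echo requests, regardless of source address
 permit icmp any any echo
 deny   ip any any
!
! Echo replies, routing-protocol packets and everything else hit the ACL's
! deny, so clause 10 does not match them and they are not sent to Null0.
route-map localpol permit 10
 match ip address rtr-origin-icmp
 set interface Null0
!
! Clause 100 has no match statement, so it matches all remaining locally
! generated packets; with no set statement they are routed normally.
! Leaving it out has the same effect: packets that match no clause are
! forwarded by the routing table.
route-map localpol permit 100
!
ip local policy route-map localpol
!
! Verification, same commands as used in the post:
!   show ip local policy
!   show route-map localpol
!   show access-list rtr-origin-icmp
!
! Rollback if the router loses neighbours or management sessions:
!   no ip local policy route-map localpol
```

The match-on-source-only ACL in the post is a good illustration of why the policy should be checked from every address the router owns: each interface and loopback is a distinct source a locally generated packet can carry, and an ACL keyed to one of them leaves the others uncovered.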


And from host 1.1.1.1 we can ping the loopback or the interface with no problems:

sh-3.2# netstat -nr -f inet | grep default
default            1.1.1.253          UGSc           16        0     en0

sh-3.2# ping 1.1.1.253
PING 1.1.1.253 (1.1.1.253): 56 data bytes
64 bytes from 1.1.1.253: icmp_seq=0 ttl=255 time=0.657 ms
64 bytes from 1.1.1.253: icmp_seq=1 ttl=255 time=0.593 ms
^C
--- 1.1.1.253 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.593/0.625/0.657/0.032 ms

sh-3.2# ping 1.0.0.2
PING 1.0.0.2 (1.0.0.2): 56 data bytes
64 bytes from 1.0.0.2: icmp_seq=0 ttl=255 time=0.738 ms
64 bytes from 1.0.0.2: icmp_seq=1 ttl=255 time=0.759 ms
^C
--- 1.0.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.738/0.748/0.759/0.011 ms
sh-3.2#



You can get very creative filtering traffic that originates from the router itself with this approach.

Ken Felix
Freelance Network/Security Engineer
kfelix   ----at--  hyperfeed ---dot--- com

