Tip
This is the documentation for the 21.07 version. Looking for the documentation of the latest version? Have a look here.
Step 4: Protect the Outside Interface with ACLs¶
Before proceeding with the VPN IPsec site-to-site tunnel, it is critical to apply Access Control Lists (ACLs) to the outside interface.
The reason being, if the outside interface is exposed to the internet, it
will be frequently probed by bots attempting to login using weak credentials.
This can be seen by inspecting lastb
from the root
user:
sudo lastb | head -100
Multiple ACLs can be applied to an input or output queue on an interface, as ordered by sequence. This offers a modular and scalable approach to ACLs for a given interface.
Output ACL - Reflect¶
The reflect ACL is a special action that permits output traffic and also permits the return, or input, traffic to match the IP flow.
Create an ACL named outbound-reflect
and apply it:
acl outbound-reflect
rule 5
desc reflect permit outbound traffic AND permit return traffic on input
action reflect
ip-version ipv4
exit
exit
#
# Apply to interface as output ACL
interface outside
access-list output acl outbound-reflect sequence 10
exit
Input ACL - DHCP Response¶
If using dhcp client ipv4
on the outside interface, be sure to permit DHCP
responses on destination port UDP 68
by creating an ACL named
dhcp-outside
and applying it:
acl dhcp-outside
rule 1
desc DHCP Response to client on outside interface
action permit
ip-version ipv4
protocol udp
source port 67
destination port 68
exit
exit
#
# Apply ACL to interface Access-List
interface outside
access-list input acl dhcp-outside sequence 5
exit
Input ACL - SSH-Outside¶
To only permit inbound SSH access from specified IP hosts, create an ACL rule
named ssh-outside
and apply it. In this example, rule 221 permits a
block of IP addresses from corporate headquarters and rule 222 permits a
single IP address for assistance from a service provider:
acl ssh-outside
rule 221
desc Allow SSH from HQ
action permit
ip-version ipv4
protocol tcp
destination port 22
source address 198.51.100.0/24
exit
rule 222
desc Allow SSH from service provider
action permit
ip-version ipv4
protocol tcp
destination port 22
source address 192.0.2.88/32
exit
exit
#
# Apply to outside interface as input ACL
interface outside
access-list input acl ssh-outside sequence 10
exit
Then validate that only the specified IP addresses are able to SSH to the outside IP address of TNSR.
Note
A NAT static mapping from outside addresses to inside addresses on
port 22
(SSH) may be required.
nat static mapping tcp local 172.21.89.1 22 external outside 22 out-to-in-only
NAT port forwarding is covered in Step 6: Port Forwarding with NAT.
Input ACL - IPsec-Outside¶
Configure an ACL, named ipsec-outside
, to permit three (3) types of
IPsec traffic:
IP Protocol UDP; Destination Port 500: IKEv2 Message Exchange
IP Protocol UDP; Destination Port 4500: NAT-T floats IPsec to UDP 4500
acl ipsec-outside
rule 11
desc Permit ESP
action permit
ip-version ipv4
source address 198.51.100.120/32
protocol 50
exit
rule 12
desc IKEv2 - UDP 500
action permit
ip-version ipv4
source address 198.51.100.120/32
protocol udp
destination port 500
exit
rule 12
desc IPsec with NAT-T - UDP 4500
action permit
ip-version ipv4
source address 198.51.100.120/32
protocol udp
destination port 4500
exit
exit
# Apply ACL to interface Access-List
interface outside
access-list input acl ipsec-outside sequence 20
exit