Step 4: Protect the Outside Interface with ACLs

Before proceeding with the VPN IPsec site-to-site tunnel, it is critical to apply Access Control Lists (ACLs) to the outside interface.

The reason being, if the outside interface is exposed to the internet, it will be frequently probed by bots attempting to login using weak credentials. This can be seen by inspecting lastb from the root user:

sudo lastb | head -100

Multiple ACLs can be applied to an input or output queue on an interface, as ordered by sequence. This offers a modular and scalable approach to ACLs for a given interface.

Output ACL - Reflect

The reflect ACL is a special action that permits output traffic and also permits the return, or input, traffic to match the IP flow.

Create an ACL named outbound-reflect and apply it:

acl outbound-reflect
  rule 5
    desc reflect permit outbound traffic AND permit return traffic on input
    action reflect
    ip-version ipv4
    exit
  exit
#
# Apply to interface as output ACL
interface outside
  access-list output acl outbound-reflect sequence 10
  exit

Input ACL - DHCP Response

If using dhcp client ipv4 on the outside interface, be sure to permit DHCP responses on destination port UDP 68 by creating an ACL named dhcp-outside and applying it:

acl dhcp-outside
  rule 1
    desc DHCP Response to client on outside interface
    action permit
    ip-version ipv4
    protocol udp
    destination port 68
    exit
  exit
#
# Apply ACL to interface Access-List
interface outside
  access-list input acl dhcp-outside sequence 5
  exit

Input ACL - SSH-Outside

To only permit inbound SSH access from specified IP hosts, create an ACL rule named ssh-outside and apply it. In this example, rule 221 permits a block of IP addresses from corporate headquarters and rule 222 permits a single IP address for assistance from a service provider:

acl ssh-outside
  rule 221
    desc Allow SSH from HQ
    action permit
    ip-version ipv4
    protocol tcp
    destination port 22
    source address 198.51.100.0/24
    exit
  rule 222
    desc Allow SSH from service provider
    action permit
    ip-version ipv4
    protocol tcp
    destination port 22
    source address 192.0.2.88/32
    exit
  exit
#
# Apply to outside interface as input ACL
interface outside
  access-list input acl ssh-outside sequence 10
  exit

Then validate that only the specified IP addresses are able to SSH to the outside IP address of TNSR.

Note

A NAT static mapping from outside addresses to inside addresses on port 22 (SSH) may be required.

nat static mapping tcp local 172.21.89.1 22 external outside 22 out-to-in-only

NAT port forwarding is covered in Step 6: Port Forwarding with NAT.

Input ACL - IPsec-Outside

Configure an ACL, named ipsec-outside, to permit three (3) types of IPsec traffic:

  1. IP Protocol 50; Encapsulating Security Payload (ESP)

  2. IP Protocol UDP; Destination Port 500: IKEv2 Message Exchange

  3. IP Protocol UDP; Destination Port 4500: NAT-T (not supported in current TNSR release)

acl ipsec-outside
  rule 11
    desc Permit ESP
    action permit
    ip-version ipv4
    source address 198.51.100.120/32
    protocol 50
    exit
  rule 12
    desc Permit UDP500 - IKEv2
    action permit
    ip-version ipv4
    source address 198.51.100.120/32
    protocol udp
    destination port 500
    exit
  rule 13
    desc Permit UDP4500 - NAT-T Future
    action permit
    ip-version ipv4
    source address 198.51.100.120/32
    protocol udp
    destination port 4500
    exit
  exit
# Apply ACL to interface Access-List
interface outside
  access-list input acl ipsec-outside sequence 20
  exit