Step 4: Protect the WAN Interface with ACLs
Before proceeding with the IPsec site-to-site VPN tunnel, it is critical to apply Access Control Lists (ACLs) to the WAN interface.
A WAN interface exposed to the internet is frequently probed by bots attempting to log in with weak credentials. This can be seen by inspecting lastb (the record of failed login attempts) from the root user:
$ sudo lastb | head -100
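The following is an added example, not part of the original page, that summarizes lastb output of the kind the command above produces: it counts failed logins per source address and the usernames each source tried, and then checks every source against the two networks the ssh-WAN ACL later permits (198.51.100.0/24 and 192.0.2.88/32). The sample records, the noise threshold and the helper names are constructed for this illustration.

```python
"""Summarise failed SSH logins from lastb output (added example, not from the page)."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in lastb's usual layout: user, tty, source host, timestamps.
SAMPLE_LASTB = """\
root     ssh:notty    203.0.113.45     Mon Mar  4 10:15 - 10:15  (00:00)
admin    ssh:notty    203.0.113.45     Mon Mar  4 10:15 - 10:15  (00:00)
root     ssh:notty    203.0.113.45     Mon Mar  4 10:16 - 10:16  (00:00)
tnsr     ssh:notty    192.0.2.88       Mon Mar  4 09:02 - 09:02  (00:00)
root     ssh:notty    198.18.0.7       Mon Mar  4 08:40 - 08:40  (00:00)

btmp begins Mon Mar  4 00:00:01 2024
"""

# Sources the page's ssh-WAN ACL permits (rules 221 and 222).
SSH_ALLOWED = [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("192.0.2.88/32")]


def parse_lastb(text):
    """Yield (user, host) for each failed-login record, skipping the trailer line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "btmp":
            continue
        yield fields[0], fields[2]


def summarize(text, threshold=2):
    """Count failures per source and flag sources the ACL would not have admitted.

    threshold is an assumed value above which a source is reported as noisy.
    """
    per_host = Counter()
    users = defaultdict(set)
    for user, host in parse_lastb(text):
        per_host[host] += 1
        users[host].add(user)
    report = []
    for host, attempts in per_host.most_common():
        try:
            addr = ipaddress.ip_address(host)
            allowed = any(addr in net for net in SSH_ALLOWED)
        except ValueError:          # lastb may show a hostname rather than an address
            allowed = False
        report.append({"host": host, "attempts": attempts,
                       "users": sorted(users[host]),
                       "allowed_by_acl": allowed,
                       "noisy": attempts >= threshold})
    return report


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LASTB):
        print(entry)
```

Run it against real data with `sudo lastb | python3 this_script.py` after changing the main block to read sys.stdin; every entry with allowed_by_acl False is traffic the ssh-WAN ACL will drop before it reaches the login prompt.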
Multiple ACLs can be applied to the input or output queue of an interface, ordered by sequence number. Rules are evaluated in order and the first match decides the outcome; traffic that matches no rule in any ACL on that queue is dropped, which is why every service the WAN interface must accept (DHCP responses, SSH from approved hosts, the IPsec peer) needs an explicit permit. This offers a modular and scalable approach to ACLs for a given interface.
Output ACL - Reflect
The reflect action is a special action that permits outbound traffic and also permits the return (input) traffic belonging to the same IP flow, so replies to connections initiated by TNSR are accepted without a separate input rule.
Create an ACL named outbound-reflect and apply it:
acl outbound-reflect
rule 5
desc reflect permit outbound traffic AND permit return traffic on input
action reflect
ip-version ipv4
exit
exit
#
# Apply to interface as output ACL
interface WAN
access-list output acl outbound-reflect sequence 10
exit
Input ACL - DHCP Response
If dhcp client ipv4 is used on the WAN interface, be sure to permit DHCP responses (UDP from source port 67 to destination port 68) by creating an ACL named dhcp-wan and applying it:
acl dhcp-wan
rule 1
desc DHCP Response to client on WAN interface
action permit
ip-version ipv4
protocol udp
source port 67
destination port 68
exit
exit
#
# Apply ACL to interface Access-List
interface WAN
access-list input acl dhcp-wan sequence 5
exit
Input ACL - SSH-WAN
To permit inbound SSH access only from specified hosts, create an ACL named ssh-WAN and apply it. In this example, rule 221 permits a block of IP addresses from corporate headquarters and rule 222 permits a single IP address used by a service provider for assistance:
acl ssh-WAN
rule 221
desc Allow SSH from HQ
action permit
ip-version ipv4
protocol tcp
destination port 22
source address 198.51.100.0/24
exit
rule 222
desc Allow SSH from service provider
action permit
ip-version ipv4
protocol tcp
destination port 22
source address 192.0.2.88/32
exit
exit
#
# Apply to WAN interface as input ACL
interface WAN
access-list input acl ssh-WAN sequence 10
exit
Then validate that only the specified IP addresses are able to SSH to the WAN IP address of TNSR: test from an allowed host and from a host outside the permitted ranges, and confirm the latter never reaches the login prompt.
Note
A NAT static mapping from WAN addresses to inside addresses on port 22
(SSH) may be required.
nat static mapping tcp local 172.21.89.1 22 external WAN 22 out-to-in-only
NAT port forwarding is covered in Step 6: Port Forwarding with NAT.
Input ACL - IPsec-WAN
Configure an ACL named ipsec-WAN to permit three (3) types of IPsec traffic from the remote peer (198.51.100.120 in this example):
IP Protocol 50: ESP, the encrypted tunnel traffic
IP Protocol UDP; Destination Port 500: IKEv2 message exchange
IP Protocol UDP; Destination Port 4500: NAT-T, which moves IKE and ESP to UDP 4500 when a NAT is detected between the peers
Each rule needs a distinct number; re-using a number re-enters and modifies the existing rule instead of adding a new one.
acl ipsec-WAN
rule 11
desc Permit ESP
action permit
ip-version ipv4
source address 198.51.100.120/32
protocol 50
exit
rule 12
desc IKEv2 - UDP 500
action permit
ip-version ipv4
source address 198.51.100.120/32
protocol udp
destination port 500
exit
rule 13
desc IPsec with NAT-T - UDP 4500
action permit
ip-version ipv4
source address 198.51.100.120/32
protocol udp
destination port 4500
exit
exit
# Apply ACL to interface Access-List
interface WAN
access-list input acl ipsec-WAN sequence 20
exit
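To see how the ACLs above interact once applied to the interface, here is a small offline model of per-interface ACL evaluation. It is an added example written for this page, not TNSR's own code: rules are checked in number order within an ACL, ACLs in sequence order on the interface, the first match wins, unmatched traffic is dropped, and an output reflect match records the flow so that its return traffic is accepted on input. It also shows what happens when the NAT-T rule re-uses number 12 instead of 13. The WAN address 203.0.113.1, the remote hosts and ephemeral ports in the demo, and the treatment of a re-used rule number as an edit of the existing rule are assumptions of the model.

```python
"""Offline model of the WAN ACL chain above (added example, not TNSR code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: int            # IANA protocol number: 6 tcp, 17 udp, 50 esp
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    num: int
    action: str           # permit | deny | reflect
    proto: Optional[int] = None
    src: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p):
        return (self.proto in (None, p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class ACL:
    """Rules keyed by number: a re-used number edits the existing rule (assumed)."""
    def __init__(self, name, *rules):
        self.name, self.rules = name, {}
        for r in rules:
            self.rules[r.num] = r

    def lookup(self, p):  # first matching rule wins, in rule-number order
        for num in sorted(self.rules):
            if self.rules[num].matches(p):
                return self.rules[num].action
        return None


class Interface:
    def __init__(self, address):
        self.address, self.input, self.output, self.sessions = address, {}, {}, set()

    def _walk(self, acls, p):
        for seq in sorted(acls):           # ACLs in sequence order
            action = acls[seq].lookup(p)
            if action is not None:
                return action
        return "deny"                      # nothing matched: implicit deny

    def send(self, p):
        action = self._walk(self.output, p)
        if action == "reflect":            # permit, and remember the return flow
            self.sessions.add(Packet(p.proto, p.dst, p.src, p.dport, p.sport))
            return "permit"
        return action

    def receive(self, p):
        if p in self.sessions:             # return traffic of a reflected flow
            return "permit"
        return self._walk(self.input, p)


def build_wan(duplicate_rule_number=False):
    """The page's WAN policy; 203.0.113.1 is an assumed WAN address."""
    wan = Interface("203.0.113.1")
    wan.output[10] = ACL("outbound-reflect", Rule(5, "reflect"))
    wan.input[5] = ACL("dhcp-wan", Rule(1, "permit", 17, sport=67, dport=68))
    wan.input[10] = ACL("ssh-WAN", Rule(221, "permit", 6, "198.51.100.0/24", dport=22),
                        Rule(222, "permit", 6, "192.0.2.88/32", dport=22))
    peer = "198.51.100.120/32"
    natt = 12 if duplicate_rule_number else 13       # 13 is the distinct number
    wan.input[20] = ACL("ipsec-WAN", Rule(11, "permit", 50, peer),           # ESP
                        Rule(12, "permit", 17, peer, dport=500),             # IKEv2
                        Rule(natt, "permit", 17, peer, dport=4500))          # NAT-T
    return wan


def demo():
    wan, me = build_wan(), "203.0.113.1"
    r = {"ssh from HQ": wan.receive(Packet(6, "198.51.100.10", me, 51000, 22)),
         "ssh from internet": wan.receive(Packet(6, "203.0.113.77", me, 51000, 22)),
         "ike from peer": wan.receive(Packet(17, "198.51.100.120", me, 500, 500)),
         "ike from stranger": wan.receive(Packet(17, "192.0.2.9", me, 500, 500)),
         "dhcp offer": wan.receive(Packet(17, "203.0.113.254", me, 67, 68)),
         "unsolicited reply": wan.receive(Packet(6, "192.0.2.10", me, 443, 40000))}
    r["outbound https"] = wan.send(Packet(6, me, "192.0.2.10", 40000, 443))
    r["https reply"] = wan.receive(Packet(6, "192.0.2.10", me, 443, 40000))
    # Re-using number 12 for NAT-T overwrites the IKEv2 rule, so UDP 500 is dropped.
    broken = build_wan(duplicate_rule_number=True)
    r["ike with duplicate rule 12"] = broken.receive(Packet(17, "198.51.100.120", me, 500, 500))
    return r


if __name__ == "__main__":
    print(demo())
```

The "unsolicited reply" case is evaluated before the outbound HTTPS request is sent and the "https reply" case after it; the only difference between them is the session the reflect rule created, which is exactly what the outbound-reflect ACL buys you on the input side.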