Step 4: Protect the Outside Interface with ACLs
Before proceeding with the IPsec site-to-site VPN tunnel, it is critical to apply Access Control Lists (ACLs) to the outside interface.
An outside interface exposed to the internet is probed constantly by bots attempting to log in with weak or default credentials. The failed attempts they leave behind are recorded in the btmp log and can be seen by inspecting lastb from the host shell:

    sudo lastb | head -100
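To turn that raw listing into something actionable, the following script (an added example for this page, not TNSR tooling) parses lastb output, counts failed logins per source address and lists the usernames each source tried, so a noisy source can be checked against the SSH allow-list below. The lastb lines it reads are constructed sample data; on a real system run `lastb -i` so the third column is always an IP address rather than a resolved hostname.

```python
"""Summarise failed SSH logins from `lastb` output by source address.
Added example, not part of TNSR; SAMPLE_LASTB below is constructed data."""
import re
from collections import Counter, defaultdict

# Constructed lastb output: user, tty, source host, then the timestamp fields.
SAMPLE_LASTB = """\
root     ssh:notty    203.0.113.45     Tue Mar  5 02:14 - 02:14  (00:00)
admin    ssh:notty    203.0.113.45     Tue Mar  5 02:14 - 02:14  (00:00)
root     ssh:notty    203.0.113.45     Tue Mar  5 02:15 - 02:15  (00:00)
pi       ssh:notty    198.51.100.22    Tue Mar  5 02:20 - 02:20  (00:00)
tnsr     ssh:notty    192.0.2.88       Tue Mar  5 09:01 - 09:01  (00:00)

btmp begins Tue Mar  5 00:00:01 2024
"""

# Only the first three whitespace-separated columns are needed here.
LINE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+")


def parse_lastb(text):
    """Yield (user, host) for each failed-login record, skipping the trailer."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("btmp begins"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("host")


def failed_logins_by_source(text):
    """Return {host: (attempt count, sorted list of usernames tried)}."""
    counts = Counter()
    users = defaultdict(set)
    for user, host in parse_lastb(text):
        counts[host] += 1
        users[host].add(user)
    return {h: (counts[h], sorted(users[h])) for h in counts}


def noisy_sources(text, threshold=3):
    """Sources with at least `threshold` failures: worth checking against the
    SSH allow-list, since anything not on it should be dropped by the ACL."""
    return [h for h, (n, _) in failed_logins_by_source(text).items() if n >= threshold]


if __name__ == "__main__":
    for host, (n, names) in failed_logins_by_source(SAMPLE_LASTB).items():
        print(f"{host:16} {n:3} attempts  users: {', '.join(names)}")
    print("noisy:", noisy_sources(SAMPLE_LASTB))
```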
Multiple ACLs can be applied to the input or output side of an interface. They are evaluated in ascending sequence order, rules within an ACL in ascending rule number, and the first matching rule decides what happens to the packet. Once any ACL is applied in a direction, traffic that matches no rule is dropped, so every legitimate inbound flow (DHCP, SSH, IPsec) must be explicitly permitted. This offers a modular and scalable approach to ACLs for a given interface.
Output ACL - Reflect
The reflect action permits the outbound traffic and also records the IP flow so that its return, or input, traffic is permitted without a separate input rule.
Create an ACL named outbound-reflect and apply it:

    acl outbound-reflect
        rule 5
            desc reflect permit outbound traffic AND permit return traffic on input
            action reflect
            ip-version ipv4
        exit
    exit
    #
    # Apply to interface as output ACL
    interface outside
        access-list output acl outbound-reflect sequence 10
    exit
Input ACL - DHCP Response
When the outside interface obtains its address with dhcp client ipv4, be sure to permit DHCP responses (UDP source port 67 to destination port 68) by creating an ACL named dhcp-outside and applying it. Without this rule the implicit deny would drop the lease offer and the interface would never get an address:

    acl dhcp-outside
        rule 1
            desc DHCP Response to client on outside interface
            action permit
            ip-version ipv4
            protocol udp
            source port 67
            destination port 68
        exit
    exit
    #
    # Apply ACL to interface Access-List
    interface outside
        access-list input acl dhcp-outside sequence 5
    exit
Input ACL - SSH-Outside
To permit inbound SSH access only from specified IP hosts, create an ACL named ssh-outside and apply it. In this example, rule 221 permits a block of IP addresses from corporate headquarters and rule 222 permits a single IP address for assistance from a service provider; SSH from any other source matches nothing and is dropped:

    acl ssh-outside
        rule 221
            desc Allow SSH from HQ
            action permit
            ip-version ipv4
            protocol tcp
            destination port 22
            source address 198.51.100.0/24
        exit
        rule 222
            desc Allow SSH from service provider
            action permit
            ip-version ipv4
            protocol tcp
            destination port 22
            source address 192.0.2.88/32
        exit
    exit
    #
    # Apply to outside interface as input ACL
    interface outside
        access-list input acl ssh-outside sequence 10
    exit
Then validate that only the specified IP addresses are able to SSH to the outside IP address of TNSR: a connection attempt from any other source should time out rather than reach the SSH daemon.
Depending on the NAT configuration, a NAT static mapping from the outside address to the TNSR inside address (172.21.89.1 in this example) on TCP port 22 (SSH) may also be required. The out-to-in-only option limits the mapping to connections initiated from the outside:

    nat static mapping tcp local 172.21.89.1 22 external outside 22 out-to-in-only

NAT port forwarding is covered in Step 6: Port Forwarding with NAT.
Input ACL - IPsec-Outside
Configure an ACL, named ipsec-outside, to permit three (3) types of traffic from the remote IPsec peer (198.51.100.120 in this example):
IP Protocol 50 (ESP): the encrypted IPsec traffic itself
IP Protocol UDP; Destination Port 500: IKEv2 Message Exchange
IP Protocol UDP; Destination Port 4500: NAT-T floats IKE and ESP to UDP 4500
Each rule needs a distinct rule number: entering rule 12 a second time would re-enter and overwrite the existing rule rather than add a new one, so the NAT-T rule is 13 here.

    acl ipsec-outside
        rule 11
            desc Permit ESP
            action permit
            ip-version ipv4
            source address 198.51.100.120/32
            protocol 50
        exit
        rule 12
            desc IKEv2 - UDP 500
            action permit
            ip-version ipv4
            source address 198.51.100.120/32
            protocol udp
            destination port 500
        exit
        rule 13
            desc IPsec with NAT-T - UDP 4500
            action permit
            ip-version ipv4
            source address 198.51.100.120/32
            protocol udp
            destination port 4500
        exit
    exit
    #
    # Apply ACL to interface Access-List
    interface outside
        access-list input acl ipsec-outside sequence 20
    exit
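To check the combined policy before trusting it on a live interface, the following model (an added example for this page, not TNSR or VPP code) encodes the three input ACLs above with their sequence numbers and evaluates constructed sample packets against them. It assumes the evaluation semantics described at the top of this step, which TNSR inherits from the VPP ACL plugin: ACLs in ascending sequence order, rules in ascending rule number, first match wins, and an implicit deny for anything unmatched. It also models the CLI's rule table as keyed by rule number, which is what makes a repeated rule 12 silently lose the IKE rule.

```python
"""Model of how the input ACLs from this step are evaluated on the outside
interface. Added example, not TNSR or VPP code. Assumed semantics (VPP ACL
plugin): ACLs are consulted in ascending sequence order, rules in ascending
rule number, the first matching rule decides, and a packet that matches no
rule is dropped (implicit deny once any ACL is applied)."""
from ipaddress import ip_address, ip_network

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50


def rule(proto=None, src=None, sport=None, dport=None, action="permit"):
    """One 'rule N' stanza; fields left unset match anything."""
    return {"action": action, "proto": proto,
            "src": ip_network(src) if src else None,
            "sport": sport, "dport": dport}


def load_rules(entries):
    """Store rules the way the CLI does: keyed by rule number, so entering the
    same number twice replaces the earlier rule instead of adding a second."""
    table = {}
    for num, r in entries:
        table[num] = r
    return sorted(table.items())


def build_acls(definitions):
    """definitions: list of (sequence, acl name, [(rule number, rule), ...])."""
    return {seq: (name, load_rules(entries)) for seq, name, entries in definitions}


def matches(r, pkt):
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["src"] is not None and ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["sport"] is not None and r["sport"] != pkt.get("sport"):
        return False
    if r["dport"] is not None and r["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(pkt, acls):
    """Return (action, 'acl rule N') for the first match, else ('deny', 'implicit deny')."""
    for seq in sorted(acls):
        name, rules = acls[seq]
        for num, r in rules:
            if matches(r, pkt):
                return r["action"], f"{name} rule {num}"
    return "deny", "implicit deny"


PEER = "198.51.100.120/32"  # remote IPsec peer, as in the ipsec-outside ACL

# The three input ACLs as this step applies them (sequence 5, 10, 20).
OUTSIDE_INPUT = build_acls([
    (5, "dhcp-outside", [(1, rule(PROTO_UDP, sport=67, dport=68))]),
    (10, "ssh-outside", [(221, rule(PROTO_TCP, "198.51.100.0/24", dport=22)),
                         (222, rule(PROTO_TCP, "192.0.2.88/32", dport=22))]),
    (20, "ipsec-outside", [(11, rule(PROTO_ESP, PEER)),
                           (12, rule(PROTO_UDP, PEER, dport=500)),
                           (13, rule(PROTO_UDP, PEER, dport=4500))]),
])

# Same policy with the NAT-T rule mistakenly entered as 'rule 12' a second time.
OUTSIDE_INPUT_DUP12 = build_acls([
    (5, "dhcp-outside", [(1, rule(PROTO_UDP, sport=67, dport=68))]),
    (10, "ssh-outside", [(221, rule(PROTO_TCP, "198.51.100.0/24", dport=22))]),
    (20, "ipsec-outside", [(11, rule(PROTO_ESP, PEER)),
                           (12, rule(PROTO_UDP, PEER, dport=500)),
                           (12, rule(PROTO_UDP, PEER, dport=4500))]),
])

# Constructed sample packets arriving on the outside interface.
SAMPLES = {
    "dhcp offer":          {"proto": PROTO_UDP, "src": "203.0.113.1", "sport": 67, "dport": 68},
    "ssh from HQ":         {"proto": PROTO_TCP, "src": "198.51.100.7", "sport": 51000, "dport": 22},
    "ssh from internet":   {"proto": PROTO_TCP, "src": "203.0.113.9", "sport": 51000, "dport": 22},
    "esp from peer":       {"proto": PROTO_ESP, "src": "198.51.100.120"},
    "ike from peer":       {"proto": PROTO_UDP, "src": "198.51.100.120", "sport": 500, "dport": 500},
    "nat-t from stranger": {"proto": PROTO_UDP, "src": "203.0.113.9", "sport": 4500, "dport": 4500},
    "https from internet": {"proto": PROTO_TCP, "src": "203.0.113.9", "sport": 40000, "dport": 443},
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:20} -> {evaluate(pkt, OUTSIDE_INPUT)}")
    print("with duplicate rule 12, IKE from peer ->",
          evaluate(SAMPLES["ike from peer"], OUTSIDE_INPUT_DUP12))
```

The model shows the two properties worth confirming on the box: traffic with no matching permit (SSH or HTTPS from an arbitrary internet host, NAT-T from a non-peer) falls through to the implicit deny, and the duplicate rule 12 leaves the IKE exchange itself unpermitted, which would make the tunnel fail to negotiate.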