Step 4: Protect the WAN Interface with ACLs

Before proceeding with the IPsec site-to-site VPN tunnel, it is critical to apply Access Control Lists (ACLs) to the WAN interface.

The reason is that a WAN interface exposed to the internet will be probed constantly by bots attempting to log in with weak credentials. This is visible in the failed-login record kept by lastb, which must be read as root:

$ sudo lastb | head -100

Multiple ACLs can be applied to the input or output queue of an interface, ordered by sequence number. This offers a modular and scalable approach to ACLs for a given interface.

Output ACL - Reflect

The reflect action is a special action that permits output traffic and also permits the return (input) traffic belonging to the same IP flow.

Create an ACL named outbound-reflect and apply it:

acl outbound-reflect
  rule 5
    desc reflect permit outbound traffic AND permit return traffic on input
    action reflect
    ip-version ipv4
    exit
  exit
#
# Apply to interface as output ACL
interface WAN
  access-list output acl outbound-reflect sequence 10
  exit

Input ACL - DHCP Response

If using dhcp client ipv4 on the WAN interface, be sure to permit DHCP responses on destination port UDP 68 by creating an ACL named dhcp-wan and applying it:

acl dhcp-wan
  rule 1
    desc DHCP Response to client on WAN interface
    action permit
    ip-version ipv4
    protocol udp
    source port 67
    destination port 68
    exit
  exit
#
# Apply ACL to interface Access-List
interface WAN
  access-list input acl dhcp-wan sequence 5
  exit

Input ACL - SSH-WAN

To permit inbound SSH access only from specified IP hosts, create an ACL named ssh-WAN and apply it. In this example, rule 221 permits a block of IP addresses from corporate headquarters and rule 222 permits a single IP address used by a service provider for assistance:

acl ssh-WAN
  rule 221
    desc Allow SSH from HQ
    action permit
    ip-version ipv4
    protocol tcp
    destination port 22
    source address 198.51.100.0/24
    exit
  rule 222
    desc Allow SSH from service provider
    action permit
    ip-version ipv4
    protocol tcp
    destination port 22
    source address 192.0.2.88/32
    exit
  exit
#
# Apply to WAN interface as input ACL
interface WAN
  access-list input acl ssh-WAN sequence 10
  exit

Then validate that only the specified IP addresses are able to SSH to the WAN IP address of TNSR.

Note

A NAT static mapping from WAN addresses to inside addresses on port 22 (SSH) may be required.

nat static mapping tcp local 172.21.89.1 22 external WAN 22 out-to-in-only

NAT port forwarding is covered in Step 6: Port Forwarding with NAT.

Input ACL - IPsec-WAN

Configure an ACL, named ipsec-WAN, to permit three types of IPsec traffic:

  1. IP Protocol UDP; Destination Port 500: IKEv2 Message Exchange

  2. IP Protocol UDP; Destination Port 4500: NAT-T floats IPsec to UDP 4500

  3. IP Protocol 50 (ESP): the encrypted IPsec payload

acl ipsec-WAN
  rule 11
    desc Permit ESP
    action permit
    ip-version ipv4
    source address 198.51.100.120/32
    protocol 50
    exit
  rule 12
    desc IKEv2 - UDP 500
    action permit
    ip-version ipv4
    source address 198.51.100.120/32
    protocol udp
    destination port 500
    exit
  rule 13
    desc IPsec with NAT-T - UDP 4500
    action permit
    ip-version ipv4
    source address 198.51.100.120/32
    protocol udp
    destination port 4500
    exit
  exit
#
# Apply ACL to interface Access-List
interface WAN
  access-list input acl ipsec-WAN sequence 20
  exit
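As an added check (not from the TNSR documentation), the following Python script models the three WAN input ACLs above and evaluates sample packets against them, so the intended policy can be sanity-checked before it is applied. It assumes first-match evaluation in ascending sequence order and that input traffic matching no rule is dropped; the output reflect ACL is not modelled, and the test packets are constructed.

```python
# Added example: model of the WAN input ACLs (dhcp-wan, ssh-WAN, ipsec-WAN).
# Assumptions: ACLs are checked in ascending sequence order, the first
# matching rule decides, and unmatched input traffic is dropped.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    protocol: Optional[str] = None   # "udp", "tcp", "50" (ESP) or None = any
    src: str = "0.0.0.0/0"           # source address/prefix
    sport: Optional[int] = None      # source port, None = any
    dport: Optional[int] = None      # destination port, None = any

    def matches(self, pkt: dict) -> bool:
        return ((self.protocol is None or pkt["proto"] == self.protocol)
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and (self.sport is None or pkt.get("sport") == self.sport)
                and (self.dport is None or pkt.get("dport") == self.dport))


# Input ACLs applied to WAN, keyed by the sequence numbers used on the page
WAN_INPUT = {
    5:  [Rule("permit", "udp", sport=67, dport=68)],                  # dhcp-wan
    10: [Rule("permit", "tcp", "198.51.100.0/24", dport=22),         # ssh-WAN
         Rule("permit", "tcp", "192.0.2.88/32", dport=22)],
    20: [Rule("permit", "50", "198.51.100.120/32"),                   # ipsec-WAN
         Rule("permit", "udp", "198.51.100.120/32", dport=500),
         Rule("permit", "udp", "198.51.100.120/32", dport=4500)],
}


def evaluate(acls: dict, pkt: dict) -> str:
    """Return the action of the first matching rule, or 'deny' (assumed implicit deny)."""
    for seq in sorted(acls):
        for rule in acls[seq]:
            if rule.matches(pkt):
                return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample packets: HQ SSH, a stray SSH probe, ESP and NAT-T from
    # the IPsec peer, and a DHCP offer from an arbitrary server.
    for pkt in [{"proto": "tcp", "src": "198.51.100.7", "dport": 22},
                {"proto": "tcp", "src": "203.0.113.9", "dport": 22},
                {"proto": "50", "src": "198.51.100.120"},
                {"proto": "udp", "src": "198.51.100.120", "dport": 4500},
                {"proto": "udp", "src": "203.0.113.1", "sport": 67, "dport": 68}]:
        print(pkt, "->", evaluate(WAN_INPUT, pkt))
```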