Step 4: Protect the WAN Interface with ACLs
Before proceeding with the VPN IPsec site-to-site tunnel, it is critical to apply Access Control Lists (ACLs) to the WAN interface.
This is because, if the WAN interface is exposed to the internet, it will be frequently probed by bots attempting to log in using weak credentials. This can be seen by inspecting lastb:
$ sudo lastb | head -100
Multiple ACLs can be applied to the input or output queue of an interface, ordered by their sequence number. This offers a modular and scalable approach to ACLs for a given interface.
Output ACL - Reflect
The reflect ACL is a special action that permits output traffic and also permits the return, or input, traffic to match the IP flow.
Create an ACL named outbound-reflect and apply it:
acl outbound-reflect
 rule 5
  desc reflect permit outbound traffic AND permit return traffic on input
  action reflect
  ip-version ipv4
 exit
exit
#
# Apply to interface as output ACL
interface WAN
 access-list output acl outbound-reflect sequence 10
exit
Input ACL - DHCP Response
When using dhcp client ipv4 on the WAN interface, be sure to permit DHCP responses on destination port UDP 68 by creating an ACL named dhcp-wan and applying it:
acl dhcp-wan
 rule 1
  desc DHCP Response to client on WAN interface
  action permit
  ip-version ipv4
  protocol udp
  source port 67
  destination port 68
 exit
exit
#
# Apply ACL to interface Access-List
interface WAN
 access-list input acl dhcp-wan sequence 5
exit
Input ACL - SSH-WAN
To only permit inbound SSH access from specified IP hosts, create an ACL named ssh-WAN and apply it. In this example, rule 221 permits a block of IP addresses from corporate headquarters and rule 222 permits a single IP address for assistance from a service provider:
acl ssh-WAN
 rule 221
  desc Allow SSH from HQ
  action permit
  ip-version ipv4
  protocol tcp
  destination port 22
  source address 198.51.100.0/24
 exit
 rule 222
  desc Allow SSH from service provider
  action permit
  ip-version ipv4
  protocol tcp
  destination port 22
  source address 192.0.2.88/32
 exit
exit
#
# Apply to WAN interface as input ACL
interface WAN
 access-list input acl ssh-WAN sequence 10
exit
Then validate that only the specified IP addresses are able to SSH to the WAN IP address of TNSR.
A NAT static mapping from WAN addresses to inside addresses on port 22 (SSH) may be required:
nat static mapping tcp local 172.21.89.1 22 external WAN 22 out-to-in-only
NAT port forwarding is covered in Step 6: Port Forwarding with NAT.
Input ACL - IPsec-WAN
Configure an ACL, named ipsec-WAN, to permit three (3) types of traffic:
IP Protocol 50: ESP (Encapsulating Security Payload)
IP Protocol UDP; Destination Port 500: IKEv2 Message Exchange
IP Protocol UDP; Destination Port 4500: NAT-T floats IPsec to UDP 4500
acl ipsec-WAN
 rule 11
  desc Permit ESP
  action permit
  ip-version ipv4
  source address 198.51.100.120/32
  protocol 50
 exit
 rule 12
  desc IKEv2 - UDP 500
  action permit
  ip-version ipv4
  source address 198.51.100.120/32
  protocol udp
  destination port 500
 exit
 rule 13
  desc IPsec with NAT-T - UDP 4500
  action permit
  ip-version ipv4
  source address 198.51.100.120/32
  protocol udp
  destination port 4500
 exit
exit
# Apply ACL to interface Access-List
interface WAN
 access-list input acl ipsec-WAN sequence 20
exit
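As an added illustration that is not part of the original TNSR documentation, the following Python models how the three input ACLs in this step (dhcp-wan at sequence 5, ssh-WAN at 10, ipsec-WAN at 20) are walked in sequence order for a packet arriving on WAN; the ACL data is constructed from the rules above, and it assumes that a packet matching no rule in any ACL is dropped.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str              # "permit" or "deny"
    protocol: Optional[str]  # "tcp", "udp" or "50" (ESP); None matches any
    src: Optional[str]       # source CIDR; None matches any source
    sport: Optional[int]     # source port; None matches any
    dport: Optional[int]     # destination port; None matches any

class Packet(NamedTuple):
    protocol: str
    src: str
    sport: Optional[int]
    dport: Optional[int]

# Constructed from the three input ACLs in this step, keyed by the
# "sequence" value each one was applied with on interface WAN.
INPUT_ACLS = [
    (5, "dhcp-wan", [Rule("permit", "udp", None, 67, 68)]),
    (10, "ssh-WAN", [Rule("permit", "tcp", "198.51.100.0/24", None, 22),
                     Rule("permit", "tcp", "192.0.2.88/32", None, 22)]),
    (20, "ipsec-WAN", [Rule("permit", "50", "198.51.100.120/32", None, None),
                       Rule("permit", "udp", "198.51.100.120/32", None, 500),
                       Rule("permit", "udp", "198.51.100.120/32", None, 4500)]),
]

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field the rule specifies must match; None fields are wildcards."""
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def evaluate_input(pkt: Packet, acls=INPUT_ACLS):
    """Walk the ACLs in sequence order; the first matching rule decides.
    Assumption: a packet matching no rule in any ACL is dropped (implicit deny)."""
    for _seq, name, rules in sorted(acls, key=lambda entry: entry[0]):
        for rule in rules:
            if rule_matches(rule, pkt):
                return rule.action, name
    return "deny", None
```

Feeding it an SSH attempt from outside the HQ block returns ('deny', None), while the same attempt from 198.51.100.0/24 is permitted by ssh-WAN.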