I've got a NetVanta 3450. Pretty basic setup, with a web server and other things on the internal network. It was originally configured with the firewall wizard, so I've got the "public" and "private" security zones set up.
Today I had a problem with someone from the outside repeatedly submitting a form on my website attempting a SQL injection. I know I could block him in the script for the form submission, but thought it would be easy just to add a filter rule to the router. I found that I couldn't get that to work at all.
In the "public" zone, I tried creating a "Filter" policy specifying the exact source IP address 113.23.8.217/255.255.255.255 and when that failed, I tried setting it to a whole subnet like 113.23.0.0/255.255.0.0. That didn't work.
(Each time I created a policy, I did move it to the top of the list of all my policies)
After that didn't work, I tried creating an "Advanced" policy, using "Discard" as the action, and specifying both the IP and the subnet in the Traffic Selector. Not being sure, I even tried with the traffic selector set to Type "Deny" and "Permit".
I tried creating the filters in the "Private" zone, although I'm pretty sure that's not right.
What am I doing wrong? How do I block a certain address from getting into my web server (or anything else for that matter)?
Any help would be greatly appreciated. Thanks!
Can you post the CLI configuration of your ACLs, public policy and private policy?
I just posted an update right when you posted your config. I'll take a look and repost. Thanks.
Hopefully this is what you want. This is the entire config. If you need anything else, please give me some instructions on how to get it.
!
! ADTRAN, Inc. OS version 17.08.03.01.E
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3450, part number 1200823G1
! Serial number LBADTN0929AH011
!
!
hostname "NV3450"
enable password XXXXXX
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip routing
!
!
ip domain-proxy
!
!
no auto-config
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "administrator" password "XXXXXX"
username "admin" password "XXXXXX"
username "vpnuser" password "XXXXXX"
username "remotevpn" password "XXXXXX"
username "vpnaccess" password "XXXXXX"
!
#
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
aaa on
ftp authentication LoginUseLocalUsers
!
!
aaa authentication login LoginUseTacacs group tacacs+
aaa authentication login LoginUseRadius group radius
aaa authentication login LoginUseLocalUsers local
aaa authentication login LoginUseLinePass line
!
aaa authentication enable default enable
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
ip crypto
!
crypto ike client configuration pool RemoteCS
!
crypto ike policy 100
no initiate
respond anymode
local-id address 10.0.0.16
peer any
client configuration pool RemoteCS
attribute 1
hash md5
authentication pre-share
attribute 2
encryption 3des
hash md5
authentication pre-share
!
crypto ike remote-id fqdn 65.103.165.0 preshared-key XXXXXXXXXXXXXXX ike-policy 100 no-mode-config no-xauth
crypto ike remote-id any preshared-key XXXXXXXXXXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
crypto map VPN 10 ipsec-ike
description Retail 2
match address VPN-10-vpn-selectors
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
!
!
!
!
!
no ethernet cfm
interface eth 0/1
description Local
ip address 10.0.0.16 255.255.0.0
ip address 10.100.0.1 255.255.255.0 secondary
ip address 192.168.168.1 255.255.255.0 secondary
access-policy Private
media-gateway ip primary
no shutdown
!
!
interface eth 0/2
description Fiber
ip address XXX.XX.XXX.61 255.255.255.0
ip address range XXX.XX.XXX.46 XXX.XX.XXX.54 255.255.255.0 secondary
ip address XXX.XX.XXX.56 255.255.255.0 secondary
ip address range XXX.XX.XXX.58 XXX.XX.XXX.60 255.255.255.0 secondary
access-policy Public
crypto map VPN
no awcp
no shutdown
!
!
!
!
ip access-list standard wizard-ics
remark NAT list wizard-ics
deny 10.0.10.0 0.0.0.255 log
permit 10.0.5.0 0.0.0.255 log
permit 10.0.15.0 0.0.0.255 log
permit host 10.0.0.135 log
permit 10.0.11.0 0.0.0.255 log
permit 192.168.168.0 0.0.0.255 log
deny any
!
!
ip access-list extended VPN-10-vpn-selectors
permit ip 10.0.0.0 0.0.255.255 192.168.141.0 0.0.0.255
permit ip 10.0.0.0 0.0.255.255 10.140.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.255.255 10.1.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.255.255 10.2.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.255.255 10.13.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.255.255 10.15.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.255.255 10.12.0.0 0.0.255.255
!
ip access-list extended web-acl-10
remark .52:web -> .40 store/referee/eflyer
permit tcp any host XXX.XX.XXX.52 eq www log
permit tcp any host XXX.XX.XXX.52 eq https log
permit tcp any host XXX.XX.XXX.52 eq 2121 log
!
ip access-list extended web-acl-11
remark .46/48:25 -> .9 Barracuda In
permit tcp any host XXX.XX.XXX.46 eq smtp log
permit tcp any host XXX.XX.XXX.48 eq smtp log
!
ip access-list extended web-acl-12
remark .51:13389 ->.49 remote for Alan
permit tcp any host XXX.XX.XXX.51 eq 13389 log
!
ip access-list extended web-acl-13
remark .51:22600 -> .252 Camera Server
permit tcp any host XXX.XX.XXX.51 range 22600 22620 log
permit udp any host XXX.XX.XXX.51 range 22600 22620 log
!
ip access-list extended web-acl-14
remark .51:13289 -> .34 Jill Remote Access
permit tcp any host XXX.XX.XXX.51 eq 13289 log
!
ip access-list extended web-acl-16
remark Email Outbound
deny ip host 10.0.0.12 any log
deny ip host 10.0.0.26 any log
permit ip host 10.0.0.35 any log
permit ip host 10.0.0.11 any log
!
ip access-list extended web-acl-17
remark ArgoRelay Out
permit ip host 10.0.0.2 any log
!
ip access-list extended web-acl-18
remark .59:XXXXX ->.28 Into My PC
permit tcp any host XXX.XX.XXX.59 eq XXXXX log
!
ip access-list extended web-acl-19
remark .53:80 -> .38 Eflyer Redirect ADDED
permit tcp any host XXX.XX.XXX.53 eq www log
!
ip access-list extended web-acl-20
remark Exchange Outbound
permit ip host 10.0.0.12 any log
permit ip host 10.0.0.26 any log
permit ip host 10.0.5.20 any log
permit ip 10.0.85.0 0.0.0.255 any log
permit ip host 10.0.11.172 any log
permit ip host 10.0.11.173 any log
permit ip host 10.0.11.180 any log
permit ip host 10.0.11.181 any log
!
ip access-list extended web-acl-21
remark .60:80 -> 11.172 Ex2003 FE
permit tcp any host XXX.XX.XXX.60 eq www log
permit tcp any host XXX.XX.XXX.60 eq https log
permit tcp any host XXX.XX.XXX.60 eq pop3 log
permit tcp any host XXX.XX.XXX.60 eq 143 log
!
ip access-list extended web-acl-22
remark .46:9925 -> .5.101 Open SMTP
permit tcp any host XXX.XX.XXX.46 eq 9925 log
deny tcp any host XXX.XX.XXX.46 eq 465 log
!
ip access-list extended web-acl-23
remark .47:web -> .11.180 Exch MOBILE
permit tcp any host XXX.XX.XXX.47 eq www log
permit tcp any host XXX.XX.XXX.47 eq https log
permit tcp any host XXX.XX.XXX.47 eq 143 log
permit tcp any host XXX.XX.XXX.47 eq pop3 log
!
ip access-list extended web-acl-24
remark .51:13391 ->.7.10 remote for Island
permit tcp any host XXX.XX.XXX.51 eq 13391 log
!
ip access-list extended web-acl-26
remark Allow 80 & 443 On 10.0.10.x Wkstns
permit tcp 10.0.10.0 0.0.0.255 any eq www log
permit tcp 10.0.10.0 0.0.0.255 any eq https log
permit tcp 10.0.10.0 0.0.0.255 any eq 2525 log
!
ip access-list extended web-acl-27
remark IT out on .52
permit ip 10.0.11.0 0.0.0.255 any log
permit ip host 10.0.188.231 any log
permit ip host 10.0.0.231 any log
permit ip 10.100.0.0 0.0.0.255 any log
permit ip host 10.0.0.9 any log
permit ip host 10.0.0.6 any log
permit ip 10.0.85.0 0.0.0.255 any log
permit tcp host 10.0.0.32 any log
permit ip host 10.0.7.10 any log
permit ip host 10.0.0.223 any log
permit ip host 10.0.0.31 any log
!
ip access-list extended web-acl-28
remark .51:13988 -> .244 Phil Remote
permit tcp any host XXX.XX.XXX.51 eq 13988 log
!
ip access-list extended web-acl-29
remark .59 BRYAN STT into MAS
deny tcp any host XXX.XX.XXX.59 eq 13389 log
!
ip access-list extended web-acl-30
remark Kill Hack Attempt
permit ip host 113.23.8.217 any
!
ip access-list extended web-acl-31
remark Hacks
permit ip 212.92.0.0 0.0.255.255 any
!
ip access-list extended web-acl-32
remark .46 -> 11.172 WEBMAIL 03CAS
permit tcp any host XXX.XX.XXX.46 eq www log
permit tcp any host XXX.XX.XXX.46 eq https log
permit tcp any host XXX.XX.XXX.46 eq 143 log
permit tcp any host XXX.XX.XXX.46 eq pop3 log
!
ip access-list extended web-acl-33
remark CS .59 Inbound
deny tcp any host XXX.XX.XXX.59 eq www log
permit tcp any host XXX.XX.XXX.59 range 29000 29050 log
permit udp any host XXX.XX.XXX.59 range 29000 29050 log
!
ip access-list extended web-acl-34
remark CS .59 out
permit ip host 10.0.85.170 any log
!
ip access-list extended web-acl-35
remark E-Vault Outbound
permit tcp any any eq 2547 log
permit tcp any any eq 12547 log
permit tcp any any eq 2546 log
permit tcp any any eq 807 log
permit tcp any any range 8086 8089 log
permit tcp any any eq 9997 log
!
ip access-list extended web-acl-37
remark NamesNumbersForm
permit ip 96.47.224.0 0.0.0.255 any
!
ip access-list extended web-acl-39
remark NamesNumsProblem
deny ip host 113.23.8.217 any log
!
ip access-list extended web-acl-40
remark NameNumHck
permit ip 113.23.0.0 0.0.255.255 any
!
ip access-list extended web-acl-43
remark IP Phone PF
permit ip any host XXX.XX.XXX.58 log
!
ip access-list extended web-acl-45
remark .54 -> .37 image.TGE.com
permit tcp any host XXX.XX.XXX.54 eq www log
!
ip access-list extended web-acl-47
remark Cell Relay Outbound
permit ip host 10.0.5.101 any log
!
ip access-list extended web-acl-5
remark .46:80,143 -> .12 Email WEBMAIL
permit tcp any host XXX.XX.XXX.46 eq www log
permit tcp any host XXX.XX.XXX.46 eq 143 log
permit tcp any host XXX.XX.XXX.46 eq pop3 log
!
ip access-list extended web-acl-6
remark .48:53 -> .251 DNS -> VServer
permit tcp any host XXX.XX.XXX.48 eq domain log
permit udp any host XXX.XX.XXX.48 eq domain log
!
ip access-list extended web-acl-7
remark .49:80,443,21 -> .35 Mainweb - www.XXX.com
permit tcp any host XXX.XX.XXX.49 eq www log
permit tcp any host XXX.XX.XXX.49 eq https log
permit tcp any host XXX.XX.XXX.49 eq 2121 log
!
ip access-list extended web-acl-8
remark .50:80 -> .36 art/designs/remote
permit tcp any host XXX.XX.XXX.50 eq www log
permit tcp any host XXX.XX.XXX.50 eq 2121 log
!
ip access-list extended web-acl-9
remark .51:80,443 -> .39 XXXX.com
permit tcp any host XXX.XX.XXX.51 eq www log
permit tcp any host XXX.XX.XXX.51 eq https log
!
!
ip policy-class Private
discard list web-acl-40
allow list VPN-10-vpn-selectors stateless
nat source list web-acl-47 address XXX.XX.XXX.59 overload
nat source list web-acl-35 address XXX.XX.XXX.52 overload
nat source list web-acl-20 address XXX.XX.XXX.48 overload
nat source list web-acl-27 address XXX.XX.XXX.52 overload
nat source list web-acl-34 address XXX.XX.XXX.59 overload
nat source list web-acl-16 address XXX.XX.XXX.46 overload
nat source list web-acl-17 address XXX.XX.XXX.46 overload
nat source list web-acl-26 address XXX.XX.XXX.51 overload
nat source list wizard-ics address XXX.XX.XXX.51 overload
!
ip policy-class Public
discard list web-acl-39
discard list web-acl-30
discard list web-acl-37
discard list web-acl-31
allow reverse list VPN-10-vpn-selectors stateless
nat destination list web-acl-19 address 10.0.0.40
nat destination list web-acl-32 address 10.0.11.180
nat destination list web-acl-5 address 10.0.0.12
nat destination list web-acl-6 address 10.0.0.11
nat destination list web-acl-7 address 10.0.0.35
nat destination list web-acl-8 address 10.0.0.36
nat destination list web-acl-9 address 10.0.0.39
nat destination list web-acl-10 address 10.0.0.40
nat destination list web-acl-11 address 10.0.0.9
nat destination list web-acl-12 address 10.0.10.35 port 3389
nat destination list web-acl-13 address 10.0.0.252
nat destination list web-acl-14 address 10.0.0.34 port 3389
nat destination list web-acl-18 address 10.0.11.28 port 3389
nat destination list web-acl-21 address 10.0.11.172
nat destination list web-acl-22 address 10.0.5.101
nat destination list web-acl-23 address 10.0.11.180
nat destination list web-acl-24 address 10.0.7.10 port 3389
nat destination list web-acl-28 address 10.0.0.244 port 3389
nat destination list web-acl-29 address 10.0.188.231 port 5900
nat destination list web-acl-33 address 10.0.85.170
nat destination list web-acl-43 address 10.0.0.233
nat destination list web-acl-45 address 10.0.0.37
!
!
!
ip route 0.0.0.0 0.0.0.0 XXX.XX.XXX.1
!
no ip tftp server
no ip tftp server overwrite
ip http authentication LoginUseLocalUsers
ip http server
ip http secure-server
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
line con 0
login authentication LoginUseLinePass
!
line telnet 0 4
login authentication LoginUseLinePass
password XXXXXX
no shutdown
line ssh 0 4
login authentication LoginUseLocalUsers
no shutdown
!
!
!
!
!
Your ACLs are correct. I believe you need to simply apply the lists to "self" in the policy. Applying "self" should "Discard packets permitted by ACL and destined for any local interface".
ip policy-class Public
discard list web-acl-39 self
discard list web-acl-30 self
discard list web-acl-37 self
discard list web-acl-31 self
allow reverse list VPN-10-vpn-selectors stateless
nat destination list web-acl-19 address 10.0.0.40
nat destination list web-acl-32 address 10.0.11.180
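An added example, not part of petersjncv's reply above, spelling out both forms of the discard entry on the CLI. The ACL names here are mine; the attacker address, the wildcard masks and the Public policy-class name come from the posted config. Two points the posted config itself illustrates: an ACL referenced by a discard entry only matches on its permit lines (a deny line means "skip this entry", so web-acl-39 as posted, which only has a deny line, matches nothing), and "discard list ... self" covers only traffic addressed to the router's own interfaces, exactly as the quoted help text says, so the plain "discard list" entry is the one that stops the attacker from reaching a server that sits behind a "nat destination" entry.

```text
! ACL used by a discard entry: "permit" = this traffic is matched and
! discarded; "deny" = this entry is skipped. web-acl-39 in the posted
! config uses "deny", so its discard entry never matches anything.
ip access-list extended block-attacker
remark Single host from the thread (113.23.8.217)
permit ip host 113.23.8.217 any log
!
ip access-list extended block-attacker-net
remark Whole /16; AOS ACLs take a wildcard mask, not a subnet mask
permit ip 113.23.0.0 0.0.255.255 any log
!
! Policy-class entries are evaluated top down and the first match wins,
! so the discard entries must sit above the "nat destination" entries
! (the GUI equivalent is moving the new policy to the top of the list).
ip policy-class Public
! Forwarded traffic, including sessions that would be NAT'd to the
! web server: discard without "self"
discard list block-attacker
discard list block-attacker-net
! Traffic addressed to the router's own addresses (management, VPN
! endpoint): "self" covers only this, it does not protect the NAT'd
! web server on its own
discard list block-attacker self
! existing "allow reverse" and "nat destination" entries follow unchanged
```

Either form only applies to sessions set up after the entry is added; a session that was already open when the rule went in keeps the decision the firewall made for it when it was created.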
Any chance you can tell me how to accomplish the same thing through the GUI web-interface? I'm not very good with using (or even understanding) the CLI. I do everything in the GUI.
Ok... What I think you need to do is go to Firewall -> Security Zones. Under "Edit Security Zones", click on your Public policy. Under the Configure policy screen, click on the name of the list you want to edit (should show as "discard list web-acl-39"... etc...). In the next edit screen that comes up, change "Destination Security Zone" to "self bound".
Wash, rinse, and repeat for the other policies/lists you have setup.
petersjncv, thanks for all the help so far. Your information has been helpful, and allowed me to do some more testing, and I have learned some new things regarding this. The problem is not completely solved yet, in part because my understanding of the problem was not exactly correct.
I did set the "Destination Security Zone" to "Self Bound", and it worked. The IP was blocked. However, switching it back to "Any Security Zone" also effectively blocked the remote IP. (This is all in the "Advanced" policy.) So I went back, and set up just a simple "Filter" policy, and that worked as well (blocked the IP). It appears that all the things I thought were not working when I made this post are, in fact, working correctly.
Digging into this further, from the remote IP, with it not being blocked, I open Internet Explorer and open a website that is internal to my network. Page comes up fine.
Next I add a normal "Filter" policy to my Public security zone. From the remote IP, I can click links and continue to browse around the website on my internal network, which makes it appear that the specified IP is NOT being blocked/filtered.
However, if at the remote IP I happen to click a link that opens a new browser window, then the connection is lost and IE says "can't display the page" and I find I can no longer get to the site through the NetVanta.
I have confirmed that this behavior is not due to browser cache or anything else on the client side. I've also confirmed that the behavior is the same whether I use a "filter" policy, or an "advanced" policy with destination set to "Any" or "self".
Once IE makes a connection through the NetVanta, it appears to be able to keep that connection alive even though a filter is added in the NetVanta for that remote IP.
This also explains the reason I made the original post. The person/script attempting to hack one of our sites was able to keep the connection alive, so even though I had created filters in various ways, they were able to maintain their connection through the firewall.
So my original question, had I known this, should have been something more like "How do I stop an active intrusion attempt from a remote IP at the time it's going on?". Or maybe "How do I stop an active connection through my router?". I don't know the right way to ask, but I hope this makes sense, it would be good to know how to do.
Thanks!
That sounds more like an open connection issue. When you create firewall rules or policies, the new rules do not affect connections that are already open through the firewall. An open TCP connection on port 80 (http) would stay open until the connection itself times out (10 minutes by default on Adtran) or the connections are reset. Thus when you click a link to open a new page, this creates a new connection that is blocked by the now in place rule but the open connection from the original page remains.
If you go to Security->Dashboard, you can see statistics for open connections. You should be able to manually reset your open connections after you change a rule, but I don't see where to do it in the GUI. I don't typically use the GUI but in the CLI you can issue "clear ip policy-sessions" and it will reset any connections open through the router.
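The procedure from the reply above as an added example, not part of the original post: add the block entry, then clear the session table so the attacker's already-open connection is re-evaluated against the new policy. Only "clear ip policy-sessions" is named in the thread; the two "show" commands are ones I am assuming are present on this firmware for checking the result.

```text
! 1. Confirm the attacker's session is still in the table. The new
!    discard entry does not touch sessions that were already open,
!    which is why the browser kept working until it opened a new one.
show ip policy-sessions
!
! 2. Drop every session the firewall is tracking. This resets the
!    attacker's connection, but also every other tracked session
!    through the router, so users will see a brief interruption.
!    Expect this right after any rule change meant to cut off live
!    traffic; the rule alone is not enough.
clear ip policy-sessions
!
! 3. Re-check. The attacker's entry should be gone and not reappear,
!    while the discard counters rise with each new attempt.
show ip policy-sessions
show ip policy-stats
```

Sessions also expire on their own once idle (the reply above gives 10 minutes as the default), so without the clear step an attacker who keeps the connection busy can ride it past the new rule indefinitely.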
Thank you!
If I create a firewall rule, can I just block certain IPs as well? Through the GUI or CLI?