labunix's blog

labunix's Lab Unix

Cisco892J as a plain L3 router: Syslog forwarding and ACL logging

■Cisco892J as a plain L3 router: Syslog forwarding and ACL logging
 Logs are handy in all sorts of ways.
 This is a VLAN-free configuration, as an alternative to the following:
 ※No NAT is configured on the Cisco892J this time.

 Setting up port forwarding (NAT) on a Fortigate-80C.
 http://labunix.hateblo.jp/entry/20150222/1424613472

■L3 configuration for "Fe8 (LAN) -> Ge0 (WAN)"
 "Fe0" through "Fe7" are fixed L2 switch ports, so Fe8 and Ge0 are the only routed ports.
 The `ip route 172.31.31.0 255.255.255.0 172.31.31.254` entry is redundant with the connected route on Fe8 (a connected route always wins over a static one), so it is harmless but unnecessary.

# configure terminal
interface FastEthernet8
 ip address 172.31.31.252 255.255.255.0
 shutdown
interface GigabitEthernet0
 ip address 192.168.1.252 255.255.255.248
 shutdown
 exit
 ip route 172.31.31.0 255.255.255.0 172.31.31.254 
 ip route 0.0.0.0 0.0.0.0 192.168.1.254
 end

■Once you are ready to check connectivity, bring the interfaces up administratively

# configure terminal
interface FastEthernet8
 no shutdown
interface GigabitEthernet0
 no shutdown
 end

■NTP server configuration
 You may rarely have occasion to synchronize from the "Internal" side.
 This is just groundwork for later.
 Right after the command the association still shows ".INIT." with reach 0 and stratum 16, as in the output below; give it a few poll intervals before judging whether it works.

# configure terminal
ntp server 172.31.31.254
 exit
 show ntp associations 
 show ntp status
 show ntp information
 show ntp packets 


  address         ref clock       st   when   poll reach  delay  offset   disp
 ~172.31.31.254   .INIT.          16     60     64     0  0.000   0.000 15937.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**21
ntp uptime is 47700 (1/100 of seconds), resolution is 4000
reference time is D915A40D.DCCDED51 (15:15:25.862 UTC Sun May 31 2015)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 108 sec ago.

Ntp Software Name       :  Cisco-ntpv4 
Ntp Software Version    :  Cisco-ntpv4-1.0 
Ntp Software Vendor     :  CISCO 
Ntp System Type         :  Cisco IOS / MPC8300 

Ntp In packets                  :  10 
Ntp Out packets                 :  20 
Ntp bad version packets         :  0 
Ntp protocol error packets      :  0 

■Syslog destination (rsyslog.conf) configuration
 The "& ~" discard action is the legacy spelling; rsyslog 7 and later prefer "& stop". Syslog over UDP 514 is neither authenticated nor encrypted, so keep the listener reachable only from the management segment.

$ grep -A 1 "172.31.31.252\|imudp" /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
--
:fromhost-ip, isequal, "172.31.31.252" /var/log/Cisco892J.log
& ~

$ sudo /etc/init.d/rsyslog restart

■Cisco892J syslog sender configuration
 The default "logging trap" level is informational (6), so the %SEC-6 ACL messages later on are forwarded without any further change.

# configure terminal
logging 172.31.31.254
 logging source-interface fastEthernet 8
 end

■Repeat "configure terminal" and "end" about three times and confirm the messages are being forwarded

$ sudo tail -f /var/log/Cisco892J.log 
Jun  1 00:24:11 172.31.31.252 69: May 31 15:24:10.802: %SYS-5-CONFIG_I: Configured from console by console
Jun  1 00:25:31 172.31.31.252 70: May 31 15:25:30.835: %SYS-5-CONFIG_I: Configured from console by console
Jun  1 00:25:44 172.31.31.252 71: May 31 15:25:43.531: %SYS-5-CONFIG_I: Configured from console by console

■Allow Telnet
 Note that "username ... password" stores the credential reversibly (type 7 at best); "username ... secret" stores a hash. Telnet itself is cleartext; the ACL in the next section at least limits where it can be reached from.

#configure terminal 
 username labunix password XXXXXXXX
 line vty 0 4
 transport input telnet
 login local
 end

■Restrict inbound traffic to Telnet only and log it

# configure terminal
access-list 100 permit tcp 172.31.31.0 0.0.0.255 gt 1023 host 172.31.31.252 eq 23 log telnetlog
access-list 100 deny tcp any any log deny-log
interface fastEthernet 8
 ip access-group 100 in
 end

■Try logging in over Telnet.

$ telnet 172.31.31.252
Trying 172.31.31.252...
Connected to 172.31.31.252.
Escape character is '^]'.

User Access Verification

Username: labunix
Password: 
Router>

■Check the forwarded syslog
 It shows up about 5 seconds after it appears on the console.
 The leading "." on the router timestamp means the clock is authoritative but NTP is not synchronized; keep that in mind when correlating with the rsyslog timestamp.

$ sudo tail -f /var/log/Cisco892J.log | sed -e 's/ list 100/\n&/g'
Jun  1 00:49:02 172.31.31.252 98: .May 31 15:49:01.435: %SEC-6-IPACCESSLOGP:
 list 100 permitted tcp 172.31.31.254(36515) -> 172.31.31.252(23), 1 packet  [telnetlog]

■For example, the mail port should be blocked.

$ telnet 172.31.31.252 25
Trying 172.31.31.252...
telnet: Unable to connect to remote host: No route to host

$ sudo tail -f /var/log/Cisco892J.log | sed -e 's/ list 100/\n&/g'
Jun  1 00:49:46 172.31.31.252 99: .May 31 15:49:45.804: %SEC-6-IPACCESSLOGP:
 list 100 denied tcp 172.31.31.254(40585) -> 172.31.31.252(25), 1 packet  [deny-log]
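The two forwarded lines above are the raw material for detection. As an added example (not part of the original post), here is a small Python parser that picks the ACL fields out of the rsyslog file, sums packet counts per action and tag, and flags a source that was denied on several distinct ports. The sample log lines are constructed to match the formats shown on this page; the IPACCESSLOGDP (ICMP) form is the standard IOS message format but does not appear on the page itself.

```python
"""Parse Cisco IOS ACL log messages (%SEC-6-IPACCESSLOGP / IPACCESSLOGDP)
as forwarded by rsyslog into /var/log/Cisco892J.log, and flag noisy sources.

Added example, not from the original post. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

# Layer-4 form, as on the page:
# "list 100 permitted tcp 172.31.31.254(36515) -> 172.31.31.252(23), 1 packet  [telnetlog]"
_L4 = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
    r"(?:\s+\[(?P<tag>[^\]]+)\])?"
)
# ICMP form (standard IOS format, not shown on the page):
# "list 100 denied icmp 172.31.31.10 -> 172.31.31.252 (8/0), 1 packet"
_ICMP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>icmp) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<itype>\d+)/(?P<icode>\d+)\), (?P<count>\d+) packets?"
    r"(?:\s+\[(?P<tag>[^\]]+)\])?"
)


def parse_line(line):
    """Return a dict of ACL log fields, or None for any other syslog line."""
    for rx in (_L4, _ICMP):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            for k in ("sport", "dport", "itype", "icode", "count"):
                if rec.get(k) is not None:
                    rec[k] = int(rec[k])
            return rec
    return None


def summarize(lines, scan_threshold=3):
    """Aggregate ACL hits from an iterable of raw syslog lines.

    IOS logs the first matching packet immediately and afterwards only a
    summary ("N packets") per log-update interval, so packet counts are
    summed from the count field rather than counted per line.
    Returns (per_tag_packets, scanners): per_tag_packets maps
    (action, tag) -> packets; scanners lists sources denied on at least
    `scan_threshold` distinct destination ports (a crude scan heuristic).
    """
    per_tag = defaultdict(int)
    denied_ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_tag[(rec["action"], rec["tag"] or "-")] += rec["count"]
        if rec["action"] == "denied" and rec.get("dport") is not None:
            denied_ports[rec["src"]].add(rec["dport"])
    scanners = sorted(s for s, p in denied_ports.items() if len(p) >= scan_threshold)
    return dict(per_tag), scanners


# Constructed sample input modelled on the page's log lines.
SAMPLE_LOG = """\
Jun  1 00:49:02 172.31.31.252 98: .May 31 15:49:01.435: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 172.31.31.254(36515) -> 172.31.31.252(23), 1 packet  [telnetlog]
Jun  1 00:49:46 172.31.31.252 99: .May 31 15:49:45.804: %SEC-6-IPACCESSLOGP: list 100 denied tcp 172.31.31.254(40585) -> 172.31.31.252(25), 1 packet  [deny-log]
Jun  1 00:50:01 172.31.31.252 100: .May 31 15:50:00.120: %SEC-6-IPACCESSLOGP: list 100 denied tcp 172.31.31.254(40590) -> 172.31.31.252(22), 1 packet  [deny-log]
Jun  1 00:50:05 172.31.31.252 101: .May 31 15:50:04.311: %SEC-6-IPACCESSLOGP: list 100 denied tcp 172.31.31.254(40591) -> 172.31.31.252(80), 1 packet  [deny-log]
Jun  1 00:55:02 172.31.31.252 102: .May 31 15:55:01.002: %SEC-6-IPACCESSLOGP: list 100 denied tcp 172.31.31.254(40585) -> 172.31.31.252(25), 4 packets  [deny-log]
Jun  1 00:55:10 172.31.31.252 103: .May 31 15:55:09.500: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 172.31.31.10 -> 172.31.31.252 (8/0), 1 packet
Jun  1 00:56:00 172.31.31.252 104: .May 31 15:55:59.000: %SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    totals, scanners = summarize(SAMPLE_LOG.splitlines())
    for (action, tag), n in sorted(totals.items()):
        print(f"{action:9s} {tag:10s} {n} packets")
    print("possible port scans from:", scanners)
```

The count field matters because IOS does not emit one line per packet: after the first hit it only reports a summary every 5 minutes by default (the per-packet trigger is tunable with "ip access-list log-update threshold"), so counting lines would badly undercount what the ACL actually saw.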

■Traffic that falls through to the implicit deny, which has no log keyword (ICMP here), is blocked but produces no log entry.
 The "Packet filtered" reply is the ICMP administratively-prohibited message the router sends back (the same thing behind "No route to host" in the port 25 test); it tells the sender an ACL dropped the packet, so consider "no ip unreachables" on the interface if you would rather not announce that.

$ ping -c 3 172.31.31.252
PING 172.31.31.252 (172.31.31.252) 56(84) bytes of data.
From 172.31.31.252 icmp_seq=1 Packet filtered
From 172.31.31.252 icmp_seq=2 Packet filtered
From 172.31.31.252 icmp_seq=3 Packet filtered

--- 172.31.31.252 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2000ms

■Wait for unwanted traffic in a packet capture and shut it off.
 For example, CDP packets are flowing.

$ sudo tcpdump -i eth2 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
00:59:26.834816 CDPv2, ttl: 180s, Device-ID 'Router', length 351

■Stop the CDP packets.

# configure terminal
no cdp run

■Shall we shut down the VLAN itself as well?

# configure terminal
no spanning-tree vlan 1
interface vlan 1
 shutdown
 end

■Let's log UDP other than the syslog forwarding as well.
 (Packets the router itself originates, such as the syslog and NTP it sends, are never evaluated by the inbound ACL; only what arrives on Fe8 is.)
 The log tag is being renamed anyway, so there was no real need to use "15", but here it is.

# configure terminal
ip access-list extended 100
 15 deny udp any any log deny-udp
 no 20
 20 deny tcp any any log deny-tcp
 end

#show access-lists 100
Extended IP access list 100
    10 permit tcp 172.31.31.0 0.0.0.255 gt 1023 host 172.31.31.252 eq telnet log (102 matches) (tag = telnetlog)
    15 deny udp any any log (tag = deny-udp)
    20 deny tcp any any log (tag = deny-tcp)

■NTP replies from the Internal side were blocked and showed up in the log, so exempt them.
 A server's NTP reply comes from source port 123 (and the router sends from 123 too, as the log shows), so the "gt 1023" entry alone is not enough; a second entry with "eq 123" as the source port is needed, and both must sit ahead of the deny entries.

$ sudo tail -f /var/log/Cisco892J.log | sed -e 's/ list 100/\n&/g'
Jun  1 01:13:04 172.31.31.252 109: .May 31 16:13:03.880: %SEC-6-IPACCESSLOGP:
 list 100 denied udp 172.31.31.254(123) -> 172.31.31.252(123), 1 packet  [deny-udp]

# configure terminal
ip access-list extended 100
 no 15
 no 20
 20 permit udp 172.31.31.0 0.0.0.255 gt 1023 host 172.31.31.252 eq 123
 30 permit udp 172.31.31.0 0.0.0.255 eq 123  host 172.31.31.252 eq 123
 40 deny tcp any any log deny-tcp
 50 deny udp any any log deny-udp
 end

 The output below was captured after further edits: the sequence numbers, the source range on line 10 and the ICMP entry do not correspond to the commands just entered.

#show access-lists 100
Extended IP access list 100
    10 permit tcp 172.31.31.232 0.0.0.16 gt 1023 host 172.31.31.252 eq telnet log (tag = telnetlog)
    20 permit udp 172.31.31.0 0.0.0.255 gt 1023 host 172.31.31.252 eq ntp
    25 permit udp 172.31.31.0 0.0.0.255 host 172.31.31.252 eq ntp
    30 deny tcp any any log (tag = deny-tcp)
    40 permit icmp 172.31.31.0 0.0.0.255 172.31.31.0 0.0.0.255 (10 matches)
    50 deny udp any any log (3 matches) (tag = deny-udp)
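To see why the NTP reply was denied and how the reordering fixes it without having to read router output, here is an added example (not from the original post) that evaluates packets against the two versions of ACL 100 using Cisco's first-match and wildcard-mask semantics. The packets are constructed from the log lines on this page; the "172.31.31.232 0.0.0.16" source range from line 10 of the show output above is checked as well, because a non-contiguous wildcard is easy to misread.

```python
"""Evaluate a Cisco-style extended ACL with first-match semantics and
wildcard masks, reproducing what the 892J did to the NTP reply.

Added example, not from the original post. Coverage is limited to the
forms used on the page (tcp/udp/icmp, host, wildcard, any, eq, gt, lt).
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any"
LAN = ("172.31.31.0", "0.0.0.255")     # 172.31.31.0 0.0.0.255


def host(addr):
    """'host X' is X with an all-zero wildcard."""
    return (addr, "0.0.0.0")


def _i(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base_wc):
    """Cisco wildcard mask: a 1 bit means 'don't care'. It is the inverse of a
    netmask but need not be contiguous (0.0.0.16 is legal and means
    'bit 4 of the last octet may be either value')."""
    base, wc = base_wc
    keep = ~_i(wc) & 0xFFFFFFFF
    return (_i(addr) & keep) == (_i(base) & keep)


def port_match(cond, port):
    """cond is None (any port) or ("eq" | "gt" | "lt", n)."""
    if cond is None:
        return True
    op, n = cond
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


# ACE = (seq, action, proto, src, sport_cond, dst, dport_cond, log_tag)
def evaluate(acl, pkt):
    """First match wins. Returns (seq, action, tag). The implicit deny at the
    end is reported with seq None and tag None: it never logs anything."""
    for seq, action, proto, src, sp, dst, dp, tag in acl:
        if proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src) and wildcard_match(pkt["dst"], dst)):
            continue
        if proto in ("tcp", "udp") and not (
            port_match(sp, pkt["sport"]) and port_match(dp, pkt["dport"])
        ):
            continue
        return seq, action, tag
    return None, "deny", None


R = "172.31.31.252"   # router, Fe8
H = "172.31.31.254"   # Linux host: syslog/NTP server and telnet client

# ACL 100 as it stood when the NTP reply was logged as denied
ACL_BEFORE = [
    (10, "permit", "tcp", LAN, ("gt", 1023), host(R), ("eq", 23), "telnetlog"),
    (15, "deny",   "udp", ANY, None,         ANY,     None,       "deny-udp"),
    (20, "deny",   "tcp", ANY, None,         ANY,     None,       "deny-tcp"),
]
# ACL 100 after the NTP permits were inserted ahead of the deny entries
ACL_AFTER = [
    (10, "permit", "tcp", LAN, ("gt", 1023), host(R), ("eq", 23),  "telnetlog"),
    (20, "permit", "udp", LAN, ("gt", 1023), host(R), ("eq", 123), None),
    (30, "permit", "udp", LAN, ("eq", 123),  host(R), ("eq", 123), None),
    (40, "deny",   "tcp", ANY, None,         ANY,     None,        "deny-tcp"),
    (50, "deny",   "udp", ANY, None,         ANY,     None,        "deny-udp"),
]

# Constructed packets modelled on the page's log lines
PACKETS = {
    "ntp_reply": {"proto": "udp",  "src": H, "sport": 123,   "dst": R, "dport": 123},
    "telnet":    {"proto": "tcp",  "src": H, "sport": 36515, "dst": R, "dport": 23},
    "smtp":      {"proto": "tcp",  "src": H, "sport": 40585, "dst": R, "dport": 25},
    "icmp_echo": {"proto": "icmp", "src": H, "dst": R},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:10s} before={evaluate(ACL_BEFORE, pkt)} after={evaluate(ACL_AFTER, pkt)}")
    # the source range shown on line 10 of the later show output
    print(".254 in 172.31.31.232 0.0.0.16:", wildcard_match(H, ("172.31.31.232", "0.0.0.16")))
```

Run it and the NTP reply goes from (15, deny, deny-udp) to (30, permit) while ICMP stays on the silent implicit deny in both versions. The wildcard check also shows that "172.31.31.232 0.0.0.16" matches only .232 and .248, so a line 10 written that way would not match the telnet client at .254 at all.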

■Let's restrict the outbound direction as well.
 This need not be an extended ACL; a standard ACL would probably do, but I'll leave that aside.
 Keep in mind what "out" on Fe8 means: it filters transit traffic the router forwards out toward the LAN. Packets the router itself originates (syslog, NTP, its own pings) are never checked by an outbound ACL, so they are neither restricted nor logged by list 101.

# configure terminal 
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 23
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 25
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 53
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 80
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 443
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 3128
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 8080
access-list 101 permit udp 172.31.31.0 0.0.0.255 any eq 53
access-list 101 permit udp 172.31.31.0 0.0.0.255 any eq 123
access-list 101 permit udp 172.31.31.0 0.0.0.255 any eq 161
access-list 101 permit udp 172.31.31.0 0.0.0.255 any eq 162
access-list 101 permit udp 172.31.31.0 0.0.0.255 any eq 514
access-list 101 permit icmp 172.31.31.0 0.0.0.255 172.31.31.0 0.0.0.255
access-list 101 deny   icmp any any
access-list 101 deny   ip any any log deny-out
interface fastEthernet 8
 ip access-group 101 out
 end

■Allow ICMP within the same segment.
 That's it for today.
 Entries added in the classic "access-list 100 ..." form are appended after the existing sequence numbers, so verify the final order with "show access-lists 100". The echo reply to the router's own ping arrives inbound on Fe8 and needs this permit just as much as the host's ping does.

# configure terminal
ip access-list extended 100
 no 40
 exit
 access-list 100 permit icmp 172.31.31.0 0.0.0.255 172.31.31.0 0.0.0.255
 access-list 100 deny udp any any log deny-udp
 end

#ping 172.31.31.254   
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.31.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

$ ping -c 3 172.31.31.252
PING 172.31.31.252 (172.31.31.252) 56(84) bytes of data.
64 bytes from 172.31.31.252: icmp_req=1 ttl=255 time=0.410 ms
64 bytes from 172.31.31.252: icmp_req=2 ttl=255 time=0.407 ms
64 bytes from 172.31.31.252: icmp_req=3 ttl=255 time=0.402 ms

--- 172.31.31.252 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.402/0.406/0.410/0.016 ms