CISC-RT-000130 – The Cisco router must be configured to restrict traffic destined to itself.

Seeing no discussion of this, and no usable examples from any source, I thought I would share one way of doing it. This has not yet been through an inspector's scrutiny, but it does what the Security Technical Implementation Guide (STIG) states:

“Review the external and internal Access Control Lists (ACLs) to verify that the router is configured to only allow specific management and control plane traffic from specific sources destined to itself.”

I read this to mean that each interface carries an ACL, and that traffic destined specifically to that interface's address is filtered. Doing this per interface is fairly unwieldy, so I take advantage of Cisco object groups to make it less of a pain: instead of a custom ACL per interface, I can write one widely reusable ACL, and only the object group has to be unique per router.

To start, define the addresses assigned to the router:
object-group network This_Router
host x.x.x.x
host (repeat for each address on your router)

This group contains a host statement for each address configured on this particular router; you can use “show ip int br” to list them.
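As an added example (mine, not from the original post), here is a short Python script that turns the output of “show ip int br” into the This_Router object group. The sample output is constructed, and the interface names and addresses in it are assumptions; the script keeps only valid IPv4 addresses, so “unassigned” interfaces are skipped.

```python
from ipaddress import IPv4Address, AddressValueError

# Constructed sample of "show ip interface brief" output (not from a real device).
SHOW_IP_INT_BR = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.0.2.1       YES NVRAM  up                    up
GigabitEthernet0/1         198.51.100.1    YES NVRAM  up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
Loopback0                  203.0.113.7     YES NVRAM  up                    up
"""


def router_addresses(show_output: str) -> list[str]:
    """Return the unique IPv4 addresses assigned to interfaces, in order of appearance."""
    seen: list[str] = []
    for line in show_output.splitlines()[1:]:   # skip the column header line
        fields = line.split()
        if len(fields) < 2:
            continue
        candidate = fields[1]                   # second column is IP-Address
        try:
            IPv4Address(candidate)              # rejects "unassigned" and anything malformed
        except AddressValueError:
            continue
        if candidate not in seen:
            seen.append(candidate)
    return seen


def object_group_config(name: str, addresses: list[str]) -> str:
    """Render an IOS 'object-group network' stanza with one host entry per address."""
    lines = [f"object-group network {name}"]
    lines += [f" host {addr}" for addr in addresses]
    return "\n".join(lines)


if __name__ == "__main__":
    # Paste the real "show ip int br" output in place of the constructed sample.
    print(object_group_config("This_Router", router_addresses(SHOW_IP_INT_BR)))
```

One caveat when using this: “show ip int br” shows only each interface's primary address. Secondary addresses and any HSRP/VRRP virtual addresses this router answers for must be added to the group by hand; otherwise traffic to those addresses is not covered by the router-destined rules at all and falls through to the flow-through permits.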

You will also need object groups for management networks, voice networks (if your router is a voice gateway that requires devices to talk directly to it), scanning networks, and any other sources that must talk directly to the router. You also need an object group covering your entire address allocation, for pass-through traffic. From these, you can build a reasonably manageable ACL:

!
!
ip access-list extended STIG_RT000130
remark Management and control-plane traffic destined to this router, by source
remark Routing: a BGP peer may open the TCP session in either direction (stateless ACL)
permit tcp object-group Management_Networks eq 179 object-group This_Router
permit tcp object-group Management_Networks object-group This_Router eq 179
remark TACACS+ replies: the router opens the session, so the server answers from port 49
permit tcp object-group Management_Networks eq 49 object-group This_Router
remark RADIUS replies (UDP, not TCP): the server answers from 1812/1813
permit udp object-group Management_Networks eq 1812 object-group This_Router
permit udp object-group Management_Networks eq 1813 object-group This_Router
remark NTP replies come from source port 123
permit udp object-group Management_Networks eq 123 object-group This_Router
remark SSH and SNMP are initiated toward the router, so match the destination port
permit tcp object-group Management_Networks object-group This_Router eq 22
permit udp object-group Management_Networks object-group This_Router eq 161
remark Vulnerability scanners need to reach every port on the router
permit tcp object-group Scanning_Servers object-group This_Router
permit udp object-group Scanning_Servers object-group This_Router
remark CISC-RT-000140: drop fragmented ICMP aimed at the router
deny icmp any object-group This_Router fragments log-input
remark Permit internal networks to ping their gateways
permit icmp object-group Allocated_Networks any
deny icmp any any log-input
remark CISC-RT-000130: anything else destined to this router is denied and logged
deny ip any object-group This_Router log-input
remark Flow-through traffic
permit ip any object-group Allocated_Networks
permit ip object-group Allocated_Networks any
remark Permit DHCP requests to pass through
permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67
remark STIG requires that every ACL conclude with this
deny ip any any log-input
!
!

To test this, put a “permit ip any object-group This_Router log-input” entry directly above the “deny ip any object-group This_Router log-input” entry. Nothing is blocked while it is there, and every packet that would otherwise have hit the deny is logged (in “show log” or wherever your logs go); evaluate each hit, and if it is needed add a specific permit to the ACL.
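As an added example (not part of the original post), here is a Python script that summarizes the log-input hits so you can see what the temporary permit, and the deny, are catching. The syslog lines are constructed to follow the IOS %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP shape that log-input produces (source(port), the ingress interface and MAC in parentheses, then destination(port), or an ICMP type/code); the addresses, interface names and hits in them are assumptions.

```python
import re
from collections import Counter

# Constructed syslog excerpt (not from a real device). The shape follows what IOS
# emits for ACL entries with "log-input": source(port) (ingress-intf mac) -> dest(port).
SAMPLE_LOG = """\
Jan 10 03:12:01.123: %SEC-6-IPACCESSLOGP: list STIG_RT000130 permitted tcp 10.10.5.20(51734) (GigabitEthernet0/1 0011.2233.4455) -> 192.0.2.1(22), 1 packet
Jan 10 03:12:07.456: %SEC-6-IPACCESSLOGP: list STIG_RT000130 permitted udp 10.10.5.21(49152) (GigabitEthernet0/1 0011.2233.4466) -> 192.0.2.1(161), 3 packets
Jan 10 03:17:09.789: %SEC-6-IPACCESSLOGP: list STIG_RT000130 permitted tcp 10.10.5.20(51740) (GigabitEthernet0/1 0011.2233.4455) -> 192.0.2.1(22), 12 packets
Jan 10 03:13:15.001: %SEC-6-IPACCESSLOGDP: list STIG_RT000130 permitted icmp 10.10.9.9 (GigabitEthernet0/0 0011.2233.9999) -> 203.0.113.7 (8/0), 5 packets
Jan 10 03:14:20.222: %SEC-6-IPACCESSLOGP: list STIG_RT000130 denied tcp 198.18.0.5(40000) (GigabitEthernet0/0 0011.2233.aaaa) -> 203.0.113.7(23), 1 packet
Jan 10 03:14:25.000: %SEC-6-IPACCESSLOGP: list OTHER_ACL permitted tcp 10.10.5.20(51800) (GigabitEthernet0/1 0011.2233.4455) -> 192.0.2.1(22), 1 packet
"""

HIT_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? "
    r"(?:\((?P<intf>\S+) \S+\) )?-> "          # "(interface mac) " is present with log-input
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?"             # ICMP type/code instead of a port
    r", (?P<count>\d+) packets?"
)


def parse_hits(log_text: str, acl: str) -> list[dict]:
    """Extract the hits logged by entries of the named ACL; other ACLs' lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if m is None or m["acl"] != acl:
            continue
        hits.append({
            "action": m["action"],
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            # what the packet was for: destination port, or ICMP type/code
            "service": m["dport"] or m["icmp"] or "-",
            "intf": m["intf"] or "?",
            "count": int(m["count"]),
        })
    return hits


def summarize(hits: list[dict], action: str = "permitted") -> Counter:
    """Sum packet counts per (proto, destination, service, source, ingress interface)."""
    totals: Counter = Counter()
    for h in hits:
        if h["action"] == action:
            totals[(h["proto"], h["dst"], h["service"], h["src"], h["intf"])] += h["count"]
    return totals


if __name__ == "__main__":
    # Feed this the relevant lines from "show log" or your syslog collector.
    hits = parse_hits(SAMPLE_LOG, "STIG_RT000130")
    for action in ("permitted", "denied"):
        print(f"== {action} by STIG_RT000130 ==")
        for (proto, dst, svc, src, intf), n in summarize(hits, action).most_common():
            print(f"{n:6d} pkts  {proto:4s} {src:>15s} -> {dst}:{svc:<5s} via {intf}")
```

Packet counts are summed rather than lines counted because IOS logs the first matching packet and then emits periodic summaries carrying a count. The ingress interface that log-input records is worth checking against the source address before you add a permit: a management-network source arriving on an interface where it has no business being is something to investigate, not permit.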

A real ACL will be larger than this example and will include rules specific to your environment. You will also have to fold other STIG requirements into it (like CISC-RT-000140 in the example), since an interface can have only one ACL per direction, and this STIG requires it inbound (“ip access-group STIG_RT000130 in”).

Don’t forget to remove the ACL from your interface(s) (particularly the one you manage the router through) before modifying the ACL, or you could lock yourself out, since an empty ACL would be deny any any. It is best to do this work after hours and to start the session with “reload in 60” without writing the configuration: if you do lock yourself out, nobody's work is interrupted, and the router goes back to its pre-ACL configuration when the reload happens.
