[Solved] How to whitelist IPs on EdgeRouter X for PCI compliance?

bbhaag

Diamond Member
Jul 2, 2011
7,141
2,575
146
So I want to say that I am by no means an expert in networking. I'm having an issue with PCI compliance using Trustwave and I was hoping someone could help me with this. Trustwave's scan keeps failing us, and according to this article I need to whitelist their IPs on our router in order for their scanner to complete. All our terminals are wired back to the EdgeRouter, so there is no wireless involved.

Here's what I have done, but I have not been successful.
1. Under Firewall/NAT groups I created a new group named trustwave and added the IPs listed in the article above.
[screenshot: UhhWl28.png]

2. Under firewall policies I created a new ruleset called trustwave. I set it as the first policy and to accept any action from the group trustwave.
[screenshot: hTQg5xZ.png]


From this point on I am lost. I keep trying to get the scan to pass, but every time I get a fail. Does anyone have any suggestions? Because I am lost.
 

Carson Dyle

Diamond Member
Jul 2, 2012
8,173
524
126
n/m. I was assuming this was some type of limited access network, such as for a POS system. Is it just an office network?
 

bbhaag

Diamond Member
Jul 2, 2011
7,141
2,575
146
It's not an office network. Our credit card terminals are connected to the router. We recently updated our terminals to be chip compliant (PCI compliant) and Trustwave wants to scan the network, but I'm not sure how to whitelist their IPs in the EdgeRouter X GUI. Here's the report that Trustwave sends me. I've edited out the important parts.
[screenshot: thS55Fa.png]

[screenshot: PDgJbPx.png]

[screenshot: mTnK1rH.png]

[screenshot: x9mSoUT.png]
 

ch33zw1z

Lifer
Nov 4, 2004
39,144
19,855
146
The first parts in the link indicate that removing the host and initiating a rescan may correct this issue. Have you already done that?

The reasoning is that customers (you) may not have statically assigned IPs from their ISP.

Next, how is the ER-X configured on the WAN side?

Additional questions:

Is the ER-X new to the config?
Did this ever work with the ER-X?
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
I've only ever added to WAN_LOCAL (guides state to use WAN_IN but that never seems to work). Also if on DSL, the destination interface needs to be pppoe0 rather than ethX.
 

ch33zw1z

Lifer
Nov 4, 2004
39,144
19,855
146
I've only ever added to WAN_LOCAL (guides state to use WAN_IN but that never seems to work). Also if on DSL, the destination interface needs to be pppoe0 rather than ethX.
Yeah, gonna need a WAN config to assist more.
 

bbhaag

Diamond Member
Jul 2, 2011
7,141
2,575
146
I want to apologize for not getting back to you guys sooner. It has been very busy at work over the past week. I did take some screen caps of how my Local_wan is configured. I hope they help; if not, just let me know what you need. To answer a few questions: YES, the ER-X is new to the config, and NO, it has not worked from the beginning.
Now onto the pics.
[screenshot: nnfgN0A.png]

[screenshot: DembbkO.png]

[screenshot: lrQbRXc.png]
 

ch33zw1z

Lifer
Nov 4, 2004
39,144
19,855
146
What's between the ER-X and the internet?

What's the actual WAN config, should be on the first dashboard screen. IP, subnet etc...
 

bbhaag

Diamond Member
Jul 2, 2011
7,141
2,575
146
What's between the ER-X and the internet?

What's the actual WAN config, should be on the first dashboard screen. IP, subnet etc...
The only thing between the ER-X and the internet is the fiber modem issued by MTCO, who is our provider. I really struggle with networking, so I hope this screen cap is the one you are looking for. If it's not, please let me know.
[screenshot: 78u5q2b.png]
 

bbhaag

Diamond Member
Jul 2, 2011
7,141
2,575
146
Cool. Thanks for the link. I'll take a look at it and see if it helps. I suppose if worst comes to worst and I can't figure this out I can always sign up over at the UBNT forums and ask too. That's tough though, because everyone over there always talks in acronyms and then I have to Google the acronym to find out what they are talking about.
Anyway, thanks for the help so far I appreciate it.
 

ch33zw1z

Lifer
Nov 4, 2004
39,144
19,855
146
Cool. Thanks for the link. I'll take a look at it and see if it helps. I suppose if worst comes to worst and I can't figure this out I can always sign up over at the UBNT forums and ask too. That's tough though, because everyone over there always talks in acronyms and then I have to Google the acronym to find out what they are talking about.
Anyway, thanks for the help so far I appreciate it.
NP, that's what we're here for. And by helping you, I get to learn as well.
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
Much more info at this link here:
https://community.ubnt.com/t5/UniFi...-to-whitelist-IPs-from-Trustwave/td-p/2239068
This last clip is from the last post of that link above:
Re: How to whitelist IPs from Trustwave
We also use Trustwave PCI Compliance. All you need to do is allow ICMP from the Trustwave IPs to the WAN local. They don't need to actually port forward to the endpoint system. I have battled with Trustwave about this since there is a reason we block ICMP from the public side of the world, but apparently they need to see your public IP in order to verify the scan is getting to the right place.
 

bbhaag

Diamond Member
Jul 2, 2011
7,141
2,575
146
Much more info at this link here:
https://community.ubnt.com/t5/UniFi...-to-whitelist-IPs-from-Trustwave/td-p/2239068
This last clip is from the last post of that link above:
Re: How to whitelist IPs from Trustwave
We also use Trustwave PCI Compliance. All you need to do is allow ICMP from the Trustwave IPs to the WAN local. They don't need to actually port forward to the endpoint system. I have battled with Trustwave about this since there is a reason we block ICMP from the public side of the world, but apparently they need to see your public IP in order to verify the scan is getting to the right place.
I read through that post and I tried to set it up as described by the last poster, but it still failed. Under Local_Wan I added the group Trustwave, which includes the IPs from the article above. What should I set as my destination though? Eth0, PPPOE0, or something else?
[screenshot: VrjvTEk.png]

[screenshot: JufvCsf.png]

[screenshot: gutZLdG.png]
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
What that post said is you need to allow your modem/router to respond to an incoming ICMP (ping) request. I find most routers have that disabled by default, which is good for not being able to be found by scoundrels on the net. I also turn off incoming ICMP ping on each of my computer firewalls.
 

bbhaag

Diamond Member
Jul 2, 2011
7,141
2,575
146
What that post said is you need to allow your modem/router to respond to an incoming ICMP (ping) request. I find most routers have that disabled by default, which is good for not being able to be found by scoundrels on the net. I also turn off incoming ICMP ping on each of my computer firewalls.
Yeah, I read the post, but it's so vague. I've allowed ICMP on the Wan_Local, but it still fails... sigh. Ya know what, I know cursing isn't allowed in the tech forums, but I am sick of this shit. Fuck it, I give up. Thanks for the help guys, but networking was never my strong point and I am done trying to figure this out.
[screenshot: ki0CC7C.png]
 

bbhaag

Diamond Member
Jul 2, 2011
7,141
2,575
146
Ok, I know I said f-it and gave up, but the computer nerd in me just couldn't. I was frustrated and in a knee-jerk reaction I made the last post above. Sorry about that, guys; I know you're just trying to help me out.
So I finally got to the bottom of the ICMP issue and allowing Trustwave to scan my network, but now I have another issue revolving around TLS 1.0 and certain algorithms.
How do I disable TLS 1.0 on my EdgeRouter X? A simple web search has provided little beyond some posts on the UBNT forums, and it looks to be CLI based.... I hate the CLI, but if that is what it takes I will figure it out. Here's a new screencap. As you can see, the first four results are causing a failed status. Again, thank you to everyone for the help.
[screenshot: iF55v6y.png]
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
That kind of change will be CLI based.

Code:
set service gui older-ciphers disable
set service ssh protocol-version v2

But that should do the trick.
 

bbhaag

Diamond Member
Jul 2, 2011
7,141
2,575
146
That kind of change will be CLI based.

Code:
set service gui older-ciphers disable
set service ssh protocol-version v2

But that should do the trick.
Thank you for the response. I am very new to the CLI. I see at the top right of the EdgeOS there is a CLI button. If I click on that, it brings up another window asking for a user ID and password. Are you saying that if I enter my user ID and password and then copy and paste the commands you provided, that will solve some of my issues?
 

bbhaag

Diamond Member
Jul 2, 2011
7,141
2,575
146
Well, it looks like I have finally gotten a pass rating. As best I can tell it was allowing Trustwave to scan my network using the ICMP protocol and then disabling the older TLS 1.0 cipher on the EdgeRouter X. Thanks everyone. I really do appreciate the help and feedback that was provided.
[screenshot: tgylsZb.png]
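The two changes the thread ended on (allowing ICMP from the scanner's addresses in WAN_LOCAL, then disabling the GUI's older ciphers) can be expressed as one EdgeOS configure-mode session. This is an added example written for this thread, not configuration posted by anyone above or supplied by Ubiquiti or Trustwave. The only lines taken from the thread are XavierMace's `set service gui older-ciphers disable` and `set service ssh protocol-version v2`. The group name `trustwave`, the rule number 5 and the two addresses (198.51.100.10 and 198.51.100.20, from the documentation range) are placeholders: substitute the scanner addresses Trustwave publishes. It assumes the WAN is on eth0; on a PPPoE/DSL uplink, as PliotronX noted, the local firewall belongs on pppoe0 instead.

```edgeos
configure

# Address group for the scanner's source addresses.
# 198.51.100.10 / 198.51.100.20 are constructed placeholders, not Trustwave's real IPs.
set firewall group address-group trustwave description 'Trustwave PCI scanner'
set firewall group address-group trustwave address 198.51.100.10
set firewall group address-group trustwave address 198.51.100.20

# WAN_LOCAL filters traffic addressed to the router itself (WAN_IN filters
# traffic forwarded through it), and the scanner pings the router's public IP,
# so the accept belongs here. Rule 5 is an arbitrary low number so it is
# evaluated before the ruleset's default drop. Only ICMP, and only from the
# group: everything else from the internet still hits the default action.
set firewall name WAN_LOCAL rule 5 description 'Allow ICMP from Trustwave scanner'
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 protocol icmp
set firewall name WAN_LOCAL rule 5 source group address-group trustwave

# The ruleset only takes effect once attached as the "local" firewall of the
# WAN interface. Use "interfaces pppoe pppoe0" instead on a PPPoE uplink.
set interfaces ethernet eth0 firewall local name WAN_LOCAL

# Management-plane hardening from XavierMace's post: drop the legacy cipher
# set from the web GUI (clears the TLS 1.0 findings) and force SSH v2.
set service gui older-ciphers disable
set service ssh protocol-version v2

commit
save
exit
```

Two checks worth doing after `commit`: `show firewall name WAN_LOCAL statistics` in operational mode shows packet counters per rule, so rule 5 counting up while a scan runs confirms the scanner is actually reaching the router and matching the intended rule rather than falling through to the default drop; and because the accept is scoped to the `trustwave` address group, a ping from any other public address should still fail, which is the property bruceb's post was concerned about keeping. Keep the group current when Trustwave updates its published scanner addresses, since a stale entry silently reverts you to a failed scan.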