VPN router question
Hey guys.
I just dedicated a 1841 ISR to a VPN tunnel with a vendor. It will only be used for the tunnel. Therefore, the public interface has a crypto map assigned to it.
I'm curious what the rest of you do to lock a router down once you have your tunnel up. What's the easiest way to prevent any other access except the tunnel? IE, what's the simplest ACL that accomplishes this?
Preciate your thoughts,
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
Comments
burbankmarc (Member, Posts: 460):
Are you filtering out all outside traffic except the tunnel, or appropriate traffic from within the tunnel?
If the former, you can permit only the far end IP and deny everything else; that cuts 99% of everything out. If you don't trust the far end you can filter it down more to permit esp/gre etc...
mikearama (Member, Posts: 749):
burbankmarc wrote: "... you can permit only the far end IP and deny everything else."
Bingo. I think that'll do nicely. Thanks.
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
millworx (Member, Posts: 290):
Considering I deal with this almost all the time at work (I manage about 800 VPN GRE tunnels), I'll just post a little config snippet. I create an ACL that I apply to the public-facing interface to allow just GRE, ISAKMP, ICMP, and telnet, and only between the source and destination. This will lock down all communication on the public IP.
ip access-list extended FIREWALL_IN
permit gre host <source ip> host <this routers ip>
permit esp host <source ip> host <this routers ip>
permit udp host <source ip> host <this routers ip> eq isakmp
permit gre host <source ip> host <this routers ip>
permit esp host <source ip> host <this routers ip>
permit udp host <source ip> host <this routers ip> eq isakmp
permit icmp host <source ip> host <this routers ip> echo
permit icmp host <source ip> host <this routers ip> echo-reply
permit icmp host <source ip> host <this routers ip> echo
permit icmp host <source ip> host <this routers ip> echo-reply
permit tcp host <source ip> host <this routers ip> eq telnet
permit tcp host <source ip> host <this routers ip> eq telnet
permit udp host <source ip> host <this routers ip> eq ntp
deny ip host <this routers ip> any log
deny ip host 0.0.0.0 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 7.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip any any log
This access list I apply on the tunnel interface to only permit traffic from the specified source and destination to traverse the tunnel, which you would tailor to your need.
ip access-list extended VPN_OUT
permit ip 10.x.x.x 0.0.0.255 192.168.x.x 0.0.0.255
Currently Reading:
CCIE: Network Security Principals and Practices
CCIE: Routing and Switching Exam Certification Guide
mzinz (Member, Posts: 328):
Thanks for that template. Looks like you had some duplicate elements.
ip access-list extended FIREWALL_IN
permit gre host <source ip> host <this routers ip>
permit esp host <source ip> host <this routers ip>
permit udp host <source ip> host <this routers ip> eq isakmp
permit icmp host <source ip> host <this routers ip> echo
permit icmp host <source ip> host <this routers ip> echo-reply
permit tcp host <source ip> host <this routers ip> eq telnet
permit udp host <source ip> host <this routers ip> eq ntp
deny ip host <this routers ip> any log
deny ip host 0.0.0.0 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 7.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip any any log
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801
millworx (Member, Posts: 290):
Oops, sorry about that, on my end they aren't duplicates. They were there to allow the failover router to communicate to it as well. I just forgot to take them out. =] Hope it helps.
Currently Reading:
CCIE: Network Security Principals and Practices
CCIE: Routing and Switching Exam Certification Guide
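An added example, not code from any poster in this thread: a small Python model of IOS extended-ACL first-match evaluation, run over the de-duplicated FIREWALL_IN template above with the <source ip> and <this routers ip> placeholders filled in with constructed documentation addresses (203.0.113.10 for the vendor peer, 198.51.100.1 for the router). It shows which line admits each kind of peer traffic, that anything else from the peer (here, SSH) and anything from any other source falls through to the final logged deny, and that the anti-spoofing lines catch RFC 1918 sources and the router's own address before the catch-all, which is what makes their separate log messages useful for telling spoofing apart from ordinary scanning. The traffic cases are constructed; only the permit/deny lines come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PEER = "203.0.113.10"    # assumed vendor VPN endpoint (TEST-NET-3, constructed)
ROUTER = "198.51.100.1"  # assumed public IP of this router (TEST-NET-2, constructed)

# The thread's template with <source ip> and <this routers ip> filled in.
FIREWALL_IN = f"""
ip access-list extended FIREWALL_IN
 permit gre host {PEER} host {ROUTER}
 permit esp host {PEER} host {ROUTER}
 permit udp host {PEER} host {ROUTER} eq isakmp
 permit icmp host {PEER} host {ROUTER} echo
 permit icmp host {PEER} host {ROUTER} echo-reply
 permit tcp host {PEER} host {ROUTER} eq telnet
 permit udp host {PEER} host {ROUTER} eq ntp
 deny ip host {ROUTER} any log
 deny ip host 0.0.0.0 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 224.0.0.0 7.255.255.255 any log
 deny ip 255.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip any any log
"""

PORT_NAMES = {"isakmp": 500, "telnet": 23, "ntp": 123}  # IOS port keywords used above
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass(frozen=True)
class AddrMatch:
    """IOS address plus wildcard: a 1 bit in the wildcard means 'don't care'."""
    base: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        keep = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.ip_address(ip)) & keep) == (self.base & keep)


@dataclass
class Entry:
    action: str
    proto: str
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int] = None      # only for "eq <port>" entries
    icmp_type: Optional[int] = None  # only for icmp entries with a type keyword


@dataclass
class Packet:
    proto: str            # "gre", "esp", "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # TCP/UDP destination port
    icmp_type: int = -1   # ICMP type, -1 when not ICMP


def _parse_addr(tok: List[str], i: int) -> Tuple[AddrMatch, int]:
    # Consume "any", "host A" or "A WILDCARD" starting at tok[i].
    if tok[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return AddrMatch(int(ipaddress.ip_address(tok[i + 1])), 0), i + 2
    return AddrMatch(int(ipaddress.ip_address(tok[i])), int(ipaddress.ip_address(tok[i + 1]))), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse permit/deny lines in order; the 'ip access-list' header and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        e = Entry(tok[0], tok[1], src, dst)
        while i < len(tok):
            if tok[i] == "eq":
                e.dport = PORT_NAMES[tok[i + 1]] if tok[i + 1] in PORT_NAMES else int(tok[i + 1])
                i += 2
            elif e.proto == "icmp" and tok[i] in ICMP_TYPES:
                e.icmp_type = ICMP_TYPES[tok[i]]
                i += 1
            elif tok[i] == "log":   # logging does not change the match decision
                i += 1
            else:
                raise ValueError(f"unsupported token {tok[i]!r} in: {line.strip()}")
        entries.append(e)
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match means IOS's implicit deny (index None)."""
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (e.src.matches(pkt.src) and e.dst.matches(pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action, idx
    return "deny", None


ENTRIES = parse_acl(FIREWALL_IN)

# Constructed traffic: what the tunnel needs, plus the packets the deny lines exist for.
CASES = {
    "peer_esp": Packet("esp", PEER, ROUTER),
    "peer_isakmp": Packet("udp", PEER, ROUTER, dport=500),
    "peer_ping": Packet("icmp", PEER, ROUTER, icmp_type=8),
    "peer_ssh": Packet("tcp", PEER, ROUTER, dport=22),                 # not in the permit list
    "stranger_isakmp": Packet("udp", "192.0.2.77", ROUTER, dport=500),  # some other host
    "spoofed_rfc1918": Packet("udp", "10.1.2.3", ROUTER, dport=500),
    "spoofed_own_ip": Packet("esp", ROUTER, ROUTER),
}


def audit() -> dict:
    """Map each case name to (action, index of the ACL line that decided it)."""
    return {name: evaluate(ENTRIES, pkt) for name, pkt in CASES.items()}


if __name__ == "__main__":
    for name, (action, idx) in audit().items():
        print(f"{name:16s} {action:6s} decided by line {idx}")
```

Running it lists every case with the index of the line that decided it: the peer's ESP, ISAKMP and ping are admitted by lines 1 to 3, the peer's SSH and the stranger's ISAKMP fall to the final `deny ip any any log` (line 15), while the RFC 1918 source and the router's own address are stopped earlier by their dedicated lines (12 and 7). Two things worth knowing when adapting the template: `permit tcp ... eq telnet` admits cleartext management sessions from the peer address, and `224.0.0.0 7.255.255.255` covers only 224.0.0.0/5, so a multicast-range source between 232.0.0.0 and 239.255.255.255 is still dropped, but by the catch-all line rather than the one meant for it, which matters only for how the drop is logged.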