VPN router question

mikearama · March 2011

Hey guys.

I just dedicated a 1841 ISR to a VPN tunnel with a vendor. It will only be used for the tunnel. Therefore, the public interface has a crypto map assigned to it.

I'm curious what the rest of you do to lock a router down once you have your tunnel up. What's the easiest way to prevent any other access except the tunnel? IE, what's the simplest ACL that accomplishes this?

Preciate your thoughts,
Mike

burbankmarc · March 2011

Are you filtering out all outside traffic except the tunnel, or appropriate traffic from within the tunnel?

If the former you can permit only the far end IP and deny everything else, that cuts 99% of everything out. If you don't trust the far end you can filter it down more to permit esp/gre etc...

mikearama · March 2011

burbankmarc wrote: »

... you can permit only the far end IP and deny everything else.

Bingo. I think that'll do nicely. Thanks.

millworx · March 2011

Considering I deal with this almost all the time at work (I manage about 800 VPN GRE tunnels) I'll just post a little config snippet. I create an ACL that I apply to the public facing interface to allow just GRE, ISAKMP, ICMP, and telnet. And only between the source and destination. This will lock down all communication on the public IP

ip access-list extended FIREWALL_IN
permit gre host <source ip> host <this routers ip>
permit esp host <source ip> host <this routers ip>
permit udp host <source ip> host <this routers ip> eq isakmp
permit gre host <source ip> host <this routers ip>
permit esp host <source ip> host <this routers ip>
permit udp host <source ip> host <this routers ip> eq isakmp
permit icmp host <source ip> host <this routers ip> echo
permit icmp host <source ip> host <this routers ip> echo-reply
permit icmp host <source ip> host <this routers ip> echo
permit icmp host <source ip> host <this routers ip> echo-reply
permit tcp host <source ip> host <this routers ip> eq telnet
permit tcp host <source ip> host <this routers ip> eq telnet
permit udp host <source ip> host <this routers ip> eq ntp
deny ip host <this routers ip> any log
deny ip host 0.0.0.0 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 7.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip any any log

This access list I apply on the tunnel interface to only permit traffic from the specified source and destination to traverse the tunnel, which you would tailor to your need.

ip access-list extended VPN_OUT
permit ip 10.x.x.x 0.0.0.255 192.168.x.x 0.0.0.255

mzinz · March 2011

Thanks for that template. Looks like you had some duplicate elements.

ip access-list extended FIREWALL_IN
permit gre host <source ip> host <this routers ip>
permit esp host <source ip> host <this routers ip>
permit udp host <source ip> host <this routers ip> eq isakmp
permit icmp host <source ip> host <this routers ip> echo
permit icmp host <source ip> host <this routers ip> echo-reply
permit tcp host <source ip> host <this routers ip> eq telnet
permit udp host <source ip> host <this routers ip> eq ntp
deny ip host <this routers ip> any log
deny ip host 0.0.0.0 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 7.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip any any log

millworx · March 2011

Oops sorry about that, on my end they arent duplicates. They were there to allow the failover router to communicate to it as well. I just forgot to take them out. =] Hope it helps.

VPN router question

Comments