https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376114#M309316 <HTML><HEAD></HEAD><BODY><P>Yes but since having remote ipsec vpn should I exclude the allocated subnet range ?</P></BODY></HTML> Fri, 08 Nov 2013 20:55:05 GMT aconticisco 2013-11-08T20:55:05Z https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376112#M309314 <P>Hi,</P><P></P><P>what is the best practice to protect the WAN Interface (Dialer Interface) on ISR Router from common attacks or ip spoofing. I read about creating an ACL to include all internal ip ranges but want to get your feedback on what is best to do. Also will need to allow remote ipsecvpn client to connect from remote.</P><P></P><P>Thank You</P> Tue, 12 Mar 2019 03:02:08 GMT https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376112#M309314 aconticisco 2019-03-12T03:02:08Z https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376113#M309315 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>One common way to do it is to create an ACL denying traffic from the private IP address range comming on the outside interface.</P><P>Enabling IP RPF checks on strict mode is also a method to avoid this attacks as well.</P><P></P><P>How does that sounds to you</P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Fri, 08 Nov 2013 00:11:22 GMT https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376113#M309315 Julio Carvajal 2013-11-08T00:11:22Z https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376114#M309316 <HTML><HEAD></HEAD><BODY><P>Yes but since having remote ipsec vpn should I exclude the allocated subnet range ?</P></BODY></HTML> Fri, 08 Nov 2013 20:55:05 GMT https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376114#M309316 aconticisco 2013-11-08T20:55:05Z https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376115#M309317 <HTML><HEAD></HEAD><BODY><P>Remember the following:</P><P></P><P>sysopt connection permit-vpn is enabled by default and will make VPN traffic to bypass any Inbound ACL on the outside</P><P></P><P>U got all set now right <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN></P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Sat, 09 Nov 2013 00:10:38 GMT https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376115#M309317 Julio Carvajal 2013-11-09T00:10:38Z https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376116#M309318 <HTML><HEAD></HEAD><BODY><P>seems that the command is not available on ISR Routers:</P><P></P><P><A href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution11" style="color: #2970a6; text-decoration: none; font-size: 12px; line-height: 13px;">Verify that sysopt Commands are Present (PIX/ASA Only)</A></P><P></P><P>Command did not show up in ISR Syntax. Want to be sure of this before I apply the inbound ACL on the WAN Interface. </P></BODY></HTML> Sat, 09 Nov 2013 10:54:27 GMT https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376116#M309318 aconticisco 2013-11-09T10:54:27Z https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376117#M309319 <HTML><HEAD></HEAD><BODY><P>I am sorry <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>I though this was an ASA..</P><P></P><P>in that case I would certanly permit that traffic in the Outside to Inside ACL </P><P></P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Sun, 10 Nov 2013 05:37:22 GMT https://community.cisco.com/t5/network-security/wan-inbound-protection/m-p/2376117#M309319 Julio Carvajal 2013-11-10T05:37:22Z