https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954481#M435835 <HTML><HEAD></HEAD><BODY><P>OK, so you would like access initiated from the Internet towards your hosts/servers on all those ports listed in access-list 121?</P></BODY></HTML> Sat, 26 May 2012 12:24:59 GMT Jennifer Halim 2012-05-26T12:24:59Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954478#M435830 <P>Can I confirm with someone if that config of cbac will work:</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/8/0/1/90108-router.png" alt="router.png" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P> Mon, 11 Mar 2019 23:11:38 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954478#M435830 mateomateo1 2019-03-11T23:11:38Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954479#M435832 <HTML><HEAD></HEAD><BODY><P>Are you trying to allow inbound or outbound access on your access-list 121? From what i read, it seems more for outbound than inbound access, please kindly confirm.</P><P>If it's for outbound access, you would either need to apply the access-list on the LAN interface (in direction), or on the WAN interface (out direction).</P></BODY></HTML> Sat, 26 May 2012 00:39:40 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954479#M435832 Jennifer Halim 2012-05-26T00:39:40Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954480#M435834 <HTML><HEAD></HEAD><BODY><P> Hi Jennifer,</P><P></P><P>access-list 121 is for inbound access (from internet)</P><P> - access-group 121 in</P><P></P><P></P><P>inspect rule is applied on the same interface outbound</P><P>-ip inspect myfw out</P></BODY></HTML> Sat, 26 May 2012 07:56:54 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954480#M435834 mateomateo1 2012-05-26T07:56:54Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954481#M435835 <HTML><HEAD></HEAD><BODY><P>OK, so you would like access initiated from the Internet towards your hosts/servers on all those ports listed in access-list 121?</P></BODY></HTML> Sat, 26 May 2012 12:24:59 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954481#M435835 Jennifer Halim 2012-05-26T12:24:59Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954482#M435836 <HTML><HEAD></HEAD><BODY><P> correct Jennifer access to those servers from acl 121 + alow all access from inside lan to the internet (with cbac)</P></BODY></HTML> Sat, 26 May 2012 18:46:18 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954482#M435836 mateomateo1 2012-05-26T18:46:18Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954483#M435837 <HTML><HEAD></HEAD><BODY><P>ok thanks for confirming.</P><P>In that case, they all look good to me.</P></BODY></HTML> Sat, 26 May 2012 19:34:19 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954483#M435837 Jennifer Halim 2012-05-26T19:34:19Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954484#M435838 <HTML><HEAD></HEAD><BODY><P> Thank you Jennifer for confirming, </P><P>I have also another question about my second wan interface, I have 2 isp, wan2 is my vpn connection to branch office and&nbsp; wan1 is my internet access (with cbac on it - that is sorted now), now after wan1 is sorted I want also some sort of security on my vpn connection, what would be the best way to secure that connection, can I just apply</P><P>something like that on both sides ?</P><P>access-list 122 permit ip LAN1 LAN2</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/0/3/2/90230-Untitled.png" class="jive-image" /></P></BODY></HTML> Mon, 28 May 2012 08:18:48 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954484#M435838 mateomateo1 2012-05-28T08:18:48Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954485#M435839 <HTML><HEAD></HEAD><BODY><P>With access-list 122, you just have to permit the actual VPN traffic before decryption as follows:</P><P></P><P>access-list 122 permit esp host <REMOTE-VPN-SERVER> host <WAN2-IP-ADDRESS></WAN2-IP-ADDRESS></REMOTE-VPN-SERVER></P><P>access-list 122 permit udp host <REMOTE-VPN-SERVER> host <WAN2-IP-ADDRESS> eq 500</WAN2-IP-ADDRESS></REMOTE-VPN-SERVER></P><P>access-list 122 permit udp host <REMOTE-VPN-SERVER> host <WAN2-IP-ADDRESS> eq 4500</WAN2-IP-ADDRESS></REMOTE-VPN-SERVER></P></BODY></HTML> Mon, 28 May 2012 11:29:47 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954485#M435839 Jennifer Halim 2012-05-28T11:29:47Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954486#M435840 <HTML><HEAD></HEAD><BODY><P>Would it be the best way of securing the router (interfaces) with the firewall?&nbsp; What can be done to secure it,</P></BODY></HTML> Thu, 07 Jun 2012 09:24:41 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954486#M435840 mateomateo1 2012-06-07T09:24:41Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954487#M435841 <HTML><HEAD></HEAD><BODY><P>CBAC is one way to secure it, or you can also use ZBFW (Zone Base FW).</P></BODY></HTML> Thu, 07 Jun 2012 10:08:21 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954487#M435841 Jennifer Halim 2012-06-07T10:08:21Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954488#M435843 <HTML><HEAD></HEAD><BODY><P> Thank you Jennifer for all the answers, as regards to my firewall on vpn link (only acl) is that enough security?</P></BODY></HTML> Thu, 07 Jun 2012 10:42:56 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954488#M435843 mateomateo1 2012-06-07T10:42:56Z https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954489#M435845 <HTML><HEAD></HEAD><BODY><P>Yes, that would be good enough as only IPSec VPN is allowed, and no other protocols.</P></BODY></HTML> Thu, 07 Jun 2012 11:02:56 GMT https://community.cisco.com/t5/network-security/cbac-set-up/m-p/1954489#M435845 Jennifer Halim 2012-06-07T11:02:56Z