Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
913
Views
0
Helpful
2
Replies

Internet Edge Router and the Firewall

Go to solution
blamb
Level 1
Level 1

‎05-09-2013 03:15 PM - edited ‎03-11-2019 06:41 PM

What is the best way to monitor an Internet Edge router from the Internal network behind the Firewall?

We want to pull more information from the edge router like netflow.  We can use SNMPv3 and ACLs to keep the router secure.

But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults.

I am running an ASA and a 2821.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-09-2013 06:27 PM

I'd start with locking down the router configuration if you haven't already. Cisco Configuration Professional (free) offers a nice GUI for analyzing and delivering all the necessary commands to secure the router.

Getting Netflow from your router doesn't add much more than getting it from your ASA.

If you're querying through the firewall to the routers using SNMPv3 (and have deleted the v1/v2 communities) that's one good step. The only other thing I might suggest is sending syslogs to your management system from the router. To do that you'll need to add an access-list and probably a NAT entry to your firewall to allow the incoming syslog traffic.

Most important beyond all the technology is to make sure that your people follow a process to regularly analyze and act upon the information being reported and gathered. Without that all the rest isn't worth the time it take to implement it.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-09-2013 06:27 PM

I'd start with locking down the router configuration if you haven't already. Cisco Configuration Professional (free) offers a nice GUI for analyzing and delivering all the necessary commands to secure the router.

Getting Netflow from your router doesn't add much more than getting it from your ASA.

If you're querying through the firewall to the routers using SNMPv3 (and have deleted the v1/v2 communities) that's one good step. The only other thing I might suggest is sending syslogs to your management system from the router. To do that you'll need to add an access-list and probably a NAT entry to your firewall to allow the incoming syslog traffic.

Most important beyond all the technology is to make sure that your people follow a process to regularly analyze and act upon the information being reported and gathered. Without that all the rest isn't worth the time it take to implement it.

0 Helpful

Go to solution
blamb
Level 1
Level 1
In response to Marvin Rhoads

‎05-17-2013 09:37 AM

Thanks for the input Marvin. 

I wanted to make sure I wasn't missing anything in making the monitoring connection secure. 

Given the Cyber threats we been dealing with, regularly analyzing the information is required which is driving this need.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card