

Beginner

Internet Edge Router and the Firewall

What is the best way to monitor an Internet Edge router from the Internal network behind the Firewall?

We want to pull more information from the edge router like netflow.  We can use SNMPv3 and ACLs to keep the router secure.

But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults.

I am running an ASA and a 2821.

Accepted Solution
Hall of Fame Guru

Re: Internet Edge Router and the Firewall

I'd start with locking down the router configuration if you haven't already. Cisco Configuration Professional (free) offers a nice GUI for analyzing and delivering all the necessary commands to secure the router.

Getting Netflow from your router doesn't add much more than getting it from your ASA.

If you're querying through the firewall to the routers using SNMPv3 (and have deleted the v1/v2 communities) that's one good step. The only other thing I might suggest is sending syslogs to your management system from the router. To do that you'll need to add an access-list and probably a NAT entry to your firewall to allow the incoming syslog traffic.

Most important beyond all the technology is to make sure that your people follow a process to regularly analyze and act upon the information being reported and gathered. Without that all the rest isn't worth the time it takes to implement it.

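The following is an added example of the setup the accepted answer describes, not configuration posted by either participant: a hardened IOS management plane on the 2821 (v1/v2c communities removed, SNMPv3 authPriv restricted by ACL to the management host, syslog and NetFlow v9 export) and the matching ASA 8.3+ static NAT plus outside-interface access-list that lets the router's UDP syslog and NetFlow reach the NMS on the inside. Interface names and all addresses (10.1.1.10 for the NMS, 203.0.113.10 for its translated address, 203.0.113.1 for the router's ASA-facing interface) are placeholders, as are the passphrases.

```cisco
!===== Edge router (IOS 2821) =====
service timestamps log datetime msec localtime
! 1. Remove any legacy v1/v2c communities (names are assumptions)
no snmp-server community public
no snmp-server community private
! 2. Only the NMS (as seen through the ASA's static NAT) may poll SNMP
ip access-list standard NMS-HOSTS
 permit 203.0.113.10
 deny   any log
! 3. SNMPv3 authPriv group bound to the ACL; user with SHA auth and AES-128 privacy
snmp-server group NMS-GROUP v3 priv access NMS-HOSTS
snmp-server user nms-poller NMS-GROUP v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
snmp-server ifindex persist
! 4. Syslog to the NMS, sourced from the ASA-facing interface
logging source-interface GigabitEthernet0/1
logging trap informational
logging host 203.0.113.10
! 5. NetFlow v9 export, collecting on the Internet-facing interface
ip flow-export version 9
ip flow-export source GigabitEthernet0/1
ip flow-export destination 203.0.113.10 2055
interface GigabitEthernet0/0
 description Internet uplink
 ip flow ingress
 ip flow egress
interface GigabitEthernet0/1
 description To ASA outside (203.0.113.1)

!===== ASA (8.3 or later object-based syntax) =====
object network NMS-INSIDE
 host 10.1.1.10
 ! Static NAT gives the NMS a fixed address the router can reach,
 ! and is also used for the NMS's outbound SNMPv3 polls
 nat (inside,outside) static 203.0.113.10
object network EDGE-ROUTER
 host 203.0.113.1
! Inbound from the edge router only, to the NMS only, syslog and NetFlow only.
! In 8.3+ the ACL references the real (untranslated) inside address.
access-list OUTSIDE-IN extended permit udp object EDGE-ROUTER object NMS-INSIDE eq syslog
access-list OUTSIDE-IN extended permit udp object EDGE-ROUTER object NMS-INSIDE eq 2055
access-group OUTSIDE-IN in interface outside
```

The SNMPv3 poll itself needs no inbound ASA rule: it originates on the inside and the ASA tracks the UDP return traffic. Because the static NAT is bidirectional, the router sees every NMS poll from 203.0.113.10, which is why the router-side ACL permits only that address; the `deny any log` line makes probing from any other source visible in the same syslog feed. Verify on the router with `show snmp user` and `show ip flow export`, and on the ASA with `show access-list OUTSIDE-IN` hit counts.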

2 Replies

Beginner

Internet Edge Router and the Firewall

Thanks for the input, Marvin.

I wanted to make sure I wasn't missing anything in making the monitoring connection secure. 

Given the cyber threats we've been dealing with, regularly analyzing the information is required, which is driving this need.