cbac set-up

mateomateo1
Level 1

Can I confirm with someone if that config of cbac will work:

[attached image: router.png (the CBAC configuration being asked about)]

11 Replies

Jennifer Halim
Cisco Employee

Are you trying to allow inbound or outbound access on your access-list 121? From what I read, it seems more for outbound than inbound access; please kindly confirm.

If it's for outbound access, you would either need to apply the access-list on the LAN interface (in direction), or on the WAN interface (out direction).

Hi Jennifer,

access-list 121 is for inbound access (from the Internet)

- access-group 121 in

inspect rule is applied on the same interface outbound

- ip inspect myfw out

OK, so you would like access initiated from the Internet towards your hosts/servers on all those ports listed in access-list 121?

Correct Jennifer, access to those servers from ACL 121 + allow all access from the inside LAN to the Internet (with CBAC).

ok thanks for confirming.

In that case, they all look good to me.

Thank you Jennifer for confirming,

I also have another question about my second WAN interface. I have 2 ISPs: wan2 is my VPN connection to the branch office and wan1 is my Internet access (with CBAC on it, which is sorted now). Now that wan1 is sorted, I also want some sort of security on my VPN connection. What would be the best way to secure that connection? Can I just apply

something like that on both sides?

access-list 122 permit ip LAN1 LAN2

With access-list 122, you just have to permit the actual VPN traffic before decryption as follows:

access-list 122 permit esp host host

access-list 122 permit udp host host eq 500

access-list 122 permit udp host host eq 4500
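The two pieces discussed in this thread (ACL 121 inbound plus CBAC inspection outbound on the Internet interface, and an ACL on the VPN interface that permits only the encrypted traffic) put together as one constructed configuration. This is an added example, not the poster's configuration from the attached image and not Jennifer's text; interface names, the server address 192.0.2.10, the peer addresses 203.0.113.2 and 198.51.100.1, and the crypto map name BRANCH (defined elsewhere) are all placeholders chosen for illustration.

```cisco
! Constructed example, not the original poster's configuration.
! Assumed layout: Gi0/0 = WAN1 (Internet), Gi0/1 = WAN2 (IPsec to branch), Gi0/2 = LAN.
!
! CBAC inspection rule: sessions opened from the LAN are inspected on the way out,
! and their return traffic is allowed back in dynamically, ahead of ACL 121.
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
!
! ACL 121: the only connections the Internet may initiate toward published hosts.
! (One published HTTPS server shown; 192.0.2.10 is a placeholder.)
access-list 121 permit tcp any host 192.0.2.10 eq 443
access-list 121 deny ip any any log
!
interface GigabitEthernet0/0
 description WAN1 - Internet
 ip address 192.0.2.1 255.255.255.0
 ip access-group 121 in
 ip inspect myfw out
!
! ACL 122: the VPN link should carry nothing but IPsec between the two peers.
! The inbound ACL is evaluated on the packet as it arrives, i.e. before decryption,
! so it must permit ESP and IKE (UDP/500, and UDP/4500 when NAT-T is in use),
! not the inner LAN-to-LAN addresses. Peer addresses are placeholders.
access-list 122 permit esp host 203.0.113.2 host 198.51.100.1
access-list 122 permit udp host 203.0.113.2 host 198.51.100.1 eq 500
access-list 122 permit udp host 203.0.113.2 host 198.51.100.1 eq 4500
access-list 122 deny ip any any log
!
interface GigabitEthernet0/1
 description WAN2 - IPsec to branch office
 ip address 198.51.100.1 255.255.255.252
 ip access-group 122 in
 crypto map BRANCH
```

The explicit `deny ip any any log` lines at the end of each ACL only restate the implicit deny, but they make unexpected traffic visible in the log, which is what you want to watch on the VPN link: anything hitting that entry on Gi0/1 is something other than the expected IPsec peer. `show ip inspect sessions` and `show access-lists` are the usual places to confirm that the inspection sessions and the ACL hit counters behave as intended.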

Would it be the best way of securing the router (interfaces) with the firewall? What can be done to secure it?

CBAC is one way to secure it, or you can also use ZBFW (Zone-Based Firewall).

Thank you Jennifer for all the answers. As regards my firewall on the VPN link (only an ACL), is that enough security?

Yes, that would be good enough as only IPSec VPN is allowed, and no other protocols.
