11-07-2013 02:47 PM - edited 03-11-2019 08:02 PM
Hi,
What is the best practice to protect the WAN interface (Dialer interface) on an ISR router from common attacks or IP spoofing? I read about creating an ACL to include all internal IP ranges but want to get your feedback on what is best to do. I will also need to allow remote IPsec VPN clients to connect remotely.
Thank You
11-07-2013 04:11 PM
Hello,
One common way to do it is to create an ACL denying traffic from the private IP address range coming in on the outside interface.
Enabling IP RPF checks in strict mode is also a method to avoid these attacks.
How does that sound to you?
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-08-2013 12:55 PM
Yes, but since I have remote IPsec VPN, should I exclude the allocated subnet range?
11-08-2013 04:10 PM
Remember the following:
sysopt connection permit-vpn is enabled by default and will make VPN traffic bypass any inbound ACL on the outside.
You are all set now, right?
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-09-2013 02:54 AM
It seems that the command is not available on ISR routers:
Verify that sysopt Commands are Present (PIX/ASA Only)
The command did not show up in the ISR syntax. I want to be sure of this before I apply the inbound ACL on the WAN interface.
11-09-2013 09:37 PM
I am sorry,
I thought this was an ASA.
In that case I would certainly permit that traffic in the Outside to Inside ACL.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
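Added example, not part of any post in this thread: an IOS sketch of the two measures discussed above (an inbound anti-spoofing ACL and strict uRPF) with the IPsec control and data traffic permitted on the WAN side. The interface name Dialer0, the ACL name WAN-IN and the VPN pool 192.168.50.0/24 are assumptions or constructed placeholders.

```cisco
! Added example. Assumptions: WAN is Dialer0, ACL name WAN-IN is arbitrary,
! VPN pool 192.168.50.0/24 is a constructed placeholder.
!
! uRPF needs CEF switching
ip cef
!
ip access-list extended WAN-IN
 remark Drop Internet-side packets claiming private or loopback sources
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark IPsec remote access terminating on this router: IKE, NAT-T, ESP
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 remark Remaining traffic is left to the stateful firewall policy (assumption)
 permit ip any any
!
! If the running IOS release re-checks decrypted packets against the
! interface ACL, a permit for the VPN pool (placeholder 192.168.50.0/24)
! has to sit above the "deny ip 192.168.0.0" entry, otherwise client
! traffic is dropped after decryption.
!
interface Dialer0
 ip access-group WAN-IN in
 ! Strict uRPF. allow-default is needed when Internet sources are only
 ! reachable through the default route, as on a typical single-WAN router.
 ip verify unicast source reachable-via rx allow-default
```

After applying it, `show ip access-lists WAN-IN` shows the hit counters per entry and `show ip interface Dialer0` reports the uRPF drop count, which confirms whether VPN client traffic is being matched by a deny.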