Hardening Internet router with GRE/IPSEC and PPPOE

mpaul
Level 1

I have a 1760 router with the VPN accelerator card. Its primary link is a frame-relay line. We then have a DSL router that is bridged to an additional Ethernet interface on the 1760. This is a backup link.

We plan to use IPSEC over a GRE tunnel through the DSL line.

I also have to use PPPOE to connect to the DSL. That works.

What I want to do is prevent any other internet traffic from getting through the DSL line interface.

I need to allow GRE/IPSEC and the PPPOE through the interface. I also want SSH and possibly telnet.

When I apply the following access-list, it seems as if PPPoE stops working. I can't find what ports I need to allow through. Here are the relevant portions of the config.

I thought a simple access-list would be best. I currently have it applied to the Ethernet interface; should I apply it to the dialer instead? What ports for the PPPoE?

Thanks in advance.

vpdn-group pppoe
 request-dialin
  protocol pppoe

crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 80000
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0

crypto ipsec transform-set strong esp-3des esp-sha-hmac
 mode transport
!
crypto map vpn 110 ipsec-isakmp
 set peer (public vpn endpoint)
 set transform-set strong
 match address 199
!
!
interface Tunnel11
 description GRE Tunnel
 bandwidth 1024
 ip address 10.100.70.2 255.255.255.0
 no ip redirects
 no ip unreachables
 delay 15000
 tunnel source Dialer1
 tunnel destination (Public IP address of VPN endpoint)

interface Ethernet1/0
 description Backup Link to DSL
 no ip address
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable

interface Dialer1
 description to VPN Backup Link DSL
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname username@username.com
 ppp chap password 7 XXXXX
 ppp pap sent-username username@username.com password XXXXX
 crypto map vpn

router eigrp 100
 network 172.16.0.0
 network 192.168.11.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.11.1 190
ip route 0.0.0.0 0.0.0.0 Dialer1 190
ip route (Public IP Address of VPN Endpoint) 255.255.255.255 Dialer1
ip route 172.16.11.0 255.255.255.0 Null0 249
ip route 192.168.11.0 255.255.255.0 Null0 249

access-list 101 remark Disallow internet traffic
access-list 101 permit icmp any any
access-list 101 permit ip host (Public IP of VPN Endpoint) host (Public IP of Dialer1)
access-list 101 permit gre host (Public IP of VPN Endpoint) host (Public IP of Dialer1)
access-list 101 permit tcp any host (Public IP of Dialer1) eq 22
access-list 101 permit tcp any host (Public IP of Dialer1) eq 23
access-list 199 remark Encryption and GRE Traffic
access-list 199 permit gre host (Public IP of Dialer1) host (Public IP of VPN Endpoint)
access-list 199 permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 199 permit ip 172.16.11.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit

3 Replies

tjeanne
Level 1

Hello,

You can try to remove the access-group 101 on the Ethernet 1/0 interface and to configure it on the dialer1 interface. I think it will work better.

Regards,

Tanguy

wpate
Level 1

You must apply the access-list to the dialer interface. Please keep in mind that access-lists are meant to control IP/TCP/UDP traffic and not PPP. Therefore, you do not need to include entries in the access-list for PPPoE, as this is not an IP protocol.

Here is a generic access-list you could use; apply it to the dialer interface, because this is the interface that IP is bound to.

OUTBOUND

access-list 120 permit gre host SOURCE IP host DESTINATION IP
access-list 120 permit udp host SOURCE IP host DESTINATION IP eq non500-isakmp
access-list 120 permit udp host SOURCE IP host DESTINATION IP eq isakmp
access-list 120 permit esp host SOURCE IP host DESTINATION IP

INBOUND

access-list 121 permit gre host SOURCE IP host DESTINATION IP
access-list 121 permit udp host SOURCE IP host DESTINATION IP eq non500-isakmp
access-list 121 permit esp host SOURCE IP host DESTINATION IP
access-list 121 permit udp host SOURCE IP host DESTINATION IP eq isakmp
access-list 121 permit tcp any any eq 22

Yes, I was finally able to get this to work, and you are totally correct about the PPPoE settings. Here's what my access-list looked like for the working configuration. I tried scanning the public address and didn't get much back in reply. I wanted to allow ICMP for testing, though.

access-list 101 remark Disallow internet traffic
access-list 101 permit icmp any any
access-list 101 permit ip host X.X.X.X host Y.Y.Y.Y
access-list 101 permit udp any host Y.Y.Y.Y eq isakmp
access-list 101 permit esp any host Y.Y.Y.Y
access-list 101 permit gre host X.X.X.X host Y.Y.Y.Y
access-list 101 permit tcp any host Y.Y.Y.Y eq 22
access-list 101 deny ip any any

What's the non500-isakmp? Haven't seen that one before.
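As an added illustration (not part of the thread), the following Python models how IOS evaluates the working numbered access-list posted above, first match wins with an implicit deny at the end, and resolves the keywords seen in the replies (isakmp is UDP/500; non500-isakmp is UDP/4500, the IPsec NAT-T port). The placeholder addresses and sample packets are constructed, and only the ACL syntax forms used in this thread are parsed.

```python
import ipaddress

# Constructed placeholder addresses: PEER stands in for X.X.X.X (the remote VPN
# endpoint) and DIALER for Y.Y.Y.Y (the address negotiated on Dialer1).
PEER, DIALER = "198.51.100.10", "203.0.113.20"
# IOS protocol and port keywords used in the thread; non500-isakmp is UDP/4500 (NAT-T).
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
PORT_NAME = {"isakmp": 500, "non500-isakmp": 4500, "ssh": 22, "telnet": 23}

# The access-list the original poster reported as working, placeholders substituted.
WORKING_ACL = [
    "access-list 101 remark Disallow internet traffic",
    "access-list 101 permit icmp any any",
    f"access-list 101 permit ip host {PEER} host {DIALER}",
    f"access-list 101 permit udp any host {DIALER} eq isakmp",
    f"access-list 101 permit esp any host {DIALER}",
    f"access-list 101 permit gre host {PEER} host {DIALER}",
    f"access-list 101 permit tcp any host {DIALER} eq 22",
    "access-list 101 deny ip any any",
]

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT'; return (net, port, rest)."""
    if tok[0] == "any":
        net, tok = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    elif tok[0] == "host":
        net, tok = ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    else:  # address + wildcard mask; ipaddress accepts a dotted hostmask after the slash
        net, tok = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
    port = None
    if tok[:1] == ["eq"]:
        port, tok = PORT_NAME.get(tok[1]) or int(tok[1]), tok[2:]
    return net, port, tok

def parse_ace(line):
    """Parse one numbered-ACL entry; returns None for remark lines."""
    tok = line.split()
    if tok[2] == "remark":
        return None
    src, sport, rest = _addr(tok[4:])
    dst, dport, _ = _addr(rest)
    return tok[2], PROTO_NUM[tok[3]], src, sport, dst, dport

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First match wins, with the implicit 'deny ip any any' IOS appends to every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in filter(None, map(parse_ace, acl)):
        if (p is None or p == PROTO_NUM[proto]) and s in snet and d in dnet \
                and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"
```

Running it against sample packets shows that the "permit ip host X.X.X.X host Y.Y.Y.Y" entry already admits GRE, ESP and UDP/4500 from the peer, so the later gre entry is never reached for that peer, while telnet and other unsolicited TCP to the dialer address fall through to the explicit deny.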
