Internet connection interface configurations

Daniel Smith
Level 1

I would like to be sure that our internet-facing routers, and their interfaces, are as secure as possible. Searching the web has not yielded as much information as I had hoped. Please respond with your suggestions and tips. Thank you in advance.

2 Replies

trfinkenstadt
Level 1

Daniel,

You can start with only allowing the traffic that needs to go through to go through. For example, on my DMVPN edge routers, I only allow UDP500/4500, ESP, and DHCP style things:

```
ip access-list extended dmvpn-edge
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq bootps any eq bootpc
 deny ip any any log
```

For a true internet router you could have a much more developed list than that. Ensure that you have an ACL that controls what can ssh to your device in your "line vty 0 4" config. Ensure that you allow your routing protocols to flow through to your providers. Things like that.

best regards,

tim
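
A small audit of a saved running-config for the two points in the reply above (an inbound ACL on each edge interface that ends in a logged deny, and an access-class on every vty line), given as an added example that is not part of the original post. The interface names, addresses and the MGMT ACL in the sample are constructed assumptions, and the script only understands named ACLs.

```python
import re

# Constructed sample config (not from the thread); names other than dmvpn-edge are assumptions.
SAMPLE = """\
interface GigabitEthernet0/0
 ip access-group dmvpn-edge in
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
ip access-list extended dmvpn-edge
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq bootps any eq bootpc
 deny ip any any log
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT in
line vty 5 15
 transport input ssh
"""

def blocks(config):
    # Map each top-level IOS line to the indented lines beneath it.
    out, cur = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if not raw[0].isspace():
            cur = out.setdefault(raw.strip(), [])
        elif cur is not None:
            cur.append(raw.strip())
    return out

def audit(config, edge_interfaces):
    cfg, findings = blocks(config), []
    acls = {h.split()[-1]: b for h, b in cfg.items() if h.startswith("ip access-list ")}
    for name in edge_interfaces:
        body = "\n".join(cfg.get("interface " + name, []))
        m = re.search(r"^ip access-group (\S+) in$", body, re.M)
        if not m:
            findings.append(f"{name}: no inbound ACL applied")
        elif acls.get(m.group(1), [])[-1:] != ["deny ip any any log"]:
            findings.append(f"{name}: ACL {m.group(1)} lacks a final logged deny")
    for head, body in cfg.items():
        vty_acls = [l.split()[1] for l in body if re.fullmatch(r"access-class \S+ in", l)]
        if head.startswith("line vty ") and not any(a in acls for a in vty_acls):
            findings.append(f"{head}: no access-class bound to a defined ACL")
    return findings
```

Calling `audit(SAMPLE, ["GigabitEthernet0/0", "GigabitEthernet0/1"])` flags the second uplink and the `line vty 5 15` range, which is the kind of gap that appears when only `line vty 0 4` is restricted.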

 

johnd2310
Level 8

Hi.

As a start, have a look at the router hardening guide.

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Also look at the network security baseline.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook.html

Thanks

John

**Please rate posts you find helpful**