Internet Edge Router Configuration

NetworkGuyMark
Level 1

Hello,

 

I've been researching best-practice configurations for ISP-facing router interfaces. Recommendations vary and I'd really like some advice. My configuration is simple. I have a router that will connect my LAN to the internet (outside interface and inside interface). I have a static IP and am using PAT with overload. I want to protect my LAN as much as possible from outside attacks. The common advice I am finding is to apply the following ACLs on the outside interface INBOUND.

 

! RFC 1918 Filtering
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any

! Permit ICMP
access-list 101 permit icmp any any

! Permit only TCP sessions that have been started from internal network
access-list 101 permit tcp any any established

! Permit UDP
access-list 101 permit udp any any

 

Why is it recommended to permit ICMP inbound? Why is it recommended to permit UDP inbound? Any advice and recommendations are welcome.

 

Thank you,

 

Mark


10 Replies

ICMP is recommended to check the network reliability of the devices you have in the network.

UDP uses a connectionless protocol, and we don't see as many kinds of attacks in the UDP protocol compared to TCP.

Please do not hesitate to click the STAR button if you are satisfied with my answer.

Thank you for your explanation concerning ICMP and UDP. Anything else you recommend, or do those ACLs basically cover it?

Richard Burts
Hall of Fame

If you are going to have a single router, no firewall, with a LAN and a connection to an ISP, then your acl 101 is a good start. I have seen access lists like that that also deny incoming packets with source address 169.254.0.0 0.0.255.255, with source address 127.0.0.0 0.255.255.255, with source address 224.0.0.0 31.255.255.255, and with source address 0.0.0.0 0.0.0.0. You might consider adding those.

 

Also on a router interface which faces the Internet some people will use Unicast Reverse Path Forwarding to mitigate the possibility of spoofed addresses. You might check this link for further information about this.

https://tools.cisco.com/security/center/resources/unicast_reverse_path_forwarding

 

We do not know much about your environment, such as whether you might have web server, or mail server, or any other resource in your network that needs to be accessible from the Internet. If you do have any resource like that it will impact your acl on the outside interface and would probably require some port forwarding configuration, assuming that you have only a single public IP address.

 

You might find this link useful for a discussion about Improving Security on Cisco Routers

https://www.cisco.com/E-Learning/bulk/public/celc/CRS/media/targets/resources_mod07/7_3_5_improving_security.pdf

HTH

Rick
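Rick's uRPF suggestion, as an added worked example that is not from the thread or from Cisco's documentation: a small Python model of strict and loose unicast RPF on the ISP-facing interface. The routing table, interface names and addresses are constructed assumptions (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the ISP link and for Internet hosts). It shows why uRPF complements rather than replaces the RFC 1918 deny lines on a default-routed edge, and what the allow-default keyword changes.

```python
import ipaddress

# Constructed routing table for the single-homed edge router in the thread.
# Interface names and prefixes are assumptions; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for the ISP link and for Internet hosts.
OUTSIDE = "GigabitEthernet0/0/0"
INSIDE = "GigabitEthernet0/0/1"
ROUTES = [
    ("0.0.0.0/0", OUTSIDE),        # default route toward the ISP
    ("203.0.113.0/30", OUTSIDE),   # ISP link subnet
    ("192.168.1.0/24", INSIDE),    # inside LAN behind PAT
]


def best_route(src, routes):
    """Longest-prefix match on the packet's SOURCE address.
    Returns (network, interface) or None when no route covers the source."""
    addr = ipaddress.IPv4Address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(src, ingress, routes, mode="strict", allow_default=True):
    """Model of IOS uRPF applied to the ingress interface:
      strict = 'ip verify unicast source reachable-via rx'
      loose  = 'ip verify unicast source reachable-via any'
    Rules modeled:
      - no route to the source, or a route to Null0         -> drop in both modes
      - the default route only counts with 'allow-default'  -> otherwise drop
      - strict: the best route must point back out the ingress interface
      - loose:  any usable route is enough"""
    match = best_route(src, routes)
    if match is None:
        return False
    net, iface = match
    if iface == "Null0":
        return False
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress


def check_outside(src, routes=ROUTES, allow_default=True):
    """Strict and loose verdicts for a packet arriving on the ISP-facing interface."""
    return {
        "strict": urpf_permits(src, OUTSIDE, routes, "strict", allow_default),
        "loose": urpf_permits(src, OUTSIDE, routes, "loose", allow_default),
    }


if __name__ == "__main__":
    # Legitimate Internet source: reachable via the default route on the outside interface.
    print("198.51.100.7                   ", check_outside("198.51.100.7"))
    # Packet claiming to come from the inside LAN: strict drops it, loose does not.
    print("192.168.1.5                    ", check_outside("192.168.1.5"))
    # Spoofed 10.x source with only a default route: passes both modes, because the
    # default route makes every address "reachable" via the outside interface.
    print("10.1.2.3                       ", check_outside("10.1.2.3"))
    # Same packet once 10.0.0.0/8 is null-routed: the Null0 route fails the check.
    print("10.1.2.3 (+Null0 route)        ", check_outside("10.1.2.3", ROUTES + [("10.0.0.0/8", "Null0")]))
    # Without allow-default the default route is ignored and ordinary Internet traffic fails.
    print("198.51.100.7 (no allow-default)", check_outside("198.51.100.7", allow_default=False))
```

On a single-homed edge the only route back to most of the Internet is the default, so the IOS form that works there is `ip verify unicast source reachable-via rx allow-default` (or `reachable-via any allow-default`); without `allow-default` the default route is not considered and legitimate traffic fails the check. With `allow-default`, however, every address becomes "reachable" through the outside interface, so spoofed RFC 1918 sources still pass unless the ACL denies them explicitly or they are null-routed. uRPF does catch packets that claim to come from the inside LAN, which the RFC 1918 deny lines only cover if the LAN happens to use those ranges.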

Thank you for taking the time to comment and share your expertise with me, Rick. I will add those addresses you suggest to my ACL. I'll look into uRPF; it looks like a great feature to implement. I will be adding port forwarding for a web server, which is simple enough. Initially, I want to lock things down as much as possible, then I'll open up what I need. At some point in the near future, I'll be inserting a Cisco ASA between my router and the LAN. Until then, I want to be sure the network is protected.

Hi Rick,

 

Just thinking... on the same topic here, ACLs. I'm going to set up a Tunnel 0 interface with mGRE and protect the traffic with IPsec to bring in a branch site.

 

Example:

 

HUB_HQ_RTR-----------------Internet--------------------Spoke_BR_RTR

Gig0/0/0 IP (1.1.1.1)--------------------------------------Gig0/0/0 (IP via DHCP)

Tunnel 0 (172.30.1.1)--------------------------------------Tunnel 0 (172.30.1.2)

 

Assuming I'm using the ACLs I listed above, what ACLs would I need to include in my configuration to make this work?

 

Thank you,

 

Mark 

Mark

 

Glad that our suggestions have been helpful. What you have so far is a good start, and might be sufficient for some people. Depending on how paranoid you are about threats from the Internet there are certainly more aspects that we might examine. I would certainly advocate for adding an ASA to provide further protection. It is much more effective in doing stateful inspection of traffic and not allowing traffic initiated from the Internet to enter your network unless you have explicitly permitted it. Using tcp established is pretty good for protecting tcp, but not other protocols. The ASA will do that kind of protection for all protocols.

 

Your description of mGRE with IPsec sounds like you are talking about DMVPN. Is that right? Or is it something else? If there are multiple branch sites then DMVPN is a good choice. If there is a single branch then I question whether you need the complexities of multipoint GRE, and think that a regular point-to-point GRE with IPsec, or perhaps a VTI tunnel, might be a better choice. Depending on your choice you probably should include ESP, which is protocol 50 (note this is a protocol number and not an IP port number). (I started to mention ISAKMP as something to permit and then realized that your permit udp any any would include ISAKMP.)

HTH

Rick

Rick,

 

Thank you again for all the good info.  I will be putting my ASA back in the picture soon between my Router and LAN.

 

I currently have 1 branch office I'll be adding to my configuration, with more to come shortly. I'll be using DMVPN (GRE with IPsec). I spun everything up in my lab environment and think I have it figured out. I had to add the following to my ACL:

 

access-list 101 permit gre host SPOKE_BR_RTR host HUB_HQ_RTR
access-list 101 permit eigrp host SPOKE_BR_TUNNEL_INT host HUB_HQ_TUNNEL_INT
access-list 101 permit esp host SPOKE_BR_RTR host HUB_HQ_RTR

Mark

 

Thanks for the update. I listed the need to permit ESP. I wondered about whether GRE would be required. I thought that it probably was not required, but if your lab implementation indicates that it is required then this is good information. And EIGRP is probably a good addition to your acl.

 

Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
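The ACL as it stands at the end of the thread (Mark's original entries, the extra source ranges Rick suggested, and the GRE, EIGRP and ESP lines from Mark's lab) evaluated against a few constructed inbound packets by a small Python model of IOS extended-ACL matching. This is an added example, not code from the thread or from Cisco: the hub and spoke public addresses (documentation-range stand-ins for HUB_HQ_RTR and SPOKE_BR_RTR), the sample packets and the ACL order are assumptions, and the model parses numeric ports only. It makes visible what `established`, `permit udp any any` and first-match ordering actually do with this list.

```python
import ipaddress

# IP protocol numbers behind the keywords used in the thread ('ip' matches any protocol).
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "eigrp": 88}

# The thread's ACL 101 with Rick's extra source ranges and Mark's DMVPN entries
# appended in the order they were posted. Constructed addresses: 203.0.113.2 stands
# in for HUB_HQ_RTR, 198.51.100.20 for SPOKE_BR_RTR, and the tunnel addresses are
# the 172.30.1.x pair from Mark's diagram.
ACL_101 = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit icmp any any
access-list 101 permit tcp any any established
access-list 101 permit udp any any
access-list 101 permit gre host 198.51.100.20 host 203.0.113.2
access-list 101 permit eigrp host 172.30.1.2 host 172.30.1.1
access-list 101 permit esp host 198.51.100.20 host 203.0.113.2
"""


def _addr(tokens, i):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D WILDCARD); return (value, mask, next)."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1]))  # wildcard bits -> mask
    return addr & mask, mask, i + 2


def _port(tokens, i):
    """Optional 'eq N' after an address (numeric ports only in this model); return (port or None, next)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse numbered extended ACL lines into match tuples, preserving their order."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        action, proto = t[2], PROTO_NUM[t[3]]
        src, smask, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, dmask, i = _addr(t, i)
        dport, i = _port(t, i)
        established = "established" in t[i:]
        entries.append((action, proto, src, smask, sport, dst, dmask, dport, established, line))
    return entries


def evaluate(entries, pkt):
    """First match wins; a packet that matches nothing hits the implicit deny at the end.
    pkt: {"proto": int, "src": str, "dst": str, optional "sport"/"dport": int, "flags": set}"""
    s = int(ipaddress.IPv4Address(pkt["src"]))
    d = int(ipaddress.IPv4Address(pkt["dst"]))
    for action, proto, src, smask, sport, dst, dmask, dport, established, line in entries:
        if proto is not None and proto != pkt["proto"]:
            continue
        if (s & smask) != src or (d & dmask) != dst:
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        # 'established' is a flag check, not a state table: it matches any TCP
        # segment with ACK or RST set, whether or not a session exists.
        if established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return action, line
    return "deny", "implicit deny"


HUB = "203.0.113.2"

# Constructed packets arriving inbound on the hub's outside interface.
SAMPLES = {
    "spoofed RFC1918 source":   {"proto": 17, "src": "10.1.2.3", "dst": HUB, "dport": 53},
    "new TCP SYN to port 80":   {"proto": 6, "src": "198.51.100.9", "dst": HUB, "dport": 80, "flags": {"SYN"}},
    "TCP ACK scan to port 22":  {"proto": 6, "src": "198.51.100.9", "dst": HUB, "dport": 22, "flags": {"ACK"}},
    "unsolicited UDP to 161":   {"proto": 17, "src": "198.51.100.9", "dst": HUB, "dport": 161},
    "ESP from the spoke":       {"proto": 50, "src": "198.51.100.20", "dst": HUB},
    "GRE from another host":    {"proto": 47, "src": "198.51.100.99", "dst": HUB},
    "EIGRP between tunnel IPs": {"proto": 88, "src": "172.30.1.2", "dst": "172.30.1.1"},
}


def run_samples(entries=None):
    """Return {label: (action, matching line)} for the constructed packets."""
    entries = entries or parse_acl(ACL_101)
    return {label: evaluate(entries, pkt) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, (action, line) in run_samples().items():
        print(f"{action:6}  {label:26}  <- {line}")
```

Three things the run shows that the thread only states: `established` inspects TCP flags, so an ACK-only probe to any port matches it (a stateful inspector such as the ASA Mark plans to add, or IOS zone-based firewall, is what tracks sessions); every sample is addressed to the router's own public address, so a permitted packet with no PAT entry is handled by the router itself, which means `permit udp any any` exposes whatever UDP services the router listens on (SNMP, NTP, ISAKMP on 500/4500) and `permit icmp any any` exposes it to all ICMP types, not just echo; and entries are first-match, so a permit placed after a broader deny never fires, as the EIGRP line for the 172.30.1.x tunnel addresses shows against the 172.16.0.0/12 deny above it. Swap the order or narrow the UDP line to the ports you need and re-run to see the verdicts change.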

Thanks again, Rick.  :)  This is the first time I've used the Cisco Community and what a wonderful experience.  I'll be asking more and more questions as time goes on.  :)

Mark

 

I am glad that this has been a good experience for you. I look forward to more questions from you.

HTH

Rick