05-01-2013 06:09 AM - edited 03-04-2019 07:47 PM
Hi, I want to provide some outside interface protection on an ASR 10001 router.
The Internet facing interface is the ingress for all remote access home users that have created a DMVPN. I want to protect the network from the Internet but, at the same time protect against breaking the tunnels created from the home users.
We are running EIGRP between the home users and the HQ router. How would you build the access-list applied to the outside interface and what protocols would you allow through?
See attached
Thank you
05-01-2013 06:41 AM
Hi,
You can apply an ACL on the outside interface just like you have suggested and only allow ports/services:
1- isakmp
2- non500-isakmp (if you use NAT traversal)
3- esp
The obvious problem here is that all other dynamic protocols might get blocked because of the implicit deny when sourced from the inside network. To solve this issue you can add a Reflexive ACL to your statement and allow the already established traffic.
Hope that helps.
Omar
Forgot to mention that once the tunnel interface is up, it will not be affected by the access-list on the outside interface; you can apply a second ACL inside the tunnel interface if needed.
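An added IOS configuration sketch of the approach described in this reply (this is illustrative example configuration, not the poster's or Cisco's own); it assumes the hub's outside interface is GigabitEthernet0/0/0 with a placeholder public address, and that DMVPN uses IPsec tunnel protection so the GRE/EIGRP traffic rides inside ESP and never needs its own permit on the outside ACL.

```cisco
! Added example configuration. HUB-PUBLIC-IP is a placeholder for the
! hub's real Internet-facing address; the interface name is assumed.
!
! Outbound on the outside interface: record hub-initiated sessions so
! their return traffic can be let back in (reflexive ACL). Only TCP, UDP
! and ICMP are tracked; ESP/ISAKMP replies are covered by the static
! permits below, so they do not depend on the reflexive entries.
ip access-list extended OUTSIDE-OUT
 permit tcp any any reflect REFLECTED timeout 300
 permit udp any any reflect REFLECTED timeout 300
 permit icmp any any reflect REFLECTED timeout 60
 permit ip any any
!
! Inbound on the outside interface: only what the spokes need to bring
! the DMVPN tunnels up. EIGRP (IP protocol 88) is NOT permitted here on
! purpose: it runs inside the GRE-over-IPsec tunnel and is checked, if at
! all, by an ACL on the Tunnel interface, not by this one.
ip access-list extended OUTSIDE-IN
 permit udp any host HUB-PUBLIC-IP eq isakmp         ! UDP 500, IKE
 permit udp any host HUB-PUBLIC-IP eq non500-isakmp  ! UDP 4500, NAT-T
 permit esp any host HUB-PUBLIC-IP                   ! IP protocol 50
 evaluate REFLECTED                                  ! hub-initiated return traffic
 deny ip any any log                                 ! make the implicit deny visible
!
! Without IPsec tunnel protection (plain GRE DMVPN) one extra line would
! be required: permit gre any host HUB-PUBLIC-IP
!
interface GigabitEthernet0/0/0
 description Internet-facing (DMVPN hub)
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
```

Verify the behaviour with `show ip access-lists OUTSIDE-IN` after a spoke connects: the isakmp and esp entries should show match counts while the `deny ip any any log` line stays quiet for legitimate spokes; any log hits there are either Internet noise or a spoke feature (for example NAT-T) that the ACL is missing.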
05-06-2013 04:27 AM
Omar,
Thanks for your response. Are you implying that if I don't want to block any traffic on the tunnel interfaces, I can apply an ACL to only the physical interface and that physical interface only needs protocols that will establish the tunnel?
Thank you.