
Internet Interface Protection

Patrick McHenry
Level 3

Hi, I want to provide some outside interface protection on an ASR 10001 router.

The Internet facing interface is the ingress for all remote access home users that have created a DMVPN. I want to protect the network from the Internet but, at the same time protect against breaking the tunnels created from the home users.

We are running EIGRP between the home users and the HQ router. How would you build the access-list applied to the outside interface and what protocols would you allow through?

See attached

Thank you

2 Replies

O Bitar
Level 1

Hi,

You can apply an ACL on the outside interface just like you have suggested and only allow ports/services:

1- isakmp

2- non500-isakmp (if you use NAT traversal)

3- esp

The obvious problem here is that all other dynamic protocols might get blocked because of the implicit deny when sourced from the inside network. To solve this issue you can add a Reflexive ACL to your statement and allow the already established traffic.

Hope that helps.

Omar

Forgot to mention that once the tunnel interface is up, it will not be affected by the access-list on the outside interface; you can apply a second ACL inside the tunnel interface if needed.
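The approach Omar describes, written out as an IOS configuration fragment. This is an added example, not configuration posted in the thread; the interface name, the public address 203.0.113.1 (documentation range) and the ACL names are assumptions to be replaced with your own.

```cisco
! Assumed: GigabitEthernet0/0/0 is the Internet-facing interface of the
! DMVPN hub and 203.0.113.1 is its public address (placeholder values).
!
! Outbound ACL: every session the hub itself initiates is recorded in the
! reflexive list RETURN-TRAFFIC so that its replies are let back in.
ip access-list extended OUTSIDE-OUT
 permit tcp any any reflect RETURN-TRAFFIC timeout 300
 permit udp any any reflect RETURN-TRAFFIC timeout 300
 permit icmp any any reflect RETURN-TRAFFIC timeout 60
!
! Inbound ACL: only what is needed to bring the spoke tunnels up.
! Spokes usually have dynamic public addresses, hence "any" as source.
ip access-list extended OUTSIDE-IN
 remark --- IKE (ISAKMP, UDP 500) from the home-user spokes
 permit udp any host 203.0.113.1 eq isakmp
 remark --- IKE and ESP encapsulated in UDP 4500 for spokes behind NAT (NAT-T)
 permit udp any host 203.0.113.1 eq non500-isakmp
 remark --- native ESP for spokes that are not behind NAT
 permit esp any host 203.0.113.1
 remark --- replies to sessions the hub started (reflexive ACL evaluation)
 evaluate RETURN-TRAFFIC
 remark --- explicit version of the implicit deny, logged for monitoring
 deny ip any any log
!
! The GRE/mGRE and EIGRP traffic between hub and spokes is carried inside
! ESP (tunnel protection), so it needs no entry of its own here. Once the
! tunnel is up, a separate ACL on the Tunnel interface can filter the
! decrypted traffic if required.
interface GigabitEthernet0/0/0
 description Internet-facing interface (DMVPN hub)
 ip address 203.0.113.1 255.255.255.248
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
```

Verify after applying with `show ip access-lists OUTSIDE-IN` (hit counts on the isakmp, non500-isakmp and esp lines while spokes come up) and `show ip access-lists RETURN-TRAFFIC` (dynamic entries appear for sessions the hub initiates).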

Omar,

Thanks for your response. Are you implying that if I don't want to block any traffic on the tunnel interfaces, I can apply an ACL to only the physical interface and that physical interface only needs protocols that will establish the tunnel?

Thank you.
