ISR 4331 in front of firewall

louis_m
Level 1

Our ISP has given us a block of 16 static IPs to use.

They have provided us with the following (example IPs)

WAN IP: 32.32.32.1
GW IP: 32.32.32.2

LAN IP: 64.64.64.1

AVAILABLE RANGE: 64.64.64.2 - 14

Fairly straight forward. Our question is, what is the best way of connecting this?

Our previous ISP did supply a Cisco router and just the static IP range but this ISP doesn't.

The LAN available range is a routable public IP range so we thought about connecting it like this:

ISP 32.32.32.2 > 32.32.32.1 (ISR 4431 router) 64.64.64.1/28 > 64.64.64.2/28 (Our firewall which manages the other IPs 64.64.64.3 - 14) which then NATs to our internal private IPs.

So basically ISP > ISR4431 > FW > LAN 

Just slightly nervous of putting an ISR4431 in front of our firewall to just route the 32.32.32.0/30 to the 64.64.64.0/28.

I've hardened the router as much as I can eg disabling unused services, ACLs etc but was wondering if this is the best way?

Hello,

obviously, if possible in any form or shape, the order of connectivity should be:

ISP --> Firewall --> ISR4431--> LAN

In your case, if you have to put the ISR in front of your firewall, hardening the device as much as possible is indeed your best option. Maybe you can post the running config of the 4431, so we can check if anything else can be added/deleted from a security point of view.

I agree but unsure how to do this. Previously, our ISPs have supplied Cisco routers and just presented us with the LAN IP range which we simply entered into our FW.

This time there is another hop with no router supplied so we thought we would mimic what was previously done eg ISR4431 with LAN IP range. Obviously, we don't have the previous ISP config as we didn't have access to their supplied router.

So our config on the ISR4431 goes something like this (not the finished article on the ACLs, management IP etc or the vty lines)

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service dhcp
no platform punt-keepalive disable-kernel-core
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 XXXXXXXX
!
aaa new-model
!
!
aaa session-id common
clock timezone XXX 0 0
clock summer-time XXX recurring
no ip source-route
!
!
no ip bootp server
no ip domain lookup
ip domain name XXXXXXX
!
!
login block-for 300 attempts 3 within 50
!
!
subscriber templating
multilink bundle-name authenticated
!
!
spanning-tree extend system-id
!
username XXXXXX privilege 15 secret 5 XXXXXXX
username XXXXXX privilege 15 secret 5 XXXXXXX
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
no cdp run
!
!
interface GigabitEthernet0/0/0
 description OUTSIDE
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/0.4094
 description FROM ISP
 encapsulation dot1Q 4094
 ip address 32.32.32.1 255.255.255.252
 ip access-group OUTSIDE in
!
interface GigabitEthernet0/0/1
 description INSIDE
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1.100
 description INSIDE to FIREWALL
 encapsulation dot1Q 100
 ip address 62.62.62.1 255.255.255.240
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 description MANAGEMENT
 vrf forwarding Mgmt-intf
 no ip address
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 32.32.32.2
ip ssh time-out 30
ip ssh version 2
!
!
ip access-list extended OUTSIDE
 deny icmp any any
 permit ip any any
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
!
ntp server XXXXXX
ntp server XXXXXX

Hello


@louis_m wrote:
Just slightly nervous of putting an ISR4431 in front of our firewall to just route the 32.32.32.0/30 to the 64.64.64.0/28.

I would say you don't need to expose the rtr like this just to be able to route the subnet. I assume the isp will be summarizing for that subnet anyway on your behalf, and even if it doesn't you could always hide the subnet behind NAT. All you need to do is have the FW route between the lan and the isp; you could even DMZ part of the lan depending on your requirements.


Kind Regards
Paul

johnlloyd_13
Level 9

hi,

in my experience, we install a router to connect to the ISP and FW to protect the LAN: ISP > 4331 > FW > LAN.

a router is more "flexible" in terms of WAN interface/handoff (and routing) with an ISP compared to a FW.

what if later on your company decides to add a second ISP and do BGP? just "hardened" the router so you've got defense layers in your environment.

For the ACL on the router, we obviously want to allow everything through so it hits the firewall but obviously nothing to get to the router eg management unless it's coming from our internal lan to management interface (not setup yet in above)

But I was wondering whether we would need to put some rate limiting in eg to stop icmp flood etc on the router itself?

johnlloyd_13
Level 9

hi,

you usually configure a BOGON ACL and route them to null as best practice for an internet edge router. you can search for config/templates that suit your environment. see example:

https://community.cisco.com/t5/routing/bogon-filtering/td-p/829487
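As an added example (not from this thread or from any Cisco template) that pulls together the bogon filtering mentioned above with louis_m's earlier questions about keeping the internet away from the router's own management and rate-limiting ICMP, here is an IOS-XE fragment for the edge ISR. It assumes the addresses and interface names from the posted config (ISP on Gi0/0/0.4094 as 32.32.32.1/30, the firewall's 64.64.64.0/28 as the only permitted management source) and that the firewall NATs the LAN, so the router never needs a route into RFC1918 space; the posted ACL's transit "deny icmp any any" is replaced by control-plane policing, leaving the decision on transit ICMP to the firewall.

```ios
! Added example, not louis_m's config. Assumes: ISP on Gi0/0/0.4094
! (32.32.32.1/30), firewall range 64.64.64.0/28 behind Gi0/0/1.100,
! firewall NATs the LAN so the router never routes to RFC1918 space.
!
! 1. Ingress ACL: drop bogon/spoofed sources, pass the rest to the firewall
ip access-list extended OUTSIDE
 remark private and bogon sources never legitimately arrive from the ISP
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark our own ranges as a source from outside can only be spoofed
 deny   ip 32.32.32.0 0.0.0.3 any
 deny   ip 64.64.64.0 0.0.0.15 any
 remark no TCP to the router itself from the internet (SSH etc.)
 deny   tcp any host 32.32.32.1
 permit ip any any
!
! 2. Sink bogon destinations; uRPF then also rejects them as sources
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
interface GigabitEthernet0/0/0.4094
 ip access-group OUTSIDE in
 ip verify unicast source reachable-via rx allow-default
!
! 3. Control-plane policing: ICMP aimed at the router is rate-limited,
!    so an ICMP flood cannot starve the route processor
ip access-list extended COPP-ICMP
 permit icmp any any
class-map match-all COPP-ICMP-CLASS
 match access-group name COPP-ICMP
policy-map COPP
 class COPP-ICMP-CLASS
  police 64000 8000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
!
! 4. Management reachable only from the firewall-side range, SSH only
ip access-list standard MGMT-HOSTS
 permit 64.64.64.0 0.0.0.15
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
```

"show policy-map control-plane" and "show ip interface Gi0/0/0.4094" show the CoPP drop counters and uRPF verification drops, which is how to confirm the policing and anti-spoofing are actually taking effect.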
