07-16-2013 06:50 AM - edited 03-07-2019 02:25 PM
With a 2911 connected to the net and an S2S VPN going out the public interface, what's the best method to still lock down the router from the public interface but not interfere with the VPN tunnel?
-R
07-16-2013 07:23 AM
Hi,
How did you configure the L2L VPN: with the crypto-map commands or the VTI?
Have you already got a firewall config in place?
Regards
Alain
Don't forget to rate helpful posts.
07-16-2013 08:05 AM
Nothing in place currently...
ip ssh source-interface Virtual-Template1
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXX address 64.22.241.98 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map outside_map 10 ipsec-isakmp
set peer 3xx.3xx.3xx.xx3
set transform-set ESP-3DES-SHA
match address 150
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Public
ip address 3xx.3xx.3xx.xx3 255.255.255.192
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
description Subinterfaces for local vlans
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
access-list 150 permit ip 192.168.202.0 0.0.0.255 any
07-16-2013 10:47 AM
Hey, you can check this out: http://www.packetpros.com/2012/08/public-interface-acl.html
It is a blog by a member of the community; it should be helpful.
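The kind of public-interface ACL the thread is asking about, written out as an added example; this is neither the original poster's config nor the linked blog's, and it assumes the placeholder addresses shown in the comments (RFC 5737 documentation ranges), a CBAC-capable IOS 15 image on the 2911, and the posted crypto map left exactly as it is. The idea is to let the Internet reach the public interface only with the peer's IKE/NAT-T/ESP traffic, and to rely on stateful inspection for the return traffic of NAT'd inside hosts instead of opening the ACL with "any".

```cisco
! Added example, not from the thread. Constructed placeholder addresses:
!   203.0.113.10  = this router's public IP on GigabitEthernet0/0
!   198.51.100.20 = the remote IPsec peer (the "set peer" address)
!
! 1. Stateful inspection (CBAC) of traffic leaving the public interface, so
!    replies for inside hosts get dynamic openings instead of a static hole.
!    "router-traffic" also tracks sessions the router itself originates.
ip inspect name OUTSIDE-FW tcp router-traffic
ip inspect name OUTSIDE-FW udp router-traffic
ip inspect name OUTSIDE-FW icmp router-traffic
!
! 2. What the Internet is allowed to send to the public interface.
ip access-list extended OUTSIDE-IN
 remark -- IPsec control and data traffic, from the configured peer only
 permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.20 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.20 host 203.0.113.10
 remark -- ICMP the router needs for path-MTU discovery and troubleshooting
 permit icmp any host 203.0.113.10 unreachable
 permit icmp any host 203.0.113.10 time-exceeded
 remark -- private source addresses never legitimately arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark -- everything else, including SSH to the router, is dropped and logged
 deny   ip any any log
!
! 3. Apply both to the public interface; the crypto map binding is unchanged.
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
 ip inspect OUTSIDE-FW out
 crypto map outside_map
```

The encrypted traffic between the two sites arrives as ESP from the peer's public address, so the private-range denies never see the tunnel's inner 192.168.x addresses on a current IOS release (older images re-checked decrypted packets against the inbound ACL, in which case those denies would have to be relaxed). After applying it, confirm that the tunnel still comes up and that hit counts land on the isakmp and esp lines with show crypto isakmp sa, show crypto ipsec sa and show access-lists OUTSIDE-IN; show ip inspect sessions shows the dynamic openings CBAC created. If the router must be managed over SSH from the Internet, add a permit for that one management address only, and restrict the vty lines with access-class as well.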