09-18-2008 12:15 PM
Hi all
(See attached file...)
I want to know where (on which interfaces) and how (in or out) I can apply my CBAC configuration. All incoming packets that pass through the LAN interfaces of R1 and R2 are permitted, no matter where they go.
I already defined rules and a static extended ACL on both routers. I also have NAT configured.
R1 WAN interface -> ACL_IN (denies any traffic except ESP for the IPsec tunnel, and some other stuff)
R2 WAN interface -> ACL_IN (denies any traffic except ESP for the IPsec tunnel, and some other stuff)
R1 WAN interface -> CBAC_OUT (the traffic is analyzed when it exits this interface and is then allowed back through the router only if it is part of the same session as the original traffic that triggered CBAC when exiting the router)
R2 WAN interface -> CBAC_OUT (the traffic is analyzed when it exits this interface and is then allowed back through the router only if it is part of the same session as the original traffic that triggered CBAC when exiting the router)
This configuration secures me from the Internet.
But if I want to analyze and secure (not block) the traffic that comes from the customer's LAN to my HQ services (passing through my tunnel interface only), where should I put my CBAC configuration (out on R1's LAN interface?)
Note: I have many customer routers that connect to the same R1 router.
Thank you very much
09-19-2008 03:05 AM
If you want to do packet filtering and use application inspection as well with VPN,
use the outside physical interface,
and use the private LAN IPs as source and destination IPs, so that after the packet gets decrypted on the interface it will be inspected.
By the way,
you have a tunnel interface; you mean you use GRE with IPsec?
By the way,
CBAC helps you with VPN for automatic port negotiation like H.323,
but for management
I would suggest you use a normal ACL and permit the traffic you want explicitly.
More secure and better for your case.
09-19-2008 04:49 AM
Thank you very much for your reply.
When you say that I must use the private LAN IPs as source and destination IPs, do you mean to use an "in" and "out" CBAC rule on the LAN interface of R1 to secure my HQ from the customers?
For us it's not necessary to secure the customers from my HQ.
Yes, I use GRE with IPsec. It's a DMVPN phase 2 network: a single cloud with dual hubs.
Thanks !
09-19-2008 04:57 AM
What kind of traffic do you want to pass through your tunnel? I mean, what ports or applications?
09-19-2008 05:03 AM
Essentially FTP and HTTP.
I have other traffic, but it doesn't matter if I don't analyze it, because it is terminated at the customer's end point, not on the LAN subnet (like CiscoCSM).
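The layout the thread describes, as an added example that is not configuration from the original poster or from Cisco documentation: the WAN interface keeps the inbound ACL_IN and the outbound CBAC_OUT rule from the first post, and a second inspection rule covers the FTP and HTTP sessions that customer LANs open towards HQ. Because the GRE payload is decapsulated on the tunnel interface, this example places that rule, and its ACL, on Tunnel0 rather than on the physical WAN interface; the reply above takes the other route (private-LAN addresses in the ACL on the outside interface), and either choice has to be checked against the IOS release in use, since older releases re-evaluated decrypted packets against the inbound ACL of the physical interface. Interface names, the WAN address 203.0.113.1, the HQ subnet 10.0.0.0/24, the customer range 10.1.0.0/16 and the names CBAC_HQ and ACL_TUN_IN are assumptions; the crypto, NHRP and NAT settings the poster already has are left out unchanged.

```cisco
! Added example (not the poster's config). ACL_IN and CBAC_OUT are the names
! used in the thread; CBAC_HQ, ACL_TUN_IN, addresses and interfaces are assumed.
!
! Inspection rule for sessions that HQ starts towards the Internet.
! "ftp" inspection is what tracks the negotiated data channel; "tcp"/"udp"
! cover everything else as generic sessions.
ip inspect name CBAC_OUT tcp
ip inspect name CBAC_OUT udp
ip inspect name CBAC_OUT ftp
ip inspect name CBAC_OUT http
!
! Inspection rule for sessions that customer LANs start towards HQ servers.
ip inspect name CBAC_HQ ftp
ip inspect name CBAC_HQ http
ip inspect name CBAC_HQ tcp
ip inspect name CBAC_HQ udp
!
! Log each inspected session opening and closing (syslog).
ip inspect audit-trail
!
! Inbound ACL on the WAN interface: only the IPsec traffic the DMVPN peers
! need is allowed in from the Internet. CBAC_OUT adds the temporary entries
! that let replies to HQ-initiated sessions back through this ACL.
ip access-list extended ACL_IN
 permit esp any host 203.0.113.1
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 deny ip any any log
!
! Inbound ACL on the tunnel: what customer LANs (10.1.0.0/16, assumed) may
! start towards HQ servers (10.0.0.0/24, assumed). Only the FTP control
! connection and HTTP are listed; FTP data channels are opened by CBAC_HQ,
! and replies to sessions HQ starts towards customers are opened by CBAC_OUT
! applied outbound on the same interface.
ip access-list extended ACL_TUN_IN
 permit tcp 10.1.0.0 0.0.255.255 10.0.0.0 0.0.0.255 eq ftp
 permit tcp 10.1.0.0 0.0.255.255 10.0.0.0 0.0.0.255 eq www
 deny ip any any log
!
interface GigabitEthernet0/0
 description WAN (Internet)
 ip address 203.0.113.1 255.255.255.0
 ip access-group ACL_IN in
 ip inspect CBAC_OUT out
!
interface Tunnel0
 description DMVPN hub (existing tunnel/NHRP/IPsec settings unchanged)
 ip access-group ACL_TUN_IN in
 ip inspect CBAC_HQ in
 ip inspect CBAC_OUT out
!
interface GigabitEthernet0/1
 description HQ LAN
 ip address 10.0.0.1 255.255.255.0
```

To check that the tunnel-side rule is actually seeing the customer traffic, open an FTP or HTTP session from a customer LAN to an HQ server and run `show ip inspect sessions` on R1: the session should appear under CBAC_HQ, and `show ip access-lists ACL_TUN_IN` should show the match counters on the FTP/HTTP permits moving. A session that shows up only under CBAC_OUT, or not at all, means the inspection is on the wrong interface or direction for that release.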