04-18-2017 10:47 AM
Hi all,
I am experimenting with IPsec tunnels between a router at a remote location and an ASA (the 'hub', at HQ).
The idea is that users at the remote locations (the 'spokes') obtain all their network access (including internet) over the tunnel. So, as far as my router is concerned, all it should be communicating with is the public static IP of my HQ's ASA.
The outside interface on the router has 'crypto map vpn-to-hq', but does this in itself 'lock down' the interface?
How secure is this in way of external threats pounding on my router's external public IP, or in ensuring my users can't circumvent the tunnel?
Do I need an access list on the router's outside interface blocking all ingress traffic from all IPs except the ASA, and another access list blocking all egress traffic to any IPs except the ASA's?
Thank you for reading!
Best Regards,
Elliot
04-18-2017 02:01 PM
As always, it depends ...
When assuming that your crypto-ACL has a form of "permit ip BRANCH-NETWORK any" then the router still allows all incoming traffic to the router itself. You could "tune" that, but IMO it makes the setup more complex (and complexity is one of the first enemies of security).
Configuring your router with a strict incoming ACL will make things easier and also protect your router if there would show up a bug in the handling of the crypto ACL.
An outgoing ACL could also restrict traffic flowing to the internet when something with your crypto-setup goes wrong.
04-19-2017 02:23 AM
Hi Karsten,
Thank you for your reply.
Yes, my crypto-ACL does indeed permit only the remote site's IP range. Here's a snippet of my config:
I understand from your reply then, that despite it introducing extra complexity to the overall config, it would be recommended to lock it down with ACLs against inbound and outbound data?
Thank you.
Best Regards,
Elliot
04-20-2017 03:45 AM
Locking it down with an ACL is the least complex and easiest way. I would always do that as a first line of defense.
For your ACL VPN-TRAFFIC: You don't need the second line with "permit icmp" as icmp is part of IP.
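To illustrate what the two replies above describe, here is an added example of the router-side configuration (it is not Elliot's config or Karsten's, and is not taken from the thread). All addresses, the branch prefix and the interface name are assumptions using documentation ranges; the crypto ACL keeps the single "permit ip" line Karsten recommends, and the interface ACLs allow only IKE, NAT-T and ESP between the router and the ASA.

```cisco
! Added example, not from the original posts. Placeholder values (assumptions):
!   203.0.113.10       = HQ ASA public IP
!   192.0.2.1          = this router's public IP
!   10.20.0.0/24       = branch LAN
!   GigabitEthernet0/0 = router outside interface
!
! Crypto ACL: one "permit ip" line suffices, ICMP is already part of IP
ip access-list extended VPN-TRAFFIC
 permit ip 10.20.0.0 0.0.0.255 any
!
! Inbound: only IKE (UDP/500), NAT-T (UDP/4500) and ESP from the ASA;
! everything else hitting the public IP is dropped and logged
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.10 host 192.0.2.1 eq isakmp
 permit udp host 203.0.113.10 host 192.0.2.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 192.0.2.1
 deny   ip any any log
!
! Outbound: only tunnel traffic towards the ASA; if the crypto setup fails,
! clear-text traffic cannot leak to the internet and the denies are logged
ip access-list extended OUTSIDE-OUT
 permit udp host 192.0.2.1 host 203.0.113.10 eq isakmp
 permit udp host 192.0.2.1 host 203.0.113.10 eq non500-isakmp
 permit esp host 192.0.2.1 host 203.0.113.10
 deny   ip any any log
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
 crypto map vpn-to-hq
```

Check on the running IOS release whether clear-text packets are still checked against the interface ACLs just before encryption and just after decryption; on releases that do this double check, the branch and HQ networks must be permitted as well. Anything the outside interface itself needs (for example DHCP on a dynamically addressed WAN) requires its own permit line.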