cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
459
Views
0
Helpful
3
Replies

Do I need to lockdown a router only used for VPN?

Group IT
Level 1
Level 1

Hi all,

I am experimenting with IPsec tunnels between a router at a remote location and an ASA (the 'hub', at HQ).

The idea is that users at the remote locations (the 'spokes'), obtain all their network access (including internet) over the tunnel. So, as far as my router is concerned, all it should be communicating with is the public static IP of my HQ's ASA.

The outside interface on the router, has 'crypto map vpn-to-hq', but does this in itself 'lock down' the interface?

How secure is this in way of external threats pounding on my router's external public IP, or in ensuring my users can't circumvent the tunnel?

Do I need an access list on the router's outside interface blocking all ingress traffic from all IPs except the ASA, and another access list blocking all egress traffic to any IP's except the ASA's?

Thank you for reading!

Best Regards,

Elliot

1 Accepted Solution

Accepted Solutions

As always, it depends ...

When assuming that your crypto-ACL has a form of "permit ip BRANCH-NETWOK any" then the router still allows all incoming traffic to the router itself. You could "tune" that, but IMO it makes the setup more complex (and complexity is one of the first enemies of security).

Configuring your router with a strict incoming ACL will make things easier and also protect your router if there would show up a bug in the handling of the crypto ACL.

An outgoing ACL could also restrict traffic flowing to the internet when something with your crypto-setup goes wrong.

View solution in original post

3 Replies 3

As always, it depends ...

When assuming that your crypto-ACL has a form of "permit ip BRANCH-NETWOK any" then the router still allows all incoming traffic to the router itself. You could "tune" that, but IMO it makes the setup more complex (and complexity is one of the first enemies of security).

Configuring your router with a strict incoming ACL will make things easier and also protect your router if there would show up a bug in the handling of the crypto ACL.

An outgoing ACL could also restrict traffic flowing to the internet when something with your crypto-setup goes wrong.

Hi Karsten,

Thank you for your reply.

Yes, my crypto-ACL does indeed permit only the remote site's IP range. Here's a snippet of my config:

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key testpass address 81.136.123.123
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto map vpn-to-hq 10 ipsec-isakmp
set peer 81.136.123.123
set transform-set TS
match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.99.0 0.0.0.255 any
permit icmp 192.168.99.0 0.0.0.255 any

I understand from your reply then, that despite it introducing extra complexity to the overall config, it would be recommended to lock it down with ACL's against inbound and outbound data?

Thank you.

Best Regards,

Elliot

Locking it down with an ACL is the least complex and most easiest way. I would always do that as a first line of defense.

For your ACL VPN-TRAFFIC: You don't need the second line with "permit icmp" as icmp is part of IP.