Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
330
Views
0
Helpful
3
Replies

Do I need to lockdown a router only used for VPN?

Go to solution
Group IT
Level 1
Level 1

‎04-18-2017 10:47 AM

Hi all,

I am experimenting with IPsec tunnels between a router at a remote location and an ASA (the 'hub', at HQ).

The idea is that users at the remote locations (the 'spokes'), obtain all their network access (including internet) over the tunnel. So, as far as my router is concerned, all it should be communicating with is the public static IP of my HQ's ASA.

The outside interface on the router, has 'crypto map vpn-to-hq', but does this in itself 'lock down' the interface?

How secure is this in way of external threats pounding on my router's external public IP, or in ensuring my users can't circumvent the tunnel?

Do I need an access list on the router's outside interface blocking all ingress traffic from all IPs except the ASA, and another access list blocking all egress traffic to any IP's except the ASA's?

Thank you for reading!

Best Regards,

Elliot

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎04-18-2017 02:01 PM

As always, it depends ...

When assuming that your crypto-ACL has a form of "permit ip BRANCH-NETWOK any" then the router still allows all incoming traffic to the router itself. You could "tune" that, but IMO it makes the setup more complex (and complexity is one of the first enemies of security).

Configuring your router with a strict incoming ACL will make things easier and also protect your router if there would show up a bug in the handling of the crypto ACL.

An outgoing ACL could also restrict traffic flowing to the internet when something with your crypto-setup goes wrong.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Karsten Iwen
VIP
VIP

‎04-18-2017 02:01 PM

As always, it depends ...

When assuming that your crypto-ACL has a form of "permit ip BRANCH-NETWOK any" then the router still allows all incoming traffic to the router itself. You could "tune" that, but IMO it makes the setup more complex (and complexity is one of the first enemies of security).

Configuring your router with a strict incoming ACL will make things easier and also protect your router if there would show up a bug in the handling of the crypto ACL.

An outgoing ACL could also restrict traffic flowing to the internet when something with your crypto-setup goes wrong.

0 Helpful

Go to solution
Group IT
Level 1
Level 1
In response to Karsten Iwen

‎04-19-2017 02:23 AM

Hi Karsten,

Thank you for your reply.

Yes, my crypto-ACL does indeed permit only the remote site's IP range. Here's a snippet of my config:

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key testpass address 81.136.123.123
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto map vpn-to-hq 10 ipsec-isakmp
set peer 81.136.123.123
set transform-set TS
match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.99.0 0.0.0.255 any
permit icmp 192.168.99.0 0.0.0.255 any

I understand from your reply then, that despite it introducing extra complexity to the overall config, it would be recommended to lock it down with ACL's against inbound and outbound data?

Thank you.

Best Regards,

Elliot

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Group IT

‎04-20-2017 03:45 AM

Locking it down with an ACL is the least complex and most easiest way. I would always do that as a first line of defense.

For your ACL VPN-TRAFFIC: You don't need the second line with "permit icmp" as icmp is part of IP.

0 Helpful
Customers Also Viewed These Support Documents