05-06-2011 08:14 AM
Hi,
Someone please advise me how to block all traffic except the traffic coming through the VPN and the traffic coming from the HQ office's IP.
My router is a Cisco 881/K9. Currently I block all IPs except the HQ office's IP by using an access-list on the branch office site.
I put permit entries in the list according to the VPN users' location IPs. But now the VPN users are becoming more and more numerous, so it is becoming difficult to block IPs according to their current location. Sometimes it is not possible to know their WAN IP.
Thanks in advance.
05-06-2011 08:18 AM
Have you considered allowing IPSEC IP protocol, TCP port, UDP ports from any IP, and then blocking all other traffic?
05-06-2011 08:31 AM
Something like this:
ip access-list extended outside
permit esp any any <<< IPSEC protocol 50 traffic
permit udp any any eq isakmp <<< regular IPSEC ISAKMP UDP 500 traffic
permit udp any any eq non500-isakmp <<< NAT-T IPSEC UDP 4500 traffic
permit tcp any any eq 22 <<< SSH
deny ip any any <<< BLOCK EVERYTHING ELSE (implicit)
I added SSH assuming you might want to get into your router from outside with SSH.
I assumed you have CBAC (ip inspect) configured which automatically opens holes at the top of the access-list to allow return traffic for any Internet bound traffic that you originate from the internal network.
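To show where the ACL above sits on the box, here is a complete fragment as an added example (my own, not from the thread). It assumes the 881's WAN port is FastEthernet4, uses a placeholder address for HQ, and adds the CBAC inspection the answer assumes plus an explicit logged deny so hits on the blocked traffic are visible in the router log:

```cisco
! Added example, not from the thread. Assumptions: WAN port is
! FastEthernet4; HQ public address 203.0.113.10 is a placeholder.
!
! CBAC: inspect sessions leaving the WAN port so return traffic is
! allowed back in ahead of the "outside" ACL
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
ip access-list extended outside
 remark HQ office (replace placeholder with the real address)
 permit ip host 203.0.113.10 any
 remark IPsec from roaming VPN users, any source address
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 remark remote management
 permit tcp any any eq 22
 remark make the implicit deny explicit and log what gets dropped
 deny ip any any log
!
interface FastEthernet4
 ip access-group outside in
 ip inspect FW out
```

Check the result with `show ip access-lists outside` (hit counters per line) and `show ip inspect sessions` to confirm return traffic is being handled by CBAC rather than by the ACL.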
05-06-2011 11:48 AM
Good luck with that! Let us know how it goes
05-06-2011 08:21 AM
Honestly nope.
Could you please give me some more hints.
Thanks.
05-06-2011 11:21 AM
Thanks a lot.
Now I got hints.
I do know that sometimes a one-line hint can save days.
Let me get back to you if I can't solve it.
Then I will post my running-config also.
05-06-2011 08:18 AM
Correction to my original post:
"But now the VPN users are becoming more and more numerous, so it is becoming difficult to unblock IPs according to their current location."