How to block all traffic except vpn traffic and the traffic from HQ office

phyopaingag
Level 1

Hi,

Can someone please advise me how to block all traffic except the traffic coming through the VPN and the traffic coming from the HQ office's IP?

My router is a Cisco 881/K9. Currently I block all IPs except the HQ office's IP by using an access-list on the branch office site.

I put the permit IP list according to the VPN users' location IPs. But now the VPN users are becoming more and more, and so it becomes difficult to block IPs according to their current location. Sometimes it is not possible to know their WAN IP.

Thanks in advance.


6 Replies

Roman Rodichev
Level 7

Have you considered allowing IPSEC IP protocol, TCP port, UDP ports from any IP, and then blocking all other traffic?

Honestly nope.

Could you please give me some more hints?

Thanks.

Something like this:

ip access-list extended outside
 permit esp any any                    <<< IPSEC protocol 50 traffic
 permit udp any any eq isakmp          <<< regular IPSEC ISAKMP UDP 500 traffic
 permit udp any any eq non500-isakmp   <<< NAT-T IPSEC UDP 4500 traffic
 permit tcp any any eq 22              <<< SSH
 deny ip any any                       <<< BLOCK EVERYTHING ELSE (implicit)

I added SSH assuming you might want to get into your router from outside with SSH.

I assumed you have CBAC (ip inspect) configured which automatically opens holes at the top of the access-list to allow return traffic for any Internet bound traffic that you originate from the internal network.
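As an added illustration (my own example script, not Roman's configuration and not anything from Cisco IOS itself), the following Python models the ACL posted above: it parses the four permit lines, evaluates a handful of constructed packets against them in order, and shows the implicit deny catching everything else. It also models the CBAC return-traffic hole the post mentions as a dynamic entry placed ahead of the static rules, so you can see that the reply to an HTTPS session started from inside is dropped without ip inspect and passed with it. Every address, port and packet below is constructed for the example, and the parser handles only the "any any [eq PORT]" syntax the posted ACL uses.

```python
# Added example, not from the thread: a small model of the IOS extended ACL
# posted above. Port keywords, protocol numbers and all addresses below are
# constructed for the example; CBAC is modelled only as the post describes it.
from dataclasses import dataclass
from typing import Optional, Sequence

# IOS port keywords used in the posted ACL (isakmp = IKE UDP 500,
# non500-isakmp = NAT-T UDP 4500).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ssh": 22}
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "esp": 50}  # None = any protocol

# The four explicit lines from the post; the trailing deny is implicit in IOS.
ACL_TEXT = """
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any any eq 22
"""


@dataclass(frozen=True)
class Packet:
    proto: int           # IP protocol number
    src: str
    dst: str
    sport: int = 0       # 0 = no port (ESP carries none)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[int] = None   # None matches any protocol ("ip")
    src: Optional[str] = None     # None = "any"
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.proto, pkt.proto), (self.src, pkt.src), (self.dst, pkt.dst),
                 (self.sport, pkt.sport), (self.dport, pkt.dport))
        return all(want is None or want == have for want, have in pairs)


def parse_acl(text: str) -> list:
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' lines, the only forms the
    posted ACL uses ('host' and wildcard syntax are deliberately not handled)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        dport = None
        if len(tok) >= 6 and tok[4] == "eq":
            dport = PORT_NAMES.get(tok[5]) or int(tok[5])
        rules.append(Rule(tok[0], PROTO_NUMBERS[tok[1]],
                          None if tok[2] == "any" else tok[2],
                          None if tok[3] == "any" else tok[3],
                          dport=dport))
    return rules


def cbac_return_entry(outbound: Packet) -> Rule:
    """Model of the hole CBAC (ip inspect) opens for a session the inside
    network originated: a permit for the mirror of the outbound 5-tuple."""
    return Rule("permit", outbound.proto, outbound.dst, outbound.src,
                outbound.dport, outbound.sport)


def evaluate(rules: Sequence[Rule], pkt: Packet, dynamic: Sequence[Rule] = ()) -> str:
    """First matching entry wins; CBAC's dynamic entries sit above the static
    ones. No match at all means the implicit deny at the end of every IOS ACL."""
    for rule in (*dynamic, *rules):
        if rule.matches(pkt):
            return rule.action
    return "deny"


def demo() -> dict:
    rules = parse_acl(ACL_TEXT)
    # Constructed addresses: branch router WAN, HQ WAN, a roaming VPN user, a web server.
    branch, hq, roaming, web = "203.0.113.10", "198.51.100.1", "198.51.100.77", "192.0.2.80"
    # HTTPS session started from inside, as seen on the outside interface (post-NAT).
    outbound_https = Packet(6, branch, web, 40001, 443)
    reply = Packet(6, web, branch, 443, 40001)
    return {
        "esp_from_roaming_user": evaluate(rules, Packet(50, roaming, branch)),
        "natt_from_roaming_user": evaluate(rules, Packet(17, roaming, branch, 4500, 4500)),
        "ike_from_hq": evaluate(rules, Packet(17, hq, branch, 500, 500)),
        "ssh_to_router": evaluate(rules, Packet(6, hq, branch, 51000, 22)),
        "unsolicited_http": evaluate(rules, Packet(6, web, branch, 33000, 80)),
        "https_reply_without_cbac": evaluate(rules, reply),
        "https_reply_with_cbac": evaluate(rules, reply, [cbac_return_entry(outbound_https)]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

Running it prints one verdict per packet: the ESP, IKE, NAT-T and SSH packets come through regardless of source address, the unsolicited HTTP connection hits the implicit deny, and the HTTPS reply is only permitted once the CBAC-style entry for the inside-originated session is in front of the static rules.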

Thanks a lot.

Now I have hints.

I do know that sometimes a one-line hint can save days.

Let me get back to you if I can't solve it.

Then I will post my running-config also.

Good luck with that! Let us know how it goes.

phyopaingag
Level 1

Correction to my original post:

"But now the VPN users are becoming more and more, and so it becomes difficult to unblock IPs according to their current location."