11-01-2012 02:56 AM
Hi,
I have a question regarding site-to-site VPN with router.
Internet <> Router <> LAN
If I have a site-to-site VPN configured on the router above with another site, and I have an access-list configured to block all incoming Internet connections except from the VPN, what are the risks of the LAN getting exposed to Internet threats? Would you recommend putting in a firewall between the router and the LAN, or replacing the router with a firewall?
Thank you
11-04-2012 07:53 PM
Hi Amanda,
Assuming that your L2L looks like this:
LAN ---- Router --------------- INTERNET ------------- Router_Remote ----- LAN
|-------------------------------------------------------------------------------|
L2L
The traffic between the two LANs is protected by the VPN tunnel. It is recommended to use the security best practices (strongest encryption settings) to make sure the encrypted traffic wouldn't be compromised across the Internet.
On the other hand, if you are talking about traffic going out in the clear to the Internet, like when a user accesses google.com, then just make sure the traffic goes out, but never allow any inbound connections.
If you want to protect your network with advanced security features, like a FW, you may consider ZBF, which is the Firewall feature set available in IOS:
Zone-Based Policy Firewall Design and Application Guide
If you still consider this is not enough, then check the ASA5500 series.
HTH.
Portu.
Please rate any helpful posts
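A concrete ZBF policy for the LAN <> Router <> Internet design described above, as an added example that is not part of this thread or of the linked guide. It assumes the site-to-site tunnel is a VTI (Tunnel0); the interface names and the 10.1.0.0/24 (local) and 10.2.0.0/24 (remote) LAN ranges are placeholders.

```cisco
! Added example, not from the thread. Placeholders: local LAN 10.1.0.0/24,
! remote LAN 10.2.0.0/24, site-to-site tunnel as VTI Tunnel0.
zone security INSIDE
zone security OUTSIDE
zone security VPN
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
interface Tunnel0
 description Site-to-site VTI to Router_Remote
 zone-member security VPN
! Stateful inspection for sessions the LAN initiates toward the Internet;
! return traffic is allowed by the inspect state, nothing else.
class-map type inspect match-any CM-LAN-TO-INET
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-LAN-TO-INET
 class type inspect CM-LAN-TO-INET
  inspect
 class class-default
  drop log
! Only the two site LANs may talk across the tunnel, in either direction.
ip access-list extended ACL-SITE-LANS
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
class-map type inspect match-all CM-SITE-LANS
 match access-group name ACL-SITE-LANS
policy-map type inspect PM-SITE-LANS
 class type inspect CM-SITE-LANS
  inspect
 class class-default
  drop log
! Zone pairs. There is deliberately no OUTSIDE->INSIDE pair: traffic between
! zones with no pair is dropped, so unsolicited Internet connections never
! reach the LAN. IKE/ESP terminating on the router uses the self zone, which
! stays open because no zone-pair with "self" is defined.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-LAN-TO-INET
zone-pair security INSIDE-TO-VPN source INSIDE destination VPN
 service-policy type inspect PM-SITE-LANS
zone-pair security VPN-TO-INSIDE source VPN destination INSIDE
 service-policy type inspect PM-SITE-LANS
```

After applying it, `show policy-map type inspect zone-pair sessions` shows which LAN-initiated sessions the inspect state is tracking and `show zone-pair security` confirms that no OUTSIDE to INSIDE pair exists.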
11-27-2012 02:03 AM
Hi Portu,
Thank you very much for your detailed explanation.
Best regards,
Amanda
11-27-2012 05:09 AM
Glad to help
Have a nice day!