I want to create a site to site VPN over the Internet. At the remote site, apart from the VPN to head office there should be no traffic allowed in from the Internet to the Internal network and there should be no traffic from the Internal network allowed to the Internet. The internal network will be running a private 192.168.x.x address range.
I'm going to use a Cisco 2811 integrated services router at the remote site and this will run an IPSec VPN which will terminate on a concentrator at head office. I understand that this router has an IOS firewall and IPS built in.
Would I be right in thinking that because I don't want to have any access to or from the Internet (apart from the VPN) that I don't need to configure any of the IOS firewall features on the router? And there'd be no point in configuring any IPS features would there?
My thinking is that just a single access list entry of deny ip any any applied inbound to the interface that connects to the Internet would be the best strategy. I believe the command 'sysopt connection permit-ipsec' should allow the VPN to form even with the deny ip any any ACL (or is this just a Pix command? If so then I'd have to permit ESP and UDP 500 (ISAKMP) from the public address of the concentrator at head office to allow the VPN to form wouldn't I?).
Thinking about it I'll probably expand the access list slightly to allow icmp, ssh and https traffic from the head office external firewall IP address so that I can monitor the remote site and get to it securely should the VPN fail.
And I wouldn't need an access list on the interface connected to the internal network, would I, because the address range would be non-routable so they wouldn't be able to initiate connections to the Internet (all traffic at the remote site would be specified as interesting traffic to bring up the VPN).
Using any of the IOS firewall inspect commands or the IPS would be pointless and have no effect in this situation wouldn't it?
I really just need to know if the deny ip any any ACL on the outside interface at the remote site is the best option (and simplest), and if it will be secure.
We used to use Pix firewalls for remote site to site VPNs, which deny inbound connections on the outside interface by default, but now I've been told that these 2800 series routers will be used from now on so I'd like to get my thinking straight and be able to build them securely to do the same job as all the existing Pixes are currently doing (they're all installed for just the VPN connection to head office as in the first paragraph).
I'd appreciate any advice or thoughts on the subject. I'm sure there must be a ton of people who have set routers up for the same purpose.
Thanks in anticipation.
I have done a lot of site to site VPN implementations using IOS routers. They work very well. Based on my experience I offer these comments and hope that they will help you:
- you do want an access list inbound on the outside interface, but you want more in it than just deny ip any any. There is no sysopt connection permit-ipsec in IOS so you will certainly want to permit ISAKMP and IPSec/ESP. I suggest that you also want to allow SSH. I like to allow ICMP but only from the address space of the head end network. I do not allow HTTPS since I usually do not enable the http server on the router. If you want HTTPS then certainly allow it. To facilitate ping and traceroute from the remote I frequently allow icmp echo-reply, time-exceeded, and port unreachable from any source.
- I like to put an access list on the inside interface. There are certain types of traffic which I may not want to send from the remote LAN. I usually deny any SNMP or snmp trap from LAN devices and deny icmp redirects coming off the LAN. I also frequently configure RPF checking on the inside interface to catch any device that is misconfigured.
- if you are going to allow SSH when the VPN is not active (and I highly recommend that you do) then you probably need to configure at least one (and perhaps several) user IDs and passwords on the router. And you want to configure authentication on the vty to use local authentication if the authentication server at the head end is not available.
- I am not clear from your description whether you plan to run a dynamic routing protocol over the VPN. I like to have a dynamic routing protocol because I use it to advertise a default route to the remote over the VPN. I do not locally configure a default route on the remote router. That way if the VPN tunnel is up there is a default route pointing over the tunnel and if the VPN tunnel is not up then there is no local default route and users at the remote can not access the Internet. This is a simple and highly effective method of assuring that all user traffic must go through the central site.
- in terms of routes defined on the remote router, my approach is that I define a static route to the tunnel end point to allow the tunnel to establish and I configure static routes to the subnet at the head end from which I may SSH. And I do not configure other local static routes on the remote router.
- you probably want to disable cdp on the outside interface and also to disable proxy-arp (and I like to do no ip unreachables).
- there is frequently an issue when using VPN site to site with fragmentation. If a device on the LAN sends a maximum size frame, and then the router needs to add the extra headers for IPSec then the frame is too large and requires fragmentation. I like to use ip tcp adjust-mss to control segment size for TCP traffic and avoid any issues with fragmentation.
- I do not think that you want to implement any of the firewall or IPS features of the IOS on the 2811.
I hope your implementation goes well and that my suggestions may have been helpful.
After posting my response I read through your post again and realize that you are doing VPN to a concentrator. The approach that I suggested about running a routing protocol works for me because I usually have an IOS router at the head end. It would not work for connecting to a concentrator.
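The following IOS configuration fragment is an added example that pulls together the recommendations in the answer above (outside ACL permitting only ISAKMP, ESP, SSH and limited ICMP; an inside ACL blocking SNMP and ICMP redirects; uRPF on the inside; local fallback authentication for SSH; no CDP, proxy-ARP or unreachables on the outside; TCP MSS clamping; static routes only for the tunnel endpoint and the management subnet). It is not configuration from the original poster or the answerer. All addresses and interface names are assumptions: outside interface FastEthernet0/0 at 198.51.100.2 with ISP next hop 198.51.100.1, head office concentrator at 203.0.113.10, head office management subnet 10.0.0.0/24, and remote LAN 192.168.10.0/24 on FastEthernet0/1. The ISAKMP policy, transform set and crypto map that actually build the tunnel are not shown, because the thread does not discuss them.

```cisco
! Assumed addresses (not from the original post):
!   outside   Fa0/0  198.51.100.2/30, ISP next hop 198.51.100.1
!   head end  concentrator 203.0.113.10, management subnet 10.0.0.0/24
!   inside    Fa0/1  192.168.10.1/24
ip cef
!
! Inbound from the Internet: only what the VPN and out-of-band SSH need.
! UDP 4500 (NAT-T) is included in case the concentrator negotiates NAT traversal.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.10 host 198.51.100.2 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.2 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.2
 permit tcp 10.0.0.0 0.0.0.255 host 198.51.100.2 eq 22
 permit icmp 10.0.0.0 0.0.0.255 host 198.51.100.2
 permit icmp any host 198.51.100.2 echo-reply
 permit icmp any host 198.51.100.2 time-exceeded
 permit icmp any host 198.51.100.2 port-unreachable
 deny   ip any any log
!
! Inbound from the LAN: drop SNMP/traps and ICMP redirects sourced on the LAN,
! and only accept traffic actually sourced from the remote subnet.
ip access-list extended INSIDE-IN
 deny   udp 192.168.10.0 0.0.0.255 any eq snmp
 deny   udp 192.168.10.0 0.0.0.255 any eq snmptrap
 deny   icmp 192.168.10.0 0.0.0.255 any redirect
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside (Internet)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip proxy-arp
 no ip unreachables
 no cdp enable
 ! crypto map would be applied here; policy/transform set not shown
!
interface FastEthernet0/1
 description Inside (remote LAN)
 ip address 192.168.10.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip verify unicast reverse-path
 ip tcp adjust-mss 1360
!
! No default route: the only way off the LAN is through the tunnel.
! Reachability is provided only to the tunnel endpoint and the SSH source subnet.
ip route 203.0.113.10 255.255.255.255 198.51.100.1
ip route 10.0.0.0 255.255.255.0 198.51.100.1
!
! Local account so SSH still works when the head end AAA server is unreachable.
aaa new-model
aaa authentication login default group tacacs+ local
username remote-admin privilege 15 secret <choose-a-strong-secret>
ip ssh version 2
line vty 0 4
 login authentication default
 transport input ssh
```

The MSS value of 1360 is a common choice for an Ethernet path carrying IPSec overhead and is an assumption; tune it to the actual tunnel MTU. If the head office concentrator uses a source address for SSH other than the management subnet assumed here, adjust the OUTSIDE-IN entries and the matching static route together, since the answer's point is that the router carries no route back to arbitrary Internet sources.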