Anyone know where I can find a config guide / template for an IOS FW that allows all company data (RFC-1918) down a L2L VPN and has an internet traffic bypass secured by CBAC? I know there is lots of info on each but not together. I'm configuring this on a rtr already in place on the other side of the world that I need to secure but do not want to break what is there.
So far I have:
1. Remote ssh access from 2 IPs this side of the world for management
2. The L2L vpn set-up and established - all interesting traffic allowed
3. Internet bypass of VPN with a NAT overload based on denies of the above interesting traffic and then a permit any any
1 & 2 are controlled on an inbound acl on the outside int: permit SSH from x & y, and permit udp-500 & udp-4500 from p.e.e.r
3 is the one I need help securing without nixing 1&2: at this unsecured moment the above acl then permits any any (logged) to allow the Internet return traffic. Luckily the site is not quite prod yet, so the various dubious hits are not good but not bad.
So I need to set up CBAC (in a best practice way) but I do not want to disable the incoming SSH or l2l vpn connection.
Any suggestions and gotchas welcome.
BTW - it's a 2821 with 12.4(20); it may soon have CME but that is down the track
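Below is an added example of how the three pieces described in the post (management SSH, the L2L crypto map, and a CBAC-protected NAT bypass) fit into one IOS config; it is not from the original post or from Cisco documentation, and every address, interface name and ACL name in it is an assumption chosen for illustration (RFC 5737 documentation ranges for the public side, a 10.1.1.0/24 LAN for the branch). The point it shows is that the inbound ACL on the outside interface stays static and short, ending in an explicit logged deny, and CBAC's dynamic entries open the Internet return traffic in front of that deny; nothing in the post's items 1 and 2 has to be touched.

```cisco
! --- Added example config, not the poster's own. Addresses are placeholders. ---
! Branch LAN assumed as 10.1.1.0/24; VPN peer assumed at 203.0.113.5;
! management hosts assumed at 198.51.100.10 and .11; outside int Gi0/0.

! 1. Interesting (VPN) traffic: branch LAN to all RFC 1918 space
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255

! 2. NAT overload for the Internet bypass: deny the same interesting
!    traffic first so it is never translated, then overload the rest.
ip access-list extended NAT-INTERNET
 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.1.1.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface GigabitEthernet0/0 overload

! 3. CBAC inspection rule. router-traffic also tracks sessions the
!    router itself originates (pings, NTP), which CBAC otherwise ignores.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW dns
ip inspect name FW ftp
ip inspect audit-trail

! 4. Static inbound ACL on the outside interface. CBAC inserts its
!    dynamic permits ahead of the final deny, so this list never needs
!    a "permit ip any any" for return traffic.
ip access-list extended OUTSIDE-IN
 remark management SSH from the two admin hosts only
 permit tcp host 198.51.100.10 any eq 22
 permit tcp host 198.51.100.11 any eq 22
 remark IKE, NAT-T and ESP from the VPN peer
 permit udp host 203.0.113.5 any eq isakmp
 permit udp host 203.0.113.5 any eq non500-isakmp
 permit esp host 203.0.113.5 any
 remark ICMP the router should still see (PMTU, traceroute, replies)
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log

interface GigabitEthernet0/0
 description Outside / Internet
 ip address 203.0.113.10 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 ip nat outside
 crypto map VPN-MAP

interface GigabitEthernet0/1
 description Inside / branch LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside

! 5. Defence in depth for item 1: restrict vty to SSH and the same hosts,
!    so a future ACL edit cannot silently expose Telnet or open SSH.
ip access-list standard MGMT-HOSTS
 permit 198.51.100.10
 permit 198.51.100.11
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
```

Two caveats worth checking before cutting over on a remote box. First, `permit esp` is needed whenever NAT-T is not negotiated with the peer; if only UDP 500 and 4500 are opened and there is no NAT between the peers, the tunnel will establish IKE but carry no data. Second, from 12.3(8)T onward IOS checks decrypted IPsec packets against the crypto ACL rather than re-checking them against the interface ACL, so `OUTSIDE-IN` does not need entries for RFC 1918 sources; if `deny ip any any log` starts reporting drops from private addresses after the change, that is the first thing to revisit. Apply the ACL change last, in a session to the console or with `reload in 10` armed, so a mistake in the SSH permits cannot lock the router away on the far side of the world.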