Protecting WAN Interface providing public and private connectivity

May 13th, 2009

I have a client that has an MPLS WAN. Each site gets both public internet connectivity and private WAN connectivity from one connection (multilink T-1s); the provider's network then routes internet traffic out to the WWW, and private traffic is routed accordingly via BGP.

The routers have two Ethernet handoffs, one with private IPs and one with public IPs.

The public handoff is hooked up to a firewall, and outbound traffic is routed via an integration router so that internet traffic goes through the firewall and private traffic goes through the private interface.

I want to make sure that these routers are properly protected. The multilink interfaces have internet-accessible IPs. Is there a way, good or bad, to protect these interfaces so that private traffic goes through seamlessly but I can apply something that will limit access from the internet?

Thanks much for any and all help!

mloraditch Wed, 05/13/2009 - 06:27

Yes, that does. Since private traffic is running over this interface, would I not need to allow traffic from my private subnets as well?

Secondly, do I really need all the extra denies? I would think that if I remove them they would all still be caught by the implicit deny any any at the end?

thanks

Collin Clark Wed, 05/13/2009 - 06:44

You will have to allow your private IPs. You do not need the extra denies; they will be blocked. We're required to log those packets, and that's why they're in this ACL. Another layer of security would be to use prefix lists to filter what routes can come in.

mloraditch Wed, 05/13/2009 - 07:02

In theory this would be sufficient then:

ip access-list extended inbound
 remark Allow BGP
 permit tcp host [BGP Neighbor] eq bgp host [Local BGP Interface]
 permit tcp host [BGP Neighbor] host [Local BGP Interface] eq bgp
 remark Allow private WAN traffic and Internet traffic to the public handoff
 permit ip [PRIVATE SUBNET] [WILDCARD MASK] any
 permit ip any [PUBLIC SUBNET] [WILDCARD MASK]
 remark Allow Specific ICMP
 permit icmp any host [Local Host for ICMP] echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any

Thanks again, very helpful!
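
As an added example that is not part of the original thread, here is the complete provider-facing configuration the discussion arrives at, put together in one place: the ACL above with concrete wildcard masks, a logged final deny (Collin notes the drops must be logged), the ACL bound inbound on the multilink, and the inbound prefix-list filtering he suggests on the BGP session, plus strict uRPF on the interface as an extra check not raised in the thread. The interface name Multilink1, the public handoff block 203.0.113.0/29, the private space 10.0.0.0/8 and the maximum-prefix value are assumptions for illustration, not values from the thread; the bracketed items are the poster's own placeholders.

```cisco
! Added example; not configuration from the original thread.
! Assumed values (not from the thread): Multilink1, 203.0.113.0/29 as the
! public handoff block, 10.0.0.0/8 as the client's private space, and the
! maximum-prefix value. Bracketed items are the thread's own placeholders.
!
ip access-list extended inbound
 remark Allow BGP from the provider neighbor only (either side may open the session)
 permit tcp host [BGP Neighbor] eq bgp host [Local BGP Interface]
 permit tcp host [BGP Neighbor] host [Local BGP Interface] eq bgp
 remark Private WAN traffic from the other sites
 permit ip 10.0.0.0 0.255.255.255 any
 remark Internet traffic to the public handoff; the firewall behind it does the real filtering
 permit ip any 203.0.113.0 0.0.0.7
 remark ICMP needed for troubleshooting and path-MTU discovery
 permit icmp any host [Local Host for ICMP] echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Explicit deny so the drops are logged
 deny ip any any log
!
interface Multilink1
 ip access-group inbound in
 ! Strict uRPF (added here, not from the thread): drop packets whose source
 ! is routed out another interface, e.g. Internet packets spoofing a local
 ! LAN address. allow-default is required because Internet sources are
 ! covered only by the default route learned over this interface.
 ip verify unicast source reachable-via rx allow-default
!
! Only accept the routes expected from the provider: a default route for
! the Internet and the other sites' private prefixes.
ip prefix-list FROM-PROVIDER seq 5 permit 0.0.0.0/0
ip prefix-list FROM-PROVIDER seq 10 permit 10.0.0.0/8 le 24
!
router bgp [Local AS]
 neighbor [BGP Neighbor] remote-as [Provider AS]
 neighbor [BGP Neighbor] prefix-list FROM-PROVIDER in
 neighbor [BGP Neighbor] maximum-prefix 100
```

Verify with show access-lists inbound: the hit counters on the permit lines should climb with normal traffic and the logged entries should come only from the final deny. Two caveats a practitioner will want. First, because Internet and private traffic arrive on the same multilink, the line permitting 10.0.0.0/8 as a source also admits Internet packets spoofed with a private source address unless the provider drops them at its edge; uRPF catches spoofs of a local LAN address (whose route points at the Ethernet handoff) but not spoofs of a remote site's address. Second, logging on an Internet-facing deny can generate a lot of syslog on a busy link, so watch the volume before leaving it on.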
