05-13-2009 05:50 AM - edited 03-11-2019 08:31 AM
I have a client that has an MPLS WAN. Each site gets both public internet connectivity and private WAN connectivity from one connection (multilink T-1s); the provider's network then routes internet traffic out to the WWW and private traffic is routed accordingly via BGP.
The routers have 2 ethernet handoffs, 1 with private IPs and 1 with public IPs.
The public handoff is hooked up to a firewall, and outbound traffic is routed via an integration router so that internet traffic goes through the firewall and private traffic goes through the private interface.
I want to make sure that these routers are properly protected. The multilink interfaces have internet-accessible IPs. Is there a way, good or bad, to protect these interfaces so that private traffic goes through seamlessly but I can apply something that will limit access from the internet?
Thanks much for any and all help!
05-13-2009 06:17 AM
Since the IPs are publicly accessible, I would use my normal public ACL. If you would like to take a look, you can find it here:
https://packetpros.com/cisco_kb/DIACAP_ACL.html
Hope that helps.
05-13-2009 06:27 AM
Yes, that does. Since private traffic is running over this interface, would I not need to allow traffic from my private subnets as well?
Secondly, do I really need all the extra denies? I would think if I remove them they would all still happen on the implicit deny any any at the end?
thanks
05-13-2009 06:44 AM
You will have to allow your private IPs. You do not need the extra denies; they will be blocked. We're required to log those packets and that's why they're in this ACL. Another layer of security would be to use prefix lists to filter what routes can come in.
05-13-2009 07:02 AM
In theory this would be sufficient then:
ip access-list extended inbound
remark Allow BGP
permit tcp host [BGP Neighbor] eq bgp host [Local BGP Interface]
permit tcp host [BGP Neighbor] host [Local BGP Interface] eq bgp
permit ip [PRIVATE SUBNET] any
permit ip any [PUBLIC SUBNET]
remark Allow Specific ICMP
permit icmp any host [Local Host for ICMP] echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny ip any any
Thanks again very helpful!
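One way to sanity-check the inbound list above before applying it is to walk constructed packets through it entry by entry, the way the router would (first match wins, implicit deny at the end). The following is an added Python example, not the poster's configuration or Cisco code; the bracketed placeholders are replaced with constructed documentation-range addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24, 10.0.0.0/8) and the rule set mirrors the posted ACL line for line, so it shows which flows the list permits (BGP from the configured neighbor, private-to-private, internet to the public LAN, the allowed ICMP types) and which it drops (SSH or an unsolicited BGP session from an arbitrary internet host to the multilink IP, pings to the router itself).

```python
"""Offline evaluation of the posted inbound ACL against constructed packets."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values standing in for the bracketed placeholders in the post.
BGP_NEIGHBOR = "203.0.113.1"       # [BGP Neighbor]
LOCAL_BGP_IF = "203.0.113.2"       # [Local BGP Interface], the multilink's public IP
PRIVATE_SUBNET = "10.10.0.0/16"    # [PRIVATE SUBNET]
PUBLIC_SUBNET = "198.51.100.0/24"  # [PUBLIC SUBNET]
ICMP_HOST = "198.51.100.10"        # [Local Host for ICMP]


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "icmp"; "ip" matches every protocol
    src: str                       # CIDR network or "any"
    dst: str
    sport: Optional[int] = None    # "eq <port>" placed after the source
    dport: Optional[int] = None    # "eq <port>" placed after the destination
    icmp_type: Optional[str] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""


def host(addr: str) -> str:
    """The IOS 'host X' keyword is simply a /32 match."""
    return addr + "/32"


def _addr_in(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_in(rule.src, pkt.src) and _addr_in(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    return True


# The posted "inbound" ACL, one Rule per entry, in the posted order.
INBOUND = [
    Rule("permit", "tcp", host(BGP_NEIGHBOR), host(LOCAL_BGP_IF), sport=179),  # neighbor eq bgp -> us
    Rule("permit", "tcp", host(BGP_NEIGHBOR), host(LOCAL_BGP_IF), dport=179),  # neighbor -> us eq bgp
    Rule("permit", "ip", PRIVATE_SUBNET, "any"),
    Rule("permit", "ip", "any", PUBLIC_SUBNET),
    Rule("permit", "icmp", "any", host(ICMP_HOST), icmp_type="echo"),
    Rule("permit", "icmp", "any", "any", icmp_type="echo-reply"),
    Rule("permit", "icmp", "any", "any", icmp_type="unreachable"),
    Rule("permit", "icmp", "any", "any", icmp_type="time-exceeded"),
    Rule("deny", "ip", "any", "any"),
]


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed flows a practitioner would want to confirm before applying the list.
SAMPLES = {
    "bgp_from_neighbor": Packet("tcp", BGP_NEIGHBOR, LOCAL_BGP_IF, sport=45211, dport=179),
    "bgp_from_stranger": Packet("tcp", "192.0.2.50", LOCAL_BGP_IF, sport=45211, dport=179),
    "ssh_to_multilink_ip": Packet("tcp", "192.0.2.50", LOCAL_BGP_IF, sport=51000, dport=22),
    "private_to_private": Packet("tcp", "10.10.5.5", "10.20.1.1", sport=51000, dport=445),
    "internet_to_public_lan": Packet("tcp", "192.0.2.50", "198.51.100.20", sport=51000, dport=443),
    "ping_icmp_host": Packet("icmp", "192.0.2.50", ICMP_HOST, icmp_type="echo"),
    "ping_multilink_ip": Packet("icmp", "192.0.2.50", LOCAL_BGP_IF, icmp_type="echo"),
    "echo_reply_to_router": Packet("icmp", "192.0.2.50", LOCAL_BGP_IF, icmp_type="echo-reply"),
}


def audit(acl=INBOUND, samples=SAMPLES) -> dict:
    """Return the verdict the ACL gives each named sample flow."""
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:24s} {verdict}")
```

The audit makes the point from the thread concrete: the private subnets must be explicitly permitted or the implicit deny eats them, and the trailing `deny ip any any` changes nothing about the verdicts (remove it from `INBOUND` and `audit()` returns the same results), it only exists so the drops can be logged.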