Protecting WAN Interface providing public and private connectivity

mloraditch
Level 7

I have a client that has an MPLS WAN. Each site gets both public internet connectivity and private WAN connectivity from one connection (multilink T-1s); the provider's network then routes internet traffic out to the WWW, and private traffic is routed accordingly via BGP.

The routers have 2 ethernet handoffs: one with private IPs, one with public IPs.

The public handoff is hooked up to a firewall, and outbound traffic is routed via an integration router so that internet traffic goes through the firewall and private traffic goes through the private interface.

I want to make sure that these routers are properly protected. The multilink interfaces have internet-accessible IPs. Is there a way, good or bad, to protect these interfaces so that private traffic goes through seamlessly but access from the internet is limited?

Thanks much for any and all help!

4 Replies

Collin Clark
VIP Alumni

Since the IPs are publicly accessible, I would use my normal public ACL. If you would like to take a look, you can find it here:

https://packetpros.com/cisco_kb/DIACAP_ACL.html

Hope that helps.

Yes, that does. Since private traffic is running over this interface, would I not need to allow traffic from my private subnets as well?

Secondly, do I really need all the extra denies? I would think if I remove them they would all still happen on the implicit deny any any at the end?

Thanks

You will have to allow your private IPs. You do not need the extra denies; they will be blocked. We're required to log those packets, and that's why they're in this ACL. Another layer of security would be to use prefix lists to filter what routes can come in.

In theory this would be sufficient then:

ip access-list extended inbound
 remark Allow BGP
 permit tcp host [BGP Neighbor] eq bgp host [Local BGP Interface]
 permit tcp host [BGP Neighbor] host [Local BGP Interface] eq bgp
 remark Private WAN transit and traffic to the public block
 permit ip [PRIVATE SUBNET] any
 permit ip any [PUBLIC SUBNET]
 remark Allow Specific ICMP
 permit icmp any host [Local Host for ICMP] echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any

Thanks again very helpful!
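As an added example (not code from this thread or from Cisco), here is a small Python evaluator that parses an IOS-style extended ACL shaped like the one above and runs sample packets through it with first-match semantics. Constructed RFC 5737 / RFC 1918 addresses stand in for the bracketed placeholders ([BGP Neighbor], [PRIVATE SUBNET], and so on), and the sample traffic is made up. It checks the two points raised in the replies: the BGP session and private transit are permitted while unsolicited internet connections to the router's multilink address fall to the deny, and trailing explicit denies can be removed without changing any verdict, whereas a deny placed above a permit would shadow it and is kept.

```python
"""Evaluate an IOS-style extended ACL against sample packets (added example, constructed values)."""
import ipaddress
from collections import namedtuple

# Constructed values (RFC 5737 / RFC 1918 ranges), not the poster's real addressing.
BGP_NEIGHBOR = "203.0.113.1"               # provider PE router
LOCAL_BGP_IF = "203.0.113.2"               # the router's multilink interface address
PRIVATE_SUBNET = "10.0.0.0 0.255.255.255"  # IOS wildcard notation
PUBLIC_SUBNET = "198.51.100.0 0.0.0.255"
ICMP_HOST = "198.51.100.10"

ACL_TEXT = f"""
ip access-list extended inbound
 remark Allow BGP
 permit tcp host {BGP_NEIGHBOR} eq bgp host {LOCAL_BGP_IF}
 permit tcp host {BGP_NEIGHBOR} host {LOCAL_BGP_IF} eq bgp
 remark Private WAN transit and traffic to our public block
 permit ip {PRIVATE_SUBNET} any
 permit ip any {PUBLIC_SUBNET}
 remark Allow specific ICMP
 permit icmp any host {ICMP_HOST} echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
"""

PORT_NAMES = {"bgp": 179, "ssh": 22, "www": 80, "telnet": 23}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, -1))
Entry = namedtuple("Entry", "action proto src sport dst dport icmp_type text")

def _parse_addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) after the slash; the two
    # ambiguous masks (all zeros / all ones) are mapped to /32 and /0 explicitly.
    wild = {"0.0.0.0": "32", "255.255.255.255": "0"}.get(tok[i + 1], tok[i + 1])
    return ipaddress.ip_network(f"{tok[i]}/{wild}", strict=False), i + 2

def _parse_port(tok, i):
    # Only the 'eq <port>' qualifier is supported in this toy parser.
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]), i + 2
    return None, i

def parse_acl(text):
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("ip access-list", "remark", "!")):
            continue
        tok = line.split()
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        itype = ICMP_TYPES[tok[i]] if tok[1] == "icmp" and i < len(tok) else None
        entries.append(Entry(tok[0], tok[1], src, sport, dst, dport, itype, line))
    return entries

def _matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if (e.sport is not None and e.sport != p.sport) or (e.dport is not None and e.dport != p.dport):
        return False
    return e.icmp_type is None or e.icmp_type == p.icmp_type

def evaluate(entries, p):
    """First match wins; no match falls through to the implicit deny ip any any."""
    for e in entries:
        if _matches(e, p):
            return e.action, e.text
    return "deny", "<implicit deny ip any any>"

def strip_trailing_denies(entries):
    """Drop deny entries after the last permit (the implicit deny covers them);
    a deny placed above a permit is kept because it shadows that permit."""
    last_permit = max(i for i, e in enumerate(entries) if e.action == "permit")
    return [e for i, e in enumerate(entries) if e.action == "permit" or i < last_permit]

# Constructed sample traffic arriving inbound on the multilink interface.
SAMPLES = {
    "bgp_open_from_neighbor": Packet("tcp", BGP_NEIGHBOR, LOCAL_BGP_IF, 40000, 179),
    "bgp_from_stranger": Packet("tcp", "192.0.2.50", LOCAL_BGP_IF, 40000, 179),
    "private_site_to_site": Packet("tcp", "10.1.1.5", "10.2.2.9", 50000, 445),
    "internet_to_public_web": Packet("tcp", "192.0.2.50", "198.51.100.20", 50000, 80),
    "internet_ssh_to_router": Packet("tcp", "192.0.2.50", LOCAL_BGP_IF, 50000, 22),
    "ping_router_wan_ip": Packet("icmp", "192.0.2.50", LOCAL_BGP_IF, icmp_type=8),
    "echo_reply_to_router": Packet("icmp", "192.0.2.50", LOCAL_BGP_IF, icmp_type=0),
}

def verdicts(entries=None):
    # Map each sample name to permit/deny under the given (default: full) ACL.
    entries = parse_acl(ACL_TEXT) if entries is None else entries
    return {name: evaluate(entries, pkt)[0] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    full = parse_acl(ACL_TEXT)
    print(verdicts(full), verdicts(full) == verdicts(strip_trailing_denies(full)))
```

Two things the run makes visible that the config alone does not: the `permit ip any [PUBLIC SUBNET]` line sits above the ICMP lines, so an echo to a host in the public block is already permitted by that line and only the router's own multilink address is actually governed by the ICMP entries; and `permit ip [PRIVATE SUBNET] any` on an internet-reachable interface is only as trustworthy as the provider's filtering of spoofed RFC 1918 sources, which is worth confirming with them (or pairing with the prefix-list route filtering Collin mentions) rather than assuming.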
