I've just set up a Cisco 2811 router which is connected to the Internet. I've got a firewall behind it to protect the network.
I've set up an access list on the interface which faces the Internet with some basic configuration (deny local addresses inbound to any, deny our public range inbound to any).
I want to make sure that the router itself is secure (I've run the auto-secure lockdown, so that's ok) and was wondering about the implications of denying all traffic to the interface which faces the Internet. We don't run dynamic routing protocols and the router doesn't need to talk to anything else. Should I put a deny any statement on the Internet-facing interface address, or would this cause problems? I want to make sure that it can't be hacked. I was wondering if there is any ICMP traffic that should be allowed for correct operation?
I know that I wouldn't be able to get ping replies unless I put an entry allowing echo-reply above the deny any rule, so I'll probably do that so that I can ping from the router to the Internet, but I don't want to cause any problems by denying traffic.
I've had a look at the Cisco IOS lockdown doc, but I'd also like to get other people's opinions. Basically, do I need to allow any traffic to the Internet-facing interface if I don't intend to manage it or access it from the Internet? Should I maybe just allow all IP traffic from the next hop (the ISP's router) and ICMP echo-replies from any, and then block all other traffic to the interface?
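The access list sketched in the question, written out as an added example for illustration (it is not from the original post). It assumes RFC 1918 space is what "local addresses" means, uses the documentation ranges 203.0.113.0/24 as the constructed public range and 198.51.100.2 as the constructed outside interface address, and ends with a permit so that traffic to the firewall behind the router is still forwarded; the ICMP types permitted to the interface itself are the ones the router needs for its own pings, traceroute and path-MTU discovery to keep working.

```cisco
ip access-list extended OUTSIDE-IN
 remark --- anti-spoofing: private space and our own range must not arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 remark --- ICMP the router itself relies on (replies to its own pings, PMTUD, traceroute)
 permit icmp any host 198.51.100.2 echo-reply
 permit icmp any host 198.51.100.2 unreachable
 permit icmp any host 198.51.100.2 time-exceeded
 remark --- nothing else may reach the outside interface address; log hits for review
 deny   ip any host 198.51.100.2 log
 remark --- everything else is destined for the inside and is left to the firewall (assumption)
 permit ip any any
!
interface FastEthernet0/0
 description Internet-facing interface (constructed name)
 ip access-group OUTSIDE-IN in
```

The `unreachable` entry covers all type 3 messages, including fragmentation-needed, so outbound connections from the router do not black-hole when a smaller MTU sits along the path; check the counters with `show access-list OUTSIDE-IN` to see what the final deny is catching.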