Securing VPN Router

Unanswered Question
Aug 9th, 2010

Hello


I am looking for help in securing the VPN box by allowing only VPN traffic;
all other internet traffic should be blocked.

Here is the configuration; can someone give input?


###VPN Router###

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key 2009CCIE address 5.5.5.5
crypto isakmp key 2009CCIE address 6.6.6.6
!
crypto ipsec transform-set VPN_A esp-3des esp-md5-hmac
crypto ipsec transform-set VPN_B esp-3des esp-md5-hmac
!
crypto map SEEDAR 10 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set VPN_A
 match address VPN_A
!
crypto map SEEDAR 15 ipsec-isakmp
 set peer 6.6.6.6
 set transform-set VPN_B
 match address VPN_B
!
int fa 0/0
 description # Connected to LAN #
 ip address 192.168.1.1 255.255.255.252
!
int fa 0/1
 description # Public IP #
 ip address 10.10.10.10 255.255.255.248
 crypto map SEEDAR
!
int tunnel 0
 ip address 10.1.1.1 255.255.255.252
 tunnel source fa 0/1
 tunnel destination 5.5.5.5
!
int tunnel 1
 ip address 10.10.10.1 255.255.255.252
 tunnel source fa 0/1
 tunnel destination 6.6.6.6
!
router ospf 1
 ! process ID added (IOS requires one); the posted config repeated the
 ! 10.1.1.1 network line twice, the second is corrected to the tunnel 1 address
 network 10.1.1.1 0.0.0.0 area 0
 network 10.10.10.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
!
ip access-list extended VPN_A
 permit gre host 10.10.10.10 host 5.5.5.5
!
ip access-list extended VPN_B
 permit gre host 10.10.10.10 host 6.6.6.6



Thanks

ST

u1kumar2002 Mon, 08/09/2010 - 10:49

Hi,

I would like to suggest that you configure QoS. In it you can match the internet traffic and set the action to drop.


Sample Config:



Router(config)#class-map INTERNET
Router(config-cmap)#match protocol http
Router(config-cmap)#exit
Router(config)#policy-map BLOCK_INTERNET
Router(config-pmap)#class INTERNET
Router(config-pmap-c)#drop
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#
Router(config)#int fa0/0
Router(config-if)#service-policy output BLOCK_INTERNET
Router(config-if)#exit
Router(config)#

Do rate helpful posts.
Uttam
saquib.tandel Mon, 08/09/2010 - 12:12

Hi


What if I only allow the remote peer public IPs with an ACL?

access-list 10 permit 5.5.5.5
access-list 10 permit 6.6.6.6
access-list 10 permit 7.7.7.7

interface fa 0/1
 ip access-group 10 in


My test on this slapped the VPN tunnels; all went down.

Any input?


Thanks

ST

Richard Burts Tue, 08/10/2010 - 10:52

ST


Are you sure that the tunnels were up and working before you did access list 10? From the little bit that you posted it looks to me like access list 10 should not have impacted the tunnels that you show in your original post. Did anything change other than creating and assigning access list 10?


HTH


Rick

saquib.tandel Tue, 08/10/2010 - 13:16

Hi Rick


The service provider asked us to change the MTU to 1450; after changing this parameter the tunnels are up. Changes on the SP backend caused this issue.

My question is: is the ACL applied on interface fa 0/1 OK to restrict all internet traffic except the GRE/IPsec VPN?


Thanks

ST
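The standard ACL 10 that ST applied does the job in the sense that it drops everything not sourced from the peer addresses, but it admits any IP protocol from those peers and ignores the destination. The extended ACL below is an added example (not from any poster in this thread) that narrows the public interface to the three flows the GRE-over-IPsec tunnels in the original configuration actually need; the ACL name VPN_PEERS_IN is made up, and the GRE permits assume the IOS release re-checks decrypted packets against the inbound interface ACL, which older releases do.

```cisco
! Inbound filter for the public interface of the VPN router in this thread.
! Only IKE, ESP and (post-decryption) GRE from the two configured peers
! are accepted; everything else arriving from the internet is dropped and logged.
ip access-list extended VPN_PEERS_IN
 remark IKE phase 1 (ISAKMP, UDP/500) from each configured peer
 permit udp host 5.5.5.5 host 10.10.10.10 eq isakmp
 permit udp host 6.6.6.6 host 10.10.10.10 eq isakmp
 remark IPsec ESP (IP protocol 50) carrying the GRE tunnels
 permit esp host 5.5.5.5 host 10.10.10.10
 permit esp host 6.6.6.6 host 10.10.10.10
 remark Decrypted GRE is re-checked against this ACL on older IOS releases
 permit gre host 5.5.5.5 host 10.10.10.10
 permit gre host 6.6.6.6 host 10.10.10.10
 remark Optional: allow the peers to signal fragmentation needs (PMTUD) given the 1450 MTU issue
 permit icmp host 5.5.5.5 host 10.10.10.10 packet-too-big
 permit icmp host 6.6.6.6 host 10.10.10.10 packet-too-big
 remark Add "permit udp host <peer> host 10.10.10.10 eq non500-isakmp" only if a peer sits behind NAT (NAT-T)
 remark Explicit deny with logging so blocked sources show up in syslog
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group VPN_PEERS_IN in
```

After the tunnels re-establish, `show access-lists VPN_PEERS_IN` shows per-line hit counters; a climbing count on the deny line is the quickest way to confirm what the router was previously exposing to the internet.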
