12-14-2011 01:15 PM - edited 03-04-2019 02:38 PM
I'm interested in learning how to make a router interface as secure as possible. For example, consider a router whose main function is to connect a branch to an MPLS WAN, but also has a cable modem on Fa0/1 used for a VPN tunnel when the WAN goes down. I'd like Fa0/1 to be essentially invisible on the Internet, only permitting the required traffic for the VPN tunnel. To be clear, this discussion will not apply to 99% of routers, just to very special-purpose interfaces.
Here's what I've come up with. 169.254.0.1 is a placeholder for the local router's Internet IP address, and 169.254.111.111 is a placeholder for the remote router's Internet IP address:
ip access-list extended internet-in
 remark drop any packet carrying IP options (source routing etc.)
 deny ip any any option any-options
 remark only the VPN peer may reach this address
 permit ip host 169.254.111.111 host 169.254.0.1
 remark keep path-MTU discovery working for the tunnel
 permit icmp any host 169.254.0.1 packet-too-big
!
ip access-list extended internet-out
 deny ip any any option any-options
 permit ip host 169.254.0.1 host 169.254.111.111
!
interface FastEthernet0/1
 ip address 169.254.0.1 255.255.0.0
 ip access-group internet-in in
 ip access-group internet-out out
 no ip unreachables
 no ip proxy-arp
 no cdp enable
(if anyone knows how to get indents to stick, let me know and I'll fix it)
My main concern with this is that I have no way of knowing what else I might be missing. It would be good if there were a Cisco document that documented this scenario. (I basically would like to see an official template of how to make an "invisible" interface, and then backtrack from there.) I was told that creating a post here was the best way of getting to the right people.
Are there any other commands that I should add? Is there a simpler or more foolproof way of doing this? The main thing I don't like about it is that the ACL does not apply to traffic originating from the router itself. (And I don't know exactly what that means either.) One misconfiguration (e.g. enabling RIP) could cause the router itself to start sending unwanted traffic out the interface. I'd like it if I could tell the router to enable the egress filtering even for traffic originating from the router. Then I wouldn't have to worry about figuring out all the protocols that could be active on the interface, disabling them individually.
Or maybe there is an existing Cisco document explaining this scenario?
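Added example (not code from the original post or from Cisco): a small first-match evaluator for the two ACLs in the post, so you can see which packets they actually let through. It models two IOS behaviours the post relies on: the implicit "deny ip any any" at the end of every ACL, and the fact that an outbound interface ACL is not applied to packets the router itself originates. The addresses are the post's placeholders; the sample packets, the "stranger" addresses 198.51.100.7 and 203.0.113.9, and the LAN host 192.168.10.5 are constructed for illustration.

```python
"""First-match evaluator for the post's internet-in / internet-out ACLs.

Added example, not from the original post or from Cisco.  Addresses are the
post's placeholders; sample packets are constructed for illustration.
"""
from dataclasses import dataclass

LOCAL = "169.254.0.1"        # placeholder: this router's Internet address
REMOTE = "169.254.111.111"   # placeholder: the VPN peer's Internet address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp", "esp", ...
    icmp_type: str = ""               # e.g. "packet-too-big" (ICMP type 3 code 4)
    has_options: bool = False         # IP header carries options
    router_originated: bool = False   # generated by the router, not forwarded


@dataclass
class Entry:
    """One line of a named extended ACL (subset of the IOS syntax)."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any" or a host address
    dst: str
    icmp_type: str = ""         # only meaningful when proto == "icmp"
    any_options: bool = False   # the "option any-options" keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.icmp_type and (p.proto != "icmp" or p.icmp_type != self.icmp_type):
            return False
        if self.any_options and not p.has_options:
            return False
        return True


# The post's ACLs, transcribed entry for entry.
INTERNET_IN = [
    Entry("deny", "ip", "any", "any", any_options=True),
    Entry("permit", "ip", REMOTE, LOCAL),
    Entry("permit", "icmp", "any", LOCAL, icmp_type="packet-too-big"),
]
INTERNET_OUT = [
    Entry("deny", "ip", "any", "any", any_options=True),
    Entry("permit", "ip", LOCAL, REMOTE),
]


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; no match falls into the implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"


def inbound(p: Packet) -> str:
    return evaluate(INTERNET_IN, p)


def outbound(p: Packet) -> str:
    """IOS skips the outbound interface ACL for packets the router itself
    generates, which is exactly the gap the post worries about."""
    if p.router_originated:
        return "permit (ACL bypassed: router-originated)"
    return evaluate(INTERNET_OUT, p)


if __name__ == "__main__":
    samples = {
        "ESP from peer": Packet(REMOTE, LOCAL, "esp"),
        "IKE from peer": Packet(REMOTE, LOCAL, "udp"),
        "SYN scan from stranger": Packet("198.51.100.7", LOCAL, "tcp"),
        "ping from stranger": Packet("198.51.100.7", LOCAL, "icmp", "echo"),
        "PMTUD from path router": Packet("203.0.113.9", LOCAL, "icmp", "packet-too-big"),
        "peer packet with IP options": Packet(REMOTE, LOCAL, "esp", has_options=True),
    }
    for name, pkt in samples.items():
        print(f"in  {name:28s} -> {inbound(pkt)}")
    print(f"out {'LAN host to Internet':28s} -> "
          f"{outbound(Packet('192.168.10.5', '198.51.100.7', 'tcp'))}")
    rip = Packet(LOCAL, "224.0.0.9", "udp", router_originated=True)
    print(f"out {'RIP from this router':28s} -> {outbound(rip)}")
```

The last sample is the point of the post's worry: a forwarded packet to anyone but the peer is dropped by internet-out, but a RIP update the router itself generates never consults that ACL, so the egress filter alone does not make the interface silent.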
12-14-2011 01:24 PM
permit ip host 169.254.111.111 host 169.254.0.1
permit icmp any host 169.254.0.1 packet-too-big
permit ip host 169.254.0.1 host 169.254.111.111
ip address 169.254.0.1 255.255.0.0
169.254.X.X??? Seriously???