Cisco Support Community
New Member

cbac set-up

Can someone confirm whether this CBAC config will work:

[attached image: router.png]

11 REPLIES
Cisco Employee

Are you trying to allow inbound or outbound access with your access-list 121? From what I read, it seems more for outbound than inbound access; please kindly confirm.

If it's for outbound access, you would either need to apply the access-list on the LAN interface (in direction), or on the WAN interface (out direction).

New Member

Hi Jennifer,

access-list 121 is for inbound access (from the internet):

  ip access-group 121 in

The inspect rule is applied on the same interface outbound:

  ip inspect myfw out

Cisco Employee

OK, so you would like access initiated from the Internet towards your hosts/servers on all the ports listed in access-list 121?

New Member

Correct, Jennifer: access to those servers from ACL 121, plus allow all access from the inside LAN to the internet (with CBAC).

Cisco Employee

OK, thanks for confirming.

In that case, they all look good to me.

New Member

Thank you, Jennifer, for confirming.

I also have another question about my second WAN interface. I have 2 ISPs: WAN2 is my VPN connection to the branch office and WAN1 is my internet access (with CBAC on it; that is sorted now). Now that WAN1 is sorted, I also want some sort of security on my VPN connection. What would be the best way to secure that connection? Can I just apply something like this on both sides?

  access-list 122 permit ip LAN1 LAN2

Cisco Employee (accepted solution)

With access-list 122, you just have to permit the actual VPN traffic before decryption, as follows:

  access-list 122 permit esp host host
  access-list 122 permit udp host host eq 500
  access-list 122 permit udp host host eq 4500

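The complete configuration the thread arrives at, written out as an added example; it is not the poster's own config (which exists only in the attached image) and not part of Jennifer's reply. It shows WAN1 with ACL 121 applied inbound and CBAC inspection applied outbound, and WAN2 with ACL 122 limited to the IPsec tunnel from the known branch peer, so that the `host host` placeholders in the accepted answer are filled in. Interface names, the contents of the `myfw` inspect rule, the published server and all addresses (TEST-NET ranges) are assumptions; the crypto map / tunnel configuration already on WAN2 is left unchanged and is not shown.

```cisco
! Added example, not the poster's configuration. Assumed layout:
!   GigabitEthernet0/0 = LAN, GigabitEthernet0/1 = WAN1 (internet),
!   GigabitEthernet0/2 = WAN2 (IPsec to branch)
!   203.0.113.10 = this router's WAN2 address (assumed)
!   198.51.100.20 = branch VPN peer (assumed)
!   192.0.2.10    = web server on the LAN published to the internet (assumed)
!
! --- WAN1: internet access protected by CBAC ---
! The inspect rule decides which LAN-initiated sessions are tracked; their
! return traffic is admitted by dynamic entries CBAC adds in front of ACL 121.
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
!
! ACL 121 is evaluated inbound on WAN1 and lists only what the internet may
! initiate towards the LAN. Everything else falls through to the implicit deny;
! the explicit deny/log line just makes the drops visible in the log.
access-list 121 permit tcp any host 192.0.2.10 eq 80
access-list 121 permit tcp any host 192.0.2.10 eq 443
access-list 121 deny ip any any log
!
interface GigabitEthernet0/1
 description WAN1 - internet
 ip address 203.0.113.2 255.255.255.252
 ip access-group 121 in
 ip inspect myfw out
!
! --- WAN2: site-to-site IPsec only ---
! Only the tunnel itself (ESP, ISAKMP on UDP/500, NAT-T on UDP/4500) from the
! known peer is accepted on the outside; this is the accepted answer's ACL 122
! with the two 'host' placeholders filled in.
access-list 122 permit esp host 198.51.100.20 host 203.0.113.10
access-list 122 permit udp host 198.51.100.20 host 203.0.113.10 eq 500
access-list 122 permit udp host 198.51.100.20 host 203.0.113.10 eq 4500
access-list 122 deny ip any any log
!
interface GigabitEthernet0/2
 description WAN2 - IPsec to branch office
 ip address 203.0.113.10 255.255.255.252
 ip access-group 122 in
 ! existing crypto map for the branch tunnel stays applied here (not shown)
```

To check that it behaves as intended: `show ip inspect sessions` should list LAN-initiated flows while they are open, `show ip access-lists 121` and `show ip access-lists 122` show hit counts on the permit lines and on the deny/log lines, and `show crypto isakmp sa` / `show crypto ipsec sa` confirm the tunnel still comes up through ACL 122. Two caveats a practitioner would want: ACL 122 filters only the encrypted packets arriving at the router, so it decides which peer may bring the tunnel up but says nothing about what the branch LAN sends through it once decrypted; if the branch is not fully trusted, that inner traffic needs its own policy on the LAN side. And on old IOS releases, before the Crypto Access Check on Clear-Text Packets change, the decrypted packet was re-evaluated against the same inbound ACL, so a `permit ip LAN2 LAN1` line like the one proposed in the question would also have been required there; on current releases only the encrypted packet is checked, which is why the three lines suffice.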
New Member

Would that be the best way of securing the router (interfaces), with the firewall? What can be done to secure it?

Cisco Employee

CBAC is one way to secure it, or you can also use ZBFW (Zone-Based Firewall).

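The same policy expressed with ZBFW, the alternative Jennifer names, as an added example that is not from the thread. Interface names and the published server address are the same assumptions as before; the zone, class-map and policy-map names are made up for the example. It goes slightly beyond the CBAC version in one respect the conversion forces: the branch interface has to be placed in a zone too, because ZBFW drops traffic between a zone-member interface and an interface that is in no zone.

```cisco
! Added example, not the poster's configuration. Assumed interfaces:
!   GigabitEthernet0/0 = LAN, GigabitEthernet0/1 = WAN1 (internet),
!   GigabitEthernet0/2 = WAN2 (IPsec to branch); 192.0.2.10 = published server
zone security INSIDE
zone security OUTSIDE
zone security BRANCH
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 zone-member security BRANCH
!
! LAN -> internet: stateful inspection of everything the LAN initiates
! (this replaces 'ip inspect myfw out' on WAN1).
class-map type inspect match-any CM-LAN-TO-INET
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-LAN-TO-INET
 class type inspect CM-LAN-TO-INET
  inspect
 class class-default
  drop
!
! internet -> LAN: only the published services (this replaces access-list 121).
! Anything not matched falls into class-default and is dropped and logged.
ip access-list extended ACL-PUBLISHED
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
class-map type inspect match-all CM-INET-TO-LAN
 match access-group name ACL-PUBLISHED
policy-map type inspect PM-INET-TO-LAN
 class type inspect CM-INET-TO-LAN
  inspect
 class class-default
  drop log
!
! LAN <-> branch: decrypted branch traffic is passed in both directions here.
! IKE and ESP addressed to the router itself travel via the self zone, which
! permits by default, so ACL 122 on WAN2 keeps doing the peer filtering.
policy-map type inspect PM-PASS
 class class-default
  pass
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-LAN-TO-INET
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-INET-TO-LAN
zone-pair security INSIDE-TO-BRANCH source INSIDE destination BRANCH
 service-policy type inspect PM-PASS
zone-pair security BRANCH-TO-INSIDE source BRANCH destination INSIDE
 service-policy type inspect PM-PASS
```

`show policy-map type inspect zone-pair` shows per-zone-pair session and drop counters, which is the ZBFW counterpart of `show ip inspect sessions`. If the branch LAN should be filtered rather than trusted, replace `PM-PASS` on the BRANCH-TO-INSIDE pair with an inspect policy that matches an ACL, the same way PM-INET-TO-LAN does.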
New Member

Thank you, Jennifer, for all the answers. As regards my firewall on the VPN link (only an ACL), is that enough security?

Cisco Employee

Yes, that would be good enough, as only IPsec VPN is allowed and no other protocols.

587 Views, 0 Helpful, 11 Replies