Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Protecting WAN Interface providing public and private connectivity

I have a client that has an MPLS WAN, Each site gets both public internet connectivity and private wan connectivity from one connection (Multilink T-1s) the provider's network then routes internet traffic out to the WWW and private traffic is routed accordingly via BGP.

The routers have 2 ethernet handoffs 1 with private ips 1 with publics ips.

The public handoff is hooked up to a firewall and outbound traffic is routed via an integration router so that internet traffic goes through the firewall and private traffic goes through the private interface.

I want to make sure that these routers are properly protected. The mutilink interfaces have internet accessible IPs. Is there a way good or bad to protect these interfaces so that private traffic goes through seamlessly but I can apply that will limit access from the internet?

Thanks much for any and all help!


Re: Protecting WAN Interface providing public and private connec

Since the IP's are publicly accessible, I would use my normal public ACL. If you would like to take a look, you can find it here-

Hope that helps.

New Member

Re: Protecting WAN Interface providing public and private connec

yes that does, since private traffic is running over this interface would i not need to allow traffic from my private subnets as well?

Secondly do i really need all the extra denies? I would think if i remove them they would all still happen on the implicit deny any any at the end?


Re: Protecting WAN Interface providing public and private connec

You will have to allow your private IP's. You do not the extra denies, they will be blocked. We're required to log those packets and that's why there in this ACL. Another layer of security would be to user PREFIX lists to filter what routes can come in.

New Member

Re: Protecting WAN Interface providing public and private connec

in theory this would be sufficient then:

ip access-list extended inbound

remark Allow BGP

permit tcp host [BGP Neighbor] eq bgp host [Local BGP Interface]

permit tcp host [BGP Neighbor] host [Local BGP Interface] eq bgp

permit ip [PRIVATE SUBNET] any

permit ip any [PUBLIC SUBNET] any

remark Allow Specific ICMP

permit icmp any host [Local Host for ICMP] echo

permit icmp any any echo-reply

permit icmp any any unreachable

permit icmp any any time-exceeded

deny ip any any

Thanks again very helpful!