Cisco Support Community
New Member

WAN Inbound protection

Hi,

What is the best practice to protect the WAN interface (Dialer interface) on an ISR router from common attacks or IP spoofing? I read about creating an ACL to include all internal IP ranges but want to get your feedback on what is best to do. I will also need to allow remote IPsec VPN clients to connect remotely.

Thank You

5 REPLIES

WAN Inbound protection

Hello,

One common way to do it is to create an ACL denying traffic from the private IP address range coming in on the outside interface.

Enabling IP RPF checks in strict mode is also a method to avoid these attacks.

How does that sound to you?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

WAN Inbound protection

Yes, but since I have remote IPsec VPN, should I exclude the allocated subnet range?

WAN Inbound protection

Remember the following:

sysopt connection permit-vpn is enabled by default and will make VPN traffic bypass any inbound ACL on the outside.

You're all set now, right?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

WAN Inbound protection

It seems that the command is not available on ISR routers:

Verify that sysopt Commands are Present (PIX/ASA Only)

The command did not show up in the ISR syntax. I want to be sure of this before I apply the inbound ACL on the WAN interface.

WAN Inbound protection

I am sorry.

I thought this was an ASA.

In that case I would certainly permit that traffic in the Outside to Inside ACL.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
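
Added example, not posted by anyone in this thread: one way the advice above (anti-spoofing ACL, strict RPF check, and permitting the IPsec traffic on an ISR) could be written in IOS. The interface name `Dialer1`, the ACL name `WAN-IN`, the final `permit ip any any` and the VPN pool placeholder are assumptions; the loopback and link-local denies go slightly beyond the private ranges mentioned in the thread.

```cisco
! Added example. Names and the closing permit are assumptions, adapt to the site.
ip access-list extended WAN-IN
 remark IPsec remote-access clients must reach the router first:
 remark IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50)
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 remark If this IOS release checks decrypted client traffic against
 remark this ACL, permit the VPN pool HERE, before the denies below:
 remark   permit ip <vpn-pool-network> <wildcard> any   (placeholder)
 remark Anti-spoofing: sources that should never arrive from the WAN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark Assumption: leave the rest of the inbound policy unchanged.
 remark Replace with the site's own rules; an ACL with no final
 remark permit ends in an implicit deny of everything else.
 permit ip any any
!
interface Dialer1
 ip access-group WAN-IN in
 ! Strict uRPF. With only a default route toward the WAN, allow-default
 ! is needed or every Internet source fails the check.
 ip verify unicast source reachable-via rx allow-default
!
! Verification after applying:
!   show ip access-lists WAN-IN        (per-entry hit counters)
!   show ip interface Dialer1          (confirms ACL and verify source)
```

ACL entries are matched top-down, so the IPsec permits and any VPN pool permit have to sit above the private-range denies. Watching the hit counters after a test VPN connection shows whether the pool permit is actually needed on a given release.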