I have a Cisco router connected to the internet with no firewall. I want to allow internet connections for internal users and only Easy VPN connections (using the VPN client) from outside to the internal network. How could I achieve this?
Mohammand, if you could provide a bit more information as to the type of router, we could perhaps point you in the right direction a bit better. The reason is that your router must have the correct IOS code to support VPN; you would need at least an Enterprise Plus IPsec 3DES IOS image, which provides the IPsec VPN capabilities.
You may also look into your current IOS image in software advisory at
As for your router connecting to your ISP and providing inside users with an internet connection, you could do it with this basic script example. Let's assume the ISP gives you a static IP for your router interface connecting to the ISP. Say router FastEthernet0/0 is defined as your outside NAT interface, and router FastEthernet0/1 as your inside NAT interface.
interface FastEthernet0/0
 description outside (ISP)
 ip address 188.8.131.52 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description inside (LAN)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat pool mypool 184.108.40.206 220.127.116.11 netmask 255.255.255.252
ip nat inside source list 100 pool mypool overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 ISP_router_interface_IP_address
Since you do not have a firewall, you may want to consider a firewall IOS image; if not, implement ACLs to protect your network. Refer to this link for more ACL details on protecting your edge internet router.
Related to the same issue, there was an auditing question raised by our IT auditors, where they asked us to provide evidence for their question: "Are unused interfaces disabled on our routers?"
Our router is a 2811, running IOS 12.4.
My reply to them was that whichever interface is not physically connected to the outside/inside world and actively exchanging data is automatically in shutdown mode, and we do not need to explicitly give it the 'shutdown' command.
Even though the auditors agreed to this, I was wondering whether that presumption is indeed correct. Can someone advise?
Hi, this is a very good question. I think it all depends on the company and how far they are willing to go in building and applying standards. I am sure there is a specific link out there that provides best practices for securing your inside network, but you can look at some good links here.
For example, for unused ports in my company we do not shut them down but rather place them in a dead VLAN with other port security protection such as 802.1X etc. for the switches; as for the routers, I do shut down unused interfaces, but I have worked in other companies where they did not accept this practice.
You may find some useful information in this link.
Personally I tend to follow Cisco recommendations and their design guidelines; you can find a lot of information there on network design and the best practices supporting it. I know it is tedious, but we have no choice but to read it, and based on this you may recommend it out in the real world.
Thanks for all the nice links, especially the Output Interpreter. This nifty tool was hidden from me all along for some mysterious reason. The beauty is that it even takes the output of the PIX, but the results are not all that great, unlike the router's output.
Anyway, one of my queries still remains unanswered, and that is the auditors' query where they were asking me to make sure that all unused interfaces were in a 'shutdown' state.
My contention was that if a wire (UTP/fiber etc.) isn't connected to an interface of the router, it's automatically put into 'shutdown' mode.
Is that assumption correct or flawed from the 'router security' perspective?
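As an added example, not from any post in this thread: a small Python audit script that parses a `show running-config` dump for the two controls discussed above, unused interfaces without an explicit `shutdown` and a NAT outside interface with no inbound ACL. An interface with no cable attached shows as down/down rather than administratively down, so the evidence an auditor wants is the explicit `shutdown` command. The sample config is constructed and uses RFC 5737 documentation addresses.

```python
import re
from typing import Dict, List

# Constructed sample "show running-config" excerpt (not from the thread),
# modelled on the NAT example above: fa0/0 is NAT outside, fa0/1 NAT inside,
# Serial0/0/0 is unused and has no explicit "shutdown".
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description Link to ISP
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 no ip address
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def unused_not_shutdown(config: str) -> List[str]:
    """Interfaces with no IP address and no explicit 'shutdown': an unplugged
    port is only line-protocol down and comes up once a cable is attached."""
    return [name for name, lines in parse_interfaces(config).items()
            if not any(l.startswith("ip address") for l in lines)
            and "shutdown" not in lines]

def nat_outside_without_acl(config: str) -> List[str]:
    """NAT outside interfaces lacking an inbound access-group, i.e. the
    'no firewall' edge router described in the first post."""
    return [name for name, lines in parse_interfaces(config).items()
            if "ip nat outside" in lines
            and not any(l.startswith("ip access-group") and l.endswith(" in")
                        for l in lines)]
```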