Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACL on Border Router

Hello,

I've just set up a Cisco 2811 router which is connected to the Internet.  I've got a firewall behind it to protect the network.

I've set up an access list on the interface which faces the Internet with some basic configuration (deny local addresses inbound to any, deny our public range inbound to any).

I want to make sure that the router itself is secure (I've run the auto-secure lockdown so that's ok) and was wondering on the implications of denying all traffic to the interface which faces the Internet).  We don't run dynamic routing protocols and the router doesn't need to talk to anything else.  Should I put a deny any statement to the Internet facing interface address or would this cause problems?  I want to make sure that it can't be hacked.  I was wondering if there would be any icmp traffic that should be allowed for correct operation?

I know that I wouldn't be able to get ping replies unless I put an entry allowing echo-reply above the deny any rule so I'll probably do that so that I can ping from the router to the Internet, but I don't want to cause any problems by denying traffic.

I've had a look at the Cisco IOS lockdown doc but I'd also like to get other peoples' opinions.  Basically, do I need to allow any traffic to the Internet facing interface if I don't intend to manage it or access it from the Internet?  Should I maybe just allow all IP traffic from the next hop (the ISP's router) and icmp echo-replies from any and then block all other traffic to the interface?

Thanks,

Pete.

2 REPLIES
Hall of Fame Super Silver

Re: ACL on Border Router

Hello Pete,

>>  was wondering if there would be any icmp traffic that should be allowed for correct operation?

yes this is somewhat needed if you want to be able to test IP connectivity on WAN link.

As a form of  protection from attacks involving the use of many ICMP packets (ICMP flooding should be the attack  name) you can implement a CAR  rule to limit the amount of ICMP traffic accepted on the interface (or you can use modular QoS with police action to be more current)

I tested this for a customer some years ago and I was able to tune CAR parameters so that basic ping  test works but extended ping with big packets sees part of packets dropped.

Hope to help

Giuseppe

Hall of Fame Super Blue

Re: ACL on Border Router

Peter.D.Brown wrote:

Hello,

I've just set up a Cisco 2811 router which is connected to the Internet.  I've got a firewall behind it to protect the network.

I've set up an access list on the interface which faces the Internet with some basic configuration (deny local addresses inbound to any, deny our public range inbound to any).

I want to make sure that the router itself is secure (I've run the auto-secure lockdown so that's ok) and was wondering on the implications of denying all traffic to the interface which faces the Internet).  We don't run dynamic routing protocols and the router doesn't need to talk to anything else.  Should I put a deny any statement to the Internet facing interface address or would this cause problems?  I want to make sure that it can't be hacked.  I was wondering if there would be any icmp traffic that should be allowed for correct operation?

I know that I wouldn't be able to get ping replies unless I put an entry allowing echo-reply above the deny any rule so I'll probably do that so that I can ping from the router to the Internet, but I don't want to cause any problems by denying traffic.

I've had a look at the Cisco IOS lockdown doc but I'd also like to get other peoples' opinions.  Basically, do I need to allow any traffic to the Internet facing interface if I don't intend to manage it or access it from the Internet?  Should I maybe just allow all IP traffic from the next hop (the ISP's router) and icmp echo-replies from any and then block all other traffic to the interface?

Thanks,

Pete.

Pete

This a perfectly valid thing to want to do. Note that i'm assuming that your NAT/PAT is taking place on the firewall and not the router for obvious reasons.

You won't deny any traffic going to and from your internal network by restricting access to the actual router interface.

Jon

910
Views
0
Helpful
2
Replies
CreatePlease to create content