ACL on Border Router

Peter.D.Brown
Level 1

Hello,

I've just set up a Cisco 2811 router which is connected to the Internet.  I've got a firewall behind it to protect the network.

I've set up an access list on the interface which faces the Internet with some basic configuration (deny local addresses inbound to any, deny our public range inbound to any).

I want to make sure that the router itself is secure (I've run the auto-secure lockdown so that's ok) and was wondering about the implications of denying all traffic to the interface which faces the Internet. We don't run dynamic routing protocols and the router doesn't need to talk to anything else. Should I put a deny any statement to the Internet facing interface address or would this cause problems? I want to make sure that it can't be hacked. I was wondering if there would be any icmp traffic that should be allowed for correct operation?

I know that I wouldn't be able to get ping replies unless I put an entry allowing echo-reply above the deny any rule so I'll probably do that so that I can ping from the router to the Internet, but I don't want to cause any problems by denying traffic.

I've had a look at the Cisco IOS lockdown doc but I'd also like to get other people's opinions. Basically, do I need to allow any traffic to the Internet facing interface if I don't intend to manage it or access it from the Internet? Should I maybe just allow all IP traffic from the next hop (the ISP's router) and icmp echo-replies from any and then block all other traffic to the interface?

Thanks,

Pete.
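Added example (not part of Pete's post or of any reply in this thread): an inbound ACL of the shape the question describes, written for IOS. The interface name, the ACL name and every address are placeholders picked for the example from the RFC 5737 documentation ranges, not values from the thread. It allows only the ISP next hop and the ICMP replies the router needs for its own ping and traceroute to reach the interface address, drops everything else addressed to the router, and leaves transit traffic for the firewall alone.

```cisco
! Placeholder values (replace with the real ones):
!   203.0.113.2/30  - the router's Internet-facing interface address
!   203.0.113.1     - the ISP's next-hop router
!   198.51.100.0/24 - the site's own public range (behind the firewall)
!
ip access-list extended OUTSIDE-IN
 remark -- anti-spoofing: packets from the Internet must not carry these sources
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 remark -- traffic addressed to the router itself: only what operation needs
 remark    the ISP next hop (link keepalives, ICMP from the adjacent router)
 permit ip host 203.0.113.1 host 203.0.113.2
 remark    replies to pings and traceroutes sourced from the router
 permit icmp any host 203.0.113.2 echo-reply
 permit icmp any host 203.0.113.2 time-exceeded
 remark    unreachables, including fragmentation-needed for path MTU discovery
 permit icmp any host 203.0.113.2 unreachable
 remark    everything else destined to the interface address: drop, count, log
 deny   ip any host 203.0.113.2 log
 remark -- transit traffic for the site keeps flowing to the firewall
 permit ip any any
!
interface FastEthernet0/0
 description Internet-facing
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
!
```

Order matters: the three ICMP permits and the next-hop permit must sit above the `deny ip any host 203.0.113.2` line, and that deny must sit above the final `permit ip any any`, otherwise either the router's own pings stop working or the deny never matches. `show access-lists OUTSIDE-IN` shows per-entry hit counters, which is the quickest way to see what is knocking on the interface address. The `log` keyword makes those denies visible in syslog but is process-switched, so on a busy link leave it off or accept that IOS rate-limits the messages. The whole design assumes NAT/PAT is done on the firewall, not on the router: if the router translated, return traffic for the inside network would be addressed to the router's own interface and the deny would drop it.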

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Pete,

>> was wondering if there would be any icmp traffic that should be allowed for correct operation?

Yes, this is somewhat needed if you want to be able to test IP connectivity on the WAN link.

As a form of protection from attacks involving the use of many ICMP packets (ICMP flooding should be the attack name) you can implement a CAR rule to limit the amount of ICMP traffic accepted on the interface (or you can use modular QoS with police action to be more current).

I tested this for a customer some years ago and I was able to tune CAR parameters so that the basic ping test works but extended ping with big packets sees some of the packets dropped.

Hope to help

Giuseppe
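Added example (not Giuseppe's configuration): the ICMP rate limit he describes, in both the modular QoS form and the legacy CAR form, so the two can be compared. The interface name, the address 203.0.113.2 (assumed to be the router's Internet-facing address) and the numbers are placeholders; 8 kbit/s with a 1500-byte burst is chosen only because it reproduces the behaviour in the reply, where a plain ping passes and a run of large extended pings is partly dropped.

```cisco
! Match only ICMP addressed to the router itself. Transit ICMP to the
! network behind the firewall is not matched and is not policed.
ip access-list extended ICMP-TO-ROUTER
 permit icmp any host 203.0.113.2
!
! Modular QoS version: 8 kbit/s sustained, 1500-byte burst (bucket refills at
! about 1000 bytes/s). A default 100-byte ping once a second conforms; a
! back-to-back run of 1500-byte extended pings drains the bucket and some
! packets are dropped.
class-map match-all ICMP-TO-ROUTER
 match access-group name ICMP-TO-ROUTER
!
policy-map POLICE-ICMP-TO-ROUTER
 class ICMP-TO-ROUTER
  police 8000 1500 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 service-policy input POLICE-ICMP-TO-ROUTER
!
! Legacy CAR version of the same rule (needs a numbered ACL and is applied
! straight on the interface). Use one form or the other, not both.
access-list 110 permit icmp any host 203.0.113.2
!
interface FastEthernet0/0
 rate-limit input access-group 110 8000 1500 1500 conform-action transmit exceed-action drop
!
```

`show policy-map interface FastEthernet0/0` (or `show interfaces FastEthernet0/0 rate-limit` for the CAR form) gives conformed and exceeded byte counts, so a flood shows up as a rising exceeded counter while the router stays reachable. Because the policer covers echo-replies coming back to the router as well as requests arriving from outside, it also caps the router's own ping tests, which is exactly the effect Giuseppe reports with large extended pings. On IOS releases that support Control Plane Policing the same policy-map can instead be attached under `control-plane` with `service-policy input`, which polices only traffic punted to the router's CPU.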

Jon Marshall
Hall of Fame

Peter.D.Brown wrote:

>> Basically, do I need to allow any traffic to the Internet facing interface if I don't intend to manage it or access it from the Internet?

Pete

This is a perfectly valid thing to want to do. Note that I'm assuming that your NAT/PAT is taking place on the firewall and not the router for obvious reasons.

You won't deny any traffic going to and from your internal network by restricting access to the actual router interface.

Jon
