Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Invisible Router Interface

I'm interested in learning how to make a router interface as secure as possible. For example, consider a router whose main function is to connect a branch to an MPLS WAN, but also has a cable modem on Fa0/1 used for a VPN tunnel when the WAN goes down. I'd like Fa0/1 to be essentially invisible on the Internet, only permitting the required traffic for the VPN tunnel. To be clear, this discussion will not apply to 99% of routers, just to very special-purpose interfaces.

Here's what I've come up with. 169.254.0.1 is a placeholder for the local router's Internet IP address, and 169.254.111.111 is a placeholder for the remote router's Internet IP address:

ip access-list extended internet-in

deny ip any any option any-options

permit ip host 169.254.111.111 host 169.254.0.1

permit icmp any host 169.254.0.1 packet-too-big

ip access-list extended internet-out

deny ip any any option any-options

permit ip host 169.254.0.1 host 169.254.111.111

interface FastEthernet0/1

ip address 169.254.0.1 255.255.0.0

ip access-group internet-in in

ip access-group internet-out out

no ip unreachables

no ip proxy-arp

no cdp enable

(if anyone knows how to get indents to stick, let me know and I'll fix it)

  • IP options are blocked to prevent spoofed source-routed packets from tunneling through the ACLs.
  • I just permit the bidirectional traffic based on IP address for now, but may lock it down to certain protocol numbers eventually.
  • PMTUD packets are speficially permitted from any source.
  • I want to be invisible to a port scan, so I disable IP unreachables.
  • Disabling proxy ARP and CDP are probably the least important, since they only impact the local subnet. But they both can leak information about the inside subnets.
  • There are a few commands I intentionally left out, because the strict ingress filtering makes them irrelevant. (e.g. disabling snmp)


My main concern with this is that I have no way of knowing what else I might be missing. It would be good if there were a Cisco document that documented this scenario. (I basically would like to see an official template of how to make an "invisible" interface, and then backtrack from there.) I was told that creating a post here was the best way of getting to the right people.

Are there any other commands that I should add? Is there a simpler or more foolproof way of doing this? The main thing I don't like about it is that the ACL does not apply to traffic originating from the router itself. (And I don't know exactly what that means either.) One misconfiguration (e.g. enabling RIP) could cause the router itself to start sending unwanted traffic out the interface. I'd like it if I could tell the router to enable the egress filtering even for traffic originating from the router. Then I wouldn't have to worry about figuring out all the protocols that could be active on the interface, disabling them individually.

Or maybe there is an existing Cisco document explaining this scenario?

Everyone's tags (2)
1 REPLY
Hall of Fame Super Gold

Re: Invisible Router Interface

permit ip host 169.254.111.111 host 169.254.0.1

permit icmp any host 169.254.0.1 packet-too-big

permit ip host 169.254.0.1 host 169.254.111.111

ip address 169.254.0.1 255.255.0.0

169.254.X.X???   Seriously???

747
Views
0
Helpful
1
Replies
CreatePlease to create content