cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
485
Views
0
Helpful
4
Replies

Securing VPN Router

saquib.tandel
Level 1
Level 1

Hello


I am looking for help in securing the VPN Box by allowing only VPN Traffic
rest all internet traffic should be blocked.

here is the configuration, can someone input.

###VPN Router###

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share

crypto isakmp key 2009CCIE address 5.5.5.5
crypto isakmp key 2009CCIE address 6.6.6.6

crypto ipsec transform-set VPN_A esp-3des esp-md5-hmac
crypto ipsec transform-set VPN_B esp-3des esp-md5-hmac

crypto map SEEDAR 10 ipsec-isakmp
set peer 5.5.5.5
set transform-set VPN_A
match address VPN_A


crypto map SEEDAR 15 ipsec-isakmp
set peer 6.6.6.6
set transform-set VPN_B
match address VPN_B


int fa 0/0
description # Connected to LAN #
ip address 192.168.1.1 255.255.255.252


int fa 0/1
description # Public IP #
ip address 10.10.10.10 255.255.255.248
crypto map SEEDAR


int tunnel 0
ip address 10.1.1.1 255.255.255.252
tunnel source fa 0/1
tunnel destination 5.5.5.5

int tunnel 1
ip address 10.10.10.1 255.255.255.252
tunnel source fa 0/1
tunnel destination 6.6.6.6


router ospf
network 10.1.1.1 0.0.0.0 area 0
network 10.1.1.1 0.0.0.0 area 0
network 192.168.1.1 0.0.0.0 area 0


ip access-list extended VPN_A
permit gre host 10.10.10.10 host 5.5.5.5

ip access-list extended VPN_B
permit gre host 10.10.10.10 host 6.6.6.6

Thanks

ST

4 Replies 4

u1kumar2002
Level 1
Level 1

Hi,

     I would like to suggest you to configure QOS. In that you can match internet traffic and set a action as drop.

Sample Config:

Router(config)#class-map INTERNET

Router(config-cmap)#match protocol http

Router(config-cmap)#exi

Router(config)#policy-map BLOCK_INTERNET

Router(config-pmap)#class INTERNET

Router(config-pmap-c)#drop

Router(config-pmap-c)#exit

Router(config-pmap)#exit

Router(config)#

Router(config)#int fa0/0

Router(config-if)#service-policy output BLOCK_INTERNET

Router(config-if)#exit

Router(config)#

Do rate for helpful post....
Uttam

Hi

What if I only allow the remote peer public IP with an acl

access-list 10 permit 5.5.5.5

access-list 10 permit 6.6.6.6

access-list 10 permit 7.7.7.7

interface fa 0/1

ip access-group 10 in

My test on this slapped the VPN Tunnels, all went down.

Any input

Thanks

ST

ST

Are you sure that the tunnels were up and working before you did access list 10? From the little bit that you posted it looks to me like access list 10 should not have impacted the tunnels that you show in your original post. Did anything change other than creating and assigning access list 10?

HTH

Rick

HTH

Rick

Hi Rick

Service provider informed to change the mtu to 1450, after changing this parameter

Tunnels are up. Changes are SP backend caused this issue.

My question is : The applied ACL on interface fa 0/1 is ok to restrict all internet traffic except GRE IPSEC VPN

Thanks

ST

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: