08-09-2010 05:45 AM - edited 03-04-2019 09:21 AM
Hello,
I am looking for help in securing the VPN box by allowing only VPN traffic;
all other internet traffic should be blocked.
Here is the configuration; can someone give input?
###VPN Router###
!
! Phase 1 (ISAKMP) policy and the pre-shared keys for the two peers
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 2009CCIE address 5.5.5.5
crypto isakmp key 2009CCIE address 6.6.6.6
!
! Phase 2 transform sets, one per peer
crypto ipsec transform-set VPN_A esp-3des esp-md5-hmac
crypto ipsec transform-set VPN_B esp-3des esp-md5-hmac
!
! Crypto map: encrypt the GRE traffic matched by VPN_A / VPN_B towards each peer
crypto map SEEDAR 10 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set VPN_A
 match address VPN_A
crypto map SEEDAR 15 ipsec-isakmp
 set peer 6.6.6.6
 set transform-set VPN_B
 match address VPN_B
!
int fa 0/0
 description # Connected to LAN #
 ip address 192.168.1.1 255.255.255.252
!
int fa 0/1
 description # Public IP #
 ip address 10.10.10.10 255.255.255.248
 crypto map SEEDAR
!
! GRE tunnels, sourced from the public interface, one per peer
int tunnel 0
 ip address 10.1.1.1 255.255.255.252
 tunnel source fa 0/1
 tunnel destination 5.5.5.5
!
int tunnel 1
 ip address 10.10.10.1 255.255.255.252
 tunnel source fa 0/1
 tunnel destination 6.6.6.6
!
! OSPF over the two tunnels and the LAN interface.
! IOS requires a process ID (1 is assumed here). The second network
! statement as posted repeated 10.1.1.1; tunnel 1 is 10.10.10.1.
router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 network 10.10.10.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
!
! Crypto ACLs: the GRE tunnel packets to each peer are what gets encrypted
ip access-list extended VPN_A
 permit gre host 10.10.10.10 host 5.5.5.5
ip access-list extended VPN_B
 permit gre host 10.10.10.10 host 6.6.6.6
Thanks
ST
08-09-2010 10:49 AM
Hi,
I would like to suggest that you configure QoS. With that you can match internet traffic and set the action to drop.
Sample config:
Router(config)#class-map INTERNET
Router(config-cmap)#match protocol http
Router(config-cmap)#exit
Router(config)#policy-map BLOCK_INTERNET
Router(config-pmap)#class INTERNET
Router(config-pmap-c)#drop
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#
Router(config)#int fa0/0
Router(config-if)#service-policy output BLOCK_INTERNET
Router(config-if)#exit
Router(config)#
08-09-2010 12:12 PM
Hi,
What if I only allow the remote peers' public IPs with an ACL?
access-list 10 permit 5.5.5.5
access-list 10 permit 6.6.6.6
access-list 10 permit 7.7.7.7
interface fa 0/1
 ip access-group 10 in
My test of this slapped the VPN tunnels; they all went down.
Any input?
Thanks
ST
08-10-2010 10:52 AM
ST
Are you sure that the tunnels were up and working before you did access list 10? From the little bit that you posted it looks to me like access list 10 should not have impacted the tunnels that you show in your original post. Did anything change other than creating and assigning access list 10?
HTH
Rick
08-10-2010 01:16 PM
Hi Rick,
The service provider told us to change the MTU to 1450; after changing this parameter
the tunnels are up. Changes on the SP backend caused this issue.
My question is: is the ACL applied on interface fa 0/1 OK to restrict all internet traffic except the GRE/IPsec VPN?
Thanks
ST
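Added example, not from the original post or from any of the replies: an inbound filter for fa 0/1 that admits only the IKE and IPsec exchange with the two peers named in the posted crypto map (5.5.5.5 and 6.6.6.6) and drops everything else arriving from the internet. The interface and peer addresses are taken from the posted configuration; the ACL name OUTSIDE_IN and the NAT-T lines are assumptions.

```cisco
! Added example (not from the thread). Addresses come from the posted config;
! the ACL name and the NAT-T lines are assumptions.
ip access-list extended OUTSIDE_IN
 remark IKE (UDP/500) from the two VPN peers only
 permit udp host 5.5.5.5 host 10.10.10.10 eq isakmp
 permit udp host 6.6.6.6 host 10.10.10.10 eq isakmp
 remark NAT-T (UDP/4500): only needed if a NAT device sits between you and a peer
 permit udp host 5.5.5.5 host 10.10.10.10 eq non500-isakmp
 permit udp host 6.6.6.6 host 10.10.10.10 eq non500-isakmp
 remark the encrypted tunnel traffic itself
 permit esp host 5.5.5.5 host 10.10.10.10
 permit esp host 6.6.6.6 host 10.10.10.10
 remark IOS may re-check the decrypted GRE packet against this inbound ACL,
 remark so the inner GRE from each peer is permitted as well
 permit gre host 5.5.5.5 host 10.10.10.10
 permit gre host 6.6.6.6 host 10.10.10.10
 remark keep path MTU discovery working for the tunnels
 permit icmp any host 10.10.10.10 packet-too-big
 remark everything else from the internet is dropped and logged
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group OUTSIDE_IN in
!
! Verification (exec mode):
!   show access-lists OUTSIDE_IN        ! hit counters per line
!   show crypto isakmp sa               ! phase 1 SAs should still show QM_IDLE
!   show crypto ipsec sa                ! encaps/decaps counters increasing
!   show ip interface FastEthernet0/1   ! confirms the inbound ACL is applied
```

Compared with the standard ACL 10 from the thread, which permits every protocol from the listed sources (and includes 7.7.7.7, which appears in no crypto map peer statement), this restricts both the source and the protocol, so a packet arriving from a peer's address can only reach IKE and IPsec on the router and not SSH, Telnet or SNMP. The packet-too-big line matters because of the MTU trouble mentioned above: the poster attributes that to the SP backend, but an inbound ACL that silently drops ICMP fragmentation-needed messages breaks path MTU discovery for the tunnels on its own. An inbound ACL on fa 0/1 says nothing about traffic the LAN sends out; the posted configuration has no NAT, so hosts behind 192.168.1.0/30 have no usable path to the internet in any case, and if NAT is added later an inbound ACL on fa 0/0 limited to the remote sites' subnets is the matching control. Nothing here changes the crypto proposals; 3DES with MD5 and one pre-shared key reused for both peers is dated, but that is a separate matter from the filter.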