Cisco Support Community
New Member

VPN Security

Hi

Router acting as VPN server and NAT is working great. Looking at the attached config, do I require additional steps to secure the box?

===========================================================

crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key Key111 address 196.88.1.10
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 196.88.1.10
 set transform-set myset
 match address 101
!
interface Ethernet0/0
 ip address 172.17.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 ip address 100.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
!
router ospf 1
 log-adjacency-changes
 network 172.17.1.1 0.0.0.0 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.254
!
ip http server
no ip http secure-server
!
ip nat inside source list 175 interface Ethernet1/0 overload
!
access-list 101 permit ip 172.17.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
access-list 175 deny   ip 172.17.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.17.1.0 0.0.0.255 any

6 REPLIES

Re: VPN Security

I'm not a big fan of "ip http server", and if you have remote access to this box (telnet, ssh) I would recommend an ACL to limit the addresses which can access it. With an ACL you also eliminate a DoS attack that can target your remote service ports (23 or 22).

Calin

Cisco Employee
New Member

Re: VPN Security

Thank you for the useful links.

Can you help with links for these scenarios?

  1. Locking the VPN router with security parameters (router is dedicated for site-to-site VPN)
  2. Locking the router with security parameters for Remote_Access_VPN
  3. Placing an ASA before the VPN router; encryption on the ASA and tunnel on the router

VPN_Router------------ASA------------Internet_Router=============INTERNET

Cisco Employee

Re: VPN Security

In regards to your questions 1 and 2, you can use either CBAC or ZBFW to lock the VPN router.

With your question 3, I suppose you mean the GRE tunnel is terminated on the router, and the ASA firewall terminates the LAN-to-LAN IPSec tunnel.

If that is what you are looking for, here is a sample configuration (GRE tunnel terminated on the router, and LAN-to-LAN IPSec terminated on the firewall):

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

The sample configuration is on a PIX firewall; however, the concept is the same. The majority of the commands are the same, with slight changes on the ASA firewall for the tunnel-group configuration of the pre-shared key. Here is a sample LAN-to-LAN configuration on ASA for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

Hope that helps.
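As an added example (not from this thread or from Cisco's sample configurations), here is how the two suggestions above could be applied to the posted config: Calin's advice to drop "ip http server" and restrict remote access with an ACL, and the CBAC suggestion for locking the VPN router. Addresses and interface names come from the posted config; the domain name, username, ACL names and the choice of the inside LAN as the management subnet are assumptions.

```cisco
! Added example, not from the thread. Management plane: no HTTP server,
! SSH only, and an access-class so only the inside LAN can reach the vty lines.
no ip http server
no ip http secure-server
ip domain-name example.internal
crypto key generate rsa modulus 2048
ip ssh version 2
username admin secret CHANGE-ME-PLACEHOLDER
!
ip access-list standard MGMT-HOSTS
 permit 172.17.1.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! CBAC: inspect sessions leaving Ethernet1/0 so that only their return traffic,
! the IPsec peer's IKE/ESP, and the decrypted site-to-site traffic are accepted
! inbound on the outside interface. Everything else is dropped and logged.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp
!
ip access-list extended OUTSIDE-IN
 permit udp host 196.88.1.10 host 100.1.1.1 eq isakmp
 permit udp host 196.88.1.10 host 100.1.1.1 eq non500-isakmp
 permit esp host 196.88.1.10 host 100.1.1.1
 remark decrypted remote-LAN traffic; older IOS re-checks it against this ACL
 permit ip 10.1.1.0 0.0.0.255 172.17.1.0 0.0.0.255
 deny   ip any any log
!
interface Ethernet1/0
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
```

The posted ISAKMP policy and transform set (3DES/MD5 with default policy parameters) are left untouched here; whether they need strengthening depends on the IOS release and the peer.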

New Member

Re: VPN Security

Thanks for replying.

P#3 scenario

(Site_A) VPN_Router------------ASA------------Internet_Router=============INTERNET=================VPN_RTR (SiteB)

On Site_A, the GRE tunnel is on VPN_Router and IPsec on the ASA (I was looking for a sample config for this scenario).

Cisco Employee

Re: VPN Security

I don't exactly have the sample config for just a GRE tunnel on one router with the ASA terminating the IPSec tunnel, and GRE over IPSec on the other router, but this is the sample configuration that you can use where the router is configured just for the GRE tunnel, and the PIX is configured to terminate the IPSec:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

The sample configuration is on a PIX firewall; however, the concept is the same. The majority of the commands are the same, with slight changes on the ASA firewall for the tunnel-group configuration of the pre-shared key. Here is a sample LAN-to-LAN configuration on ASA for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

And here is the config for your router that terminates GRE over IPSec:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

The combination of the 3 sample configurations above will achieve what you would like to configure.

Hope that helps.
