05-31-2010 12:44 AM - edited 03-04-2019 08:38 AM
Hi
Router acting as VPN server and NAT is working great. Looking at the attached config, do I require additional steps to secure the box?
===========================================================
! Phase 1 (ISAKMP) policy: only the authentication method is set, so encryption,
! hash, DH group and lifetime fall back to the IOS defaults
crypto isakmp policy 10
 authentication pre-share
!
! Pre-shared key for the single LAN-to-LAN peer
crypto isakmp key Key111 address 196.88.1.10
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
! Crypto map: traffic matching ACL 101 is encrypted to the peer
crypto map myvpn 10 ipsec-isakmp
 set peer 196.88.1.10
 set transform-set myset
 match address 101
!
! Inside (LAN) interface
interface Ethernet0/0
 ip address 172.17.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! Outside (Internet-facing) interface: NAT outside plus the crypto map
interface Ethernet1/0
 ip address 100.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
!
router ospf 1
 log-adjacency-changes
 network 172.17.1.1 0.0.0.0 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.254
!
ip http server
no ip http secure-server
!
! PAT everything matching ACL 175 behind the outside interface address
ip nat inside source list 175 interface Ethernet1/0 overload
!
! ACL 101: interesting traffic for the VPN
access-list 101 permit ip 172.17.1.0 0.0.0.255 10.1.1.0 0.0.0.255
! ACL 175: exempt VPN traffic from NAT, PAT everything else from the LAN
access-list 175 deny ip 172.17.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.17.1.0 0.0.0.255 any
05-31-2010 02:31 AM
I'm not a big fan of "ip http server", and if you have remote access to this box (telnet, ssh) I would recommend an ACL to limit the addresses which can access it. With an ACL you also eliminate a DoS attack that can target your remote service ports (23 or 22).
Calin
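The vty ACL Calin recommends, written against the posted config, as an added example that is not part of the original thread. The management host 172.17.1.50, the hostname vpn-router and the domain name example.local are assumptions; everything else follows the posted addressing.

```cisco
! Added example, not from the original thread: management-plane hardening for
! the posted config. Assumed: management host 172.17.1.50, hostname vpn-router,
! domain example.local; everything else follows the posted addressing.
!
! 1. Drop the clear-text HTTP server; leave HTTPS off too unless SDM/CCP is used.
no ip http server
no ip http secure-server
!
! 2. Only the management host may open a vty; everything else is logged.
ip access-list standard MGMT-HOSTS
 permit 172.17.1.50
 deny   any log
!
! 3. SSH needs a hostname, a domain name and an RSA key before it will listen.
hostname vpn-router
ip domain-name example.local
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! 4. Local account for "login local" below; "secret" stores a hash, "password" does not.
username admin privilege 15 secret <strong-password>
!
! 5. vty lines: ACL applied with access-class, SSH only, idle sessions expire.
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 login local
!
! 6. Same idle timeout on the console, and no exec on the unused aux port.
line console 0
 exec-timeout 5 0
 login local
line aux 0
 no exec
```

Apply this from the console, or at least make sure the address you are connecting from is in MGMT-HOSTS before the access-class line goes in, and open a second SSH session to confirm `transport input ssh` and `login local` work before closing the first. `access-class` only covers the vty lines; it does nothing for the HTTP server, which is why that is removed outright (if you must keep it, `ip http access-class` takes a standard ACL in the same way).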
05-31-2010 02:57 AM
For further security, you can configure CBAC or ZBFW (Zone-Based Firewall).
CBAC is simpler, and here is the sample configuration:
Or ZBFW:
Hope that helps.
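Both options named above, as an added example written for the posted config rather than taken from the original thread or the linked Cisco pages. Addressing is the poster's (LAN 172.17.1.0/24 on Ethernet0/0, outside 100.1.1.1 on Ethernet1/0, peer 196.88.1.10, remote LAN 10.1.1.0/24); the ACL and class names are assumptions. Pick one option: `ip inspect` and zone membership cannot both be applied to the same interface.

```cisco
! Added example, not from the original thread. Same addressing as the posted
! config: LAN 172.17.1.0/24 on Ethernet0/0, outside 100.1.1.1 on Ethernet1/0,
! IPsec peer 196.88.1.10, remote LAN 10.1.1.0/24. Use Option 1 OR Option 2.
!
! ---- Option 1: CBAC (classic IOS firewall) ----
! Inspect sessions leaving via the outside interface; CBAC then opens
! temporary entries ahead of OUTSIDE-IN for the return traffic only.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp
!
ip access-list extended OUTSIDE-IN
 remark IKE, NAT-T and ESP from the VPN peer only
 permit udp host 196.88.1.10 host 100.1.1.1 eq isakmp
 permit udp host 196.88.1.10 host 100.1.1.1 eq non500-isakmp
 permit esp host 196.88.1.10 host 100.1.1.1
 remark decrypted LAN-to-LAN traffic: older IOS releases re-check the interface ACL after decryption
 permit ip 10.1.1.0 0.0.0.255 172.17.1.0 0.0.0.255
 remark ICMP needed for path MTU discovery and traceroute
 permit icmp any host 100.1.1.1 unreachable
 permit icmp any host 100.1.1.1 time-exceeded
 deny   ip any any log
!
interface Ethernet1/0
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
!
! ---- Option 2: Zone-Based Policy Firewall, same policy ----
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any LAN-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect IN-TO-OUT
 class type inspect LAN-TRAFFIC
  inspect
 class class-default
  drop log
!
! Decrypted packets enter through the OUTSIDE zone, so the LAN-to-LAN
! traffic needs its own class on the OUTSIDE->INSIDE pair; all else is dropped.
ip access-list extended VPN-LAN-TO-LAN
 permit ip 10.1.1.0 0.0.0.255 172.17.1.0 0.0.0.255
class-map type inspect match-all VPN-TRAFFIC
 match access-group name VPN-LAN-TO-LAN
policy-map type inspect OUT-TO-IN
 class type inspect VPN-TRAFFIC
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN
!
interface Ethernet0/0
 zone-member security INSIDE
interface Ethernet1/0
 zone-member security OUTSIDE
```

Two caveats worth checking after you apply either option. First, the VPN itself must keep working: in the CBAC version the IKE/NAT-T/ESP permits are what let the peer in, and in the ZBFW version traffic to the router's own addresses (the self zone) stays allowed because no zone-pair involving `self` is defined; add one only if you also want to police IKE and management traffic to the box. Second, `show ip inspect sessions` (CBAC) or `show policy-map type inspect zone-pair sessions` (ZBFW) should list LAN-originated flows and, once the tunnel is up, the 10.1.1.0/24 to 172.17.1.0/24 flows; if the VPN traffic is missing, the decrypted-traffic rule is the first thing to look at.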
05-31-2010 04:52 AM
Thank you for the useful links.
Can you help with links for this scenario?
VPN_Router------------ASA------------Internet_Router=============INTERNET
05-31-2010 05:02 AM
In regards to your questions 1 and 2, you can use either CBAC or ZBFW to lock down the VPN router.
With your question 3, I suppose you mean the GRE tunnel is terminated on the router, and the ASA firewall terminates the LAN-to-LAN IPSec tunnel.
If that is what you are looking for, here is a sample configuration (GRE tunnel terminated on router, and LAN-to-LAN IPSec terminated on the firewall):
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
The sample configuration is on a PIX firewall, however, the concept is the same. The majority of the commands are the same, with slight changes on the ASA firewall for the tunnel-group configuration for the pre-shared key. Here is a sample LAN-to-LAN configuration on ASA for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
Hope that helps.
05-31-2010 07:48 AM
Thanks for replying.
P#3 scenario
(Site_A) VPN_Router------------ASA------------Internet_Router=============INTERNET=================VPN_RTR (SiteB)
On site_A, the GRE tunnel is on VPN_Router and IPsec on the ASA (I was looking for a sample config for this scenario).
06-01-2010 01:47 AM
I don't exactly have the sample config for just a GRE tunnel on one router with the ASA terminating the IPSec tunnel, and GRE over IPSec on the other router, but this is the sample configuration that you can use where the router is configured just for the GRE tunnel, and the PIX is configured to terminate the IPSec:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
The sample configuration is on a PIX firewall, however, the concept is the same. The majority of the commands are the same, with slight changes on the ASA firewall for the tunnel-group configuration for the pre-shared key. Here is a sample LAN-to-LAN configuration on ASA for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
And here is the config for your router that terminates GRE over IPSec:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml
Combination of the 3 sample configurations above will achieve what you would like to configure.
Hope that helps.
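The three pieces the reply above says to combine (GRE-only router at site A, IPsec on the site A ASA, GRE over IPsec on the site B router), as one added example that is not from the original thread or the linked Cisco documents. Site A uses the posted addressing (VPN_Router outside 100.1.1.1/24, default gateway 100.1.1.254 taken to be the ASA inside). The ASA outside address 203.0.113.2, the site B router address 198.51.100.10, the site B LAN 10.1.1.0/24, the tunnel subnet 10.255.0.0/30, the AES/SHA transform and all names are assumptions, and the ASA syntax is the 8.2-era form current when the thread was written.

```cisco
! Added example, not from the original thread. Site A per the posted config:
! VPN_Router outside 100.1.1.1/24, default gateway 100.1.1.254 (ASA inside).
! Assumed: ASA outside 203.0.113.2, site B VPN_RTR 198.51.100.10, site B LAN
! 10.1.1.0/24, tunnel subnet 10.255.0.0/30. ASA syntax is 8.2-era: 8.3+ uses
! object/twice NAT instead of "nat 0", 8.4+ uses "crypto ikev1".
!
! ---- Site A VPN_Router: plain GRE, no crypto on this box ----
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Ethernet1/0
 tunnel destination 198.51.100.10
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! Site B LAN is reached through the tunnel
ip route 10.1.1.0 255.255.255.0 Tunnel0
!
! ---- Site A ASA: encrypt the GRE flow between the two router addresses ----
! Crypto ACL: only protocol 47 between the GRE endpoints is interesting traffic
access-list GRE-TO-SITEB extended permit gre host 100.1.1.1 host 198.51.100.10
! Never translate the GRE endpoints, or the crypto ACL will not match
access-list NONAT extended permit gre host 100.1.1.1 host 198.51.100.10
nat (inside) 0 access-list NONAT
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address GRE-TO-SITEB
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! ASA keeps the pre-shared key in a tunnel-group named after the peer
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <strong-key>
!
! Decrypted GRE bypasses the outside interface ACL (the ASA default)
sysopt connection permit-vpn
!
! ---- Site B VPN_RTR: GRE over IPsec on one box ----
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source <siteB-outside-interface>
 tunnel destination 100.1.1.1
 ip mtu 1400
 ip tcp adjust-mss 1360
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
! The IPsec peer for site B is the ASA outside address, not the GRE endpoint
crypto isakmp key <strong-key> address 203.0.113.2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Mirror image of the ASA crypto ACL
access-list 110 permit gre host 198.51.100.10 host 100.1.1.1
crypto map SITEA 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES-SHA
 match address 110
interface <siteB-outside-interface>
 ip address 198.51.100.10 255.255.255.0
 crypto map SITEA
ip route 172.17.1.0 255.255.255.0 Tunnel0
```

The points that usually break this design: the two crypto ACLs must be exact mirrors of each other and match GRE (protocol 47) between the router addresses, not the LAN subnets, because the LAN traffic is already inside GRE by the time the ASA sees it; the GRE endpoint 100.1.1.1 must be exempt from NAT on the ASA and must be routable from site B, since it is what site B's `tunnel destination` points at; and the site B router peers with the ASA (203.0.113.2) for IKE while its GRE tunnel terminates on the router behind it (100.1.1.1). `show crypto ipsec sa` on the ASA should show encaps/decaps counters for the GRE selector once `ping 10.255.0.2` from site A succeeds.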