Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures page 25
Aggregation services router
Hide thumbs
Also See for ASR 1000 Series:
- Software configuration manual (602 pages) ,
- Configuration manual (442 pages) ,
- Replacing (120 pages)
Table of Contents
Advertisement
o Destination Port
Traffic matching is done based on a top-down approach in the access list. The first entry that a
packet matches will be the one applied to it. The VPNGW EP requires that the TOE Access
control lists (ACLs) are to be configured to drop all packet flows as the default rule and that
traffic matching the acl be able to be logged. The drop all default rule can be achieved by
including an ACL rule to drop all packets as the last rule in the ACL configuration. The logging
of matching traffic is done by appending the key word "log-input" per the command reference at
the end of the acl statements, as done below.
A privileged authorized administrator may manipulate the ACLs using the commands ip inspect,
access-list, crypto map, and access-group as described in [10]
Access lists must be configured on the TOE to meet the requirements of the VPN Gateway
Extended Package.
Note: These access lists must be integrated with the defined security policy for your TOE
router. Enabling just these access lists with no permits will result in traffic being dropped.
Ensure that your access list entries are inserted above the default deny acl.
In this example, we are assuming that interface GigabitEthernet0/0 is the external interface, and
is assigned an IP address of 10.200.1.1. Interface GigabitEthernet0/1 is the internal interface and
is assigned an IP address of 10.100.1.1.
If remote administration is required, ssh has to be explicitly allowed through either the internal or
external interfaces.
TOE-common-criteria# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
TOE-common-criteria(config)# access-list 199 permit tcp host 10.200.0.1 host
10.200.0.1 eq 22 log-input
To log connections to the Certificate Authority, implement the following acl:.
TOE-common-criteria(config)# access-list 100 permit ip any host [IP of CA] log-
input
TOE-common-criteria(config)# access-list 199 permit ip any host [IP of CA] log-
input
To close ports that don't need to be open and may introduce additional vulnerabilities,
implement the following acl:.
TOE-common-criteria(config)# access-list 100 deny 132 any any log-input
TOE-common-criteria(config)# access-list 199 deny 132 any any log-input
To explicitly create the default deny acl for traffic with no other match, implement the following
acl:.
TOE-common-criteria(config)# access-list 100 deny any any log-input
TOE-common-criteria(config)# access-list 199 deny any any log-input
Page 25 of 72
Hide quick links:
Advertisement
Table of Contents
Related Manuals for Cisco ASR 1000 Series
Related Products for Cisco ASR 1000 Series
- Cisco ASR1000-RP1 - ASR 1000 Series Route Processor 1 Router
- Cisco ASR1000-RP2 - ASR 1000 Series Route Processor 2 Router
- Cisco ASR-1000-SIP10
- Cisco ASR1002-5G-SEC/K9 - ASR 1002 VPN+FW Bundle Router
- Cisco ASR1002-5G-SHA/K9 - ASR 1002 Sec+HA Bundle Router
- Cisco ASR1004-10G-SHA/K9 - ASR 1004 Sec+HA Bundle Router
- Cisco ASR1004-20G-SEC/K9 - ASR 1004 VPN+FW Bundle Router
- Cisco ASR1006-10G-SEC/K9 - ASR 1006 VPN+FW Bundle Router
- Cisco ASR1006-10G-VPN/K9 - ASR 1006 VPN Bundle Router
- Cisco ASR1006-10G-SHA/K9 - ASR 1006 Sec+HA Bundle Router
- Cisco ASR1006-10G-HA/K9 - ASR 1006 HA Bundle Router
- Cisco ASR1004-10G/K9 - ASR 1004 Router
- Cisco ASR1006 - ASR 1006 Modular Expansion Base
- Cisco ASR 1002-F
- Cisco ASR 1002-RP1
- Cisco ASR 1002-RP2