● For each private subnet, add a permit rule with the destination being the private
  subnet and the source being any. This traffic is allowed only if it arrives through the
  VPN tunnel: the crypto-list requires that traffic to be protected, so a cleartext packet
  matching it is discarded before the rule is reached.
● Define all other traffic (default rule) as deny, to protect the device from
  non-secure traffic.
11. Define the Egress access control list to protect the device from sending traffic that is not
    allowed out of the public interface (optional):
● Permit DNS traffic, to allow clear (unencrypted) DNS traffic.
● Permit IKE traffic (UDP port 500) for VPN control traffic (IKE).
● Permit ESP traffic (IP protocol 50, ESP) for VPN data traffic (IPsec). If the peer is behind
  NAT, IKE and ESP are carried over UDP port 4500 (NAT traversal) instead, and that port must
  be permitted as well.
● Permit ICMP traffic, to support Path MTU discovery (PMTUD) so that fragmentation is
  handled correctly.
● For each private subnet, add a permit rule with the source being the private subnet
  and the destination being any.
● Define all other traffic (default rule) as deny, to protect the device from sending
  non-secure traffic.
12. Activate the crypto-list, the Ingress access control list, and the Egress access control list,
on the public interface.
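The following model of steps 10 to 12 is an added example, not the gateway's own code or CLI syntax. It evaluates constructed packets against the ingress list, the egress list and the crypto-list exactly as the bullets describe (first matching rule wins, implicit deny at the end) and shows why the "destination = private subnet, source = any" ingress rule is safe only because of the crypto-list. All addresses, the remote subnet 192.168.10.0/24, and the assumption that the ingress list's first bullets (on the previous page) are the same IKE, ESP and ICMP permits as the egress list are hypothetical.

```python
"""Model of the ingress ACL, egress ACL and crypto-list of steps 10 to 12.

Added example, not the gateway's own code or CLI syntax. Packets are
evaluated against ordered permit/deny rules (first match wins, implicit
deny at the end) and cleartext traffic is checked against the crypto-list,
which is what makes the "destination = private subnet, source = any"
ingress rule safe. All addresses are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# IANA IP protocol numbers and well-known ports.
ICMP, TCP, UDP, ESP = 1, 6, 17, 50
IKE_PORT, DNS_PORT = 500, 53

# Hypothetical topology: two private subnets behind this gateway and one
# remote private subnet reached through the VPN peer.
PRIVATE_SUBNETS = [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")]
REMOTE_SUBNET = ip_network("192.168.10.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    via_vpn: bool = False  # True once the packet has been decrypted from an IPsec SA


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Step 11: egress list. Only DNS, IKE, ESP, ICMP and traffic sourced from a
# private subnet may leave the public interface; everything else is denied.
EGRESS_ACL = [
    Rule("permit", ANY, ANY, UDP, DNS_PORT),
    Rule("permit", ANY, ANY, UDP, IKE_PORT),
    Rule("permit", ANY, ANY, ESP),
    Rule("permit", ANY, ANY, ICMP),
] + [Rule("permit", net, ANY) for net in PRIVATE_SUBNETS]

# Step 10: ingress list. The IKE/ESP/ICMP permits are assumed to mirror the
# egress list; the page shows only the private-subnet and default-deny rules.
INGRESS_ACL = [
    Rule("permit", ANY, ANY, UDP, IKE_PORT),
    Rule("permit", ANY, ANY, ESP),
    Rule("permit", ANY, ANY, ICMP),
] + [Rule("permit", ANY, net) for net in PRIVATE_SUBNETS]

# Crypto-list: traffic between the local and remote private subnets must be
# carried inside the tunnel in both directions.
CRYPTO_LIST = ([Rule("permit", net, REMOTE_SUBNET) for net in PRIVATE_SUBNETS]
               + [Rule("permit", REMOTE_SUBNET, net) for net in PRIVATE_SUBNETS])


def inbound(pkt: Packet) -> str:
    """Ingress on the public interface: a cleartext packet that matches the
    crypto-list is discarded even though the ingress ACL would permit it,
    because that flow is required to arrive inside an IPsec SA."""
    if not pkt.via_vpn and evaluate(CRYPTO_LIST, pkt) == "permit":
        return "deny (cleartext packet matches crypto-list)"
    return evaluate(INGRESS_ACL, pkt)


def outbound(pkt: Packet) -> str:
    """Egress: the ACL is checked on the cleartext packet, then the crypto-list
    decides whether it leaves inside ESP or in the clear."""
    if evaluate(EGRESS_ACL, pkt) != "permit":
        return "deny"
    return "permit via VPN" if evaluate(CRYPTO_LIST, pkt) == "permit" else "permit in clear"


def demo() -> Dict[str, str]:
    """Constructed packets, one per rule of interest (203.0.113.1 is the gateway's
    public address, 198.51.100.0/24 stands in for the Internet)."""
    packets = {
        "ike_in": Packet("198.51.100.2", "203.0.113.1", UDP, IKE_PORT),
        "esp_in": Packet("198.51.100.2", "203.0.113.1", ESP),
        "tunnelled_in": Packet("192.168.10.5", "10.1.0.7", TCP, 445, via_vpn=True),
        "bypass_in": Packet("192.168.10.5", "10.1.0.7", TCP, 445),      # cleartext copy of the above
        "web_to_gw_in": Packet("198.51.100.9", "203.0.113.1", TCP, 80),  # hits the implicit deny
        "lan_out": Packet("10.1.0.7", "192.168.10.5", TCP, 445),         # leaves via the VPN
        "lan_web_out": Packet("10.1.0.7", "198.51.100.20", TCP, 443),    # leaves in the clear
        "spoof_out": Packet("172.16.0.1", "198.51.100.9", TCP, 443),     # not a private subnet
    }
    return {name: inbound(p) if name.endswith("_in") else outbound(p)
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

Note what the model makes visible: the crypto-list check only protects flows covered by its own selectors. A cleartext packet addressed to a private subnet from a source outside the remote subnet is not rejected by the crypto-list and is accepted by the "source being any" ingress rule, so where the set of VPN peers is fixed, narrowing that rule's source to the remote private subnets is the tighter choice.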
Typical installations
Issue 3 February 2007
513