Rule ID
SV-216757r1117237_rule
Version
V3R3
CCIs
ISPs use BGP to share route information with other autonomous systems (i.e. other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRnet routes could be advertised to the ISP, thereby creating a backdoor connection from the Internet to the NIPRnet.
This requirement is not applicable for the DODIN Backbone. Step 1: Configure the ingress ACL of the perimeter router connected to an alternate gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider as shown in the example below. RP/0/0/CPU0:R2(config)#ip access-list ISP_ACL_INBOUND RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any any established RP/0/0/CPU0:R2(config-ipv4-acl)# permit icmp host x.12.1.16 host x.12.1.17 echo RP/0/0/CPU0:R2(config-ipv4-acl)# permit icmp host x.12.1.16 host x.12.1.17 echo-reply RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any host x.12.1.22 eq www RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any host x.12.1.23 eq www RP/0/0/CPU0:R2(config-ipv4-acl)# permit 50 any host x.12.1.24 RP/0/0/CPU0:R2(config-ipv4-acl)# permit 51 any host x.12.1.24 RP/0/0/CPU0:R2(config-ipv4-acl)# deny ip any any log-input RP/0/0/CPU0:R2(config-ipv4-acl)#end Step 2: Apply the ACL inbound on the ISP-facing interface. RP/0/0/CPU0:R3(config)#int g0/0/0/2 RP/0/0/CPU0:R3(config-if)#ipv4 access-group ISP_ACL_INBOUND in RP/0/0/CPU0:R3(config-if)#end If any BGP neighbors belonging to the alternate gateway service provider exist, this is a finding.
This requirement is not applicable for the DODIN Backbone. Remove any BGP neighbors belonging to the alternate gateway service provider and configure a static route to forward Internet bound traffic to the alternate gateway as shown in the example below. R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14