Cisco 891 and Stealth Firewall

CTS-Tech1 — Tue, 12 Mar 2019 04:00:58 GMT

How can I configure the Cisco 891 to have Stealth ports on the GRC Shields Up test ?

https://www.grc.com/shieldsup

You need to configure either

Marius Gunnerud — Tue, 01 Apr 2014 12:46:39 GMT

You need to configure either CBAC or ZBFW on your router.

CBAC - http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html

ZBFW - http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

CBAC would be the easier configuration out of the two, but it is an older implementation. ZBFW is the new standard for IOS firewall, but can be quite complicated if you do not understand how it works.

Please remember to rate and select a correct answer

I already had Cisco Support

CTS-Tech1 — Tue, 01 Apr 2014 15:39:23 GMT

I already had Cisco Support create, enable and verify the Zone Based Firewall. The GRC Shields Up test still reports the ports as "closed" or "open" - no "stealth".

Could you post a full running

Marius Gunnerud — Wed, 02 Apr 2014 06:39:23 GMT

Could you post a full running config (sanitised) of the router please.

Please remember to rate and select a correct answer

CVACISCO891#sh runBuilding

CTS-Tech1 — Fri, 04 Apr 2014 21:00:02 GMT

CISCO891#sh run
Building configuration...

Current configuration : 7694 bytes
!
! Last configuration change at 20:49:10 UTC Mon Mar 31 2014 by xxxxxxxx
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxxxx
!
boot-start-marker
boot system flash:c890-universalk9-mz.154-1.T1.bin
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-913463742
--More-- enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-913463742
revocation-check none
rsakeypair TP-self-signed-913463742
!
!
crypto pki certificate chain TP-self-signed-913463742
certificate self-signed 01
3082024B
quit
!
!
!
!
!
!

ip port-map http port tcp 20000
ip port-map user-protocol--2 port tcp 3389
ip port-map user-protocol--3 port tcp 5900
!
!
!
!
no ip domain lookup
ip domain name xxxxxxxx
ip name-server 192.168.1.24
--More--         ip name-server 208.67.220.220
ip inspect log drop-pkt
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891-K9 sn xxxxxxxxxxxx
!
!
--More--
!
redundancy
!
!
!
!
no cdp run
!
no ip ftp passive
!
class-map type inspect match-any outbound
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any inbound
match access-group name inbound
!
policy-map type inspect outbound
--More--          class type inspect outbound
inspect
class class-default
drop
policy-map type inspect inbound
class type inspect inbound
inspect
class class-default
drop
!
zone security outzone
zone security inzone
zone-pair security outbound source inzone destination outzone
service-policy type inspect outbound
zone-pair security outzone source outzone destination inzone
service-policy type inspect inbound
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
!
--More--         crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxx address xxxxxxxxxxx no-xauth
!
!
crypto ipsec transform-set ESP/AES-128/MD5 esp-aes esp-md5-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toxxxxxxxxxxx
set peer xxxxxxxxxxxx
--More--          set transform-set ESP/AES-128/MD5
match address 100
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
--More--          no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
description TWTELECOM$FW_OUTSIDE$$ETH-WAN$
ip address xxxxxxxxxxx 255.255.255.0
ip nat outside
ip virtual-reassembly in
zone-member security outzone
duplex full
speed 100
crypto map SDM_CMAP_1
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
--More--         !
interface Vlan1
description vlanrouterswitch$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inzone
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http port 20000
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.1.24 25 interface FastEthernet8 25
--More--         ip nat inside source static tcp 192.168.1.24 80 interface FastEthernet8 80
ip nat inside source static tcp 192.168.1.24 443 interface FastEthernet8 443
ip nat inside source static tcp 192.168.1.243 5900 interface FastEthernet8 5900
ip nat inside source static tcp 192.168.1.20 3389 interface FastEthernet8 3390
ip nat inside source static tcp 192.168.1.25 3389 interface FastEthernet8 3389
ip nat inside source static tcp 192.168.1.36 2021 interface FastEthernet8 2021
ip nat inside source static tcp 192.168.1.36 2022 interface FastEthernet8 2022
ip nat inside source route-map TWTELECOM interface FastEthernet8 overload
ip nat inside source static tcp 192.168.1.37 443 xxxxxxxxxxxx 443 extendable
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx 5
!
ip access-list extended inbound
permit tcp any host 192.168.1.24 eq smtp
permit tcp any host 192.168.1.24 eq www
permit tcp any host 192.168.1.24 eq 443
permit tcp any host 192.168.1.243 eq 5900
permit tcp any host 192.168.1.20 eq 3390
permit tcp any host 192.168.1.25 eq 3389
permit tcp any host 192.168.1.36 eq 2021
permit tcp any host 192.168.1.36 eq 2022
permit tcp any host 192.168.1.37 eq 443
permit tcp any host 192.168.1.20 eq 3389
!
--More--         !
route-map TWTELECOM permit 10
match ip address 101
match interface FastEthernet8
!
snmp-server community public RO
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 host xxxxxxxxxxxx
access-list 101 remark CCP_ACL Category=18
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.1.0 0.0.0.255 host xxxxxxxxxxxxxx
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit tcp host 192.168.1.24 eq 443 host xxxxxxxxxxxxxx
access-list 150 permit tcp host xxxxxxxxxxxxx host 192.168.1.24 eq 443
access-list 150 permit tcp host 192.168.1.37 eq 443 host xxxxxxxxxxxxxx
access-list 150 permit tcp host xxxxxxxxxxxxx host 192.168.1.37 eq 443
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
--More--         mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
!
line con 0
login local
line 1
modem InOut
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class 103 in
privilege level 15
--More--          login local
transport input telnet ssh
line vty 5 15
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end

From which IP are you testing

Marius Gunnerud — Sat, 05 Apr 2014 13:32:55 GMT

From which IP are you testing from?

Please remember to rate and select a correct answer

An internal LAN IP on the 192

CTS-Tech1 — Mon, 07 Apr 2014 14:42:38 GMT

An internal LAN IP on the 192.168.1.x network.

Well, the config looks fine,

Marius Gunnerud — Tue, 08 Apr 2014 06:41:53 GMT

Well, the config looks fine, so I am not sure why it is not showing as stealth. Depending on how adventurous you want to get with this, you could try removing the config that matches the inbound ACL and see if it then shows as stealth. But do so at your own risk...if you are not very familiar with ZBF that is.

Please remember to rate and select a correct answer

topic CVACISCO891#sh runBuilding in Network Security

Cisco 891 and Stealth Firewall

You need to configure either

I already had Cisco Support

Could you post a full running

CVACISCO891#sh runBuilding

From which IP are you testing

An internal LAN IP on the 192

Well, the config looks fine,