I am entirely new to Cisco hardware and am slowly learning how to configure things via console. I have a 2911 running IOS 15.7.3. It's a stock configuration with 3 GigabitEthernet interfaces. I also have a 4948 switch. What I want to do currently is configure one interface for WAN and use another to directly connect to my switch with OSPF, and possibly do a VLAN or two.
Before I connect to the internet I want to do a few things. I want to disable all remote management: SSH, telnet, HTTP, etc. I set up through the "setup" wizard and believe everything is disabled, but I would like to disable any vector that would allow exploitation other than physically being connected to the console.
I am familiar with pf and ufw as far as firewalls go, and I am aware 99% of firewall issues are outbound traffic, but I would like to set up a block-all-incoming on the WAN interface, with some more information on possibly allowing certain traffic to certain ports on VLAN IPs.
Tutorials would be great. I want to deny all incoming traffic before I connect this to the internet.
I followed the tutorial. I didn't need the DMZ though. I have some questions. Here is my config:
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
interface GigabitEthernet0/0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security OUTSIDE
 no ip route-cache
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security INSIDE
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!
!
access-list 100 permit udp any any eq bootpc
!
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
What's confusing me is this OUTSIDE-TO-INSIDE-CLASS. Shouldn't it be inspect and the other? Does this look like a good way to block all incoming connections on my WAN port?
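As an added example (not the poster's config and not from the tutorial they followed), here is the same zone-based firewall written out with the two actions in the places a defender would normally put them. The difference between the actions is what matters for the question above: `inspect` is stateful, so replies to a permitted connection are matched against the session table and need no rule in the reverse direction; `pass` forwards packets statelessly, so a service opened with `pass` from OUTSIDE would also need a `pass` for its replies in IN-TO-OUT. Traffic between two zones with no zone-pair is dropped by ZBF, so the simplest deny-all WAN is an OUT-TO-IN policy whose only action is `class-default drop`, or no OUT-TO-IN zone-pair at all. The inside network 192.168.10.0/24, the address 192.168.10.1 on Gi0/1 and the internal HTTPS server 192.168.10.10 are assumptions for the "allow one service" case the poster asked about.

```cisco
! Added example, not the poster's running config. Assumed: inside network
! 192.168.10.0/24 on Gi0/1, one internal HTTPS server at 192.168.10.10.
!
! 1. Inside hosts that may open sessions towards the WAN.
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.10.0 0.0.0.255 any
!
! 2. Unsolicited inbound. For a deny-all WAN leave this ACL empty and delete
!    the OUTSIDE-TO-INSIDE class from the policy below (or delete the
!    OUT-TO-IN zone-pair entirely). The one entry here is the
!    "certain traffic to a certain port" case; Gi0/0 gets its address by
!    DHCP, so reaching this host from the internet also needs a static NAT
!    entry, which is not shown.
ip access-list extended OUTSIDE-TO-INSIDE
 permit tcp any host 192.168.10.10 eq 443
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
! inspect: a session entry is created, return packets are allowed by state.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Also inspect here. "pass" would forward the inbound SYN statelessly and the
! server's replies would then need their own pass rule in IN-TO-OUT.
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
! 3. Packets addressed to the router itself belong to the built-in "self"
!    zone, which is permitted by default. From the WAN side allow only the
!    DHCP client replies Gi0/0 needs (the poster's access-list 100) and
!    drop the rest; "pass" is used because this is to the router itself.
access-list 100 permit udp any any eq bootpc
class-map type inspect match-all OUTSIDE-TO-SELF-CLASS
 match access-group 100
policy-map type inspect OUTSIDE-TO-SELF-POLICY
 class type inspect OUTSIDE-TO-SELF-CLASS
  pass
 class class-default
  drop log
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF-POLICY
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
 no shutdown
```

To confirm the policy does what you expect, `show policy-map type inspect zone-pair` shows per-class packet counters for each zone-pair, and `show policy-map type inspect zone-pair sessions` lists the sessions that `inspect` has created; drops from the WAN side appear in the log because of `drop log` on `class-default`.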
You can disable all interfaces except one from even responding to management traffic by using the management plane protection feature.
No management interfaces configured
(none of the things meme)
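The management plane protection configuration described in the reply above, written out as an added example (not the replying user's config). It assumes Gi0/1 is the inside interface and that SSH is the only management protocol you would ever want to allow; the service lines after it remove the other listeners the poster wanted gone rather than filtering them.

```cisco
! Added example, not from the thread. Assumes Gi0/1 is the inside interface.
!
! Management Plane Protection: management protocols are accepted only on the
! interfaces listed under "control-plane host". Every other interface, here
! the WAN port Gi0/0, drops them before they ever reach the vty lines.
control-plane host
 management-interface GigabitEthernet0/1 allow ssh
!
! Listeners a stock edge router does not need. Turning a service off removes
! the listener entirely, which is stronger than filtering it.
no ip http server
no ip http secure-server
no cdp run
no ip finger
no service pad
no ip bootp server
no service tcp-small-servers
no service udp-small-servers
no ip source-route
!
! Verification (exec mode). With no "control-plane host" entry the first
! command prints "No management interfaces configured", the output quoted
! in the reply above.
! show management-interface
! show control-plane host open-ports
! show ip sockets
```

MPP only decides which interfaces may receive management traffic; which protocols are accepted at all is still set per line with `transport input`, so the two are used together.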
What are these things?
line con 0
line aux 0
line vty 0 4?
The various line commands are described in detail in this book excerpt:
Thank you for your help.
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 speed 115200
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line 2
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 supersecurepassword
 login authentication local_auth
 transport input telnet
!
I want to disable line 2 and vty but I'm not sure what they are. vty is any IP-based service like telnet and SSH, but what is line 2?
At some point I want to use my aux port to link my router to my switch so I only have to use one console cable.
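As an added example (not the poster's config), here is the line section above rewritten as a console-only baseline, which is what the original question asked for: no network login path at all, the AUX port closed until it is repurposed, and the local AAA backend that `login authentication local_auth` refers to actually defined. The username and the management network are assumptions. Two points from the posted config: the vty `password 7` value is stored with Cisco's reversible type-7 encoding, so anyone who can read the config can recover it, and it is unused anyway once AAA login authentication is in place; `transport input telnet` on the vty lines accepts clear-text logins on every interface, including the WAN port.

```cisco
! Added example, not the poster's config. Assumed: one local admin account
! and 192.168.10.0/24 as the inside management network.
!
! Local AAA so "login authentication local_auth" has a backend.
aaa new-model
aaa authentication login local_auth local
username admin privilege 15 secret CHANGE-ME-PLACEHOLDER
service password-encryption
!
! Throttle and log failed logins on whatever path is enabled.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 logging synchronous
 transport output none
!
! AUX: no shell and no transport in either direction. Revisit this block
! when the port is turned into the link to the switch console.
line aux 0
 exec-timeout 0 1
 no exec
 transport input none
 transport output none
!
! VTY: "transport input none" refuses telnet and SSH on every interface.
! The type-7 password is removed; it is reversible and not consulted with AAA.
line vty 0 4
 no password
 exec-timeout 5 0
 login authentication local_auth
 transport input none
 transport output none
!
! If SSH from the inside network is wanted later, replace the vty
! "transport input none" with the following (still console-only until then).
! ip domain-name lab.example
! crypto key generate rsa modulus 2048
! ip ssh version 2
! ip access-list standard MGMT-HOSTS
!  permit 192.168.10.0 0.0.0.255
! line vty 0 4
!  access-class MGMT-HOSTS in
!  transport input ssh
```

After applying this, `show line` lists every line with its transport settings, and `show users` shows who is connected; with `transport input none` on the vty lines nothing should ever appear there.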