How to disable services on a Specific Interface?

Spork Schivago (Level 1)

Hi! I have a Cisco C1111-8PW router. I just noticed that services such as telnet are accessible from the outside world.

I do not want that. I do not want any access to those services, such as telnet, ssh, ftp, the web server management interface, etc., from the outside world.

I think ACLs are how I can block access, but I am not very familiar with ACLs. Is this the correct way to go, or is there another way to disable those services? The interface facing the outside world is interface GigabitEthernet 0/0/0.

I want certain services, such as ssh, accessible only from maybe a certain private IP or a private network address (such as 192.168.1.3, or 192.168.1.0 for the entire private network).

I have tried to disable telnet like this:

Router01#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router01(config)#ip access-list ex no_telnet
Router01(config-ext-nacl)#deny tcp any any eq telnet
Router01(config-ext-nacl)#exit
Router01(config)#exit
Router01#show ip access-lists
Extended IP access list 100
10 permit udp any any eq bootpc
Extended IP access list no_telnet
10 deny tcp any any eq telnet
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet (68 matches)
20 deny tcp any any eq www (5 matches)
30 deny tcp any any eq 22 (72 matches)
40 permit ip any any

However, I am still able to telnet to the public IP address that the router has been assigned.


Thanks!

1 Accepted Solution: the reply from luis_cordova (VIP Alumni) that appears in the thread below.
13 Replies

Spork Schivago (Level 1)

I noticed the access-lists already included a line that, to me, looks like it blocks telnet, ssh, and access to the web-based management from the outside world, but for whatever reason, they do not appear to be working like I would think they would work.

I can still telnet from the outside world to the public IP address of the router. I have removed my duplicate rule, the no_telnet one, but can still telnet (regardless of whether that extended access list that I created was there or not). This has me very much worried.

luis_cordova (VIP Alumni)

Hi @Spork Schivago,

Query:
Did you apply the ACL on the interface GigabitEthernet 0/0/0?

Did you apply the ACL on the VTY lines?

Regards

Thank you for the quick response.

I do not think I did apply the ACL to the GigabitEthernet 0/0/0 interface, or to the VTY lines. How do I do that? I will try figuring it out.

I know I went into the GigabitEthernet 0/0/0 interface config part and tried ip access-lists, but that wasn't an available command. I thought that was how I would apply it to the GigabitEthernet 0/0/0 interface.

I also, since my original post, learned what the sl_def_acl was, and I re-created my no_telnet service ACL.

Thanks!

@luis_cordova,

I believe I applied it to the VTY interfaces now. I went back to my ACL list, called NO_OUTFACING_SERVICES, and added this:

line vty 0 4
 access-class NO_OUTFACING_SERVICES in vrf-also

My understanding, which might be outdated now or wrong, was that the VTY lines are only for telnet. Right now, I'm trying to shut down all outside access to the router's services. I have a permanent link to the console port and I think I will only use that, but I might also want to check out that web interface that is used to configure routers. So I think I will modify the ACL to allow a certain private IP only.

Hi @Spork Schivago,

I'll show you an example of ACL configuration for VTY lines:

access-list 1 permit 192.168.1.0 0.0.0.255   <- this line allows the internal network that you mentioned
access-list 1 deny any
!
line vty 0 4
 access-class 1 in
 login local

Regards
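To make the accepted answer concrete (create the list, then actually apply it to the lines), here is an added example that is not part of the thread. It assumes the same 192.168.1.0/24 LAN and an IOS XE router whose VTY lines run 0 to 15 (check yours with show line); the ACL name is a placeholder. It goes one step beyond the example above: it covers every VTY line rather than only 0 to 4, and it removes the Telnet listener with transport input ssh instead of filtering it. The vrf-also keyword used earlier in the thread is only needed when management sessions arrive on an interface that belongs to a VRF. A side note on the sl_def_acl list in the original post: it is generated by login block-for, is attached to the VTY lines only during the quiet period, and never filters the WAN interface, which is why its counters climb while Telnet stays reachable.

```cisco
! Added example (not from the thread): restrict remote CLI access to the
! LAN and remove Telnet from the VTY lines of a C1111 running IOS XE.
! Assumptions: the LAN is 192.168.1.0/24, the VTY lines are 0-15
! (placeholder; confirm with "show line"), and the ACL name is ours.
!
! 1. Standard ACL naming the only sources allowed to open a VTY session.
!    Every IOS ACL ends with an implicit "deny any"; the explicit
!    "deny any log" only makes the refused attempts visible in the log.
ip access-list standard MGMT_SOURCES
 permit 192.168.1.0 0.0.0.255
 deny   any log
!
! 2. Apply it to EVERY VTY line. "access-class 1 in" on "line vty 0 4"
!    alone leaves lines 5-15 unfiltered. "transport input ssh" removes the
!    Telnet listener entirely, so no ACL entry is needed for port 23.
line vty 0 15
 access-class MGMT_SOURCES in
 transport input ssh
 exec-timeout 10 0
!
! 3. Verify. The match counter on the deny entry rises with each refused
!    connection from outside; the sl_def_acl counters are unrelated.
do show ip access-lists MGMT_SOURCES
do show running-config | section line vty
```

After this, a Telnet attempt to the public address is refused by the line itself (no listener), and an SSH attempt from outside 192.168.1.0/24 is refused before the login prompt, with the counter on MGMT_SOURCES incrementing.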

 

@luis_cordova,

Okay, thank you.

I have some questions now. I did apply it to the interface GigabitEthernet 0/0/0 as well. I typed this:

ip access-group NO_OUTFACING_SERVICES in

Now, my questions. With your command, you have the login local. Why is that needed? I still have console access without the login local, right? I am trying to understand a bit better what exactly is going on. I understand the ACL line and the mask you used. I understand why that allows the private network but no one else. I understand how ACLs are applied in order, much like the iptables rules in Linux.

I am a little confused why I had to apply the ACL to the VTY lines and the GigabitEthernet 0/0/0 interface. I think the VTY lines are confusing me a little. Do the VTY lines apply to the local console port on the router itself, the one where I plug an RJ45-to-DB9 console adapter into it?

I am also trying to think what other services there are on the GigabitEthernet 0/0/0 and VTY lines that I should disable. I believe SNMP is one, SSH is another, the web server is one, maybe TFTP. I was a bit confused as to how I could type interface GigabitEthernet 0/0/0 when I was editing the ACL list, and why I could type line vty 0 4 while I was editing the ACL list. The ? didn't show them as options. I believe typing line vty 0 4 while I was editing the ACL would be equivalent to leaving the ACL list and typing it while I was in the config t part, is that correct?

Thanks for the help!

Hi @Spork Schivago,

With your command, you have the login local. Why is that needed?

The login local command is not necessary for ACLs.
This command means that people who connect remotely must log in locally, entering their username and password.

I am a little confused why I had to apply the ACL to the VTY lines and the GigabitEthernet 0/0/0 interface.

To block the remote connections, by Telnet or SSH, it is only necessary to apply the ACL on the VTY lines.

Do the VTY lines apply to the local console port on the router itself, the one where I plug an RJ45-to-DB9 console adapter into it?

No, VTY lines only apply to remote connections, not to the console line.

I am also trying to think what other services there are on the GigabitEthernet 0/0/0 and VTY lines that I should disable.

One of the functions of NAT is to provide a certain type of security by preventing external networks from accessing services hosted on private networks.

So if you already have NAT configured, it would not be necessary to add ACLs to filter external connections to your internal services.

It would only be necessary to block services if they are configured on your border router.

Regards

 

@luis_cordova,

Thank you for that explanation, it really clears up some stuff. It seems I cannot type the login local command when I'm in line vty 0 4.

I have these options for the login command:

login ?
  authentication  Authentication parameters.

login authentication ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.

I'm wondering if this is a list of the usernames that can login?   I see no login local option though.

I believe I have configured NAT successfully, on the outside and inside facing interfaces.   What I meant by the services that should be blocked was the various services running on that border router.

I was thinking perhaps it's better to have an ACL that only allows certain traffic and block everything else, versus blocking the individual services (such as telnet, SSH, web server that runs on the router, etc).

I am not sure if that would be the best idea though.   Some sites I go to have services that run on special ports.

I believe this is the proper command to see what ports the router will accept connections on, and included is the results of the output from the command.

router01#show ip ports all
Proto Local Address               Foreign Address             State       PID/Program Name

TCB       Local Address               Foreign Address             (state)
tcp   :::80                      :::*                        LISTEN      306/[IOS]HTTP CORE
tcp   *:80                       *:*                         LISTEN      306/[IOS]HTTP CORE
tcp   :::443                     :::*                        LISTEN      306/[IOS]HTTP CORE
tcp   *:443                      *:*                         LISTEN      306/[IOS]HTTP CORE

To me, this looks like it's accepting incoming connections from the world on ports 80 and 443, yet, when I attempt to access port 80 or 443 from the outside world, nothing appears.   I check the running-config, and I do see this:

!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 <gateway IP address> name ETC-BLK2
ip ssh time-out 60
ip ssh authentication-retries 2
!

So to me, that means a web server is running and it's running on port 80 and port 443. I checked what the ip http authentication local does, and I see this:

Indicates that the login user name, password and privilege level access combination specified in the local system configuration (by the username global configuration command) should be used for authentication and authorization.

I believe that just means it'll use the same username and password and access level that I use to log in to the router via the console port, for web-based authentication. I am glad I cannot access the web interface from the outside world, but I'm not understanding why I cannot. I currently only have it set up to block telnet with my ACL.

Hi @Spork Schivago,

In your case, you could leave the login command alone.
The login authentication command is related to AAA authentication, through a RADIUS or TACACS server.
As I understand it, the web interface works using a remote connection, so if you block those connections with the ACL on the VTY lines, you are also blocking the web interface.

Regards
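Two things in this exchange deserve a worked example; what follows is added here and is not configuration from the thread. First, the reason "login local" is not offered under line vty is almost certainly that aaa new-model is already in the running configuration: with AAA enabled, lines take login authentication <list>, and it is the list, not a RADIUS or TACACS+ server, that decides where credentials are checked, so a purely local setup is still possible. Second, the HTTP(S) management server is a separate service with its own listening sockets (the 80 and 443 entries in show ip ports all), not a VTY line, so a VTY access-class does not cover it; it has its own access-class command. The username, password and ACL number below are placeholders.

```cisco
! Added example, not from the thread. Assumes "aaa new-model" is (or will
! be) enabled. Create the local account BEFORE enabling AAA so that the
! console is never left without a usable login. Placeholders: netadmin,
! <strong-password>, access-list 2.
!
! Local account and an AAA login list that checks the local database.
username netadmin privilege 15 secret <strong-password>
aaa new-model
aaa authentication login default local
!
! With "aaa new-model" on, lines use "login authentication <list>" instead
! of "login local"; "default" here is the list defined above.
line con 0
 login authentication default
line vty 0 4
 login authentication default
!
! HTTP(S) management: keep only HTTPS, authenticate against the same local
! database, and restrict clients with a standard ACL of its own. The VTY
! access-class does not apply to these sockets.
access-list 2 remark -- hosts allowed to reach the web management UI
access-list 2 permit 192.168.1.3
access-list 2 deny   any log
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 2
!
! Verify: only 443 should remain in LISTEN, and access-class 2 should be
! attached to the HTTP server.
do show ip ports all
do show running-config | include ip http
```

With this in place a browser on 192.168.1.3 still reaches https://<router>, a browser anywhere else is refused by access-list 2 (with a log entry), and port 80 no longer listens at all.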

@luis_cordova,

That's where my confusion comes from, I am not blocking anything except telnet with the ACL on any lines.   I am currently only blocking telnet on the VTY and GigabitEthernet 0/0/0 and GigabitEthernet 0/0/1 interfaces.

Here's my current ACL.

Extended IP access list 100
    10 permit udp any any eq bootpc
Extended IP access list NO_OUTFACING_SERVICES
    10 deny tcp any any eq telnet (24 matches)
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet (77 matches)
    20 deny tcp any any eq www (5 matches)
    30 deny tcp any any eq 22 (74 matches)
    40 permit ip any any



A bit unrelated though, I have a transceiver plugged into this router and I noticed when removed, it shows the transceiver is removed from GigabitEthernet 0/0/0 interface.   Is there a way to assign that transceiver to the GigabitEthernet 0/0/1 interface?

I want to use the sfp ports to connect my switch to my router.   I wonder if I just configure GigabitEthernet 0/0/1's media type to sfp, if that would work.   If not, I will have to switch my WAN connection to interface GigabitEthernet 0/0/1, and just use the GigabitEthernet 0/0/0 interface for the transceiver.

Hi @Spork Schivago,

To block access to Telnet and SSH, you only need to apply the ACL on the VTY lines.

Remove the ACL application from the G0/0/x interfaces.

Is there a way to assign that transceiver to the GigabitEthernet 0/0/1 interface?

The only way to do this is to change the interface cable physically.

Regards

I believe I'm almost good now. I can access the web server now, but through the public IP.

For the WWW services, I would want to block them on the GigabitEthernet interface and not the VTY lines, right?

I believe I'm good. I blocked port 80 and port 443 on the VTY lines and could still access the router's web management page, but I do not believe a VTY line would be used for that. I set the ACL on the GigabitEthernet interface and it's blocked now.

I will have to do some tests when I finish configuring the other interfaces, and make sure I'm not blocking regular http / https traffic. If I am, I will try using that IP address and mask for the ACL and see how I make out. At least for now, things look good.

Thanks for all the help!!!!!
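For the last step, the inbound filter on the WAN interface, here is an added example that is not the thread's own configuration. It shows the test the final post plans to run, in config form: block the router's management ports on the outside while leaving ordinary traffic alone. Assumptions: GigabitEthernet0/0/0 is the NAT outside interface, and the list names and the 203.0.113.10 address of a trusted remote administrator are placeholders. The first list reproduces a deny-only ACL like the single-line NO_OUTFACING_SERVICES in the thread and shows its failure mode: every IOS ACL ends with an implicit deny any, so applied inbound on the WAN it drops all other inbound packets too, including the replies to the LAN's own web sessions. The second list is the corrected form.

```cisco
! Added example (not from the thread): inbound ACL on the WAN interface.
! Assumptions: GigabitEthernet0/0/0 is the NAT outside interface; list
! names and the 203.0.113.10 admin address are placeholders.
!
! --- Weak: deny-only list. The implicit "deny any" at the end drops ALL
!     other inbound traffic, including the return half of LAN users' own
!     web sessions. Shown only to make the failure mode visible.
ip access-list extended WAN_IN_DENY_ONLY_WEAK
 deny tcp any any eq telnet
 deny tcp any any eq 22
 deny tcp any any eq www
 deny tcp any any eq 443
!
! --- Corrected: same denies, then an explicit permit for everything else.
!     Inbound ACLs on the outside interface are evaluated before NAT, so
!     the destination seen here is the public address. "eq <port>" after
!     the second address pair matches the DESTINATION port: a reply from a
!     web site has source port 80/443 and an ephemeral destination port,
!     so these entries do not touch it. More specific entries go first.
!     "log" on interface ACLs costs CPU; keep it only while testing.
ip access-list extended WAN_IN_MGMT_FILTER
 remark -- placeholder: one trusted admin host may reach SSH
 permit tcp host 203.0.113.10 any eq 22
 deny   tcp any any eq telnet log
 deny   tcp any any eq 22 log
 deny   tcp any any eq www log
 deny   tcp any any eq 443 log
 permit ip any any
!
interface GigabitEthernet0/0/0
 ip access-group WAN_IN_MGMT_FILTER in
!
! Verify: the list should be shown on the interface, and the deny counters
! should climb when the public address is probed from outside, while a
! LAN browser still loads external sites.
do show ip interface GigabitEthernet0/0/0 | include access list
do show ip access-lists WAN_IN_MGMT_FILTER
```

Note that the permit for 203.0.113.10 only gets the packet past the interface; the VTY access-class must also allow that source, or the SSH session is still refused at the line.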
