Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1378
Views
0
Helpful
7
Replies

Cisco 891 and Stealth Firewall

CTS-Tech1
Level 1
Level 1

‎03-31-2014 02:08 PM - edited ‎03-11-2019 09:00 PM

How can I configure the Cisco 891 to have Stealth ports on the GRC Shields Up test ?

https://www.grc.com/shieldsup

Labels:
0 Helpful
7 Replies 7

Marius Gunnerud
VIP
VIP

‎04-01-2014 05:46 AM

You need to configure either CBAC or ZBFW on your router.

CBAC - http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html

ZBFW - http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

 

CBAC would be the easier configuration out of the two, but it is an older implementation.  ZBFW is the new standard for IOS firewall, but can be quite complicated if you do not understand how it works.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

CTS-Tech1
Level 1
Level 1
In response to Marius Gunnerud

‎04-01-2014 08:39 AM

I already had Cisco Support create, enable and verify the Zone Based Firewall.  The GRC Shields Up test still reports the ports as "closed" or "open" - no "stealth".

0 Helpful

Marius Gunnerud
VIP
VIP
In response to CTS-Tech1

‎04-01-2014 11:39 PM

Could you post a full running config (sanitised) of the router please.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

CTS-Tech1
Level 1
Level 1
In response to Marius Gunnerud

‎04-04-2014 02:00 PM

CISCO891#sh run
Building configuration...

Current configuration : 7694 bytes
!
! Last configuration change at 20:49:10 UTC Mon Mar 31 2014 by xxxxxxxx
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxxxx
!
boot-start-marker
boot system flash:c890-universalk9-mz.154-1.T1.bin
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-913463742
 --More--          enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-913463742
 revocation-check none
 rsakeypair TP-self-signed-913463742
!
!
crypto pki certificate chain TP-self-signed-913463742
 certificate self-signed 01
  3082024B
  quit
!
!
!
!
!
!


ip port-map http port tcp 20000
ip port-map user-protocol--2 port tcp 3389
ip port-map user-protocol--3 port tcp 5900
!
!
!
!
no ip domain lookup
ip domain name xxxxxxxx
ip name-server 192.168.1.24
 --More--         ip name-server 208.67.220.220
ip inspect log drop-pkt
ip cef
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891-K9 sn xxxxxxxxxxxx
!
!
 --More--    
!
redundancy
!
!
!
!
no cdp run
!
no ip ftp passive
!
class-map type inspect match-any outbound
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any inbound
 match access-group name inbound
!
policy-map type inspect outbound
 --More--          class type inspect outbound
  inspect
 class class-default
  drop
policy-map type inspect inbound
 class type inspect inbound
  inspect
 class class-default
  drop
!
zone security outzone
zone security inzone
zone-pair security outbound source inzone destination outzone
 service-policy type inspect outbound
zone-pair security outzone source outzone destination inzone
 service-policy type inspect inbound
!
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
!
 --More--         crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxx address xxxxxxxxxxx   no-xauth
!
!
crypto ipsec transform-set ESP/AES-128/MD5 esp-aes esp-md5-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toxxxxxxxxxxx
 set peer xxxxxxxxxxxx
 --More--          set transform-set ESP/AES-128/MD5
 match address 100
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 --More--          no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 description TWTELECOM$FW_OUTSIDE$$ETH-WAN$
 ip address xxxxxxxxxxx 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 zone-member security outzone
 duplex full
 speed 100
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
 --More--         !
interface Vlan1
 description vlanrouterswitch$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inzone
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip http server
ip http port 20000
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.1.24 25 interface FastEthernet8 25
 --More--         ip nat inside source static tcp 192.168.1.24 80 interface FastEthernet8 80
ip nat inside source static tcp 192.168.1.24 443 interface FastEthernet8 443
ip nat inside source static tcp 192.168.1.243 5900 interface FastEthernet8 5900
ip nat inside source static tcp 192.168.1.20 3389 interface FastEthernet8 3390
ip nat inside source static tcp 192.168.1.25 3389 interface FastEthernet8 3389
ip nat inside source static tcp 192.168.1.36 2021 interface FastEthernet8 2021
ip nat inside source static tcp 192.168.1.36 2022 interface FastEthernet8 2022
ip nat inside source route-map TWTELECOM interface FastEthernet8 overload
ip nat inside source static tcp 192.168.1.37 443 xxxxxxxxxxxx 443 extendable
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx 5
!
ip access-list extended inbound
 permit tcp any host 192.168.1.24 eq smtp
 permit tcp any host 192.168.1.24 eq www
 permit tcp any host 192.168.1.24 eq 443
 permit tcp any host 192.168.1.243 eq 5900
 permit tcp any host 192.168.1.20 eq 3390
 permit tcp any host 192.168.1.25 eq 3389
 permit tcp any host 192.168.1.36 eq 2021
 permit tcp any host 192.168.1.36 eq 2022
 permit tcp any host 192.168.1.37 eq 443
 permit tcp any host 192.168.1.20 eq 3389
!
 --More--         !
route-map TWTELECOM permit 10
 match ip address 101
 match interface FastEthernet8
!
snmp-server community public RO
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 host xxxxxxxxxxxx
access-list 101 remark CCP_ACL Category=18
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.1.0 0.0.0.255 host xxxxxxxxxxxxxx
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit tcp host 192.168.1.24 eq 443 host xxxxxxxxxxxxxx
access-list 150 permit tcp host xxxxxxxxxxxxx host 192.168.1.24 eq 443
access-list 150 permit tcp host 192.168.1.37 eq 443 host xxxxxxxxxxxxxx
access-list 150 permit tcp host xxxxxxxxxxxxx host 192.168.1.37 eq 443
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
 --More--         mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
!
line con 0
 login local
line 1
 modem InOut
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 103 in
 privilege level 15
 --More--          login local
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end

0 Helpful

Marius Gunnerud
VIP
VIP
In response to CTS-Tech1

‎04-05-2014 06:32 AM

From which IP are you testing from?

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

CTS-Tech1
Level 1
Level 1
In response to Marius Gunnerud

‎04-07-2014 07:42 AM

An internal LAN IP on the 192.168.1.x network.

0 Helpful

Marius Gunnerud
VIP
VIP
In response to CTS-Tech1

‎04-07-2014 11:41 PM

Well, the config looks fine, so I am not sure why it is not showing as stealth.  Depending on how adventurous you want to get with this, you could try removing the config that matches the inbound ACL and see if it then shows as stealth.  But do so at your own risk...if you are not very familiar with ZBF that is.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card