06-01-2011 09:24 AM - edited 03-11-2019 01:41 PM
Hi
I am new to Cisco but able to learn new things very fast. Please help with configuring the router as a firewall. Below is my config of the router and switch; all VLANs are able to browse. I want my router to be secured, please.
//cisco router 1921
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1921
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$mhnT$R2weEBZ4l3mQI7W5Q80xr1
!
no aaa new-model
!
!
!
clock timezone EST 3
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip name-server 196.46.k.t
ip name-server 196.46.d.t
!
multilink bundle-name authenticated
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description connection to LAN
ip address 10.10.10.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex full
speed 1000
ntp disable
!
!
interface GigabitEthernet0/1
description connection to INTERNET
ip address 196.43.x.p 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ntp disable
!
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip flow-export source GigabitEthernet0/1
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 196.43.x.y
ip route 192.168.3.0 255.255.255.0 10.10.10.2
ip route 192.168.5.0 255.255.255.0 10.10.10.2
!
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.3 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
!
!
no cdp run
!
!
!
!
!
control-plane
!
!
banner motd ^CThis is an official computer system and is the property of the ORGANIZATION. It is for authorized users only. Unauthorized users are prohibited. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or
^C
!
line con 0
line aux 0
line vty 0 4
password 7 09594C000B0C101B1105426063
login
line vty 5 15
password 7 09594C000B0C101B1105426063
login local
!
scheduler allocate 20000 1000
end
//switch 3560G conf
version 12.0
Switch-A> en
Switch-A#hostname Switch-A
Switch-A# conf t
Switch-A(config)#banner motd $This is an official computer system and is the property of the ORGANIZATION. It is for authorized users only. Unauthorized users are prohibited. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system may be subject to one or more of the following actions: interception, monitoring, recording, auditing, inspection and disclosing to security personnel and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to these actions. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By accessing this system you indicate your awareness of and consent to these terms and conditions of use. Discontinue access immediately if you do not agree to the conditions stated in this notice.
$
Switch-A(config)# ip routing
Switch-A(config)# enable secret $$$$$$$
Switch-A(config)#service password-encryption
Switch-A(config)#no service tcp-small-servers
Switch-A(config)#no service udp-small-servers
Switch-A(config)#no ip bootp server
Switch-A(config)#no ip finger
Switch-A(config)#no service finger
Switch-A(config)#no service config
Switch-A(config)#no boot host
Switch-A(config)#no boot network
Switch-A(config)#no boot system
Switch-A(config)#no service pad
Switch-A(config)#ip name-server 196.46.k.t
Switch-A(config)#ip name-server 196.46.d.t
Switch-A(config)#no ip domain-lookup
Switch-A(config)#no ip http server
Switch-A(config)#no snmp-server community
Switch-A(config)#no snmp-server enable traps
Switch-A(config)#no snmp-server system-shutdown
Switch-A(config)#no snmp-server
Switch-A(config)#no cdp run
Switch-A(vlan)# vlan 4
Switch-A(vlan)# vlan 6
Switch-A# conf t
Switch-A(config)#no cdp run
Switch-A(config)# interface vlan1
Switch-A(config-if)# description *** DEFAULT VLAN - Do NOT Use! ***
Switch-A(config-if)# no ip address
Switch-A(config-if)# shutdown
Switch-A(config)# interface vlan4
Switch-A(config-if)#description server's farm
Switch-A(config-if)# ip address 192.168.3.1 255.255.255.0
Switch-A(config-if)#ip access-group vlan4 in
Switch-A(config-if)# no shutdown
Switch-A(config)# interface vlan6
Switch-A(config-if)#description SECURITY
Switch-A(config-if)# ip address 192.168.5.1 255.255.255.0
Switch-A(config-if)#ip access-group vlan6 in
Switch-A(config-if)# no shutdown
Switch-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.1
Switch-A(config)# interface G0/1
Switch-A(config-if)#description connection to router
Switch-A(config-if)# no switchport
Switch-A(config-if)# ip address 10.10.10.2 255.255.255.252
Switch-A(config-if)# no shutdown
Switch-A(config-if)# exit
Switch-A(config)# interface range G0/6-8
Switch-A(config-if-range)#description security
Switch-A(config-if-range)# switchport mode access
Switch-A(config-if-range)# switchport access vlan 6
Switch-A(config-if-range)# no shutdown
Switch-A(config-if-range)# exit
Switch-A(config)# interface range G0/10-24
Switch-A(config-if-range)#description SERVER'S FARM
Switch-A(config-if-range)# switchport mode access
Switch-A(config-if-range)# switchport access vlan 4
Switch-A(config-if-range)# no shutdown
Switch-A(config-if-range)# exit
Switch-A#wr
thx
joe
06-01-2011 08:33 PM
Hi,
There is not really a method to say that the router is secure. First, we need to know which traffic is going to be allowed in/out, meaning whether you are going to have incoming traffic to this router or if it is just going to be for internet access, etc.
A basic firewall would be like this:
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp
access-list 170 deny ip any any
interface GigabitEthernet0/1
ip inspect fw out
ip access-group 170 in
That would deny any traffic going inside your network while having packet inspection at layer 4. If you want to be more granular, you can use the specific protocol you want to inspect at the application layer, such as SMTP; that way, you should add a protocol to the inspection rule already defined:
ip inspect name fw smtp
Hope this helps
Document for reference:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
Mike
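An added audit script (not from this thread or from Cisco) that checks a running config for the points raised above: the CBAC inspection plus inbound ACL on the Internet-facing interface from Mike's answer, and the vty line settings seen in Joe's router config. POSTED and HARDENED are constructed excerpts shaped like the posted config; ACL 170 and access-class 10 are assumed names.

```python
# Constructed excerpt shaped like the router config posted in the question: the Internet-facing
# interface has no ingress ACL and no inspection, and the vty lines rely on a type-7 password.
POSTED = """\
interface GigabitEthernet0/1
 ip nat outside
line vty 0 4
 password 7 09594C000B0C101B1105426063
 login
"""
# The same pieces after adding the CBAC rule from the answer plus basic vty hardening (constructed).
HARDENED = """\
interface GigabitEthernet0/1
 ip nat outside
 ip inspect fw out
 ip access-group 170 in
line vty 0 4
 login local
 transport input ssh
 access-class 10 in
"""

def parse_sections(config):
    """Split an IOS-style config into {top-level command: [indented sub-commands]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections

def audit(config):
    """Return 'section: finding' strings for the hardening points raised in the thread."""
    findings = []
    for header, body in parse_sections(config).items():
        checks = []
        if header.startswith("interface ") and "ip nat outside" in body:
            checks = [(not any(l.startswith("ip access-group ") and l.endswith(" in") for l in body),
                       "no inbound ACL on the Internet-facing interface"),
                      (not any(l.startswith("ip inspect ") and l.endswith(" out") for l in body),
                       "no outbound CBAC inspection (ip inspect <name> out)")]
        elif header.startswith("line vty"):
            checks = [(any(l.startswith("password 7 ") for l in body), "reversible type-7 line password"),
                      ("login" in body, "'login' uses the line password instead of 'login local'"),
                      (not any(l.startswith("transport input ") for l in body), "transport input not restricted to ssh"),
                      (not any(l.startswith("access-class ") for l in body), "no access-class on the management line")]
        findings += [f"{header}: {msg}" for hit, msg in checks if hit]
    return findings
```

Run `audit(POSTED)` to list the six gaps and `audit(HARDENED)` to confirm the corrected excerpt is clean.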
06-02-2011 01:34 AM
thanks very much Mike