Securing SSH access on 887VA routers


Hi All,

 

I have a handful of C887VA routers which are all connected to ADSL and VPN-tunnelled back to our ASA at HQ.

If ever the VPN tunnel fails, I need to be able to SSH to the router's public IP address as a backup way in, so I want to be able to SSH from my internal network (10.11.0.0/16) and my HQ public IP address but deny all other SSH traffic so it's nice and secure.

I have one router which will allow me to SSH from my internal network and my HQ public IP; however, this also lets SSH sessions from any other public IP address connect, which I don't want.

This is the config from that router. I also need it to allow all traffic going to Google and BT straight out to the internet instead of being sent back to the ASA at HQ.

 

Current configuration : 7997 bytes
!
! Last configuration change at 11:40:53 gmt Fri Jan 10 2020 by administrator
!
version 15.7
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rtr-test1
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
enable secret 5 $1$Tf3T$0YlkIobS6O5pqJ6jisTZl1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
crypto pki trustpoint TP-self-signed-10632463
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-10632463
 revocation-check none
 rsakeypair TP-self-signed-10632463
!
!
crypto pki certificate chain TP-self-signed-1063246338
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31303633 32343633 3338301E 170D3139 31323139 31303535
  31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30363332
  34363333 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AC42 21506E9D 3915B615 8564F971 72405090 BC57FC2F 26F7A962 42DBB115
  2963CA90 E44285BC 15B2C2A7 13F85348 A3388D72 42FF30BE 4A5EE9F5 C21BD6E0
  FA613792 812378EF 06254D40 B4E6E978 188703BD 296B48FE 0535BFAD E84E3EAD
  F79F1D2F FE7EE109 A1072427 8E32564F 4748E466 F42B8D9E 07209CBF FDFF5505
  91BD0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 143929A7 496DE5B6 6CD7A3CB 6FEE9657 F2278CC9 8F301D06
  03551D0E 04160414 3929A749 6DE5B66C D7A3CB6F EE9657F2 278CC98F 300D0609
  2A864886 F70D0101 05050003 81810076 71CB9686 7AFCB286 
        quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip domain name mydomain.local
ip name-server 10.11.210.3
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ2344C21G
!
!
object-group network BT-RANGES
 62.7.201.160 255.255.255.224
 62.7.201.128 255.255.255.224
 213.120.60.128 255.255.255.224
 213.120.60.192 255.255.255.224
 213.120.76.0 255.255.255.224
 213.120.76.32 255.255.255.224
 213.120.76.64 255.255.255.224
 147.152.35.96 255.255.255.248
 147.152.35.104 255.255.255.248
 213.120.60.160 255.255.255.224
 213.120.60.224 255.255.255.224
 host 193.113.10.33
 host 193.113.11.35
 host 193.113.10.34
 host 193.113.11.36
 host 193.113.10.10
 host 193.113.11.10
 host 193.113.10.27
 host 193.113.11.27
 host 193.113.10.11
 host 193.113.11.11
 host 193.113.10.7
 host 193.113.11.7
 host 193.113.10.8
 host 193.113.11.8
 host 193.113.10.12
 host 193.113.11.12
 host 193.113.10.13
 host 193.113.11.13
 host 193.113.10.32
 host 193.113.11.34
 !
object-group service BT-SERVICES
 tcp range 5060 5075
 udp range 5060 5075
 tcp eq 8933
 udp eq 8933
 udp range 32766 65535
 tcp eq 123
 udp eq ntp
 tcp eq 443
 tcp eq 5222
 tcp eq 1081
 tcp eq 5281
 tcp eq 5269
 tcp eq 8443
 tcp eq 2209
 !
object-group network GOOGLERANGES
 host 8.8.8.8
 64.18.0.0 255.255.240.0
 64.233.160.0 255.255.224.0
 173.194.0.0 255.255.0.0
 207.126.144.0 255.255.240.0
 209.85.128.0 255.255.128.0
 216.58.32.0 255.255.224.0
 216.58.192.0 255.255.224.0
 216.58.208.0 255.255.240.0
 66.102.0.0 255.255.240.0
 66.249.80.0 255.255.240.0
 72.14.192.0 255.255.192.0
 74.125.0.0 255.255.0.0
!
object-group service GOOGLESERVICES
 tcp eq www
 tcp eq 443
 tcp eq 5222
 tcp range 19305 19309
 udp range 19305 19309
 tcp range 5228 5230
 icmp
 udp eq 443
 tcp eq 993
 tcp eq 465
 tcp eq smtp
 udp eq 80
 !
object-group network MYDOMAIN-IPs
 host X.X.X.X
 host X.X.X.X
!
username administrator privilege 15 secret 5 $1$T7
redundancy
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key mykey address X.X.X.X
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 switchport access vlan 111
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 switchport access vlan 111
 no ip address
!
interface FastEthernet2
 switchport access vlan 111
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan111
 description branch VLAN
 ip address 10.11.111.254 255.255.255.0
 ip helper-address 10.11.202.1
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description Dialer interface for VDSL
 ip address negotiated
 ip access-group LOCKDOWN-IN in
 ip access-group LOCKDOWN-OUT out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname MYNAME@hg70.btclick.com
 ppp chap password 7 06361D71461D0A0D17
 ppp ipcp address accept
 no cdp enable
 crypto map VPN-TO-HQ
!
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list NATINSIDE interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended LOCKDOWN-IN
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit gre object-group MYDOMAIN-IPs any
 permit esp object-group MYDOMAIN-IPs any
 permit ahp object-group MYDOMAIN-IPs any
 permit ip object-group MYDOMAIN-IPs any
 permit object-group BT-SERVICES object-group BT-RANGES any
 permit ip object-group GOOGLERANGES any
ip access-list extended LOCKDOWN-OUT
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ahp any object-group MYDOMAIN-IPs
 permit esp any object-group MYDOMAIN-IPs
 permit gre any object-group MYDOMAIN-IPs
 permit ip any object-group MYDOMAIN-IPs
 permit object-group GOOGLESERVICES any object-group GOOGLERANGES
 permit object-group BT-SERVICES any object-group BT-RANGES
ip access-list extended NATINSIDE
 permit ip 10.11.111.0 0.0.0.255 object-group GOOGLERANGES
 permit ip 10.11.111.0 0.0.0.255 object-group BT-RANGES
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.111.0 0.0.0.255 any
!
ipv6 ioam timestamp
!
snmp-server community MYRO-ro RO
snmp-server location MYBRANCH
snmp-server contact MYCOMPANY
snmp-server chassis-id rtr-Test1
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
 vstack
privilege exec level 2 show startup-config
privilege exec level 2 show
!
line con 0
 exec-timeout 1440 0
 privilege level 15
 no modem enable
line aux 0
line vty 0 4
 transport input all
!
no scheduler allocate
!
!
!
!
!
!
end

So the other router I have has no NATINSIDE rules on the VLAN and no LOCKDOWN ACLs on the Dialer, but it allows access to SSH from my internal network, my HQ public IP and all other public IPs.

 

Current configuration : 3700 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rtr-test2
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 0 0
clock summer-time gmt recurring
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
!
!
ip cef
ip domain name MYDOMAIN.local
ip name-server 10.11.1.217
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ153290P4
!
!
object-group network MYDOMAIN-IPs
 host X.X.X.X
 host X.X.X.X
 !
username administrator privilege 15 secret 5 $1$h4yC$.cGbr4Rn68MRPD
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key mykey address X.X.X.X
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet0.101
 encapsulation dot1Q 101
 shutdown
 pppoe-client dial-pool-number 1
!
interface ATM0
 description BT Infinity
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 switchport access vlan 103
!
interface FastEthernet1
 switchport access vlan 103
!
interface FastEthernet2
 switchport access vlan 103
!
interface FastEthernet3
 description Site printer
 switchport access vlan 103
 duplex full
 speed 100
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan103
 description Site data network
 ip address 10.11.103.254 255.255.255.0
 ip helper-address 10.11.202.1
 no ip proxy-arp
!
interface Dialer1
 description Dialer interface for VDSL
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 encapsulation ppp
 ip tcp adjust-mss 1300
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname MYNAME@hg70.btclick.com
 ppp chap password 7 06310A2D4F41041C5
 ppp pap sent-username MYNAME@hg70.btclick.com password 7 06310A2D4F41041C5
 ppp ipcp address accept
 no cdp enable
 crypto map VPN-TO-HQ
!
ip default-gateway 10.11.103.254
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended LOCKDOWN-IN
 permit udp any any eq bootps
 permit gre object-group MYDOMAIN-IPs any
 permit esp object-group MYDOMAIN-IPs any
 permit ahp object-group MYDOMAIN-IPs any
 permit udp any any eq bootpc
 permit ip object-group MYDOMAIN-IPs any
ip access-list extended LOCKDOWN-OUT
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit udp any object-group MYDOMAIN-IPs
 permit ahp any object-group MYDOMAIN-IPs
 permit esp any object-group MYDOMAIN-IPs
 permit gre any object-group MYDOMAIN-IPs
 permit ip any object-group MYDOMAIN-IPs
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.103.0 0.0.0.255 any
!
logging esm config
!
!
!
!
snmp-server community MYRO-ro RO
snmp-server location MYSITE
snmp-server contact MYCOMPANY
snmp-server chassis-id ms-test2
!
!
control-plane
!
!
line con 0
 privilege level 15
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 1440 0
 privilege level 15
 transport input ssh
!
end

So one clearly works but is totally open for the public to connect to, and the other one is too locked down.

Can anyone make any suggestions?

 

Thanks in advance!

 

 

1 Comment

Re: not allowing the whole world to SSH

Well, the first one, the one you have set up to receive SSH, is set for local username administrator with a very short password. If you're going to be having access via the Internet, that needs to change: "administrator" is one of the first a bad actor will try, and a short password is breakable.

Is there anything set up to do central user authentication such as RADIUS or TACACS+? Because then you can set it up to allow SSH authentication via that method; then bad actors need to know both the username and a password, and it's easier to remember to change that password regularly than trying to remember "which device uses the new password and which device uses the old password?"

If you know you'll be attempting to connect from a specific IP or possible range of IPs, you can also set an ACL to permit connection from them and block others. (If you do that, don't forget to apply that to the external interface so you don't block internal traffic.) However, if you're potentially connecting from your home, most home addresses are assigned by DHCP by your ISP and subject to change.

 

 

Re: allow all traffic going to Google and BT to Internet not VPN via ASA

You probably want split tunnelling instead of router on a stick.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html  
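A concrete way to get what the question asks for, as an added example from the editor rather than from either poster: on IOS the place to restrict who may open an SSH session is an access-class on the vty lines, not (or not only) an interface ACL, because the access-class is checked for every inbound management session regardless of which interface or tunnel the packet arrived on. It assumes the HQ public address is the same X.X.X.X already listed in MYDOMAIN-IPs, that the internal range is 10.11.0.0/16 as stated in the question, and that the router runs a 15.x release that accepts the ip ssh server algorithm and login block-for commands (rtr-test1 already uses the former; rtr-test2 on 15.1 may not). The names SSH-MGMT and SSH-KEY are the editor's choice.

```ios
! Added example (editor's), not from either poster. Assumptions: HQ public
! address is the X.X.X.X in MYDOMAIN-IPs, internal range is 10.11.0.0/16,
! and the names SSH-MGMT / SSH-KEY are free to use.
!
! 1. Source filter for management sessions. A standard ACL is enough here
!    because access-class only ever looks at the source address.
ip access-list standard SSH-MGMT
 remark Internal network: only reachable via the LAN or the IPsec tunnel
 permit 10.11.0.0 0.0.255.255
 remark HQ public address: break-glass path when the tunnel is down
 permit host X.X.X.X
 remark Everything else, logged so hits show up in 'show logging'
 deny   any log
!
! 2. SSH service itself: dedicated 2048-bit key (optional if a usable key
!    already exists), version 2 only, short handshake window, few retries.
ip domain name mydomain.local
crypto key generate rsa general-keys label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh time-out 30
ip ssh authentication-retries 3
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
!
! 3. Bind the filter to the vty lines and allow SSH only (no telnet).
!    Apply the same to any extra vty range 'show line' lists on the box.
line vty 0 4
 access-class SSH-MGMT in
 transport input ssh
 exec-timeout 10 0
 logging synchronous
!
! 4. Brute-force dampening: after 3 failures within 60 s the router
!    refuses logins for 120 s, except from the sources in SSH-MGMT so the
!    admin cannot be locked out by someone else's attempts.
login block-for 120 attempts 3 within 60
login quiet-mode access-class SSH-MGMT
login on-failure log
login on-success log
!
! 5. Verify
! show ip ssh
! show access-lists SSH-MGMT
! show line vty 0 4
```

With this in place the LOCKDOWN-IN on rtr-test1 needs no change: its permit ip object-group MYDOMAIN-IPs any already lets the HQ address reach port 22 on Dialer1 when the tunnel is down, and 10.11.0.0/16 can only ever arrive via the LAN or the tunnel because it is not routable from the internet. On rtr-test2, which has no ACL on Dialer1 at all, the access-class alone is what closes the hole. Two other things visible in the pasted configs are worth fixing at the same time: rtr-test1's vty still has transport input all, which leaves telnet open, and the password 7 strings (the PPP CHAP/PAP credentials) use the reversible type 7 encoding and should be rotated now that they have been posted. The secret 5 strings, by contrast, are fixed-length MD5 hashes that are merely truncated in the paste, so nothing about password length can be read from them; the SNMP community on both routers is likewise posted and has no ACL on it.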

 
