Need help making a 1720 more secure??

emance
Level 1

Hi,

I am doing some work for a client that has a 1720. IOS 12.1

I just noticed that I can telnet in from home. How can I make this more secure? How can I tell if this unit has the VPN package? How do I view the firewall settings?

Thanks for your help,

Eric

5 Replies

bfl1
Level 1

Eric... here are 2 good links to router security. The one on the NSA's home page also has other security features. The router files are about 1/2 way down the page.

http://psyber.letifer.org/downloads/priv/cis-2.pdf

http://www.nsa.gov/snac/index.html

ghent
Level 1

Hi,

To control who can telnet into the box, you need to create an ACL which defines which source IP can telnet into the box and then you need to associate the ACL with the vtys.

!
! ACL to control telnet access
! Only permit telnet access from the 192.168.2.0/24 network
!
access-list 23 permit 192.168.2.0 0.0.0.255
!
line vty 0 4
 ! ACL associated with the vtys
 access-class 23 in

And now only those specified by ACL 23 can telnet into the box. Instead of the Network/Wildcard you can use 'access-list 23 permit host 192.168.2.20' to allow a single host.

VPN?

The 'show version' command should yield a line that's something like:

"IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.3(1), RELEASE SOFTWARE (fc3)"

The C1700-K9O3SY7-M tells you which features are included in the software. If you see the letters 'k2' the software has VPN with 3DES encryption and if you see '56i' it has VPN with 56bit DES encryption.

If your software contains the IOS firewall feature (CBAC) you can view its configuration using the following command:

sh ip inspect [ all | config | interfaces | name | sessions [detail]]

Regards,

Sigurbjartur
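A small audit helper in Python, added here as an example and not part of the thread or of Cisco's own tooling, that applies the two checks from the reply above: it pulls the image name out of 'show version' output and decodes the VPN letters ('k2', '56i') by the rules given, and it scans a running-config for vty lines that lack an inbound access-class. The 'show version' text and config snippets are constructed samples, and the image names other than C1700-O3Y-M are constructed too.

```python
import re

# Constructed sample, shaped like the 'show version' output in the thread.
SHOW_VERSION = """Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-O3Y-M), Version 12.1(5)T10, RELEASE SOFTWARE (fc2)
"""

# Constructed running-config snippets: vtys open to any source, and vtys restricted by ACL 23.
CONFIG_OPEN = """line vty 0 4
 login
 exec-timeout 10 0
"""
CONFIG_RESTRICTED = """access-list 23 permit 192.168.2.0 0.0.0.255
line vty 0 4
 access-class 23 in
 login
"""

IMAGE_RE = re.compile(r"IOS \(tm\) \S+ Software \((?P<image>[^)]+)\), Version (?P<version>\S+),")

def parse_show_version(text):
    """Return (image name, version) from 'show version' output."""
    m = IMAGE_RE.search(text)
    if not m:
        raise ValueError("no IOS image line found")
    return m.group("image"), m.group("version")

def vpn_feature(image):
    """Decode the crypto part of the image name using the thread's rules:
    'k2' -> VPN with 3DES, '56i' -> VPN with 56-bit DES, otherwise none."""
    feature = image.split("-")[1].lower()   # e.g. 'o3y' from 'C1700-O3Y-M'
    if "k2" in feature:
        return "3DES"
    if "56i" in feature:
        return "DES56"
    return None

def vty_access_classes(config):
    """Return the ACL numbers applied inbound on vty lines; an empty list
    means any host that can reach the router may attempt a telnet login."""
    acls, in_vty = [], False
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level command starts a new stanza
            in_vty = line.startswith("line vty")
            continue
        m = re.match(r"\s*access-class (\S+) in", line)
        if in_vty and m:
            acls.append(m.group(1))
    return acls

def acl_defined(config, acl):
    """True if at least one access-list entry with that number exists."""
    return re.search(rf"^access-list {re.escape(acl)} ", config, re.M) is not None
```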

Here is my version info:

Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-O3Y-M), Version 12.1(5)T10, RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Wed 08-Aug-01 02:34 by ccai
Image text-base: 0x800080E0, data-base: 0x806F02F4

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)

Duct&Vent uptime is 41 weeks, 2 days, 15 hours, 31 minutes
System returned to ROM by power-on
System image file is "flash:c1700-o3y-mz.121-5.T10.bin"

cisco 1720 (MPC860) processor (revision 0x601) with 24576K/8192K bytes of memory.
Processor board ID JAD053308VL (1149039308), with hardware revision 0000
M860 processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.

Thanks for your help

Eric

Hi,

Your image is C1700-O3Y-M. This means you have the IP/FW feature set. This feature set does include the IOS firewall but not VPN.

Regards,

Sigurbjartur

Thank you for your reply.

This helps me a lot,

Eric