09-13-2005 12:44 PM - edited 03-09-2019 12:25 PM
I finally got a 1720 routing packets between my lan and internet. Now I need to prevent any access to the cisco router. Any ideas on where to start?
My setup:
internet
|
isp
|
cisco 204.246.200.XX1
|
Linux Firewall/NAT 208.49.53.XX1
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-Y-M), Version 12.3(1a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 06-Jun-03 20:01 by dchih
Router#show running-config
Building configuration...
Current configuration : 946 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
!
memory-size iomem 25
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 1000
!
!
no ip domain lookup
!
!
!
!
!
interface FastEthernet0
ip address 204.246.200.XX1 255.255.255.252
no ip proxy-arp
speed auto
!
interface Serial0
ip unnumbered FastEthernet0
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 204.246.200.XXX
ip route 208.49.53.XX1 255.255.255.240 FastEthernet0
ip route 208.51.56.XX1 255.255.255.248 FastEthernet0
no ip http server
!
no cdp run
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
!
end
09-13-2005 06:41 PM
Start with these:
http://www.cisco.com/warp/public/707/21.html
http://www.cisco.com/warp/public/707/newsflash.html
In addition, if you don't want anyone to be able to access the router from outside then your input ACL on the Serial interface should look something like the following:
access-list 100 deny icmp any any redirect
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny tcp any host 204.246.200.XX1 eq telnet
access-list 100 deny tcp any host 204.246.200.XX1 eq ssh
access-list 100 permit ip any any
This incorporates the ACLs from the above two URLs, plus denies any telnet/SSH attempt at your router specifically.
09-14-2005 07:19 AM
After looking at the links you provided, would this work better to block anybody trying to connect to the cisco router?
interface Serial 0
ip access-group 100 in
access-list 100 deny ip any host 204.246.200.XX1
09-15-2005 08:31 AM
Bernard
I would be very cautious with that access list. Every access list ends with an implicit deny any any. So if you do not have some statements that permit some traffic you will find that nothing goes through the router interface. Also be aware that if you attempt to protect access to the router with access lists on interfaces, it can get pretty complex. To the extent that the router has multiple interfaces, you will need to specify each of these interfaces in the access list. Also, if you deny ip any with your router interfaces as destination, you will also prevent any ping from working, or any traceroute from the router, or lots of other things that you may need.
I believe that you should start by carefully evaluating what your requirements really are. If you want to prevent any remote access, the simple solution is to configure this:
line vty 0 4
no exec
This will prevent ANY remote access to the router.
But that may be more severe than you really want. If you want some remote access from inside addresses and not from outside I suggest that your primary approach should be to configure access-class on the vty ports. access-class uses standard access lists to define who can access the router remotely. It is a much better approach than attempting to create access lists on interfaces. It would look somewhat like this:
line vty 0 4
access-class 10 in
access-list 10 permit
HTH
Rick
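To make the implicit deny any any that Rick describes concrete, here is a small evaluator for IOS access-list matching (first match wins, unmatched traffic is dropped) run against the ACLs from this thread: the one-line interface ACL from the follow-up, a shortened form of the first reply's ACL, and a standard ACL of the kind access-class uses on the vty lines. This is an added example, not code from the thread or from Cisco; 192.0.2.1 and 192.0.2.16/28 are constructed stand-ins for the redacted router and inside addresses.

```python
"""Tiny evaluator for Cisco IOS access-list semantics (first match wins, unmatched
traffic hits the implicit 'deny any any'). Added example, not Cisco code. Supports
any | host A | A WILDCARD, protocols ip/tcp/icmp, 'eq telnet|ssh', ICMP type keywords."""
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22}
ANY = ipaddress.ip_network("0.0.0.0/0")

def _parse_addr(tokens):
    # Consume one IOS address spec and return (network, remaining tokens).
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard: 1 bits are "don't care", so the netmask is its bitwise inverse
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines, standard or extended."""
    rules = []
    for line in lines:
        t = line.split()
        action, rest = t[2], t[3:]
        if rest[0] in ("ip", "tcp", "icmp"):   # extended: protocol, source, destination
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            dst, rest = _parse_addr(rest)
        else:                                  # standard: source address only
            proto, dst = "ip", ANY
            src, rest = _parse_addr(rest)
        extra = PORT_NAMES.get(rest[-1], rest[-1]) if rest else None  # port or ICMP type
        rules.append((action, proto, src, dst, extra))
    return rules

def evaluate(rules, proto, src, dst, extra=None):
    """Return 'permit' or 'deny' for one packet; extra = TCP dst port or ICMP type."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_extra in rules:
        if r_proto in ("ip", proto) and s in r_src and d in r_dst and r_extra in (None, extra):
            return action
    return "deny"  # the implicit deny any any at the end of every IOS ACL

ROUTER_WAN, INSIDE_LAN = "192.0.2.1", "192.0.2.16 0.0.0.15"  # constructed stand-ins for redacted addresses
PROPOSED_ACL = parse_acl([f"access-list 100 deny ip any host {ROUTER_WAN}"])  # follow-up post's one-liner
REPLY_ACL = parse_acl([  # first reply's ACL, shortened: anti-spoof, deny telnet to router, permit the rest
    "access-list 100 deny icmp any any redirect",
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    f"access-list 100 deny tcp any host {ROUTER_WAN} eq telnet",
    "access-list 100 permit ip any any",
])
VTY_ACL = parse_acl([f"access-list 10 permit {INSIDE_LAN}"])  # for 'access-class 10 in' on the vty lines
```

Running a transit packet through PROPOSED_ACL returns deny even though the router itself was not the destination, which is exactly the outage Rick warns about; the same packet is permitted by REPLY_ACL, and VTY_ACL admits only the inside LAN.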