10-12-2006 12:56 PM - edited 03-09-2019 04:30 PM
Hello All,
Besides putting up a NAT and creating Access-Lists, are there other ways to improve security using the 871 router? What are some other options I have? What does the inspect command do? Thanks.
10-18-2006 04:39 PM
This command enables the stateful packet inspection in the Cisco IOS. This command has to be enabled in the policy map configuration mode.
10-23-2006 08:05 AM
And what do you mean by stateful? And how does one get into policy map config mode?
10-24-2006 06:02 PM
There are tons of things you can do to secure a Cisco router. You can protect it from DDOS attacks with management plane and control plane protection. You can use the ip Inspect command (also known as CBAC - content based access control) to create dynamic firewall entries (i.e. by default, you allow everything outbound, but -nothing- inbound except traffic that is returning to sessions that were initiated by internal devices.) You can enable Intrusion Detection / Prevention (IPS) and enable high-risk signatures.
Your best bet is to use the SDM (security and device manager) to start, even if you're a CLI guy, because the SDM GUI helps you get familiar with the different functional areas.
Next, I'd get a copy of Richard Deal's CiscoPress book "Router Firewall Security". I've been doing router security for a while now and I still refer to it.
If you want, post a copy of your config (w/ passwords edited out) and I'd be happy to suggest some improvements.
10-25-2006 07:11 AM
Current configuration : 3146 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Jtizzle
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username privilege 15 secret 5
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 24.x.x.114
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
ip address 24.235.x.x.255.255.248
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.235.110.161
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat pool mtm1 24.235.110.163 24.235.110.165 netmask 255.255.255.248
ip nat inside source list 10 pool mtm1 overload
ip nat inside source static tcp 10.10.10.2 21 24.235.110.162 21 extendable
ip nat inside source static tcp 10.10.10.2 80 24.235.110.162 80 extendable
ip nat inside source static tcp 10.10.10.2 110 24.235.110.162 110 extendable
ip nat inside source static tcp 10.10.10.2 3389 24.235.110.162 3389 extendable
ip nat inside source static tcp 10.10.10.2 52134 24.235.110.162 52134 extendable
!
access-list 10 permit 10.10.10.0 0.0.0.7
access-list 101 permit tcp any host 24.235.110.162 eq telnet
access-list 101 permit tcp any host 24.235.110.162 eq 3389
access-list 101 permit tcp any host 24.235.110.162 eq www
access-list 101 permit tcp any host 24.235.110.162 eq ftp
access-list 101 permit tcp any host 24.235.110.162 eq 52134
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username
no username cisco
Replace
.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
password xxx
login
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end
As you might be aware I am just getting the feel for the CLI and would prefer using that just because of the issues I have had with SDM in the past. There is also another crucial command that I am missing or need to omit to get users internally to access the Internet. If you could provide me with that as well it would be greatly appreciated. I'll check out that book you mentioned. Thanks.
10-26-2006 09:55 AM
Here's what you need to do to get running. Send me an email at clausonna@gmail.com RIGHT AWAY because you have another issue that needs attention.
!-- create the CBAC rules. You can call 'cbac-fw' anything you want
ip inspect cbac-fw icmp
ip inspect cbac-fw ftp
ip inspect cbac-fw http
ip inspect cbac-fw dns
ip inspect cbac-fw tcp
ip inspect cbac-fw udp
int f4
!-- apply the ip inspect rules. This is what's causing you problems right now.
ip inspect cbac-fw out
exit
! create a dhcp pool for the users, assuming you don't have one already
ip dhcp pool dchp-pool
network 10.10.10.0 255.255.255.248
dns-server
default-router 10.10.10.1
domain-name yourdomain.com
exit
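To make concrete what the CBAC explanation above and the `ip inspect cbac-fw out` fix do together, here is an added toy model (Python, written for this thread; it is not IOS code and not from any poster). It models the posted setup: access-list 101 applied inbound on FastEthernet4 with its implicit deny, and an inspect rule applied outbound on the same interface that records each inside-initiated session so the matching return packet is admitted even though no static ACL line permits it. The translated source address 24.235.110.163 is taken from the posted NAT pool; the outside hosts 203.0.113.10 and 198.51.100.7 are constructed documentation addresses.

```python
"""Toy model of CBAC-style stateful inspection on the outside interface.

Constructed example for the thread above; not IOS code. It shows why the
posted config broke user Internet access (return traffic hit the implicit
deny of access-list 101) and what `ip inspect cbac-fw out` changes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Static inbound permits mirroring access-list 101 in the posted config:
# telnet, 3389, www, ftp and 52134 to the public address 24.235.110.162.
PUBLIC_HOST = "24.235.110.162"
ACL_101 = {
    ("tcp", PUBLIC_HOST, 23),
    ("tcp", PUBLIC_HOST, 3389),
    ("tcp", PUBLIC_HOST, 80),
    ("tcp", PUBLIC_HOST, 21),
    ("tcp", PUBLIC_HOST, 52134),
}

# The posted `ip inspect cbac-fw ...` lines; in this toy the application
# protocols (ftp, http, dns) simply ride on their tcp/udp transport.
INSPECTED_PROTOCOLS = {"tcp", "udp"}

# Outside-interface address the inside users are translated to (from the
# posted `ip nat pool mtm1` range); inspection sees post-NAT addresses.
NAT_POOL_ADDR = "24.235.110.163"


class OutsideInterface:
    """FastEthernet4: ACL 101 inbound, optional inspect rule outbound."""

    def __init__(self, inspect_enabled: bool):
        self.inspect_enabled = inspect_enabled
        # Dynamic entries keyed by the 5-tuple of the expected return packet.
        self.sessions: set[tuple] = set()

    def outbound(self, pkt: Packet) -> bool:
        # Nothing filters outbound; with inspection on, remember the session.
        if self.inspect_enabled and pkt.proto in INSPECTED_PROTOCOLS:
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # CBAC's temporary openings are consulted before the static ACL.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return True
        # Otherwise only the static ACL 101 lines apply; implicit deny.
        return (pkt.proto, pkt.dst, pkt.dport) in ACL_101


def scenario(inspect_enabled: bool) -> dict[str, bool]:
    """Run three inbound packets against the interface and report verdicts."""
    fe4 = OutsideInterface(inspect_enabled)

    # An inside user (already translated) opens a web and a DNS session.
    fe4.outbound(Packet("tcp", NAT_POOL_ADDR, 40000, "203.0.113.10", 80))
    fe4.outbound(Packet("udp", NAT_POOL_ADDR, 50000, "24.x.x.114", 53))

    web_reply = Packet("tcp", "203.0.113.10", 80, NAT_POOL_ADDR, 40000)
    dns_reply = Packet("udp", "24.x.x.114", 53, NAT_POOL_ADDR, 50000)
    # Unsolicited inbound to the pool address: no session, no ACL line.
    unsolicited = Packet("tcp", "198.51.100.7", 5555, NAT_POOL_ADDR, 445)
    # Inbound to a port the posted ACL 101 statically permits.
    static_rdp = Packet("tcp", "198.51.100.7", 5555, PUBLIC_HOST, 3389)

    return {
        "web_return": fe4.inbound(web_reply),
        "dns_return": fe4.inbound(dns_reply),
        "unsolicited": fe4.inbound(unsolicited),
        "static_rdp": fe4.inbound(static_rdp),
    }


if __name__ == "__main__":
    print("without inspect:", scenario(False))
    print("with inspect:   ", scenario(True))
```

Without the inspect rule, both return packets are dropped by ACL 101's implicit deny, which is the symptom described in the thread; with it, the return packets are admitted while unsolicited traffic to the pool address is still dropped. The static ACL lines behave identically in both cases, so anything they permit (here 3389 to 24.235.110.162) stays reachable from anywhere regardless of inspection.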
10-24-2006 06:35 PM
Below is a link on Improving Security on Cisco Routers
http://www.cisco.com/warp/customer/707/21.html
Let me know if it helps.
Regards,
Arul