11-29-2015 01:34 AM - edited 03-05-2019 02:49 AM
Hi,
I've finished configuring our new 1941 and it's running smoothly so far. This is a production router and I want to ensure the configuration is as complete and secure as possible.
I am planning to block ICMP on the WAN interface and require a few PAT / port forwards for internal services, and I'm wondering if I should use ZBF and any other configuration changes to secure the configuration as much as possible.
Here is my config:
-----------------------------------------------------------------------
!
! Last configuration change at 09:40:57 EDT Sun Nov 29 2015 by cisco
! NVRAM config last updated at 09:40:59 EDT Sun Nov 29 2015 by cisco
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname bw-rt001
!
boot-start-marker
boot system flash0:c1900-universalk9-mz.SPA.155-3.M.bin
boot-end-marker
!
!
logging buffered 51200 warnings
logging console emergencies
!
no aaa new-model
ethernet lmi ce
clock timezone UTC 10 0
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name corp.network.local
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script gsm "" "ATDT*99#" TIMEOUT 60 "CONNECT"
!
crypto pki trustpoint TP-self-signed-2958374922
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2958374922
revocation-check none
rsakeypair TP-self-signed-2958374922
!
!
crypto pki certificate chain TP-self-signed-2958374922
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO1941/K9 sn FGL153820ZM
!
!
username cisco privilege 15 secret 5 XXXX
!
redundancy
!
!
!
!
!
controller Cellular 0/0
!
track 1 ip sla 1 reachability
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Primary WAN Interface
ip address XXX.XXX.XXX.100 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Primary LAN Interface
ip address XXX.XXX.XXX.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Cellular0/0/0
description Failover WAN Interface
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string gsm
dialer-group 1
async mode interactive
ppp authentication pap callin
ppp eap refuse
ppp chap refuse
ppp ms-chap refuse
ppp ms-chap-v2 refuse
ppp ipcp dns request
!
interface Cellular0/0/1
no ip address
encapsulation ppp
!
ip forward-protocol nd
!
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp XXX.XXX.XXX.12 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp XXX.XXX.XXX.45 3389 interface GigabitEthernet0/0 8090
ip nat inside source route-map 3G interface Cellular0/0/0 overload
ip nat inside source route-map SHDSL interface GigabitEthernet0/0 overload
ip route XXX.XXX.XXX.100 255.255.255.252 GigabitEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.101 10
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 20
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
threshold 1000
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
!
ip sla 2
icmp-echo 8.8.8.8 source-interface Cellular0/0/0
threshold 2000
timeout 2000
frequency 3
ip sla schedule 2 life forever start-time now
!
route-map SHDSL permit 1
match ip address 10
match interface GigabitEthernet0/0
!
route-map 3G permit 1
match ip address 10
match interface Cellular0/0/0
!
!
access-list 10 permit XXX.XXX.XXX.0 0.0.0.255
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
script dialer gsm
no exec
rxspeed 7200000
txspeed 5760000
line 0/0/1
no exec
rxspeed 7200000
txspeed 5760000
line vty 0 4
access-class 10 in
exec-timeout 1440 0
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp logging
ntp update-calendar
ntp server 0.au.pool.ntp.org
!
end
-----------------------------------------------------------------------
Any help or advice is much appreciated :)
Thanks .. A
11-29-2015 08:14 PM
Hello,
Please check the link below for cisco IOS hardening
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
*********************
Simple tutorial for ZBF
http://packetlife.net/blog/2012/jan/30/ios-zone-based-firewall/
*********************
Take a look at reflexive access-lists also. They are much easier than ZBF if you do not have a very special need to secure your network.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html
Hope it helps,
Masoud
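The ZBF tutorial linked above, applied to the configuration in the question. This is an added example written for this page; it is not part of the original thread or of Masoud's answer. It assumes the masked addresses from the post (the XXX.XXX.XXX.0/24 LAN from access-list 10, the .12 HTTPS host and the .45 RDP host behind the two static NAT entries) and that the router's IOS release accepts the inspect action on self-zone pairs, which should be verified on the platform before relying on the self-zone part. The zone, class-map, policy-map and ACL names are arbitrary.

```ios
! Added example: zone-based firewall for the posted 1941 config.
! Both WAN links go in one zone, so failover to Cellular0/0/0 needs no policy change.
zone security LAN
zone security WAN
!
! --- LAN -> WAN: stateful inspection, return traffic is allowed automatically
class-map type inspect match-any CM-LAN-TO-WAN
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-LAN-TO-WAN
 class type inspect CM-LAN-TO-WAN
  inspect
 class class-default
  drop log
!
! --- WAN -> LAN: only the two published services from the static NAT entries.
! Inbound NAT is undone before the firewall classifies the packet, so the ACL
! matches the inside host addresses and the real port (3389), not the public
! interface address or the published port 8090.
ip access-list extended ACL-WAN-TO-LAN
 permit tcp any host XXX.XXX.XXX.12 eq 443
 permit tcp any host XXX.XXX.XXX.45 eq 3389
class-map type inspect match-all CM-WAN-TO-LAN
 match access-group name ACL-WAN-TO-LAN
 match protocol tcp
policy-map type inspect PM-WAN-TO-LAN
 class type inspect CM-WAN-TO-LAN
  inspect
 class class-default
  drop log
!
! --- self -> WAN: the router's own NTP, DNS and IP SLA ICMP probes are
! inspected, so their replies are admitted through the session table.
! (Assumes self-zone inspect is supported on this release.)
class-map type inspect match-any CM-SELF-TO-WAN
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-SELF-TO-WAN
 class type inspect CM-SELF-TO-WAN
  inspect
 class class-default
  pass
!
! --- WAN -> self: nothing unsolicited is accepted, which blocks ICMP echo to
! the WAN addresses as well as SSH/HTTPS attempts from the Internet.
! Management from the LAN is unaffected: no LAN<->self pair is defined, and
! traffic to or from the self zone is allowed by default when no pair exists.
policy-map type inspect PM-WAN-TO-SELF
 class class-default
  drop log
!
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect PM-LAN-TO-WAN
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect PM-WAN-TO-LAN
zone-pair security SELF-WAN source self destination WAN
 service-policy type inspect PM-SELF-TO-WAN
zone-pair security WAN-SELF source WAN destination self
 service-policy type inspect PM-WAN-TO-SELF
!
! Assign interfaces last: an interface becomes a zone member as soon as this
! is entered, and traffic between a zone member and a non-member is dropped.
interface GigabitEthernet0/1
 zone-member security LAN
interface GigabitEthernet0/0
 zone-member security WAN
interface Cellular0/0/0
 zone-member security WAN
```

Enter this from the console rather than over a session that crosses the WAN, then confirm the pairs with `show zone-pair security` and watch sessions build with `show policy-map type inspect zone-pair sessions`; the `drop log` actions make rejected traffic visible in the buffered log. Note that Masoud's reflexive-ACL suggestion is the stateless-ACL alternative to the LAN/WAN pairs above, not something combined with them.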
11-29-2015 09:29 PM
Thanks Masoud,
I'll have a good read. Appreciated.
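The IOS hardening guide linked in the accepted answer, applied to the management plane of the posted config. This is an added example for this page, not text from the thread or from the guide itself. It only touches settings visible in the question (telnet enabled on the vty lines, the plaintext HTTP listener next to the HTTPS one, `no aaa new-model`, `no service password-encryption`, the 24-hour vty exec-timeout, and the two untrusted WAN interfaces); the specific values chosen for timeouts, retry counts and `login block-for` are assumptions to tune locally.

```ios
! Added example: management-plane hardening for the posted config.
! Apply from the console and keep that session open until SSH is confirmed.
!
! Local AAA with the same local user as today; this replaces the per-line
! "login local" and is what the guide's login controls build on.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Obscures any future type 7 strings. The existing "username ... secret 5"
! hash is already one-way and is not changed by this command.
service password-encryption
!
! SSHv2 only, with a 2048-bit key; telnet is removed from the vty lines and
! the 24-hour idle timeout is shortened. access-class 10 keeps vty access
! limited to the LAN subnet as before.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 transport input ssh
!
! Brute-force damping and login auditing (values are assumptions).
login block-for 120 attempts 5 within 60
login on-failure log
login on-success log
!
! Keep HTTPS management (already restricted by "ip http access-class 10"),
! drop the plaintext HTTP listener.
no ip http server
ip http secure-server
!
! Untrusted-interface settings on both WAN links. "no ip unreachables" also
! suppresses fragmentation-needed messages; leave it out if PMTUD on the
! WAN side matters more than hiding the interface.
interface GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
interface Cellular0/0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Global services the guide recommends disabling when unused.
no ip source-route
no ip bootp server
!
! Console gets the same idle timeout; the privilege-15 local user still
! lands in enable mode through the AAA exec authorization above.
line con 0
 exec-timeout 10 0
 logging synchronous
```

Verify with `show ip ssh` (version 2.0 should be reported), `show login` (shows the block-for state), and by opening a fresh SSH session from the LAN before closing the console. A telnet attempt to the router should now be refused rather than prompting for a login.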
11-30-2015 03:29 AM
I have a config wizard for a Cisco 897 that does most of what you want. Take a look and copy the bits of the config that do what you need.