08-09-2021 02:45 AM - edited 09-04-2021 01:47 PM
I'm trying to hide my router from the internet by having all unwanted requests produce a timeout for the intruder.
I have added access lists to block incoming connection requests.
e.g: "deny tcp any any eq telnet log"
I have also added "transport input none" to all my vty lines.
This is working.
My problem is that when someone tries to connect from outside (the internet), the router denies the request, with the result that they see a "Connection refused" message at their end.
What I want is for nothing to be sent; just a timeout should result for any of these requests. Is that possible?
Manuel.
08-09-2021 03:04 AM - edited 08-09-2021 03:06 AM
I would suggest moving from Telnet to SSH; Telnet is not secure.
I would also ask: why not use a source interface, so that other interfaces are not part of it? (Is this workable?) Or do you still need outside access?
(config)#ip ssh source-interface ?
Async Async interface
Auto-Template Auto-Template interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
GMPLS MPLS interface
GigabitEthernet GigabitEthernet IEEE 802.3z
LISP Locator/ID Separation Protocol Virtual Interface
Lex Lex interface
LongReachEthernet Long-Reach Ethernet interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Serial Serial
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Dot11Radio Virtual dot11 interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
vmi Virtual Multipoint Interface
08-09-2021 03:34 AM
Hi.
Yes this a home office.
I don't need to access the router from outside or inside with telnet or SSH.
I would like to hide the router.
When I try to telnet into this router I get a "connection refused". Just to be clear, I don't need telnet or SSH access into this router from anywhere; I'm just trying to explain the result of the telnet attempt.
My ISP-supplied router resulted in a timeout when trying to Telnet or SSH into that router,
and I want my Cisco router to do the same.
08-09-2021 03:53 AM
I don't need to access the router from outside or inside with telnet or SSH.
If you remove SSH, how will you manage the device? Console?
Post your "show run" so we can look at what you've got.
08-09-2021 04:05 AM
Hello,
which router model do you have ? I don't think the 'Connection Refused' response is generated on the router, but rather on the client.
There is a global command 'ip telnet quiet', you might want to check if that is available in your IOS version, and what that results in...
08-09-2021 05:36 AM - edited 08-09-2021 05:37 AM
I think the client saying 'connection refused' is generated by an ICMP unreachable from the target device. I think the command that would do what the OP is describing is the interface level command here.
no ip unreachables
Connection refused is the result of an explicit response from the target device. If it just fails, that would generate a 'connection timeout' type response.
08-10-2021 03:50 AM - edited 08-10-2021 03:56 AM
I was using a friend's laptop for testing; it looks like this "connection refused" message was from his client, as indicated above.
I have loaded PuTTY now and we get "connection times out" for telnet connections.
I have a Cisco 1941 running IOS 15.8(3)M3.
We will only be configuring via the console port on this router.
I'm still having issues with the FTP and SSH reply messages.
FTP gives "connection closed by remote host" (ftp from the command prompt).
SSH gives "remote side unexpectedly closed network connection" (from PuTTY).
Is there a way I can stop these messages?
Here is the relevant part of my running config:
aaa new-model
ip inspect WAAS flush-timeout 10
ip cef
login on-failure log
login on-success log
no ipv6 cef
interface Dialer1
mtu 1492
ip address negotiated
ip access-group No-PING in
ip access-group 198 out
no ip unreachables
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
!
ip access-list extended No-PING
permit icmp any any echo-reply
deny icmp any any
deny tcp any any eq telnet log
deny tcp any any eq www log
permit ip any any
ip access-list extended TRACERT
permit icmp any any traceroute
access-list 198 permit ip any any
!
control-plane
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
script dialer hspa-R7
modem InOut
no exec
transport input all
rxspeed 21600000
txspeed 5760000
line 0/0/1
no exec
line vty 0 4
transport input none
line vty 5 15
transport input none
!
08-10-2021 08:42 AM - edited 08-10-2021 09:01 AM
I don't see exactly where it is failing, but you can tell if it is an ACL if you add the keyword "log" at the end of any "deny" statements. Unless you have a "permit any any" at the end of an ACL, you should use an explicit deny all at the end with the "log" keyword instead of accepting the implicit deny all at the end.
09-04-2021 02:11 PM - edited 09-04-2021 02:12 PM
I have followed up with more testing of my issues and this is what I found.
Using the command
no ip unreachables
it provides a timeout as needed.
However, this is limited to entries in my access list.
ip access-list extended No-PING
permit icmp any any echo-reply log
deny icmp any any log
deny tcp any any eq telnet log
deny tcp any any eq 21 log
deny tcp any any eq www log
permit ip any any
E.g. if I telnet to ports 20, 21 or 22 I get the "Connection Time Out" message,
but when I telnet to port 45734 (as an example) I get "connection refused/denied" and no log message is produced.
@Elliot Dierksen I tried using an explicit deny all at the end of my access list before the "permit ip any any".
I added "deny tcp any any log", but this failed as I lost connectivity.
My issues at present are:
1) What should that explicit deny look like (to show other telnet ports)?
2) Where are those telnet requests getting refused, if not in my access list?
M.
09-04-2021 03:50 PM
Hello,
which IOS version are you running ? Check if your IOS supports the Zone Based Firewall:
1941#conf t
1941(config)#zone ?
Is that command available ? If so, post the full running config of your router, so we can fill in the bits and pieces...
09-10-2021 03:02 AM
Yes, I have the zone command, version 15.8.
09-07-2021 05:22 PM
That is part of the mixed bag that is "no ip unreachables". A connection to a router where no service is listening would generate a "port unreachable" ICMP message, but "no ip unreachables" turns that off.
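The distinction drawn in this reply and in the earlier one (a "connection refused" comes from an explicit answer, a timeout from no answer at all) is easy to verify from the client side rather than guessing from PuTTY's wording. The script below is an added example and is not from the original thread or from Cisco; it is plain Python using only the standard library. probe() connects to a host and port and reports which of the symptoms discussed here the client actually saw. local_demo() reproduces three of them against constructed loopback listeners (a closed port, a listener that accepts and immediately closes, and a listener that sends a banner); the "filtered" case cannot be produced on loopback and has to be checked against the router's real WAN address from outside. The listener names, ports and the banner string are all made up for the demo.

```python
import socket
import threading


def probe(host, port, timeout=3.0):
    """Open a TCP connection to host:port and classify what the client sees.

    Return values map to the client-side symptoms discussed in the thread:
      "refused"          the SYN was answered with a TCP RST, or an ICMP port
                         unreachable arrived (Linux reports both as ECONNREFUSED)
      "unreachable:<n>"  another ICMP unreachable arrived (errno n, typically
                         EHOSTUNREACH for an administratively-prohibited message)
      "filtered"         nothing came back before the timeout: silently dropped
      "open-then-closed" handshake completed, then the peer closed without sending
                         anything ("connection closed by remote host")
      "open-then-reset"  handshake completed, then the peer reset the connection
      "open-silent"      handshake completed, nothing received within the timeout
      "open"             handshake completed and the peer sent data (a banner)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "filtered"
        except OSError as e:
            return "unreachable:%s" % e.errno
        try:
            data = s.recv(256)
        except socket.timeout:
            return "open-silent"
        except ConnectionResetError:
            return "open-then-reset"
        return "open" if data else "open-then-closed"
    finally:
        s.close()


def _loopback_listener(on_connect):
    """Start a constructed loopback listener that serves one connection; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        try:
            on_connect(conn)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def local_demo():
    """Reproduce three symptoms on loopback using constructed listeners, not a router."""
    # A port nobody listens on: the local kernel answers the SYN with a RST.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    # Accept the handshake, then close at once: FIN with no data.
    close_port = _loopback_listener(lambda conn: None)
    # Accept and send a banner, the way a real SSH daemon would.
    banner_port = _loopback_listener(
        lambda conn: conn.sendall(b"SSH-2.0-constructed_example\r\n"))
    return {
        "closed_port": probe("127.0.0.1", closed_port, 2.0),
        "accept_then_close": probe("127.0.0.1", close_port, 2.0),
        "banner": probe("127.0.0.1", banner_port, 2.0),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python probe.py <router-wan-ip> <port>
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        for name, result in local_demo().items():
            print("%s: %s" % (name, result))
```

Run it from a host outside your network against the WAN address and the ports you care about. With unreachables enabled, an IOS interface ACL deny answers with an ICMP administratively-prohibited message, which the probe reports as "unreachable"; with "no ip unreachables" the same deny is silent and shows as "filtered". A port that reaches the router's own TCP stack with no listener shows as "refused", and a vty that accepts the handshake and then drops it shows as "open-then-closed". One caveat when adding an explicit catch-all deny: the inbound ACL on Dialer1 is stateless, so a "deny tcp any any log" placed before "permit ip any any" also drops the return traffic of NAT'd outbound sessions; a catch-all deny on a NAT router needs something stateful in front of it (ip inspect or the Zone Based Firewall suggested in the thread, or at minimum a "permit tcp any any established" for returning TCP traffic).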
09-10-2021 03:15 AM - edited 09-10-2021 03:17 AM
Hello.
Below is my config. I am using "no ip unreachables" in my setup; is it in the correct location?
I have added "ip telnet quiet" as suggested, but I'm not sure it's doing anything in my setup.
!
version 15.8
!
!
boot-start-marker
boot system flash0:c1900-universalk9-mz.SPA.158-3.M3.bin
boot-end-marker
!
!
!
aaa new-model
aaa local authentication attempts max-fail 8
!
!
aaa authentication login default local
!
!
aaa session-id common
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.10.1 192.168.10.100
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
ip dhcp pool WLAN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.1.1
!
!
ip inspect WAAS flush-timeout 10
ip cef
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script hspa-R7 "" "AT!SCACT=1,2" TIMEOUT 60 "OK"
!
!
!
crypto pki certificate chain TP-self-signed-8887778887
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FGL
!
!
redundancy
notification-timer 120000
!
!
!
controller Cellular 0/0
gsm modem crash-action boot-and-hold
!
track 1 ip sla 1 reachability
!
ip telnet quiet
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WLAN uplink port
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
description WAN Uplink
switchport mode trunk
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface GigabitEthernet0/1/4
no ip address
!
interface GigabitEthernet0/1/5
no ip address
!
interface GigabitEthernet0/1/6
no ip address
!
interface GigabitEthernet0/1/7
no ip address
!
interface Cellular0/0/0
description 3G Link to Vodafone-AP
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string hspa-R7
dialer-group 2
async mode interactive
!
interface Cellular0/0/1
no ip address
encapsulation slip
!
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
description WAN
no ip address
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1452
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
 ! this is the main interface for data
mtu 1492
ip address negotiated
ip access-group No-PING in
ip access-group 198 out
no ip unreachables
ip nat outside
ip virtual-reassembly in max-fragments 16 max-reassemblies 64 timeout 5
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname secret.user@one.com
ppp chap password 0 cisco123
ppp pap sent-username secret.user@one.com 0 cisco123
ppp ipcp dns request
ppp ipcp route default
!
ip local policy route-map track-primary-if
ip forward-protocol nd
!
ip dns server queue limit forwarder 8
ip dns server
ip nat inside source route-map nat2backup interface Cellular0/0/0 overload
ip nat inside source route-map nat2primary interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 253
!
ip access-list extended No-PING
permit icmp any any echo-reply
deny icmp any any
deny tcp any any eq telnet log
deny tcp any any eq www log
deny tcp any any eq ftp log
deny tcp any any eq 22 log
deny tcp any any eq login log
permit ip any any
ip access-list extended TRACERT
permit icmp any any traceroute
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer1
ip sla schedule 1 life forever start-time now
logging host 192.168.1.254
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map track-primary-if permit 1
match ip address 197
set interface Dialer1
!
route-map nat2primary permit 1
match ip address 198
match interface Dialer1
!
route-map nat2backup permit 1
match ip address 198
match interface Cellular0/0/0
!
!
access-list 197 permit icmp any host 8.8.8.8
access-list 198 permit ip any any
!
!
!
control-plane
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
script dialer hspa-R7
modem InOut
no exec
transport input all
rxspeed 21600000
txspeed 5760000
line 0/0/1
no exec
line vty 0 4
transport input none
line vty 5 15
transport input none
!
scheduler allocate 20000 1000
ntp server 0.au.pool.ntp.org
ntp server 2.au.pool.ntp.org
ntp server 1.au.pool.ntp.org
ntp server 3.au.pool.ntp.org
!
09-10-2021 08:03 AM
Connection timeouts when you have ip unreachables enabled on the relevant interface are expected behavior. I haven't used "ip telnet quiet" before, so I can't speak to that. If Dialer0 is your WAN interface, then I would say you have it in the right place. Even though Cellular0 is the physical interface associated with this, I think the only interface that will have an IP is Dialer0. I mention that because of the "ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 253" command. I doubt that is hurting anything, but I don't think it would do anything either.