07-16-2010 08:50 AM - edited 03-04-2019 09:05 AM
This is going to be our new Internet router. I expect port 22 to be open for SSH. But, I've got everything obvious turned off. Here is the test config (I don't have the IP addrs from our new ISP yet):
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname clrinetrtr1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
no aaa new-model
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name contres.com
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-518123724
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-518123724
revocation-check none
rsakeypair TP-self-signed-518123724
!
!
crypto pki certificate chain TP-self-signed-518123724
certificate self-signed 01
(You don't need this)
quit
license udi pid CISCO2951/K9 sn (not relevant)
!
!
username root privilege 15 secret 5 NewtGingrichIsSatan
!
!
ip tcp synwait-time 10
!
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.10.10.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex full
speed 100
no mop enabled
!
interface GigabitEthernet0/1
description $ES_LAN$
ip address 10.20.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
ip address 192.168.1.241 255.255.254.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
logging trap debugging
access-list 23 permit 10.10.10.0 0.0.0.7
!
no cdp run
!
!
control-plane
!
banner login ^C
Continental Resources, Inc.
All activity is logged.
^C
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input ssh
line vty 5 15
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
scheduler interval 500
end
Any clues? I'm going to ACL the outside interface anyway and only allow SSH from my personal NAT from the inside. But, why are SMTP and POP open on a fairly vanilla IOS?
07-17-2010 07:47 AM
I don't see an ACL on any of the GE interfaces. Everything will be allowed to go through the router.
For management, you are only allowing SSH to the VTY (management) of the router.
Regards,
jerry
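As an added example (not code from either poster), the following script checks a pasted IOS running-config for the two points raised in this thread: interfaces that carry an IP address but have no inbound access-group applied, and vty lines whose transport input is not SSH-only. The sample config is a constructed excerpt modelled on the one above and keeps the one-space indentation that "show running-config" prints (the copy pasted in the thread lost it), which the parser relies on; the ACL name OUTSIDE-IN is also constructed.

```python
import re

# Constructed excerpt, indented the way IOS 'show running-config' prints it;
# modelled on the thread's config but not the poster's actual file.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.248
!
interface GigabitEthernet0/2
 ip address 192.168.1.241 255.255.254.0
 ip access-group OUTSIDE-IN in
!
line aux 0
line vty 0 4
 login local
 transport input ssh
"""

def parse_blocks(config: str) -> dict[str, list[str]]:
    """Group the config into blocks keyed by header ('interface ...', 'line vty 0 4').
    Children are indented one space; a '!' or an unindented line ends the block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def interfaces_missing_inbound_acl(config: str) -> list[str]:
    """L3 interfaces (ones with an ip address) lacking 'ip access-group <acl> in'.
    Without one, as jerry notes, every flow is simply forwarded through the router."""
    missing = []
    for header, lines in parse_blocks(config).items():
        if header.startswith("interface ") and any(l.startswith("ip address ") for l in lines):
            if not any(re.fullmatch(r"ip access-group \S+ in", l) for l in lines):
                missing.append(header.split(" ", 1)[1])
    return missing

def vty_lines_not_ssh_only(config: str) -> list[str]:
    """vty line ranges whose 'transport input' is not exactly 'ssh' (or is absent,
    which leaves the platform default in force)."""
    return [h for h, lines in parse_blocks(config).items()
            if h.startswith("line vty")
            and [l for l in lines if l.startswith("transport input ")] != ["transport input ssh"]]
```

Run against the full router config the first check reports every GE interface, which matches jerry's observation; the vty check passes because both vty ranges already carry "transport input ssh".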