I'm using a Cisco 2821 (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T7, as a DMZ router. I want to secure my outside interface so that no one can reach my router.
What policy and security can I apply to the router?
How do I do it?
What you can do is...
1. Create an access-list and apply it to line con so that no one can telnet or SSH to your router except the permitted IPs or networks in that access-list.
2. Define an extended access-list that permits all the networks you want to allow, and at the end deny any any.
3. Disable the HTTP server.
4. Use the SNMP server feature if you have SNMP enabled on your router.
Please rate the helpful posts.
Have an input ACL on the external interface that blocks all traffic destined to the interface's own IP (except routing protocol traffic or other known/approved traffic to the interface's IP), i.e. external traffic with the interface's IP as its destination.
Extend the ACL to control what traffic you allow to transit the interface inbound, or use firewall rules and/or NAT.
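The following IOS configuration is an added worked example of the points made in the two answers above (VTY access-class, extended ACL on the outside interface that first drops traffic aimed at the router's own address, HTTP server disabled, SNMP restricted). It is not configuration posted by either author. The interface name GigabitEthernet0/1, the outside address 198.51.100.1, the DMZ prefix 192.0.2.0/24 and the management prefix 203.0.113.0/24 are constructed values from the RFC 5737 documentation ranges; substitute your own.

```text
! ---- Management plane: who may log in to the router ----
! Constructed trusted-management prefix (assumption: your admin hosts live here)
ip access-list standard MGMT-HOSTS
 permit 203.0.113.0 0.0.0.255
 deny   any log
!
! The VTY lines carry telnet and SSH sessions; allow only SSH, only from MGMT-HOSTS
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
!
! Disable the HTTP and HTTPS servers entirely
no ip http server
no ip http secure-server
!
! If SNMP stays enabled, make it read-only and bind it to the same trusted hosts
! (<community-string> is a placeholder; do not use public/private)
snmp-server community <community-string> RO MGMT-HOSTS
!
! ---- Outside interface input ACL ----
! Order matters: anti-spoofing first, then traffic to the router itself,
! then the transit traffic you intend, then an explicit logged deny.
ip access-list extended OUTSIDE-IN
 remark -- anti-spoofing: packets arriving from outside must not claim DMZ sources --
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark -- traffic whose destination is the router's own outside address --
 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.1 eq 22
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.1 eq snmp
 deny   ip any host 198.51.100.1 log
 remark -- transit traffic allowed into the DMZ (constructed: a web server) --
 permit tcp any 192.0.2.0 0.0.0.255 eq 80
 permit tcp any 192.0.2.0 0.0.0.255 eq 443
 remark -- return traffic for sessions the DMZ hosts opened outbound --
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark -- everything else is dropped and logged --
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Outside
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
```

Verify the result with `show ip access-lists OUTSIDE-IN` (hit counters on each line) and `show logging` after a test connection from a non-trusted address: the connection attempt should appear as a logged deny and never reach the VTY. If the router exchanges dynamic routing with an outside peer, add a permit for that protocol from the peer's address to the router's address ahead of the `deny ip any host` line, otherwise the adjacency will drop.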
I would suggest you use either 1] Reflexive access-lists, 2] Context Based access-lists, or 3] a Zone based firewall solution (depending on complexity).
In the case of the zone based solution you can inspect the TCP, UDP, IP and ICMP traffic as required, or allow selected traffic to pass without inspection, etc. Only return traffic for sessions that were generated inside or on the router is allowed. All traffic originating outside is dropped by default unless you specify otherwise.
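As an added example of option 3 above (zone based firewall, which this IOS release supports), the configuration below is not from the answer's author. It assumes two interfaces, GigabitEthernet0/0 (DMZ, placed in zone INSIDE) and GigabitEthernet0/1 (placed in zone OUTSIDE), and a constructed trusted-management prefix 203.0.113.0/24. The INSIDE-to-OUTSIDE zone-pair inspects TCP, UDP and ICMP so that only return traffic for inside-initiated sessions comes back; because no OUTSIDE-to-INSIDE zone-pair exists, outside-originated traffic is dropped by default. A second zone-pair to the router's own `self` zone limits what can reach the router itself.

```text
! ---- Zones and membership ----
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description DMZ (assumed interface)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Outside (assumed interface)
 zone-member security OUTSIDE
!
! ---- INSIDE -> OUTSIDE: stateful inspection of what the DMZ hosts originate ----
class-map type inspect match-any INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! No OUTSIDE -> INSIDE zone-pair is defined: with no policy between two zones,
! the firewall drops that direction, so nothing from outside can start a session inward.
!
! ---- OUTSIDE -> self: what may reach the router's own addresses ----
! Constructed management prefix; only SSH from it is let through
ip access-list extended TRUSTED-MGMT
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
!
class-map type inspect match-all OUTSIDE-TO-SELF
 match access-group name TRUSTED-MGMT
!
policy-map type inspect OUTSIDE-TO-SELF-POLICY
 class type inspect OUTSIDE-TO-SELF
  pass
 class class-default
  drop
!
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF-POLICY
```

Two points worth checking before applying this: `self` to OUTSIDE stays open by default (no zone-pair in that direction), so the router's SSH replies get out, but the class-default drop on OUT-SELF will also discard replies to anything the router itself originates toward the outside (NTP, DNS, routing-protocol peers) unless those are added to the OUTSIDE-TO-SELF class or inspected in a self-to-OUTSIDE policy. `show policy-map type inspect zone-pair IN-OUT sessions` lists the active inspected sessions, and a connection attempt from outside into the DMZ should produce no session and be counted under the zone-pair's drop statistics.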
In addition to what others have already said, you can get specific configuration snippets by using IOS Auto Secure and reviewing the NSA Router Security Guides.
I would suggest running auto secure on a non-production device, manually modifying the resulting config to suit your needs, then applying to your production router.
IOS Auto Secure
Router# auto secure full
NSA Cisco Router Guides
Cisco SAFE Network Foundation CVD
Cisco Network Security Baseline Sample Config