Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

Router security

Dear All

I m using cisco 2821,C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T7, as DMZ router. I want to secure my outside interface as no one can reach my router.

What policy and security i can apply to router ?

How i do it ??

Thanking You


Latchum Naidu

Hi shahid,

What you can do is...

1. create a access-list and apply to line con so that no one can telnet or ssh to your router except the permitted IP's or network in that access-list.
2. define a extened access-list which all networks you want allow and at the end you can deny any any.
3. Disable http server.
4. Use SNMP server feature if you have SNMP enabled on your router.

Please rate the helpfull posts.

Joseph W. Doherty
Hall of Fame Expert


The    Author of this posting offers the information  contained within this    posting without consideration and with the  reader's understanding  that   there's no implied or expressed suitability  or fitness for any   purpose.  Information provided is for informational  purposes only and   should not  be construed as rendering professional  advice of any kind.   Usage of  this posting's information is solely at  reader's own risk.

Liability Disclaimer

In    no event shall Author be liable for any damages whatsoever    (including,  without limitation, damages for loss of use, data or    profit) arising  out of the use or inability to use the posting's    information even if  Author has been advised of the possibility of  such   damage.


Have an external interface input ACL that blocks all traffic to the interface's IP (except for routing or other known/approved traffic to the interface's IP).  (I.e. external traffic with interface's IP as destination)

Extend the ACL to control what traffic you allow to transit the interface, inbound, or firewall rules and/or NAT.

Nandan Mathure


I would suggest you can use either 1] Reflexive access-lists 2] Context Based access-lists or 3] Zone based firewall solution. (depending on complexity)

In case of zone based solution you can inspect the tcp,udp,ip,icmp traffic as required or allow the selected traffic just to pass without inspection, etc. Only return traffic is allowed that was generated Inside or on router. All the traffic originating outside will be dropped by default except if you specify.


In addition to what others have already said, you can get specific configuration snippets by using IOS Auto Secure and reviewing the NSA Router Security Guides.

I would suggest running auto secure on a non-production device, manually modifying the resulting config to suit your needs, then applying to your production router.

IOS Auto Secure

Router# auto secure full

NSA Cisco Router Guides

Cisco SAFE Network Foundation CVD

Cisco Network Security Baseline Sample Config