Securing ISR 4331 with CUBE

SMW
Level 1

Hi,

I'm new to the ISR 4331 + CUBE.

Everybody from outside has access to the web UI, SSH and Telnet. How can I unbind the services from the outside interface?

Ports 80, 443, 22 and 23 are open.

All traffic from inside should have access to outside.

CUBE (SIP, RTSP) traffic should also have access to outside, and from outside to inside.

Here is my config:


! Last configuration change at 08:38:28 GMT Sat Mar 27 2021 by xxxxx
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname xx
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret -----
enable password ----
!
no aaa new-model
clock timezone GMT 1 0
!
ip name-server 8.8.8.8
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1082845364
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1082845364
revocation-check none
rsakeypair TP-self-signed-1082845364
!
!
crypto pki certificate chain TP-self-signed-1082845364
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
!
!
!
voice service voip
ip address trusted list
ipv4 xx.xx.xx.xx
ipv4 xx.xx.xx.xx
mode border-element license capacity 10
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
!
!
voice class uri 2 sip
host ipv4:xx.xx.xx.xx
voice class codec 1
codec preference 1 g711alaw
!
!
voice class sip-profiles 1
response ANY sip-header Contact modify "xx.xx.xx.xx" "xx.xx.xx.xx"
request ANY sip-header Contact modify "xx.xx.xx.xx" "xx.xx.xx.xx"
response ANY sdp-header Audio-Connection-Info modify "xx.xx.xx.xx" "xx.xx.xx.xx"
response ANY sdp-header Connection-Info modify "xx.xx.xx.xx" "xx.xx.xx.xx"
response ANY sdp-header Session-Owner modify "xx.xx.xx.xx" "xx.xx.xx.xx"
request ANY sdp-header Audio-Connection-Info modify "xx.xx.xx.xx" "xx.xx.xx.xx"
request ANY sdp-header Connection-Info modify "xx.xx.xx.xx" "xx.xx.xx.xx"
request ANY sdp-header Session-Owner modify "xx.xx.xx.xx" "xx.xx.xx.xx"
!
!
!
!
!
!
!
!
voice-card 0/4
no watchdog
!
license udi pid ISR4331/K9 sn xxxxxx
license accept end user agreement
license boot level uck9
license boot level securityk9
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id

et-analytics
!
!
!
!
!
!
!
username xxxxx privilege 15 password 0 xxxx
!
redundancy
mode none
!
!
!
!
!
!
!
class-map type inspect match-any Mgmt_app
match protocol telnet
match protocol ssh
class-map type inspect match-any VOICETRAFFIC_app
match protocol sip
match protocol sip-tls
match protocol rtsp
class-map type inspect match-all VOICETRAFFIC2
match access-group name VOICETRAFFIC2_acl
class-map type inspect match-all VOICETRAFFIC
match access-group name VOICETRAFFIC_acl
match class-map VOICETRAFFIC_app
class-map type inspect match-all Mgmt
match class-map Mgmt_app
match access-group name Mgmt_acl
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect VOICETRAFFIC2
pass
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect Mgmt
drop
class type inspect VOICETRAFFIC
inspect
class class-default
drop log
!
zone security OUTSIDE
zone security INSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address xx.xx.xx.130 255.255.255.0
ip nat inside
zone-member security INSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
ip address xx.xx.xx.xx 255.255.255.0
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address xx.xx.xx.117 255.255.255.0
negotiation auto
!
ip forward-protocol nd
ip http server
ip http access-class ipv4 20
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 xx.xx.xx.1
!
!
!
ip access-list standard ACLIN
deny any
!
ip access-list extended ACLOUT
permit ip any any
ip access-list extended Mgmt_acl
permit ip any any
ip access-list extended VOICETRAFFIC2_acl
permit ip any any
ip access-list extended VOICETRAFFIC_acl
permit ip any any
access-list 20 permit xx.xx.xx.0 0.0.0.255
ip access-list extended 197
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/1
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
dial-peer voice 1 voip
description incoming calls from ITSP
session protocol sipv2
session target sip-server
incoming called-number .T
voice-class codec 1
voice-class sip profiles 1
voice-class sip bind control source-interface GigabitEthernet0/0/1
voice-class sip bind media source-interface GigabitEthernet0/0/1
dtmf-relay rtp-nte sip-notify
no vad
!
dial-peer voice 2 voip
description incoming calls from CUCM
session protocol sipv2
session target sip-server
incoming uri via 2
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0/0
voice-class sip bind media source-interface GigabitEthernet0/0/0
dtmf-relay rtp-nte sip-notify
no vad
!
dial-peer voice 11 voip
description Outgoing calls to CUCM
destination-pattern 000000..
session protocol sipv2
session target ipv4:xx.xx.xx.30
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0/0
voice-class sip bind media source-interface GigabitEthernet0/0/0
dtmf-relay rtp-nte sip-notify
no vad
!
dial-peer voice 10 voip
description Outgoing calls to ITSP
destination-pattern .T
session protocol sipv2
session target dns:sip.provider.com
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0/1
voice-class sip bind media source-interface GigabitEthernet0/0/1
dtmf-relay rtp-nte sip-notify
no vad
!
!
sip-ua
credentials number 123456789 username 123456789 password 7 2 realm sip.provider.com
authentication username 123456789 password 7 12 realm sip.provider.com
registrar dns:sip.provider.com expires 3600
sip-server dns:sip.provider.com
!
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password xxxxx13
login
length 0
!
!
!
!
!
!
end

BR

Sebastian

2 Accepted Solutions

pieterh
VIP

What you describe is to restrict "management access".
You do this by creating an ACL (access-list that describes the desired traffic from management stations to the ISR4331)
and apply this to the VTY ports and HTTP(S) access:
Network Security Baseline - Infrastructure Device Access [Design Zone for Security] - Cisco

Traffic passing through the device (internet access etc.) is not matched by the ACL and is not filtered.

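Added example (not from the original post or from the reply above) of the management-plane lockdown described, written against the posted config. The ACL names MGMT-IN and CUBE-TO-SELF, the policy name OUTSIDE-SELF-POLICY, the management network 10.10.10.0/24 and the ITSP range 203.0.113.0/24 are placeholders; substitute the real management stations and the provider's signalling/media addresses (the ones in `ip address trusted list`). It also covers the piece the posted zone-based firewall is missing: packets addressed to the router itself belong to the self zone, which the INSIDE-OUTSIDE and OUTSIDE-INSIDE zone pairs never see, so the `drop` on class Mgmt in OUTSIDE-INSIDE-POLICY only affects Telnet/SSH transiting to inside hosts, not SSH/HTTP to the router. Without an OUTSIDE-to-self pair, traffic to the router from OUTSIDE is allowed by default. Adding that pair must then pass the CUBE's own SIP and RTP; the RTP range below is the IOS-XE CUBE default (8000-48198) and is an assumption to check against the range actually configured.

```cisco
! --- Management-plane ACL: only management stations may reach the router's services
ip access-list standard MGMT-IN
 remark assumption: 10.10.10.0/24 is the management network
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! --- VTY: SSH only (closes Telnet/23), filtered by the ACL
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 login local
!
ip ssh version 2
!
! --- Web UI: HTTPS only (closes 80), filtered by the same ACL
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-IN
ip http authentication local
!
! --- Zone-based firewall: police the router's own (self) zone.
! Traffic to the router bypasses OUTSIDE-INSIDE-POLICY; an OUTSIDE->self
! zone-pair is what actually blocks 22/23/80/443 from the outside.
ip access-list extended CUBE-TO-SELF
 remark assumption: 203.0.113.0/24 stands for the ITSP signalling/media ranges
 remark SIP signalling terminated on the CUBE (UDP/TCP 5060, TLS 5061)
 permit udp 203.0.113.0 0.0.0.255 any eq 5060
 permit tcp 203.0.113.0 0.0.0.255 any eq 5060
 permit tcp 203.0.113.0 0.0.0.255 any eq 5061
 remark assumption: RTP media range, IOS-XE CUBE default 8000-48198
 permit udp 203.0.113.0 0.0.0.255 any range 8000 48198
!
class-map type inspect match-all CUBE-TO-SELF
 match access-group name CUBE-TO-SELF
!
! "pass" rather than "inspect": SIP to the self zone is not stateful-inspected;
! the replies the router sends back are self->OUTSIDE, which has no zone-pair
! and is therefore allowed.
policy-map type inspect OUTSIDE-SELF-POLICY
 class type inspect CUBE-TO-SELF
  pass
 class class-default
  drop log
!
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
```

Inside hosts (CUCM on dial-peers 2 and 11) still reach the CUBE because there is no INSIDE-to-self pair. Verify with `show policy-map type inspect zone-pair OUTSIDE-SELF` (the class-default drop counter should climb when SSH or HTTPS is attempted from outside, while CUBE-TO-SELF counts SIP from the provider) and with `show ip access-lists MGMT-IN`. Note that the posted `ip http access-class ipv4 20` already permits a whole /24 (`access-list 20 permit xx.xx.xx.0 0.0.0.255`); whichever subnet that is, the entries should be only management stations.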

You can also put the traffic facing the ITSP (or any untrusted network) in a separate VRF. You will need to explicitly bind the dial peers to that interface for both control and media traffic. You can combine that with the ACL on the vty and http ports as suggested above, and then the management ports won't be available even if they match the ACL (unless you add the optional "vrf-also" at the end).

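Added example (not the reply author's configuration) of the VRF split described above. It assumes a VRF named ITSP, that GigabitEthernet0/0/1 carries only the ITSP path, the placeholder addresses 198.51.100.2/24 for the interface and 198.51.100.1 for the provider next hop (the posted config redacts them), and the MGMT-IN standard ACL as the management-station list. Caveat for the posted config: Gi0/0/1 there is also the NAT outside interface and the global default route for inside-to-internet traffic, so moving it into a VRF would additionally require VRF-aware NAT and inter-VRF route leaking, which this example leaves out; it only shows the VRF, the binds, and the management-port behaviour the reply mentions.

```cisco
! --- Dedicated VRF for the untrusted, ITSP-facing link
vrf definition ITSP
 address-family ipv4
 exit-address-family
!
! Assigning the VRF clears the interface's IP address; re-enter it afterwards.
interface GigabitEthernet0/0/1
 vrf forwarding ITSP
 ip address 198.51.100.2 255.255.255.0
 zone-member security OUTSIDE
!
! Routing and DNS for the VRF only: the global table no longer reaches the ITSP link
ip route vrf ITSP 0.0.0.0 0.0.0.0 198.51.100.1
ip name-server vrf ITSP 8.8.8.8
!
! Dial-peers toward the ITSP must be bound explicitly to the VRF interface,
! for both signalling and media (the posted dial-peers 1 and 10 already are)
dial-peer voice 10 voip
 description Outgoing calls to ITSP
 voice-class sip bind control source-interface GigabitEthernet0/0/1
 voice-class sip bind media source-interface GigabitEthernet0/0/1
dial-peer voice 1 voip
 description incoming calls from ITSP
 voice-class sip bind control source-interface GigabitEthernet0/0/1
 voice-class sip bind media source-interface GigabitEthernet0/0/1
!
! Management: no "vrf-also" on the access-class, so a connection arriving via
! VRF ITSP is refused before the ACL is even consulted. Add "vrf-also" only
! if you deliberately want management from that VRF.
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 login local
```

Check the VRF sees the provider with `show ip route vrf ITSP` and `ping vrf ITSP 198.51.100.1`, and that SIP registration still goes out of the VRF interface with `show sip-ua register status`. Traffic from the CUBE's inside interface (Gi0/0/0, global table) to the VRF is then only what the dial-peers carry; there is no IP path from the ITSP VRF into the global routing table unless one is leaked on purpose.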
