08-22-2012 09:52 AM - edited 03-07-2019 08:29 AM
I'm trying to turn off SSH version 1 & 2 to pass PCI compliance. Problem is, I cannot touch the VPN link between the two offices. I'm afraid the PKI certificate used for the VPN will be deleted if I zeroize the RSA key, which seems to be the only way to stop the router responding on port 22.
Here is the stuff from the running config related to the crypto map:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp xauth timeout 15
crypto pki trustpoint TP-self-signed-4087584599
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4087584599
revocation-check none
rsakeypair TP-self-signed-4087584599
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 28800
set transform-set ESP-3DES-SHA
reverse-route
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
--------------------------------------
I'm only a CCNA, so I'm not even sure if the certificate or RSA key is being used for the VPN link, but I can't tell from the running config whether zeroizing it would be a good idea and not break the VPN.
I'm open to other ways of disabling SSH, as we are able to just connect using a console cable. But it looks like denying port 22 with an access-list doesn't even stop the router from responding to the port...
Thanks,
-Eric
08-22-2012 07:24 PM
Easiest way to block SSH, telnet, and all remote access to the router is the following:
line vty 0 4 (or 0 15, look at your config and see how many vty lines are configured)
transport input none
08-22-2012 08:08 PM
hi eric,
to my knowledge, 'zeroising' the RSA key will not break your VPN connection. the RSA key helps enable SSH and is for remote admin purposes.
but just to make sure, could you post your 'show crypto key mypubkey rsa' output?
08-22-2012 08:45 PM
Eric
When you say that you want to eliminate SSH on the router does that mean that you want to have no remote access to the router? The suggestion of transport input none will result in no remote access. If that is what you want then it is a good suggestion. If you want some remote access, then what kind of remote access do you want to allow? When we know that we can give you better advice about what to do.
HTH
Rick
08-23-2012 09:17 AM
% Key pair was generated at: 22:51:11 UTC Jul 13 2010
Key name: TP-self-signed-4087584599
Usage: General Purpose Key
Key is not exportable.
Key Data:
XXXXX
% Key pair was generated at: 17:32:34 UTC Aug 23 2012
Key name: TP-self-signed-4087584599.server
Usage: Encryption Key
Key is not exportable.
Key Data:
XXXXXXX
Here is the output of the command "show crypto key mypubkey rsa".
I already have transport set to none, the port is still open however, even though trying to connect will give you a timeout.
We use TeamViewer to remote into the server, then use COM1 to get to the router, which is not ideal if you accidentally bring down the internet, but I'm very wary about doing anything that might do that, or touch the VPN connection. Hence the reservation about zeroizing the RSA key and deleting those certs.
output of "crypto key zeroize rsa":
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
08-23-2012 09:24 AM
OK, I fixed it by limiting the vty to an IP access-list. So now the port is closed and we should pass.
I'd still like to know if zeroizing the key would blow up the VPN though... Just out of curiosity.
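The fix in this post (restricting the vty lines with an inbound access-class) is the kind of setting a PCI reviewer will want to see in the config rather than take on trust. The following audit script is an added example and not part of the thread; it parses `line vty` stanzas out of a running-config excerpt and flags lines that still allow cleartext telnet, that allow SSH without `ip ssh version 2`, or that carry no `access-class ... in`. The sample config, the rule set and the function names are constructed for illustration.

```python
"""Audit 'line vty' stanzas in a Cisco IOS running-config for remote-access exposure.

Added example: the config excerpt below is constructed, not taken from the thread.
"""
import re

# Constructed sample: two vty ranges, one locked down with an access-class,
# one still wide open.
SAMPLE_CONFIG = """\
!
ip ssh version 2
!
access-list 10 permit 192.0.2.10
access-list 10 deny   any log
!
line con 0
 login local
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
"""


def parse_vty_stanzas(config):
    """Return one dict per 'line vty A B' stanza with its indented child commands."""
    stanzas = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Top-level command: either opens a new vty stanza or ends the current one.
            m = re.match(r"line vty (\d+) (\d+)$", line)
            if m:
                current = {"first": int(m.group(1)), "last": int(m.group(2)), "commands": []}
                stanzas.append(current)
            else:
                current = None
            continue
        if current is not None:
            current["commands"].append(line.strip())
    return stanzas


def audit_vty(config):
    """Return (line-range, finding) tuples for vty stanzas that still expose remote access."""
    findings = []
    ssh_v2_only = bool(re.search(r"^ip ssh version 2$", config, re.M))
    for s in parse_vty_stanzas(config):
        name = f"vty {s['first']}-{s['last']}"
        transport = None
        has_acl = False
        for cmd in s["commands"]:
            if cmd.startswith("transport input"):
                transport = cmd.split()[2:]  # e.g. ['ssh'], ['none'], ['telnet', 'ssh']
            elif cmd.startswith("access-class") and cmd.endswith(" in"):
                has_acl = True
        if transport is None:
            # The IOS default varies by release, so an unspecified transport is itself a finding.
            findings.append((name, "transport input not set explicitly"))
            continue
        if transport == ["none"]:
            continue  # no remote login on these lines at all
        if "telnet" in transport or "all" in transport:
            findings.append((name, "cleartext telnet allowed"))
        if "ssh" in transport and not ssh_v2_only:
            findings.append((name, "ssh allowed but ip ssh version 2 not enforced"))
        if not has_acl:
            findings.append((name, "no inbound access-class restricting sources"))
    return findings


if __name__ == "__main__":
    for line_range, finding in audit_vty(SAMPLE_CONFIG):
        print(f"{line_range}: {finding}")
```

On the sample, `vty 0-4` passes and `vty 5-15` is reported twice (telnet allowed, no access-class). The script only judges what the config says; as Eric observed, `transport input none` can leave TCP/22 accepting connections that then time out, so confirm the listener state on the device itself (for example with `show ip ssh`) or from a permitted host, not from the config alone.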
08-23-2012 06:47 PM
eric,
thanks for the show output and for letting me know that you've turned off SSH successfully.
it is safe to say you can 'zeroize' your RSA keys. I will, however, correct myself on my initial comment on RSA keys with regards to VPN.
we could generate an RSA special-usage key, which is used for IKE policies that use the RSA authentication method:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_key.html#wp1040590
please rate useful posts and mark the thread as resolved. thanks!