Solved: Thanks, AllertGen. I will

hank · ‎02-04-2015

Hi. Newbie to the Cisco world.

I have a spare Cisco 2811 router from which I removed/disabled all Voice and WAN devices (VIC2-2FXS, VWIC-1MFT-T1, VIC2-4FXO, PVDM2-48). I would like to now use this router in a basic network configuration with 2 VLANs (voice and data) for a regional office. An illustration of that office network is below.

Would you please review my router config and let me know if you see any problems? Besides the requirements listed, I want to make sure that the internal network is protected from the outside. Also, please let me know if there is a way to restrict RDP to y.y.y.11 only if the incoming address is from the b.b.b.0/24 public subnet (I own this entire Class C).

Thanks in advance for your assistance.

Requirements

Allow all traffic between VLAN 1 and VLAN 100 and vice versa.

Allow both VLANs to reach the Internet

Router to provide DHCP for phones (server will provide for workstations)

Need SSH on vty 0 4

Allow RDP from outside to get to server on y.y.y.11 (would prefer to restrict this to particular subnet b.b.b.0/24)

Network Illustration

My attempt at configuring the router (anything wrong here?)

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
no ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address x.x.x.t x.x.x.z
ip dhcp excluded-address x.x.x.a x.x.x.g
!
ip dhcp pool voice
   network x.x.x.0 255.255.255.0
   dns-server y.y.y.11
   default-router x.x.x.1
!
no ip domain lookup
ip domain name abc.com
ip ssh version 2
!
voice-card 0
no dspfarm
!
username Sparky secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
interface FastEthernet0/0
ip address a.a.a.7 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
description Connection to Data VLAN
encapsulation dot1Q 1 native
ip address y.y.y.1 255.255.255.0
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/1.100
description Connection to voice VLAN
encapsulation dot1Q 100
ip address x.x.x.1 255.255.255.0
ip nat inside
no snmp trap link-status
!
ip classless
ip route 0.0.0.0 0.0.0.0 a.a.a.1
!
ip http server
no ip http secure-server
ip nat pool ovrld a.a.a.7 a.a.a.7 prefix-length 24
ip nat inside source list 7 interface FastEthernet0/0 overload
ip nat inside source static tcp y.y.y.11 3389 interface FastEthernet0/0 3389
!
access-list 7 permit x.x.x.0 0.0.0.255
access-list 7 permit y.y.y.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
logging synchronous
login
line aux 0
line vty 0 4
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
login local
transport input telnet ssh
!
scheduler allocate 20000 1000

AllertGen · ‎02-08-2015

Hi, hank@mgtamer.com.

As shh5455 told it should work well. But from my point of view it's better to change line "ip nat inside source static tcp y.y.y.11 3389 interface FastEthernet0/0 3389" to "ip nat inside source static tcp y.y.y.11 3389 a.a.a.7 3389" (btw the mask for outside interface is 24? Really?)

And from securety side your router is no good. What can be good to do:

1. Turn off telnet (espessially if you want configure router from the internet. But first need configure SSH. Look at 11 point bellow):

line vty 0 4

transport input ssh

exit

2. Make access to vty lines only from trasted IP addresses:

access-list 2 remark ----- ACL for VTY Lines -----

access-list 2 permit [permited IP address or pool of IP addresses]

access-list 2 deny any log

line vty 0 4

access-class 2 in

exit

3. As I know 2811 has vty lines 5 - 15 too. So you need copy settings from vty 0 - 4 to 5 - 15.

4. Turn on logging information (at last for local storage. But it's better to send logged information to external device). By default it turned on but buffer size is small:

logging buffered [size_of_buffer]

no logging console

logging on

And for external device:

logging [host address]

Also add a line for logging failed authentications:

security authentication failure rate [number of failed tryes before sending a log message] log

5. Make ACL for external interface with access only for needed services (btw I prefer extended ACL for this, so example by this type of ACL):

ip access-list extended Outer_shield
remark ------ACCESS-LIST FOR OUTER INTERFACE IN --------
remark *** Permit access
permit tcp b.b.b.0 0.0.0.255 host a.a.a.7 eq 3389
! If you want configure router from the internet
permit tcp [trusted IP addresses or any] host a.a.a.7 eq 22
! If you want check your router by ICMP
permit icmp [trusted IP addresses or any] host a.a.a.7 eq [needed parameters]
remark *** Deny all other
deny ip any any [log | if you want logging all blocked connections]
exit

It's better to use CBAC to make "holes" in ACL above for the traffic that is going outside. So you can use lines:

ip inspect name IF_Outside icmp router-traffic
ip inspect name IF_Outside tcp
ip inspect name IF_Outside udp
ip inspect name IF_Outside ftp

And put this all to your outside interface:

interface FastEthernet0/0

ip access-group Outer_shield in

ip inspect IF_Outside out

exit

6. Turn off CDP at last at outside interface:

interface FastEthernet0/0

no cdp enable

exit

7. It's better to turn on aaa authentication. Right now you have made athentication via password at the lines. But you can forget to install it in the future or there can be update at the new IOS (for example at 2901 router I had a situation when with new IOS I got new line (with the name line 2) and this line by default had access by all protocols and from any interface. Only thanks to logging about fail authentications I noticed it). For turning it on use:

username [username] secret [password]

aaa new-model

aaa authentication login default local

8. Somebody can use aux interface instead of console interface for configuring router. Copy settings from con 0 to aux 0.

9. Turn off source routing:

no ip source-route

10. turn off http and https servers (or at last put ACL for it):

no ip http server
no ip http secure-server

or

ip http access-class 2
ip http authentication [aaa or local] (if you configured point 7)

11. Well, I don't see settings for ssh. So you can use it:

crypto key generate rsa general-keys label [lable] modulus [size] (btw this command don't shows at "show running-config")
ip ssh rsa keypair-name [lable]
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip ssh logging events

You can also tune some additional settings like bunner and so. But all what listed above is better to do.

View solution in original post

AllertGen · ‎02-09-2015

Hi, hank@mgtamer.com.

Well, from my point of view there is no more crytical securety issues at configuration (the only thing that you didn't do is line "security authentication failure rate [number of failed tryes before sending a log message] log"). Just a few notices:

1. You can delete line "ip nat pool ovrld a.a.a.7 a.a.a.7 prefix-length 24" because you don't use this pool (just for keeping your configuration at clear state).

2. At PAT better use external IP address instead of intarface name. It's because at your version PAT will be used for any traffic that is comming to your external interface. I don't know your network and how you are getting internet from your ISP. But there is can be a situation when somebody would connect to the switch at your ISP and will send a packet with destination port: tcp 3389 and any destination IP address but with MAC address of your external interface. At this case it can reach your y.y.y.11. But, well, your ACL will permit this packet only if source IP address has permit to go trough.

3. Your ACL with number 2 is permiting access only from outside. You don't want have access from inside?

4. You can also place ACLs to your internal interfaces to limit access to your router or to the phones/internet.

5. If you want you can tune your securety more by changing CBAC configuration (for example make a limit for number of connections or to check a specific traffic type, etc), placing a banner, changing activation key for console interface (default is "enter" but you can make, for example, ctrl + k or some another), turning off echo responces about unreachable networks, turn on SNMP server (or send traps instead of it) and etc. There is a lot of things that you can do to raise your securety.

View solution in original post

shh5455 · ‎02-04-2015

Looks like it would probably work, but you don't have any security on the outside interface. I would look at putting an IOS firewall there.

For the outside connection you can put an access-class on the vty to restrict inbound access.

hank · ‎02-05-2015

Thanks for the reply. As I mentioned, I'm a Cisco newbie. What do you mean by security on the outside interface? There are no ports open to the outside (other than RDP and I would like it limited to a particular public subnet). What else can be done?

AllertGen · ‎02-08-2015

Hi, hank@mgtamer.com.

As shh5455 told it should work well. But from my point of view it's better to change line "ip nat inside source static tcp y.y.y.11 3389 interface FastEthernet0/0 3389" to "ip nat inside source static tcp y.y.y.11 3389 a.a.a.7 3389" (btw the mask for outside interface is 24? Really?)

And from securety side your router is no good. What can be good to do:

1. Turn off telnet (espessially if you want configure router from the internet. But first need configure SSH. Look at 11 point bellow):

line vty 0 4

transport input ssh

exit

2. Make access to vty lines only from trasted IP addresses:

access-list 2 remark ----- ACL for VTY Lines -----

access-list 2 permit [permited IP address or pool of IP addresses]

access-list 2 deny any log

line vty 0 4

access-class 2 in

exit

3. As I know 2811 has vty lines 5 - 15 too. So you need copy settings from vty 0 - 4 to 5 - 15.

4. Turn on logging information (at last for local storage. But it's better to send logged information to external device). By default it turned on but buffer size is small:

logging buffered [size_of_buffer]

no logging console

logging on

And for external device:

logging [host address]

Also add a line for logging failed authentications:

security authentication failure rate [number of failed tryes before sending a log message] log

5. Make ACL for external interface with access only for needed services (btw I prefer extended ACL for this, so example by this type of ACL):

ip access-list extended Outer_shield
remark ------ACCESS-LIST FOR OUTER INTERFACE IN --------
remark *** Permit access
permit tcp b.b.b.0 0.0.0.255 host a.a.a.7 eq 3389
! If you want configure router from the internet
permit tcp [trusted IP addresses or any] host a.a.a.7 eq 22
! If you want check your router by ICMP
permit icmp [trusted IP addresses or any] host a.a.a.7 eq [needed parameters]
remark *** Deny all other
deny ip any any [log | if you want logging all blocked connections]
exit

It's better to use CBAC to make "holes" in ACL above for the traffic that is going outside. So you can use lines:

ip inspect name IF_Outside icmp router-traffic
ip inspect name IF_Outside tcp
ip inspect name IF_Outside udp
ip inspect name IF_Outside ftp

And put this all to your outside interface:

interface FastEthernet0/0

ip access-group Outer_shield in

ip inspect IF_Outside out

exit

6. Turn off CDP at last at outside interface:

interface FastEthernet0/0

no cdp enable

exit

7. It's better to turn on aaa authentication. Right now you have made athentication via password at the lines. But you can forget to install it in the future or there can be update at the new IOS (for example at 2901 router I had a situation when with new IOS I got new line (with the name line 2) and this line by default had access by all protocols and from any interface. Only thanks to logging about fail authentications I noticed it). For turning it on use:

username [username] secret [password]

aaa new-model

aaa authentication login default local

8. Somebody can use aux interface instead of console interface for configuring router. Copy settings from con 0 to aux 0.

9. Turn off source routing:

no ip source-route

10. turn off http and https servers (or at last put ACL for it):

no ip http server
no ip http secure-server

or

ip http access-class 2
ip http authentication [aaa or local] (if you configured point 7)

11. Well, I don't see settings for ssh. So you can use it:

crypto key generate rsa general-keys label [lable] modulus [size] (btw this command don't shows at "show running-config")
ip ssh rsa keypair-name [lable]
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip ssh logging events

You can also tune some additional settings like bunner and so. But all what listed above is better to do.

hank · ‎02-09-2015

Wow. Great help AllertGen. Some of the things I thought I had done, I guess I had not (like SSH). I've configured everything in your list except I am having problems with Number 5. I can't get IP INSPECT to work and now I'm not getting return traffic as the Access-List for Outer_Shield is blocking. What do I need to do to get CBAC working? If my router doesn't have that feature installed, how can I install or how do I permit return traffic without it. Below is my config now. The Permits under Outer_Shield for q.q.q.0 and r.r.r.0 are for phones whose servers are located with an ASP. Thanks again.

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CsvRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
resource policy
!
no ip subnet-zero
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address x.x.x.t 192.x.x.x.z
ip dhcp excluded-address x.x.x.a x.x.x.g
!
ip dhcp pool voice
   network x.x.x.0 255.255.255.0
   dns-server y.y.y.11
   default-router x.x.x.1
!
!
no ip domain lookup
ip domain name abc.com
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh rsa keypair-name SSHKeys
ip ssh logging events
ip ssh version 2
!
voice-card 0
no dspfarm
!

username Sparky secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
interface FastEthernet0/0
ip address a.a.a.7 255.255.255.0
ip access-group Outer_Shield in
ip nat outside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
description Connection to Data VLAN
encapsulation dot1Q 1 native
ip address y.y.y.1 255.255.255.0
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/1.100
description Connection to voice VLAN
encapsulation dot1Q 100
ip address x.x.x.1 255.255.255.0
ip nat inside
no snmp trap link-status
!
ip classless
ip route 0.0.0.0 0.0.0.0 a.a.a.1
!
!
no ip http server
no ip http secure-server
ip nat pool ovrld a.a.a.7 a.a.a.7 prefix-length 24
ip nat inside source list 7 interface FastEthernet0/0 overload
ip nat inside source static tcp y.y.y.1 3389 interface FastEthernet0/0 3389
!
ip access-list extended Outer_Shield
permit ip q.q.q.0 0.0.0.63 host a.a.a.7
permit ip r.r.r.0 0.0.0.31 host a.a.a.7
permit ip b.b.b.0 0.0.0.255 host a.a.a.7
remark *** Deny All Other
deny ip any any log
!
access-list 2 remark ----- ACL for VTY Lines -----
access-list 2 permit b.b.b.0 0.0.0.255
access-list 2 deny any log
access-list 7 permit x.x.x.0 0.0.0.255
access-list 7 permit y.y.y.0 0.0.0.255
access-list 10 permit b.b.b.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
logging synchronous
line aux 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
logging synchronous
line vty 0 4
access-class 2 in
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
transport input ssh
line vty 5 15
access-class 2 in
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
transport input ssh
!
scheduler allocate 20000 1000
!
end

hank · ‎02-09-2015

My current IOS version is 2800nm-spservicesk9-mz.124-3f.bin. What do I need for CBAC?

AllertGen · ‎02-11-2015

Hi, hank@mgtamer.com.

You need IOS with securety feature (at IOS 12.X versions) or with activated securetyk9 licence (at IOS 15.X versions).

Best Regards.

hank · ‎02-09-2015

Never mind about CBAC. I changed the IOS version to advsecurityk9 and all is well. My new config is below. Any problems still remaining? Thanks for the help.

boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-5.bin
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
resource policy
!
no ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect name IF_Outside icmp router-traffic
ip inspect name IF_Outside tcp
ip inspect name IF_Outside udp
ip inspect name IF_Outside ftp
no ip dhcp use vrf connected
ip dhcp excluded-address x.x.x.201 x.x.x.254
ip dhcp excluded-address x.x.x.1 x.x.x.50
!
ip dhcp pool voice
   network x.x.x.0 255.255.255.0
   dns-server y.y.y.11
   default-router x.x.x.1
!
!
no ip domain lookup
ip domain name mgtamer.com
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh rsa keypair-name SSHKeys
ip ssh logging events
ip ssh version 2
!
!
!
!
username Sparky secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
!
interface FastEthernet0/0
ip address a.a.a.7 255.255.255.0
ip access-group Outer_Shield in
ip inspect IF_Outside out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
description Connection to Data VLAN
encapsulation dot1Q 1 native
ip address y.y.y.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0/1.100
description Connection to voice VLAN
encapsulation dot1Q 100
ip address x.x.x.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
ip route 0.0.0.0 0.0.0.0 a.a.a.1
!
no ip http server
no ip http secure-server
ip nat pool ovrld a.a.a.7 a.a.a.7 prefix-length 24
ip nat inside source list 7 interface FastEthernet0/0 overload
ip nat inside source static tcp y.y.y.11 3389 interface FastEthernet0/0 3389
!
ip access-list extended Outer_Shield
permit ip q.q.q.0 0.0.0.63 host a.a.a.7
permit ip r.r.r.0 0.0.0.31 host a.a.a.7
permit ip b.b.b.0 0.0.0.255 host a.a.a.7
remark *** Deny All Other
deny   ip any any log
!
access-list 2 remark ----- ACL for VTY Lines -----
access-list 2 permit b.b.b.0 0.0.0.255
access-list 2 deny   any log
access-list 7 permit x.x.x.0 0.0.0.255
access-list 7 permit y.y.y.0 0.0.0.255
access-list 10 permit b.b.b.0 0.0.0.255
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
logging synchronous
line aux 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
logging synchronous
line vty 0 4
access-class 2 in
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
transport input ssh
line vty 5 15
access-class 2 in
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
transport input ssh
!
scheduler allocate 20000 1000
!
end

AllertGen · ‎02-09-2015

Hi, hank@mgtamer.com.

Well, from my point of view there is no more crytical securety issues at configuration (the only thing that you didn't do is line "security authentication failure rate [number of failed tryes before sending a log message] log"). Just a few notices:

1. You can delete line "ip nat pool ovrld a.a.a.7 a.a.a.7 prefix-length 24" because you don't use this pool (just for keeping your configuration at clear state).

2. At PAT better use external IP address instead of intarface name. It's because at your version PAT will be used for any traffic that is comming to your external interface. I don't know your network and how you are getting internet from your ISP. But there is can be a situation when somebody would connect to the switch at your ISP and will send a packet with destination port: tcp 3389 and any destination IP address but with MAC address of your external interface. At this case it can reach your y.y.y.11. But, well, your ACL will permit this packet only if source IP address has permit to go trough.

3. Your ACL with number 2 is permiting access only from outside. You don't want have access from inside?

4. You can also place ACLs to your internal interfaces to limit access to your router or to the phones/internet.

5. If you want you can tune your securety more by changing CBAC configuration (for example make a limit for number of connections or to check a specific traffic type, etc), placing a banner, changing activation key for console interface (default is "enter" but you can make, for example, ctrl + k or some another), turning off echo responces about unreachable networks, turn on SNMP server (or send traps instead of it) and etc. There is a lot of things that you can do to raise your securety.

hank · ‎02-10-2015

Thanks, AllertGen. I will research the other features of which you speak. Just know you've already saved my butt. I've marked your answer as correct. All the best.

2811 - Please review my work