Does this router config look secure enough?

Unanswered Question
Feb 14th, 2008

Hi, I have this config that is used for our Cisco routers at remote sites. They connect to a Cisco Concentrator. We use 877's, 878's and 1841's and use this attached config (apart from some changes to the interfaces). Any tweaks would be most welcome.

Many thanks

I was just wondering if the config looks ok or could be done better. I know nothing is 100% secure, but just want a second opinion. Any IPs that appear as x.x.156.64 or x.x.156.100 are our external public-facing IPs of our HQ.

Wilson Samuel Thu, 02/14/2008 - 06:56

Hi Whiteford,

A few lines from me:

1. You may want to enable "Service Password Encryption"

2. Enable AES rather than 3DES (I'm not sure whether this router / IOS supports it or not)

3. Are you sure you need IP NBAR? If yes then I would request you to check with your Carrier if they support QoS over Internet, otherwise it's just an overhead.

4. Finally an easy way to secure router would be to run AutoSecure, very much like Auto Qos.

Hope that helps,

Please rate if it's helpful.

Kind Regards,

Wilson Samuel

whiteford Sun, 02/17/2008 - 07:14

Can Cisco 877 use AES-256/SHA instead of 3DES/MD5?

What's the difference between "enable secret" and "enable password"?

Danilo Dy Sun, 02/17/2008 - 07:31


Cisco 870 series routers support AES for IPSec

I find AES faster than 3DES; I read in a document that some AES implementations are up to 6x faster than 3DES

The encryption scheme of "enable password" is weak. It should not be used in any implementation.

BTW, to add to your security: if you can use AAA for authentication it would be best, and only use the local account for emergencies and change its password once it has been used. Some procedures put this emergency account name and password in a security envelope kept in a safe inside the data centre, accessible only to a few personnel with a sign-on/off record.



whiteford Sun, 02/17/2008 - 10:20

I'll try and get the 877's to use AES-256/SHA instead of 3DES/MD5

As these are live VPN routers, what would be the best way to move them over?

whiteford Sun, 02/17/2008 - 10:41

Is that AES-256/SHA change just for the encryption? Below is just an example of one of my VPN configs, what would I change:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key jgC12345h%1a address *.*.*.*

crypto ipsec transform-set T_Set esp-3des esp-md5-hmac

crypto map Crypto_Map 10 ipsec-isakmp
 set peer *.*.*.*
 set transform-set T_Set
 match address 101


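As an added editor's example (not a config from the thread or from Cisco), here is the posted 3DES/MD5 fragment beside an AES-256/SHA equivalent, staged so a live tunnel keeps negotiating during the cutover because the old proposals are kept as a lower-priority fallback until the concentrator side has been changed. The peer address, pre-shared key and enable secret are placeholders, the name `AES_Set` is assumed, DH group 2 is left as posted, and the hub must accept the same proposals for the new set to be selected.

```text
! --- BEFORE (as posted in the thread): 3DES/MD5 for phase 1 and phase 2 ---
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address <PEER-IP>
crypto ipsec transform-set T_Set esp-3des esp-md5-hmac
crypto map Crypto_Map 10 ipsec-isakmp
 set peer <PEER-IP>
 set transform-set T_Set
 match address 101
!
! --- AFTER: AES-256/SHA preferred; old 3DES/MD5 kept only as a lower-priority
! --- fallback until the concentrator side has been switched over ---
service password-encryption
enable secret <NEW-ENABLE-SECRET>
no enable password
!
! Phase 1 (ISAKMP): a lower policy number is a higher priority, so 1 is offered first
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! (group 2 kept as posted; use a stronger DH group if both ends support one)
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address <PEER-IP>
!
! Phase 2 (IPsec): transform sets are proposed in the order listed on the map
crypto ipsec transform-set AES_Set esp-aes 256 esp-sha-hmac
crypto ipsec transform-set T_Set esp-3des esp-md5-hmac
crypto map Crypto_Map 10 ipsec-isakmp
 set peer <PEER-IP>
 set transform-set AES_Set T_Set
 match address 101
!
! After "show crypto isakmp sa" / "show crypto ipsec sa" confirm AES is in use,
! remove the fallback:
! no crypto isakmp policy 5
! no crypto ipsec transform-set T_Set
! crypto map Crypto_Map 10 ipsec-isakmp
!  set transform-set AES_Set
```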