
Securing Internet gateway - 1841 router

jtphilies
Level 1

Hi,

I have just built a new gateway with one of our older routers, an 1841. I currently have it connected to the outside world and would like to know of any further suggestions to secure it.

Currently I have created an ACL so that HTTP, HTTPS and DNS only get through for now. With the implied deny all at the end of this ACL, I would expect ICMP to stop.

Also an ACL on the VTY interface to limit access only to physical console.

Below is my current config

!
hostname #########
!
ip name-server 70.70.80.#
!
interface FastEthernet0/0
 description Internet
 ip address 203.203.#.# 255.255.255.252
 ip nat outside
 speed 10
 half-duplex
!
interface FastEthernet0/1
 description Inside
 ip address 192.168.1.253 255.255.255.0
 ip access-group AllowWeb in
 ip nat inside
 speed auto
 full-duplex
!
ip route 0.0.0.0 0.0.0.0 203.203.#.#
!
!
ip http server
ip nat inside source list 5 interface FastEthernet0/0 overload
!
ip access-list extended AllowWeb
 permit tcp any any eq 443
 permit tcp any any eq www
 permit udp any any eq domain
!
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 101 deny tcp any any eq telnet
!
line con 0
line aux 0
line vty 0 4
 access-class 101 in
 login
!
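
The first-match and implicit-deny behaviour the post relies on, as an added example that is not part of the original post: a small Python model of the two ACLs from the config above, run against constructed sample traffic. It assumes only the entry form used in the post (`any any` with an optional `eq` port), so it compares protocol and destination port only; `SAMPLES` and the function names are illustrative.

```python
# Added example: first-match evaluation of the two ACLs in the posted config.
ACLS = {
    "AllowWeb": [
        "permit tcp any any eq 443",
        "permit tcp any any eq www",
        "permit udp any any eq domain",
    ],
    "101": ["deny tcp any any eq telnet"],
}
# IOS port keywords that appear in the post, with their well-known numbers.
PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23}


def parse_entry(line):
    """Parse '<action> <proto> any any [eq <port>]', the only form the post uses."""
    tok = line.split()
    if len(tok) not in (4, 6) or tok[2:4] != ["any", "any"]:
        raise ValueError("unsupported ACL entry: " + line)
    port = None
    if len(tok) == 6:
        if tok[4] != "eq":
            raise ValueError("unsupported port operator: " + line)
        port = PORT_NAMES[tok[5]] if tok[5] in PORT_NAMES else int(tok[5])
    return tok[0], tok[1], port


def evaluate(acl_name, proto, dport=None):
    """Return (action, deciding entry). First match wins; no match is denied."""
    for line in ACLS[acl_name]:
        action, entry_proto, port = parse_entry(line)
        if entry_proto in (proto, "ip") and (port is None or port == dport):
            return action, line
    return "deny", "implicit deny"


# Constructed sample traffic: (ACL, protocol, destination port).
SAMPLES = [
    ("AllowWeb", "tcp", 443), ("AllowWeb", "tcp", 80), ("AllowWeb", "udp", 53),
    ("AllowWeb", "tcp", 53), ("AllowWeb", "icmp", None),
    ("101", "tcp", 23), ("101", "tcp", 22),
]

if __name__ == "__main__":
    for acl, proto, dport in SAMPLES:
        action, why = evaluate(acl, proto, dport)
        print(f"{acl:9} {proto:4} {str(dport):5} -> {action:6} ({why})")
```

Access list 101 holds a single deny entry, so every sample checked against it is denied, either by that entry or by the implicit deny.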


andrew.burns
Level 7

Hi,

Securing a router is a huge topic, but there are a number of standard ways of doing it. Best thing is to go through the following training and see how closely your config matches.

http://www.cisco.com/E-Learning/bulk/public/celc/SECR/start.html

HTH

Andrew.

Thanks very much Andrew.