About 877-K9 Security

Unanswered Question
Sep 10th, 2006
Hi,

There are 9 remote & 1 central locations in our network. As you know, these routers have an ADSL port as a WAN interface. We already configured all of these 877 routers via SDM. Basic firewall was enabled in this config. And we permitted port 3389 for remote desktop connection in NAT on the central router. Remote locations cannot connect to the internet. They only connect to the central office (p2p) for executing an application in the central office.


But, when we enable the basic firewall in this configuration, other locations cannot connect to the central office to execute the application.


1. How can remote locations connect to the central office while the basic firewall is enabled?

2. How can we protect the central office router from ping, telnet, etc.?


Thanks & regards

jackyoung Sun, 09/10/2006 - 17:32

Please confirm you enabled the UDP port 3389.


1) Yes, it depends on the configuration to allow what traffic.


2) Just blocking the unwanted traffic or allowing the application you want is fine. So in this case, you only allow the remote desktop, then it already prevents traffic other than remote desktop from passing through.


Hope this helps.

jackyoung Mon, 09/11/2006 - 00:56

Sorry, I can't find any command in the router that allows the remote desktop only. You have to configure UDP 3389 as the only allowed traffic for remote sites.


Moreover, there are some ACL entries that are not required or duplicate the function of the "deny any any" in 101.


And, can you please try to remove the access-group command in the dialer and VLAN and test the connectivity first. It is used to isolate the problem to the connectivity or the ACL.


Finally, please check the link below to determine whether there is any need to adjust the MTU & tcp adjust-mss for larger packets.


http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html


Hope this helps.



aozerenfoi Mon, 09/11/2006 - 02:10
I tried to remove the access-group commands from the vlan1 and dialer0 interfaces. Then everybody started to connect to this router and executed the application via port 3389.


But now I want to secure this device. I mean, close it to telnet, ping, etc. But remote locations should connect via port 3389.


How can I do that?


First, I will remove the access-group commands from the vlan and dialer interfaces. Then, what should I do?


Regards,

jackyoung Mon, 09/11/2006 - 18:12

The reason to remove the access-group was to prove the remote desktop function; it seems it works, so you can edit the ACL to limit the link to the allowed traffic only.


1) Copy the existing ACL to a notepad for backup

2) Edit the ACL in notepad

3) Remove the ACL in the router

4) Copy the modified ACL from notepad to the router

5) Enable the access-group on the interface



You can modify the ACL to allow the required traffic only. Just configure it like your current ACL but add the required entries. Check the links below for details.


http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c0.html


http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080430e5b.html


e.g. for telnet


access-list 101 permit tcp 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255 eq telnet

access-list 101 deny ip any any


The first ACL entry is used to allow telnet traffic; the second is used to deny all traffic except what is listed above it.


Moreover, if you want to add an entry to an ACL already configured in the router, you had better use notepad to copy the whole ACL, edit it in notepad, then remove that ACL with "no access-list 101", then copy the whole ACL from the notepad to the router. Moreover, the ACL will be scanned by the router one-by-one in sequence, so be sure to put the "deny ip any any" last; otherwise, it will block the traffic which is listed below this command.


Please let us know if there is any issue.


Or please list what traffic you want to allow or filter, then I will try to help. You can read the links above to understand how to configure an ACL first.


Hope this helps.
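The two points made in this reply, that an extended ACL is scanned top to bottom with the first matching entry deciding, and that the "deny ip any any" must therefore come last, can be checked without a router. The following Python simulator is an added example and is not part of the thread or of Cisco's documentation: it parses numbered extended ACL lines in the syntax shown above (including the implicit deny every ACL ends with), then evaluates constructed sample packets against a correctly ordered ACL and against the same entries with the deny placed first. The addresses (192.168.10.0/24 as a remote site, 20.1.1.1 as the central router's outside address onto which 3389 is forwarded, 203.0.113.7 as an arbitrary Internet host) and the use of TCP 3389 for Remote Desktop are assumptions for the example.

```python
"""ACL first-match simulator (added example, not code from the forum thread).

Numbered extended ACL lines are evaluated the way the router does it: top to
bottom, first matching entry wins, and a packet that matches nothing hits the
implicit "deny ip any any" at the end of every ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the example (assumption, not from the thread):
# 192.168.10.0/24 remote site LAN, 20.1.1.1 central router outside address.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (network, mask_of_bits_that_must_match, next_token_index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    fixed = ~wildcard & 0xFFFFFFFF      # wildcard 0-bits must match exactly
    return addr & fixed, fixed, i + 2


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: int
    src_mask: int
    dst: int
    dst_mask: int
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if (int(ipaddress.IPv4Address(p.src)) & self.src_mask) != self.src:
            return False
        if (int(ipaddress.IPv4Address(p.dst)) & self.dst_mask) != self.dst:
            return False
        return self.dport is None or p.dport == self.dport


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue                     # skip "!" comments and blank lines
        action, proto = t[2], t[3]
        src, src_mask, i = _parse_addr(t, 4)
        dst, dst_mask, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append(Entry(action, proto, src, src_mask, dst, dst_mask, dport))
    return entries


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry decides; nothing matched means implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"


# Inbound on the Internet-facing interface: Remote Desktop (TCP 3389) from the
# remote site to the router's forwarded outside address, everything else dropped,
# which also covers telnet and ping aimed at the router itself.
ACL_GOOD = """
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 20.1.1.1 eq 3389
access-list 101 deny ip any any
"""

# Same entries with the deny first: scanned first, it shadows the permit.
ACL_BAD = """
access-list 101 deny ip any any
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 20.1.1.1 eq 3389
"""

SAMPLE = {                               # constructed test packets
    "rdp":    Packet("tcp", "192.168.10.5", "20.1.1.1", 3389),
    "telnet": Packet("tcp", "203.0.113.7", "20.1.1.1", 23),
    "ping":   Packet("icmp", "203.0.113.7", "20.1.1.1"),
}


def decisions(acl_text: str) -> dict:
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    print("deny last :", decisions(ACL_GOOD))
    print("deny first:", decisions(ACL_BAD))
```

Running it shows the correctly ordered ACL permitting only the RDP packet, while the reordered one denies everything, which is exactly the "otherwise it will block the traffic listed below this command" case. To reproduce the telnet example from the reply, feed the two lines above into `parse_acl` and evaluate a packet with `dport=23`.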

