About 877-K9 Security

aozerenfoi
Level 1

Hi,

There are 9 remote and 1 central locations in our network. As you know, these routers have an ADSL port as the WAN interface. We already configured all of these 877 routers via SDM. The basic firewall was enabled in this config, and we permitted port 3389 for remote desktop connections in NAT on the central router. Remote locations cannot connect to the internet. They only connect to the central office (p2p) to execute an application in the central office.

But when we enable the basic firewall in this configuration, the other locations cannot connect to the central office to execute the application.

1. How can remote locations connect to the central office while the basic firewall is enabled?

2. How can we protect the central office router from ping, telnet, etc.?

Thanks & regards


jackyoung
Level 6

Please confirm you enabled UDP port 3389.

1) Yes, it depends on the configuration as to what traffic is allowed.

2) Just blocking the unwanted traffic, or allowing only the application you want, is fine. So in this case, if you only allow remote desktop, that already prevents traffic other than remote desktop from passing through.

Hope this helps.

This is the central office router config. Could you advise on this config?

Regards,

Sorry, I can't find any command in the router that allows the remote desktop only. You have to configure UDP 3389 as the only allowed traffic for remote sites.

Moreover, there are some ACL entries that are not required or that duplicate the function of the "deny any any" in 101.

And can you please try to remove the access-group command on the dialer and VLAN interfaces and test the connectivity first? This is to isolate whether the problem is the connectivity or the ACL.

Finally, please check the link below to determine whether there is any need to adjust the MTU and tcp adjust-mss for larger packets.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html

Hope this helps.

I tried to remove the access-group commands from the vlan1 and dialer0 interfaces. Then everybody started to connect to this router and executed the application via port 3389.

But now I want to secure this device. I mean, close it to telnet, ping, etc. But remote locations should still connect via port 3389.

How can I do that?

First, I will remove the access-group commands from the vlan and dialer interfaces. Then, what should I do?

Regards,

The reason to remove the access-group was to prove the remote desktop function. It seems it works, so you can now edit the ACL to limit the allowed traffic on the link.

1) Copy the existing ACL to a notepad for backup

2) Edit the ACL in notepad

3) Remove the ACL in router

4) Copy the modified ACL from notepad to router

5) Enable the access-group in interface

You can modify the ACL to allow the required traffic only. Just configure it like your current ACL but add the required list. Check below link for details.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c0.html

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080430e5b.html

e.g. for telnet:

! permit Telnet from the 10.1.1.0/24 network to the 20.1.1.0/24 network
! (extended ACLs take wildcard masks such as 0.0.0.255, not subnet masks)
access-list 101 permit tcp 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255 eq telnet
! drop everything not permitted above; this line must stay last
access-list 101 deny ip any any

The first ACL is used to allow telnet traffic; the second ACL is used to deny all traffic except what is listed above it.

Moreover, if you want to add an entry to a configured ACL in the router, you had better use notepad to copy the whole ACL and edit it in notepad, then remove the ACL with "no access-list 101" and copy the whole ACL from notepad back to the router. Also, the ACL is scanned by the router one-by-one in sequence, so be sure to put the "deny ip any any" last; otherwise it will block the traffic listed below it.

Please let us know if there is any issue.

Or please list what traffic you want to allow or filter and I will try to help. You can read the links above to understand how to configure ACLs first.

Hope this helps.
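Putting the steps above together for the original question (permit only remote desktop from the branches, shut the router itself to ping and Telnet), here is an added example configuration for the central 877. It is not the poster's running config and not jackyoung's; every address in it is a placeholder: the inside terminal server is assumed at 192.168.1.10 on Vlan1, the ADSL WAN is Dialer0, and the branch sites are assumed to arrive from the public addresses 203.0.113.10 and 203.0.113.20 (one permit line per site). Because an inbound ACL on the outside interface is evaluated before NAT, the destination it sees is whatever address the ISP gave Dialer0, so the destination is written as "any".

```cisco
! Added example for the central 877 (constructed; placeholder addresses throughout).
! Assumes: inside terminal server 192.168.1.10 on Vlan1, ADSL WAN on Dialer0,
! branch sites with public addresses 203.0.113.10 and 203.0.113.20.
!
! Publish TCP 3389 on whatever address Dialer0 obtains from the ISP.
ip nat inside source static tcp 192.168.1.10 3389 interface Dialer0 3389
!
! Rebuild the inbound WAN filter from scratch (step 3 and 4 of the procedure above).
no access-list 101
access-list 101 remark -- remote desktop from the branch sites only (one line per site)
access-list 101 permit tcp host 203.0.113.10 any eq 3389
access-list 101 permit tcp host 203.0.113.20 any eq 3389
access-list 101 remark -- replies to sessions opened from the LAN; not needed if the
access-list 101 remark -- SDM "ip inspect" rule is still applied outbound on Dialer0
access-list 101 permit tcp any any established
access-list 101 remark -- keep path-MTU discovery working across the ADSL link
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 remark -- everything else, including ping and Telnet aimed at the router,
access-list 101 remark -- is dropped and logged. First match wins, so this stays last.
access-list 101 deny   ip any any log
!
! Step 5: apply the filter inbound on the WAN (this is the access-group that was removed).
interface Dialer0
 ip access-group 101 in
!
! Clamp the TCP MSS on the LAN side so RDP packets fit the PPPoE/ADSL MTU.
interface Vlan1
 ip tcp adjust-mss 1412
!
! Management plane: the router answers only SSH, and only from the LAN, so the
! branches get remote desktop to the server but no login to the router itself.
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
```

Apply this from the console or a LAN-side session, because between "no access-list 101" and the re-applied access-group the interface filters nothing. Afterwards, "show access-lists 101" shows per-line hit counters (a branch that cannot connect will be incrementing the final deny rather than its permit line) and "show ip nat translations" confirms the 3389 mapping is being used.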
