Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Need help making a 1720 more secure??

Hi,

I am doing some work for a client that has a 1720. IOS 12.1

I just noticed that I can telnet in from home. How can I make this more secure? How can I tell if this unit has the VPN package? How do I view the firewall settings?

Thanks for your help,

Eric

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Need help making a 1720 more secure??

Hi,

Your image is C1700-O3Y-M. This means you have the IP/FW feature set. This feature set does include the IOS firewall but not VPN.

Regards,

Sigurbjartur

5 REPLIES
New Member

Re: Need help making a 1720 more secure??

Eric... here are 2 good links to router security. The one on the NSA's home page also has other security features. The router files are about 1/2 way down the page.

http://psyber.letifer.org/downloads/priv/cis-2.pdf

http://www.nsa.gov/snac/index.html

New Member

Re: Need help making a 1720 more secure??

Hi,

To control who can telnet into the box, you need to create an ACL which defines which source IP can telnet into the box and then you need to associate the ACL with the vtys.

!

! ACL to control telnet access

! Only permit telnet access from the 192.168.2.0/24 network

!

access-list 23 permit 192.168.2.0 0.0.0.255

!

line vty 0 4

! ACL associated with the vtys

access-class 23 in

And now only those specified by ACL 23 can telnet into the box. Instead of the Network/Wildcard you can use 'access-list 23 permit host 192.168.2.20' to allow a single host.

VPN?

The 'show version' command should yield a line that's something like :

"IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.3(1), RELEASE SOFTWARE (fc3)"

The C1700-K9O3SY7-M tells you which features are included in the software. If you see the letters 'k2' the software has VPN with 3DES encryption and if you see '56i' it has VPN with 56bit DES encryption.

If your software contains the IOS firewall feature (CBAC) you can view it's configuration using the following command:

sh ip inspect [ all | config | interfaces | name | sessions [detail]]

Regards,

Sigurbjartur

New Member

Re: Need help making a 1720 more secure??

Here is my version info:

Cisco Internetwork Operating System Software

IOS (tm) C1700 Software (C1700-O3Y-M), Version 12.1(5)T10, RELEASE SOFTWARE (fc

2)

TAC Support: http://www.cisco.com/tac

Copyright (c) 1986-2001 by cisco Systems, Inc.

Compiled Wed 08-Aug-01 02:34 by ccai

Image text-base: 0x800080E0, data-base: 0x806F02F4

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)

Duct&Vent uptime is 41 weeks, 2 days, 15 hours, 31 minutes

System returned to ROM by power-on

System image file is "flash:c1700-o3y-mz.121-5.T10.bin"

cisco 1720 (MPC860) processor (revision 0x601) with 24576K/8192K bytes of memory

.

Processor board ID JAD053308VL (1149039308), with hardware revision 0000

M860 processor: part number 0, mask 32

Bridging software.

X.25 software, Version 3.0.0.

1 FastEthernet/IEEE 802.3 interface(s)

1 Serial(sync/async) network interface(s)

32K bytes of non-volatile configuration memory.

Thanks for your help

Eric

New Member

Re: Need help making a 1720 more secure??

Hi,

Your image is C1700-O3Y-M. This means you have the IP/FW feature set. This feature set does include the IOS firewall but not VPN.

Regards,

Sigurbjartur

New Member

Re: Need help making a 1720 more secure??

Thank you for your reply.

This helps me alot,

Eric

86
Views
0
Helpful
5
Replies
CreatePlease to create content