Router security

shahid_duet
Level 1

Dear All

I'm using a Cisco 2821 (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T7, as a DMZ router. I want to secure my outside interface so that no one can reach my router.

What policy and security can I apply to the router?

How do I do it?

Thanking You

shahid

4 Replies

Latchum Naidu
VIP Alumni

Hi shahid,

What you can do is...

1. Create an access-list and apply it to line con so that no one can telnet or SSH to your router except the permitted IPs or networks in that access-list.
2. Define an extended access-list with all the networks you want to allow, and at the end you can deny any any.
3. Disable the HTTP server.
4. Use the SNMP server feature if you have SNMP enabled on your router.


Please rate the helpful posts.
Regards,
Naidu.

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Have an external-interface input ACL that blocks all traffic to the interface's IP (except for routing or other known/approved traffic to the interface's IP), i.e. external traffic with the interface's IP as destination.

Extend the ACL to control what traffic you allow to transit the interface inbound, or use firewall rules and/or NAT.
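As an added example (not taken from any reply in this thread), this is how the outside-interface input ACL described above, together with a vty restriction, could look in IOS 12.4 syntax. The interface name, all addresses (documentation ranges), the management host and the DMZ services are assumed placeholders; substitute your own.

```cisco
! Assumed topology (not from the thread): Gi0/0 is the outside interface with
! 203.0.113.2/30, provider next hop 203.0.113.1, DMZ servers in 198.51.100.0/24,
! management station 192.0.2.10 reachable via the inside interface.
!
! --- Management plane: only the management host may reach the vty lines, SSH only ---
ip access-list standard MGMT-HOSTS
 permit host 192.0.2.10
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
no ip http server
no ip http secure-server
! Disable SNMP entirely if it is unused; otherwise restrict it with a view and an ACL.
no snmp-server
!
! --- Data plane: inbound ACL on the outside interface ---
! Entries are matched top-down, first hit wins, so the order below matters.
ip access-list extended OUTSIDE-IN
 remark 1. Anti-spoofing: our own and loopback ranges must never arrive from outside
 deny   ip 198.51.100.0 0.0.0.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark 2. Known/approved traffic aimed at the interface IP itself
 permit icmp host 203.0.113.1 host 203.0.113.2 echo
 permit icmp any host 203.0.113.2 unreachable
 permit icmp any host 203.0.113.2 time-exceeded
 ! If a routing protocol runs over this link, permit it here, before step 3.
 remark 3. Everything else destined to the router's own address is dropped
 deny   ip any host 203.0.113.2 log
 remark 4. Transit traffic allowed to reach the DMZ hosts (assumed services)
 permit tcp any host 198.51.100.10 eq 443
 permit tcp any host 198.51.100.10 eq 80
 permit udp any host 198.51.100.53 eq domain
 remark 5. Replies to sessions opened from inside (stateless TCP-flag check only)
 permit tcp any 198.51.100.0 0.0.0.255 established
 remark 6. Implicit deny made explicit so hits show up in 'show access-lists'
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside / ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
```

The `established` entry only checks TCP flags and is no substitute for stateful inspection; verify the counters with `show access-lists OUTSIDE-IN` after applying it.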

Nandan Mathure
Level 1

@shahid_duet

I would suggest you can use either 1) reflexive access-lists, 2) context-based access-lists, or 3) a zone-based firewall solution (depending on complexity).

In the case of a zone-based solution you can inspect the TCP, UDP, IP and ICMP traffic as required, or allow selected traffic to pass without inspection, etc. Only return traffic that was generated inside or on the router is allowed. All traffic originating outside will be dropped by default unless you specify otherwise.

thiland
Level 3

In addition to what others have already said, you can get specific configuration snippets by using IOS Auto Secure and reviewing the NSA Router Security Guides.

I would suggest running auto secure on a non-production device, manually modifying the resulting config to suit your needs, then applying it to your production router.

IOS Auto Secure

Router# auto secure full

NSA Cisco Router Guides

http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/cisco_router_guides.shtml

Cisco SAFE Network Foundation CVD

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/networking_solutions_products_genericcontent0900aecd805f631a.html

Cisco Network Security Baseline Sample Config

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/appendxA.html
