Cisco Support Community

Securing my 827

Hey all,

Got the basic config of my 827 going; however, I want to disable ICMP replies to external hosts and close telnet off. Anyone got any suggestions on general hardening of the below config? Cheers.

sh run

Building configuration...

Current configuration : 1624 bytes

version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption

hostname X

logging rate-limit console 10 except errors
enable secret 5 X

username X privilege 15 password 7 X
username X password 7 X
ip subnet-zero
no ip finger
ip name-server X
ip name-server X

no ip dhcp-client network-discovery
vpdn enable
no vpdn logging

vpdn-group 1
 protocol pppoe

interface Ethernet0
 ip address
 ip adjust-mss 1452
 ip nat inside

interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  protocol pppoe
  pppoe-client dial-pool-number 1

 pvc 8/35
  protocol pppoe
  pppoe-client dial-pool-number 1

 dsl operating-mode auto

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname ahucker
 ppp chap password 7 X
 ppp pap sent-username X password 7 X
 ppp ipcp dns request
 ppp ipcp wins request

ip classless
ip route Dialer1
no ip http server

ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip any
dialer-list 1 protocol ip permit

line con 0
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 30 0
 login local
 length 0

scheduler max-task-time 5000



Re: Securing my 827

Step 1 To disable ICMP debug messages, enter the following command:

hostname(config)# no debug icmp trace

Step 2 To disable logging, if desired, enter the following command:

hostname(config)# no logging on

Step 3 To remove the ICMPACL access list, and also delete the related access-group commands, enter the following command:

hostname(config)# no access-list ICMPACL

Step 4 (Optional) To disable the ICMP inspection engine, enter the following command:

hostname(config)# no service-policy ICMP-POLICY


Re: Securing my 827

Some things you might consider:

-global commands-
no snmp-server
no ip identd
no ip bootp server
no ip source-route
no ip gratuitous-arps
no ip directed-broadcast
no ip domain-lookup
no ip http server
no ip http secure-server
no cdp run
service tcp-keepalives-in
service tcp-keepalives-out
service sequence-numbers
login on-failure log
login on-success log
login block-for 60 attempts 3 within 30

- use SSH only to connect to the router; if possible force version 2, and put an access list on the vty lines to restrict access -
ip ssh version 2
line vty 0 4
 transport input ssh

- on interfaces use the following -
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
no cdp enable
ntp disable
- to disable common IP vulnerabilities

Beyond that, set up good logging and a trusted time source. Also, use access lists to filter packets that should not be entering an interface; for example, on int e0 block all but , depending on how paranoid you want to be. On the external interface block private networks, loopback, multicast, etc.
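As an added example (not part of the thread and not a Cisco tool), the Python script below checks a running-config against the list in the reply above and prints the commands that are missing, grouped the way they would be pasted under configure terminal. SAMPLE_CONFIG is a trimmed copy of the poster's 827 config with a constructed LAN address; using access-list 23 as the management ACL is an assumption borrowed from a later reply.

```python
"""Audit an IOS running-config against the hardening list in the reply above.
Added example, not code from the thread. 'show run' omits defaults, so only
commands that change a default are checked; 'no ip directed-broadcast' is
skipped because it is the default since IOS 12.0 and never shows up."""
from collections import OrderedDict

# Constructed: a trimmed copy of the poster's 827 config with a placeholder LAN address.
SAMPLE_CONFIG = """\
version 12.1
service password-encryption
hostname X
no ip finger
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
interface ATM0
 no ip address
interface Dialer1
 ip address negotiated
 ip nat outside
no ip http server
line con 0
 transport input none
line vty 0 4
 exec-timeout 30 0
 login local
"""

# Global commands from the reply; each appears verbatim in 'show run' once set.
REQUIRED_GLOBAL = [
    "no ip source-route", "no ip bootp server", "no ip gratuitous-arps",
    "no ip domain-lookup", "no ip http server", "no ip http secure-server",
    "no cdp run", "service tcp-keepalives-in", "service tcp-keepalives-out",
    "service sequence-numbers", "login on-failure log", "login on-success log",
    "login block-for 60 attempts 3 within 30", "ip ssh version 2",
]
REQUIRED_INTERFACE = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]
MGMT_ACL = 23  # assumption: standard ACL naming the management subnet (as in a later reply)


def parse_config(text):
    """Split a running-config into top-level lines and indented sections.
    sections maps a header such as 'interface Dialer1' or 'line vty 0 4' to its
    indented children; deeper nesting (pvc under ATM0) is flattened into the parent."""
    top, sections, current = [], OrderedDict(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.rstrip()
        top.append(current)
        sections.setdefault(current, [])
    return top, OrderedDict((k, v) for k, v in sections.items() if v)


def audit(text):
    """Return (finding, fix) pairs; an empty list means every check passed."""
    top, sections = parse_config(text)
    findings = [(f"global: missing '{cmd}'", cmd) for cmd in REQUIRED_GLOBAL if cmd not in top]
    if any(line.startswith("snmp-server community") for line in top):
        findings.append(("global: SNMP community string configured", "no snmp-server"))
    for header, children in sections.items():
        if header.startswith("interface "):
            if not any(c.startswith("ip address") for c in children):
                continue  # no IP on it, so the L3 checks do not apply
            findings += [(f"{header}: missing '{cmd}'", cmd)
                         for cmd in REQUIRED_INTERFACE if cmd not in children]
        elif header.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if transports != ["transport input ssh"]:
                current = transports[0] if transports else "default"
                findings.append((f"{header}: telnet allowed ({current})", "transport input ssh"))
            if not any(c.startswith("access-class") for c in children):
                findings.append((f"{header}: no access-class restricting management sources",
                                 f"access-class {MGMT_ACL} in"))
    return findings


def remediation(text):
    """Group the fixes into lines that can be pasted under 'configure terminal'."""
    grouped = OrderedDict()
    for finding, fix in audit(text):
        grouped.setdefault(finding.split(":", 1)[0], []).append(fix)
    lines = []
    for scope, fixes in grouped.items():
        if scope == "global":
            lines.extend(fixes)
        else:
            lines.append(scope)
            lines.extend(" " + f for f in fixes)
    return lines


if __name__ == "__main__":
    for finding, _ in audit(SAMPLE_CONFIG):
        print("FAIL", finding)
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Run against the sample it reports 21 findings (13 missing globals, three per routed interface, and two on the vty lines). Two things to keep in mind: the checks only see what "show run" prints, so anything that is already the IOS default is neither detected nor needed; and "login block-for", "login on-failure log", "login on-success log" and "ip ssh version 2" only exist on 12.3T and later images, so on the 12.1 image in the question those four lines will be rejected until the IOS is upgraded.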




Re: Securing my 827

I have found the SDM_LOW config to be vulnerable to attack.

I have tried running this config and I get inundated with disconnects and the dialer interface being hammered until it falls over.

I am trying to find out if my 837 can be upgraded to a stronger IOS version so that I can beef up the firewall with SDM.

Otherwise I will have to read up on firewalls and edit the config myself.

Re: Securing my 827


There are one or two ways to completely lock down your router, because given your config it is a bit exposed. Download SDM from Cisco and install it either on the router or on your PC. You should run the firewall wizard and then run the Security Check tool. Both of these ensure that your router is fairly secure. These enable all interface security, IOS firewall, application layer packet inspection and stateful packet inspection.

You can also deny access to telnet from SDM.

A good learning curve here is to look at your config before and after SDM features are implemented.

Otherwise the below config will suffice;

ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive

interface Dialer1
 ip inspect SDM_LOW out
 ip access-group 101 in

access-list 101 remark Allow external PPTP
access-list 101 permit gre any any
access-list 101 deny ip any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any
access-list 101 deny ip any
access-list 101 deny ip any
access-list 101 deny ip any
access-list 101 deny ip host any
access-list 101 deny ip host any

access-list 23 permit tcp
access-list 23 deny any

line vty 0 4
 password *password*
 access-class 23 in


The above locks telnet down to the subnet and the 101 ACL denies ICMP replies from the ADSL interface.

HTH, Pls Rate Posts
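As an added example (not the reply's own code and not something SDM generates), the Python below parses an extended ACL written in the same access-list 101 syntax and evaluates sample inbound packets against it with the IOS first-match and implicit-deny rules. Because the forum stripped the source networks out of the reply's deny lines, the ACL text here is constructed: the usual anti-spoof entries (RFC 1918, loopback, multicast, 0.0.0.0) are assumed, and they are placed before the ICMP permits so that a spoofed echo-reply from 10/8 is dropped instead of let in. 203.0.113.5 stands in for the address PPP negotiates on Dialer1 and the remote hosts are documentation addresses, all constructed.

```python
"""First-match simulator for an IOS numbered extended ACL (access-list 101 above).
Added example, not the reply's code. ACL_TEXT is constructed: the source
networks the forum stripped from the deny lines are assumed to be the usual
anti-spoof ranges, placed ahead of the ICMP permits on purpose."""
import ipaddress
from typing import NamedTuple, Optional

ACL_TEXT = """\
access-list 101 remark anti-spoof first, expected replies next, implicit deny last
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit gre any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 1723
"""


class Ace(NamedTuple):
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'ip' matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str] = None  # IOS keyword such as 'echo-reply'
    dport: Optional[int] = None      # from 'eq <port>' on tcp/udp


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None
    dport: Optional[int] = None


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> network: inverting the wildcard gives the netmask.
    A non-contiguous wildcard makes ipaddress raise instead of matching the wrong range."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_addr(tokens):
    """Consume one address spec from the token list: 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(text, number):
    """Parse the 'access-list <number> ...' lines of a config; remark lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)] or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        icmp_type = dport = None
        if rest and proto == "icmp":
            icmp_type = rest[0]
        elif rest and proto in ("tcp", "udp") and rest[0] == "eq":
            dport = int(rest[1])
        elif rest:
            raise ValueError(f"unsupported qualifier in: {line}")
        aces.append(Ace(action, proto, src, dst, icmp_type, dport))
    return aces


def ace_matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl, pkt):
    """IOS semantics: the first matching entry decides; no match is the implicit deny.
    Returns (action, entry number); the entry number is None for the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace_matches(ace, pkt):
            return ace.action, n
    return "deny", None


WAN = "203.0.113.5"  # constructed stand-in for the negotiated Dialer1 address
SAMPLE_PACKETS = [   # constructed traffic arriving inbound on Dialer1
    ("ping from the Internet",  Packet("icmp", "198.51.100.7", WAN, icmp_type="echo")),
    ("reply to our own ping",   Packet("icmp", "198.51.100.7", WAN, icmp_type="echo-reply")),
    ("spoofed reply from 10/8", Packet("icmp", "10.1.2.3", WAN, icmp_type="echo-reply")),
    ("telnet to the router",    Packet("tcp", "198.51.100.7", WAN, dport=23)),
    ("PPTP control channel",    Packet("tcp", "198.51.100.7", WAN, dport=1723)),
    ("PPTP GRE tunnel",         Packet("gre", "198.51.100.7", WAN)),
]


def run(acl_text=ACL_TEXT, packets=SAMPLE_PACKETS):
    """Evaluate each sample packet; returns [(description, action, entry number)]."""
    acl = parse_acl(acl_text, 101)
    return [(desc, *evaluate(acl, pkt)) for desc, pkt in packets]


if __name__ == "__main__":
    for desc, action, n in run():
        where = f"entry {n}" if n else "implicit deny"
        print(f"{desc:26} -> {action:6} ({where})")
```

The inbound ping is dropped by the implicit deny (no entry permits echo), which is what "no ICMP replies to the outside" amounts to on the ADSL side, while echo-reply, time-exceeded and unreachable still come back for the router's own pings and traceroutes. Only the static ACL is modelled: the dynamic openings CBAC creates for sessions inspected by "ip inspect SDM_LOW out" are not represented, which is why ordinary outbound TCP from the LAN keeps working on the real router even though nothing in 101 permits its return traffic. The order-of-entries point is the one to take away: with the RFC 1918 denies after the ICMP permits, as the reply's listing has them, a spoofed echo-reply from 10.1.2.3 would match the permit first.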
