Solved

Wanted Cisco Router 1721 Security polices

Posted on 2002-07-21
290 Views
Last Modified: 2010-04-17
Hi

I have just installed a Cisco 1721 on a public network (internet connectivity) for a small office. I have been given 20 IPs from my ISP to use.

As of now I have done a NAT between my office IPs and the ISP IPs.

What security measures can I undertake to guard against any untoward incident on my office network? Please give security settings.

Can anyone inform me on how PAT (Port Address Translation) works and how to do it? Is PAT more secure than NAT?

Thanks
0
Comment
Question by:99star
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 7168069
PAT is not more secure than NAT, and it is more difficult to manage and will break some connections.
I need a few more details from you:
What IOS feature set do you have? IP Only? Firewall?
Do you have internal servers that need to be accessed from the outside? Email? Web? DNS? FTP? POP3?
Do you have internal users that need to make VPN connections to external servers?

If you have the firewall feature set, you can enable Intrusion Detection features also.

Here are some guidelines for securing an external router, not including FW and/or IDS features:
http://www.insecure.org/news/P55-10.txt
http://nsa1.www.conxion.com/cisco/index.html
NAT/PAT discussion:
http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html
0
 

Expert Comment

by:eheston
ID: 7168644
Make sure the IOS is a fairly recent General Deployment (GD) version.

Apply a telnet access-list to the router:

access-list 25 permit 192.168.1.0 0.0.0.255
line vty 0 15
 access-class 25 in

Switch to PAT if possible (not using VPN, H.323):

ip nat inside source list 1 interface Serial0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255

The reason is, PAT makes it pretty much impossible for Internet devices to create a connection to your internal hosts. If you are using one-to-one NAT for every device, you have to rely on your access-lists much more to provide security, or implement firewall IOS properly, which can be confusing if you are inexperienced. You will still need static NAT translations for any servers like e-mail, but if you only have one of each type, they can all be done using the same IP address (port forwarding), like this:

ip nat inside source static tcp 192.168.1.2 25 interface Serial0/0 25

The interface command in the above statement tells the router to use the IP address assigned to the Serial 0/0 interface for its NAT translations.  Make sure to coordinate your public DNS changes when making these changes, or you will be in trouble.  Have your ISP set cache times for the zone down low.  Or, you could use your current IPs and just do port forwarding for the necessary services by substituting "interface Serial 0/0 25" with "x.x.x.x 25".

There are a few more things to consider, like disabling/restricting SNMP and HTTP access to the router. You should also set up good password security. After you get finished with your config, test the router from the internet with a port scanner, like YAPS, to make sure it is secure.

If you host an IIS server, there are a few more nice things you can do with NBAR to provide more security for it. The above are just the basics.

Good luck!
0
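A toy model of the behaviour eheston's comment describes (and the asker's question about how PAT works), added here as an example and not part of the thread or of IOS: outbound connections from the 192.168.1.0/24 network create translations on the single Serial0/0 address, a static entry forwards TCP/25 to the mail server, and unsolicited packets to any other port have no entry and are dropped, whereas one-to-one NAT passes every port through to the inside host. The public addresses, ports and the 1:1 mapping are constructed values.

```python
"""Toy model of PAT ('overload') versus one-to-one NAT (constructed example, not IOS
code): one public address on Serial0/0 is shared by inside hosts; TCP/25 is forwarded."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]  # (ip address, port)

@dataclass
class PatRouter:
    outside_ip: str                    # address of the Serial0/0 interface
    inside_net: str = "192.168.1."     # network permitted by access-list 1
    next_port: int = 1024              # next free public port to hand out
    dynamic: Dict[int, Flow] = field(default_factory=dict)  # public port -> inside flow
    static: Dict[int, Flow] = field(default_factory=dict)   # port forwards

    def add_static(self, inside: Flow, outside_port: int) -> None:
        """ip nat inside source static tcp <ip> <port> interface Serial0/0 <port>"""
        self.static[outside_port] = inside

    def outbound(self, src: Flow) -> Optional[Flow]:
        """Inside host opens a connection: create (or reuse) a translation."""
        if not src[0].startswith(self.inside_net):
            return None                # access-list 1 does not permit it
        for port, inside in self.dynamic.items():
            if inside == src:
                return (self.outside_ip, port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[port] = src
        return (self.outside_ip, port)

    def inbound(self, dst: Flow) -> Optional[Flow]:
        """A packet from the Internet is delivered only if a translation exists."""
        entry = self.static.get(dst[1]) or self.dynamic.get(dst[1])
        return entry if dst[0] == self.outside_ip else None

def one_to_one_inbound(mapping: Dict[str, str], dst: Flow) -> Optional[Flow]:
    """Static 1:1 NAT: every port of the public address reaches the inside host."""
    inside_ip = mapping.get(dst[0])
    return (inside_ip, dst[1]) if inside_ip else None

def demo() -> dict:
    r = PatRouter(outside_ip="203.0.113.1")        # constructed public IP (TEST-NET-3)
    r.add_static(("192.168.1.2", 25), 25)          # mail server, as in the comment
    public = r.outbound(("192.168.1.10", 40000))   # a workstation connects out
    return {
        "reply_to_workstation": r.inbound(public),                   # reply gets through
        "unsolicited_to_3389": r.inbound(("203.0.113.1", 3389)),     # no entry: dropped
        "smtp_to_server": r.inbound(("203.0.113.1", 25)),            # static forward
        "one_to_one_3389": one_to_one_inbound({"203.0.113.5": "192.168.1.10"}, ("203.0.113.5", 3389)),
    }
```

With one-to-one NAT the last entry shows the inside host reached on an arbitrary port, which is exactly the case where only an access-list stands between the Internet and that host.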
 
LVL 2

Expert Comment

by:edmonds_robert
ID: 7169386
Check the following link from Cisco on improving security on Cisco routers.

http://www.cisco.com/warp/public/707/21.html



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7201862
Have any of these comments been of any help to you? Do you need more information?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7333492
It appears that you have forgotten this question. I will ask Community Support to force close it unless you finalize it within 7 days.

** PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER **

Please take a moment to revisit this question & reward your points or post additional commentary as appropriate.  Unless there is objection or further activity.

EXPERTS, please feel free to make a recommendation for points award.

If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points.  The link to the Community Support area is:

http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt

** PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER **
------------------------------------------------------------------------------------------------
0
