Solved

Cisco 1801

Posted on 2009-02-09
660 Views
Last Modified: 2013-11-16
I have attached a sample config. There is a gaping hole and I cannot see where it is. Any help would be appreciated

On checking the security on this config, it looks as if there is an open hole onto both NAT'd servers from any IP. Where is my hole?

!This is the running config of the router: 192.168.1.170
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HORouter
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3797292871
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3797292871
 revocation-check none
 rsakeypair TP-self-signed-3797292871
!
!
crypto pki certificate chain TP-self-signed-3797292871
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373937 32393238 3731301E 170D3039 30323031 32333031
  35355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37393732
  39323837 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CC45 F46F1855 D1CA1369 2981A139 EE971BF1 E5AFBF06 9C639817 BABF6732
  9311C4B5 80A65DB8 0CC9ADF1 C86E8A6A 6A2DE995 06D98964 20CEC5B1 06F5A096
  152BF86A 3EFC072E B92D8F17 8B3F4F17 18567531 40109CB4 60B04E37 8A28B841
  6253C778 F3A1FF92 81F97502 E2367043 2D18B49A C3253223 3B59CDFF A59E9C7A
  D6BB0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 1407FFE0 4CFCC749 537C02CE A01686A6 08919980
  B1301D06 03551D0E 04160414 07FFE04C FCC74953 7C02CEA0 1686A608 919980B1
  300D0609 2A864886 F70D0101 04050003 818100AF 91510D9A 901DCFEB D7804B7B
  691F0D5C 45DE885C 69D6F02C B885BB98 8ECB27DD 223605A3 917647BE AE67CF8C
  9A2A6A45 29B207D0 0734FB4A 02C3BE1C 0F0AC723 D0BAD59D 3A716C8E DC3D6062
  0B96DA54 3C1181D8 D7E68CA6 7DF858A8 30F04FF1 9C4425CB 55AC97F1 F46EDB26
  51D03680 84A86200 9B992816 4845BAB9 B38B5B
        quit
!
!
ip cef
!
!
ip domain name company.local
ip name-server 158.43.240.3
ip name-server 158.43.240.4
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username User privilege 15 secret 5 $1$b.1B$o3QU9cfdNXZHnC4pjZjW60
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Password address 81.86.229.1
crypto isakmp key Password address 81.86.229.49
crypto isakmp key Password address 81.86.60.153
!
crypto isakmp client configuration group RemoteUsers
 key Password
 dns 158.43.240.3 158.43.240.4
 domain hedleyandellis.local
 pool SDM_POOL_1
crypto isakmp profile sdm-ike-profile-1
   match identity group RemoteUsers
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA2
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to81.86.229.1
 set peer 81.86.229.1
 set transform-set ESP-3DES-SHA
 match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to81.86.229.49
 set peer 81.86.229.49
 set transform-set ESP-3DES-SHA1
 match address 106
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to81.86.60.153
 set peer 81.86.60.153
 set transform-set ESP-3DES-SHA2
 match address 108
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 110
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
 match access-group 111
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Support_All
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls-sdm-permit-1
 match class-map Support_All
 match access-group name Support
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  pass
 class type inspect sdm-cls-VPNOutsideToInside-2
  pass
 class type inspect sdm-cls-VPNOutsideToInside-3
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  pass
 class type inspect sdm-cls-VPNOutsideToInside-5
  pass
 class type inspect sdm-cls-VPNOutsideToInside-6
  pass
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect sdm-cls-sdm-permit-1
  inspect
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class type inspect sdm-cls-VPNOutsideToInside-5
  pass
 class type inspect sdm-cls-VPNOutsideToInside-6
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
 ip address 192.168.1.170 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 81.178.60.201 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname aufn23@xtreme4.pipex.net
 ppp chap password 0 oohiabez
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.1.245 192.168.1.250
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static 192.168.1.144 81.178.60.202 route-map nonat
ip nat inside source static 192.168.1.140 81.178.60.203 route-map nonat
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended Support
 remark SDM_ACL Category=128
 permit ip host 84.92.198.2 any
 permit ip host 87.224.124.217 any
 permit ip host 81.86.229.1 any
 permit ip host 81.86.229.49 any
 permit ip host 81.86.60.153 any
 permit ip host 81.179.55.233 any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 87.224.124.216 0.0.0.7 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 107 remark SDM_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 109 remark SDM_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 remark SDM_ACL Category=0
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark SDM_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.140 192.168.2.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.140 192.168.3.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.140 192.168.4.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.140 192.168.5.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.140 192.168.6.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.144 192.168.2.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.144 192.168.3.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.144 192.168.4.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.144 192.168.5.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.144 192.168.6.0 0.0.0.255
access-list 120 permit ip host 192.168.1.140 any
access-list 120 permit ip host 192.168.1.144 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
route-map nonat permit 10
 match ip address 120
!
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
end
Question by:JonDempsey
1 Comment
Accepted Solution
by: Kamran Arshad, earned 375 total points
ID: 23598034
Hi,

I recommend using Nipper:

nipper.titania.co.uk
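The kind of check the accepted answer hands to Nipper can also be scripted against the config as posted. What follows is an added example, not code from the question, the answer or Nipper: it parses a constructed excerpt of the posted running-config (the out-zone to in-zone and out-zone to self zone-pairs, their policy-maps and class-maps, and the ACLs those reference) and reports, per zone-pair, which source networks each pass/inspect class admits, plus every ACL that is referenced but never defined. It handles extended ACLs only and ignores protocol matches and NAT, so it over-reports sources rather than missing any. On this excerpt the out-zone to in-zone pair admits only the VPN subnets (class-default carries no action, which in the zone-based firewall means drop), out-zone to self admits any source for the IPsec pass class, and ACLs 23 (`ip http access-class 23`) and 102 (`match access-group 102` in SDM_VPN_PT) are referenced in the posted config but defined nowhere in it; what an undefined list does is worth confirming on the device with `show ip access-lists` rather than assumed.

```python
# Added example (not from the question or the answer): a static review of the
# posted HORouter zone-based firewall, run over a constructed excerpt of it.
import ipaddress
from collections import defaultdict

CONFIG = """\
ip http access-class 23
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 109
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_ESP
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
  pass
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
ip access-list extended SDM_ESP
 permit esp any any
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 109 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def to_net(src):  # IOS source tokens: 'any' | 'host A' | 'A wildcard' -> CIDR
    if src[0] in ("any", "host"):
        return "0.0.0.0/0" if src[0] == "any" else f"{src[1]}/32"
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(src[1])) & 0xFFFFFFFF)
    return str(ipaddress.ip_network((src[0], str(netmask)), strict=False))

def parse(text):
    """Return (acls, class_maps, policy_maps, zone_pairs, referenced_acls)."""
    acls, cmaps, pmaps, zps, refs = defaultdict(list), {}, {}, {}, set()
    kind = name = None                                # current indented block
    for line in filter(str.strip, text.splitlines()):
        t = line.split()
        if not line.startswith(" "):                  # top-level statement
            kind = name = None
            if t[0] == "access-list" and t[2] in ("permit", "deny"):
                acls[t[1]].append((t[2], t[4:6]))     # extended ACLs only
            elif t[:3] == ["ip", "access-list", "extended"]:
                kind, name = "acl", t[3]
                acls.setdefault(name, [])             # defined even if empty
            elif t[0] in ("class-map", "policy-map"):
                kind, name = t[0][:-4], t[-1]         # "class" or "policy"
                (cmaps if kind == "class" else pmaps)[name] = []
            elif t[0] == "zone-pair":
                kind, name = "zp", (t[4], t[6])
            elif t[:3] == ["ip", "http", "access-class"]:
                refs.add(t[3])
        elif kind == "acl" and t[0] in ("permit", "deny"):
            acls[name].append((t[0], t[2:4]))
        elif kind == "class" and t[1] in ("access-group", "class-map"):
            cmaps[name].append((t[1], t[-1]))         # "match protocol" skipped
            if t[1] == "access-group":
                refs.add(t[-1])
        elif kind == "policy" and t[0] == "class":
            pmaps[name].append([t[-1], "drop"])       # no action: ZBF drops
        elif kind == "policy" and t[0] in ("pass", "inspect", "drop"):
            pmaps[name][-1][1] = t[0]
        elif kind == "zp" and t[0] == "service-policy":
            zps[name] = t[-1]
    return acls, cmaps, pmaps, zps, refs

def sources(acls, cmaps, cname, seen=frozenset()):
    """Sources a class-map admits. Over-reports, never under: ACLs are unioned
    even under match-all, and no/undefined/deny-only ACL counts as any."""
    if cname not in cmaps or cname in seen:           # class-default, unknown
        return {"0.0.0.0/0"}
    nets = set()
    for kind, ref in cmaps[cname]:
        if kind == "class-map":
            nets |= sources(acls, cmaps, ref, seen | {cname})
        else:
            nets |= {to_net(s) for a, s in acls.get(ref, []) if a == "permit"}
    return nets or {"0.0.0.0/0"}

def admitted(text, src_zone, dst_zone):
    """{class-map: sorted sources} passed/inspected on a zone-pair; {} = drop all."""
    acls, cmaps, pmaps, zps, _ = parse(text)
    policy = pmaps.get(zps.get((src_zone, dst_zone)), [])
    return {c: sorted(sources(acls, cmaps, c)) for c, act in policy
            if act in ("pass", "inspect")}

def undefined_acls(text):
    """ACLs referenced by a class-map or the HTTP access-class but never defined."""
    acls, _, _, _, refs = parse(text)
    return sorted(refs - set(acls))
```

To review the whole posted config, paste the full running-config into CONFIG and call `admitted()` for each zone-pair and `undefined_acls()` once; a zone-pair that returns `{}` drops everything, which is also the zone-based firewall's default for a zone-pair that does not exist. Independently of the zone policy, two things visible in the posted config are worth fixing on their own: `no service password-encryption` together with a clear-text `ppp chap password`, and `transport input telnet ssh` on the vty lines, where `service password-encryption` and `transport input ssh` are the usual corrections.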