JustinBrian asked on:
CISCO 1921 Port 22 and 53 PCI Compliance
I am working with a customer who has recently gone through a PCI compliance audit, and it was found that ports 22 and 53 are open. I have made several attempts to disable SSH version 1, and I am still unable to close these ports. I have included the running config of the router. I am open to any suggestions and thoughts.
Thanks Justin
Current configuration : 6661 bytes
!
! Last configuration change at 19:42:45 UTC Thu Jan 2 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname troplanc
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.0.1.1 10.0.1.99
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool ADMIN
import all
network 10.0.1.0 255.255.255.0
dns-server 75.75.75.75 76.76.76.76
default-router 10.0.1.1
!
ip dhcp pool GUEST
import all
network 192.168.0.0 255.255.255.0
dns-server 75.75.75.75 76.76.76.76
default-router 192.168.0.1
lease 0 12
!
!
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1999770955
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1999770955
revocation-check none
rsakeypair TP-self-signed-1999770955
!
!
crypto pki certificate chain TP-self-signed-1999770955
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393939 37373039 3535301E 170D3133 30353134 31383331
35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39393937
37303935 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A4A8 1E248A6B 64A5CE11 A4957CDA AE0C64FD DC55DC30 F332A715 184AEBD0
B71BE062 63BC7140 D0846EE9 CC478991 99B02730 247FB01B A0305545 5D9538B3
FBF9385F F085E20E C265D7CB CE0C305C E9E82179 FD7886F6 1F255074 87554BE2
442BA09A 0D3268B2 7D70FEBE 08D74B6F 7FFFDBCD 8AFE98A7 100F800F DA9F2ACE
6BE10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14E107FA 2BF516D2 44365EE4 D646CBB5 6ACF2EFA DD301D06
03551D0E 04160414 E107FA2B F516D244 365EE4D6 46CBB56A CF2EFADD 300D0609
2A864886 F70D0101 05050003 8181003D 83552CE1 4092643D FA851F22 6A9B0C2C
6F76F87E 651E8502 F6FBCAE7 F82FD612 2B9DAB99 494421CF 0EAE7636 2754B58A
3C9F2889 C3C17E2C 9905CC96 9BAAE645 B681AEAC 2A0F0B0C D1E8C22F 5FD47EE5
F1CA9CA4 0031A0BB DFB51F5F 8A64EEF1 65DCB444 E354AD61 30F003AB 7264191C
AA2E2B75 E0CA5D00 1C36E63B CE11F2
quit
license udi pid CISCO1921/K9 sn FGL172021BG
!
!
object-group network net-local
10.0.1.0 255.255.255.0
!
object-group network net-remote
10.0.5.0 255.255.255.0
!
username admin privilege 15 secret 4 9Rm7ZxlTUuYCINH6WJRoXb79cZlK6hwDCM0mu3OzG2g
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 2
authentication pre-share
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key Nancy8088! address 50.76.118.222
!
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer 50.76.118.222
set transform-set ASA-IPSEC
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description outside
ip address 50.241.184.25 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ADMIN
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description GUEST LAN
encapsulation dot1Q 2
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.2
description VoIP
encapsulation dot1Q 3
ip address 10.0.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.3
description CCTV
encapsulation dot1Q 4
ip address 10.0.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.4
encapsulation dot1Q 10
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.1.10 910 50.241.184.25 910 extendable
ip nat inside source static udp 10.0.1.10 910 50.241.184.25 910 extendable
ip nat inside source static tcp 10.0.1.10 3389 50.241.184.25 3389 extendable
ip nat inside source static udp 10.0.1.10 3389 50.241.184.25 3389 extendable
ip nat inside source static tcp 10.0.4.5 8080 50.241.184.25 8080 extendable
ip nat inside source static udp 10.0.4.5 8080 50.241.184.25 8080 extendable
ip nat inside source static tcp 10.0.4.5 8081 50.241.184.25 8081 extendable
ip nat inside source static udp 10.0.4.5 8081 50.241.184.25 8081 extendable
ip route 0.0.0.0 0.0.0.0 50.241.184.30
ip route 10.0.0.0 255.0.0.0 GigabitEthernet0/1.4
!
access-list 100 permit ip any any
!
!
!
control-plane
!
!
banner exec ^Cine TROP ELITE EQUIPMENT
***************************TROP ELITE EQUIPMENT****************************
RESTRICTED ACCESS - AUTHORIZED PERSONEL ONLY - VIOLATORS WILL BE SHOT
1
RESTRICTED ACCESS - AUTHORIZED PERSONEL ONLY - VIOLATORS WILL BE SHOT
^C
banner login ^C
---------------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
---------------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output none
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input none
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input none
!
scheduler allocate 20000 1000
!
end
troplanc#
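Added example (an editor's hardening fragment written against the running config posted above; it is not from the thread and was not supplied by the asker or by Cisco). It addresses the two findings in the question from what the config itself shows: port 53 is open because `ip dns server` turns on the IOS DNS server on every interface, including the WAN address, and the vty lines' `transport input none` stops logins but does not stop an external scanner from seeing the SSH listener on the WAN address. It also defines access-list 23, which both `ip http access-class 23` and the vty `access-class 23 in` reference but which is never defined anywhere in the posted config. Assumptions, labelled in the comments: management traffic comes only from the ADMIN VLAN 10.0.1.0/24, no inside host uses the router (10.0.1.1) as its resolver, and `<new-strong-key>` is a placeholder for the replacement pre-shared key.

```cisco
! Editor's added hardening fragment for the posted 1921 config (not from the thread).
! Assumptions: management only from 10.0.1.0/24; no inside host resolves via 10.0.1.1.
!
! 1. Port 53. "ip dns server" runs the IOS DNS server on all interfaces, WAN included.
!    The DHCP pools already hand clients 75.75.75.75 / 76.76.76.76 directly,
!    so the router does not need to answer DNS for anyone.
no ip dns server
!
! 2. Access-list 23 is referenced by "ip http access-class 23" and by both vty
!    groups, but it is never defined in the running config. Define it so the
!    restriction actually exists. (Assumed management source: ADMIN VLAN.)
access-list 23 remark management sources only
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 23 deny   any log
!
! 3. "Disable Ver1 SSH" in IOS terms: force SSHv2 only and tighten the server.
!    Requires an RSA keypair of at least 768 bits; generate one first if
!    "show ip ssh" reports SSH disabled (e.g. crypto key generate rsa modulus 2048).
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! 4. Ports 22 and 53 on the WAN address. Filter traffic addressed to the router
!    itself at the edge. The final "permit ip any any" keeps the existing static
!    NAT forwards (910, 3389, 8080, 8081) and the return traffic for the
!    overload NAT working exactly as before. "eq 22" / "eq 53" here are
!    destination ports, so DNS replies from 75.75.75.75 (source port 53,
!    ephemeral destination port) to inside clients are not affected.
ip access-list extended OUTSIDE-IN
 remark drop router-destined SSH and DNS on the WAN address
 deny   tcp any host 50.241.184.25 eq 22
 deny   tcp any host 50.241.184.25 eq 53
 deny   udp any host 50.241.184.25 eq 53
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
!
! 5. The ISAKMP pre-shared key was posted publicly; rotate it on both peers.
!    <new-strong-key> is a placeholder, not a value from the thread.
no crypto isakmp key Nancy8088! address 50.76.118.222
crypto isakmp key <new-strong-key> address 50.76.118.222
!
! 6. Stop keeping the remaining line/password secrets in clear text in the config.
service password-encryption
```

To check the result on the box, `show control-plane host open-ports` lists what the router itself is listening on (UDP/TCP 53 should disappear after `no ip dns server`), `show ip ssh` confirms "version 2.0", and `show access-lists 23` must now return a list rather than nothing. The finding is only closed once the auditor's external scan of 50.241.184.25 no longer reports 22 and 53, so rerun that scan after the change; the `deny` counters in `show ip access-lists OUTSIDE-IN` will show whether the ACL is catching the probes. Note that the crypto map `SDM_CMAP_1` in the posted config is not bound to any interface, and its `match address 100` points at the same `permit ip any any` list used for NAT overload; if the tunnel is ever brought up, give it its own crypto ACL (the unused `net-local`/`net-remote` object groups look intended for that) rather than sharing list 100.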
SOLUTION
Also, SSH is not bad for PCI compliance, but letting anyone access it can be. Also, I noticed that you'll want to change your isakmp key now that you published it on the Internet, along with the peer IP address.
ASKER
I realized that after the fact... too quick with the copy and paste. Thanks
No problem. Just making sure you knew about it. Rather fix it now than to post another question on why you got smacked online. :)