Cisco router admin interface is accessible from the Internet

I'm a bit new to this, so hoping somebody can shed some light on what I missed. I am setting up an Cisco 891F integrated services router in a fairly small, simple environment to act pretty much like a normal consumer router. My LAN subnet is 192.168.1.1/24, and my WAN IP is 123.123.123.123. I'm using the GigabitEthernet8 interface for my WAN, and GigabitEthernet0-7 are all being used for the LAN. Everything else is turned off.

The problem I'm experiencing is that all of the router's admin interfaces such as telnet and the HTTP web admin console is exposed to the internet on 123.123.123.123.

So presumably there's probably some firewall configuration of some sort that needs to be done, but I'm not sure where the rules should go. I also don't know if there's anything else I've forgotten as far as security hardening the router is concerned.

What do I do?

Here's the resulting configuration file:

!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging buffered
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FGL1911216R
!
!
username cisco privilege 15 secret 5 $1$xxxx$xxxxxxxxxxxxxxxx/
!
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description Internet Service
 ip address 123.123.123.123 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description LAN Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 100 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 123.123.123.123
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 remark
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end

Select all Open in new window