Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!
Cisco router admin interface is accessible from the Internet
I'm a bit new to this, so hoping somebody can shed some light on what I missed. I am setting up an Cisco 891F integrated services router in a fairly small, simple environment to act pretty much like a normal consumer router. My LAN subnet is 192.168.1.1/24, and my WAN IP is 123.123.123.123. I'm using the GigabitEthernet8 interface for my WAN, and GigabitEthernet0-7 are all being used for the LAN. Everything else is turned off.
The problem I'm experiencing is that all of the router's admin interfaces such as telnet and the HTTP web admin console is exposed to the internet on 123.123.123.123.
So presumably there's probably some firewall configuration of some sort that needs to be done, but I'm not sure where the rules should go. I also don't know if there's anything else I've forgotten as far as security hardening the router is concerned.
What do I do?
Here's the resulting configuration file:
The problem I'm experiencing is that all of the router's admin interfaces such as telnet and the HTTP web admin console is exposed to the internet on 123.123.123.123.
So presumably there's probably some firewall configuration of some sort that needs to be done, but I'm not sure where the rules should go. I also don't know if there's anything else I've forgotten as far as security hardening the router is concerned.
What do I do?
Here's the resulting configuration file:
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging buffered
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FGL1911216R
!
!
username cisco privilege 15 secret 5 $1$xxxx$xxxxxxxxxxxxxxxx/
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description Internet Service
ip address 123.123.123.123 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
description LAN Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 100 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 123.123.123.123
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 remark
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
The ip nat outside is there because that's what the Cisco Configuration Professional tool looked like it was trying to do. I thought it made sense, the WAN is on the "outside" of the NAT, and the LAN is on the "inside"., and NAT is doing network address translation for packets that traverse from the inside to the outside? If I remove the ip nat outside from the WAN interface, the Internet becomes immediately unavailable.
I guess what I want to do is implement the firewall rules that you typically find on a consumer router, that is for the LAN->WAN, everything is allowed, and for WAN->LAN, everything is denied except for the return traffic initiated by the LAN... how do I do that?
I guess what I want to do is implement the firewall rules that you typically find on a consumer router, that is for the LAN->WAN, everything is allowed, and for WAN->LAN, everything is denied except for the return traffic initiated by the LAN... how do I do that?
The example I posted of Cisco 800 configuration use a loop interface through which internal traffic is routed out the interface. You need to add Access-lists to the outside interface restricting access to ....
I am unfamiliar with the config tool and what options it offers.
Unfortunately, the documentation/examples on this device are not as yet abundant.
See whether you can apply an access-list/group/restrict
I am unfamiliar with the config tool and what options it offers.
Unfortunately, the documentation/examples on this device are not as yet abundant.
See whether you can apply an access-list/group/restrict
Using firewall wizard in CCP you can configure firewall (security>>firewal) for your router and firewall will forbid configuration of router over WAN port (it is one of default settings for firewall configuration). If you don't have DMZ, choose Basic firewall, otherwise choose Advanced firewall
If you want to block access to router config from WAN manually...
Telnet is considered unsecured, you should use SSH instead.
Anyhow, to secure telnet (or SSH) you can set host (in this case 192.168.0.10) that can access router over telnet or ssh.
#config t
# access-list 55 permit 192.168.0.10
# access-list 55 deny any log
# line vty 0 4
# access-class 55 in
You can do the same for http and https access from WAN
# access-list 101 deny tcp any any eq 80
# access-list 101 deny tcp any any eq 443
# permit ip any any
# interface fa8
# ip access-group 101 in
If you want to block access to router config from WAN manually...
Telnet is considered unsecured, you should use SSH instead.
Anyhow, to secure telnet (or SSH) you can set host (in this case 192.168.0.10) that can access router over telnet or ssh.
#config t
# access-list 55 permit 192.168.0.10
# access-list 55 deny any log
# line vty 0 4
# access-class 55 in
You can do the same for http and https access from WAN
# access-list 101 deny tcp any any eq 80
# access-list 101 deny tcp any any eq 443
# permit ip any any
# interface fa8
# ip access-group 101 in
Here is what I would recommend:
Access Lists do have a implicit deny entry at the end so you need to make sure you permit any traffic you want to allow through the firewall.
As for the standard list, I prefer to deny explicitly anyways.
Also, ip nat outside is correct in your configuration, you do not have to worry about how you have your NAT configured since you are using Simple-NAT
ip access-list extended WAN-IN
deny tcp any host 123.123.123.123 eq ssh
deny tcp any host 123.123.123.123 eq telnet
deny udp any host 123.123.123.123 eq snmp
deny tcp any host 123.123.123.123 eq http
deny tcp any host 123.123.123.123 eq https
permit ip any any
ip access-list standard 99
permit 192.168.1.0 0.0.0.255
deny any
interface GigabitEthernet8
ip access-list WAN-IN in
ip http access-class 99
line vty 0 4
access-class 99 in
Access Lists do have a implicit deny entry at the end so you need to make sure you permit any traffic you want to allow through the firewall.
As for the standard list, I prefer to deny explicitly anyways.
Also, ip nat outside is correct in your configuration, you do not have to worry about how you have your NAT configured since you are using Simple-NAT
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Here was the relevant parts of the config for the end result, including port forwarding for port 80 and 443 to an internal webserver.
interface GigabitEthernet8
description Internet
ip address 123.123.123.123 255.255.255.252
ip access-group WAN-IN in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip nat inside source list 100 interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.1.14 80 123.123.123.123 80 extendable
ip nat inside source static tcp 192.168.1.14 443 123.123.123.123 443 extendable
ip route 0.0.0.0 0.0.0.0 123.123.123.123
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 permit ip 192.168.11.0 0.0.0.255 any
access-list 100 remark
!
ip access-list extended WAN-IN
deny tcp any host 123.123.123.123 eq 22
deny tcp any host 123.123.123.123 eq telnet
deny udp any host 123.123.123.123 eq snmp
deny udp any host 123.123.123.123 eq snmptrap
permit ip any any
interface GigabitEthernet8
description Internet
ip address 123.123.123.123 255.255.255.252
ip access-group WAN-IN in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip nat inside source list 100 interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.1.14 80 123.123.123.123 80 extendable
ip nat inside source static tcp 192.168.1.14 443 123.123.123.123 443 extendable
ip route 0.0.0.0 0.0.0.0 123.123.123.123
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 permit ip 192.168.11.0 0.0.0.255 any
access-list 100 remark
!
ip access-list extended WAN-IN
deny tcp any host 123.123.123.123 eq 22
deny tcp any host 123.123.123.123 eq telnet
deny udp any host 123.123.123.123 eq snmp
deny udp any host 123.123.123.123 eq snmptrap
permit ip any any
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
Cisco Document for example configuration
http://www.cisco.com/c/en/us/td/docs/routers/access/800/software/configuration/guide/SCG800Guide/SCG800_Guide_BookMap_chapter_010.html#con_1179017
Adding access-lists/groups to handle incoming traffic.
Unfamiliar with this model, but the link suggests that the ip nat outside should be elsewhere.