Cisco router admin interface is accessible from the Internet

I'm a bit new to this, so hoping somebody can shed some light on what I missed. I am setting up a Cisco 891F integrated services router in a fairly small, simple environment to act pretty much like a normal consumer router. My LAN subnet is 192.168.1.1/24, and my WAN IP is 123.123.123.123. I'm using the GigabitEthernet8 interface for my WAN, and GigabitEthernet0-7 are all being used for the LAN. Everything else is turned off.

The problem I'm experiencing is that all of the router's admin interfaces, such as telnet and the HTTP web admin console, are exposed to the internet on 123.123.123.123.

So presumably there's probably some firewall configuration of some sort that needs to be done, but I'm not sure where the rules should go. I also don't know if there's anything else I've forgotten as far as security hardening the router is concerned.

What do I do?

Here's the resulting configuration file:

!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging buffered
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FGL1911216R
!
!
username cisco privilege 15 secret 5 $1$xxxx$xxxxxxxxxxxxxxxx/
!
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description Internet Service
 ip address 123.123.123.123 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description LAN Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 100 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 123.123.123.123
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 remark
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end


Frosty555Asked:
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
Here is what I would recommend:

ip access-list extended WAN-IN
 deny tcp any host 123.123.123.123 eq ssh
 deny tcp any host 123.123.123.123 eq telnet
 deny udp any host 123.123.123.123 eq snmp
 deny tcp any host 123.123.123.123 eq http
 deny tcp any host 123.123.123.123 eq https
 permit ip any any

ip access-list standard 99
 permit 192.168.1.0 0.0.0.255
 deny any
interface GigabitEthernet8
 ip access-group WAN-IN in

ip http access-class 99

line vty 0 4
 access-class 99 in



Access lists do have an implicit deny entry at the end, so you need to make sure you permit any traffic you want to allow through the firewall.

As for the standard list, I prefer to deny explicitly anyways.


Also, ip nat outside is correct in your configuration; you do not have to worry about how you have your NAT configured since you are using Simple-NAT.
 
arnold commented:
Why are you using ip nat outside on the WAN interface?

Cisco Document for example configuration

http://www.cisco.com/c/en/us/td/docs/routers/access/800/software/configuration/guide/SCG800Guide/SCG800_Guide_BookMap_chapter_010.html#con_1179017


Adding access-lists/groups to handle incoming traffic.

Unfamiliar with this model, but the link suggests that the ip nat outside should be elsewhere.
 
Frosty555 (Author) commented:
The ip nat outside is there because that's what the Cisco Configuration Professional tool looked like it was trying to do. I thought it made sense: the WAN is on the "outside" of the NAT, and the LAN is on the "inside", and NAT is doing network address translation for packets that traverse from the inside to the outside? If I remove the ip nat outside from the WAN interface, the Internet becomes immediately unavailable.

I guess what I want to do is implement the firewall rules that you typically find on a consumer router, that is for the LAN->WAN, everything is allowed, and for WAN->LAN, everything is denied except for the return traffic initiated by the LAN... how do I do that?

arnold commented:
The example I posted of a Cisco 800 configuration uses a loopback interface through which internal traffic is routed out of the interface.  You need to add access-lists to the outside interface restricting access to ....

I am unfamiliar with the config tool and what options it offers.
Unfortunately, the documentation/examples on this device are not as yet abundant.

See whether you can apply an access-list/group/restriction on the GigabitEthernet8 incoming.

JustInCase commented:
Using the firewall wizard in CCP you can configure a firewall (Security >> Firewall) for your router, and the firewall will forbid configuration of the router over the WAN port (it is one of the default settings for the firewall configuration). If you don't have a DMZ, choose Basic firewall; otherwise choose Advanced firewall.

If you want to block access to router config from WAN manually...
Telnet is considered unsecured, you should use SSH instead.
Anyhow, to secure telnet (or SSH) you can set host (in this case 192.168.0.10) that can access router over telnet or ssh.

#config t
# access-list 55 permit 192.168.0.10
# access-list 55 deny any log

# line vty 0 4
# access-class 55 in

You can do the same for http and https access from WAN:

# access-list 101 deny tcp any any eq 80
# access-list 101 deny tcp any any eq 443
# access-list 101 permit ip any any

# interface GigabitEthernet8
# ip access-group 101 in

Frosty555 (Author) commented:
Here are the relevant parts of the config for the end result, including port forwarding for ports 80 and 443 to an internal webserver.

interface GigabitEthernet8
 description Internet
 ip address 123.123.123.123 255.255.255.252
 ip access-group WAN-IN in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat inside source list 100 interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.1.14 80 123.123.123.123 80 extendable
ip nat inside source static tcp 192.168.1.14 443 123.123.123.123 443 extendable
ip route 0.0.0.0 0.0.0.0 123.123.123.123
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 remark
!
ip access-list extended WAN-IN
 deny   tcp any host 123.123.123.123 eq 22
 deny   tcp any host 123.123.123.123 eq telnet
 deny   udp any host 123.123.123.123 eq snmp
 deny   udp any host 123.123.123.123 eq snmptrap
 permit ip any any
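To confirm what Daniel's WAN-IN list (and the implicit deny he mentions) actually does against the final configuration above, here is an added Python evaluator; it is not from the thread or from Cisco, it parses the extended-ACL syntax used in the posts, and the outside address 198.51.100.7 is a constructed example.

```python
# Service keywords used in the thread's ACLs, mapped to port numbers.
PORTS = {"ssh": 22, "telnet": 23, "snmp": 161, "snmptrap": 162, "http": 80, "https": 443}

def ip2int(s):
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def parse_addr(tok, i):
    """Return ((net, wildcard), next_index) for 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip2int(tok[i + 1]), 0), i + 2
    return (ip2int(tok[i]), ip2int(tok[i + 1])), i + 2

def addr_match(matcher, ip):
    net, wild = matcher  # wildcard bits set to 1 are "don't care", as in IOS
    return (ip | wild) == (net | wild)

def parse_acl(text):
    """Parse extended ACEs '<permit|deny> <proto> <src> <dst> [eq <port>]'; remark lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = parse_addr(tok, 2)
        dst, i = parse_addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
        aces.append((tok[0], tok[1], src, dst, port))
    return aces

def evaluate(aces, proto, src, dst, dport):
    """First matching ACE decides; no match means the implicit deny at the end of every IOS ACL."""
    for action, aproto, asrc, adst, aport in aces:
        if aproto in ("ip", proto) and addr_match(asrc, ip2int(src)) \
                and addr_match(adst, ip2int(dst)) and aport in (None, dport):
            return action
    return "deny"

# Constructed input: the final WAN-IN ACL from the thread (123.123.123.123 is the thread's WAN placeholder).
WAN_IN = """deny   tcp any host 123.123.123.123 eq 22
deny   tcp any host 123.123.123.123 eq telnet
deny   udp any host 123.123.123.123 eq snmp
deny   udp any host 123.123.123.123 eq snmptrap
permit ip any any"""

def check_wan_in(acl_text):
    """Probe the management ports and the forwarded HTTP port from a constructed outside host."""
    aces = parse_acl(acl_text)
    probes = {"telnet": ("tcp", 23), "ssh": ("tcp", 22), "snmp": ("udp", 161), "http": ("tcp", 80)}
    return {name: evaluate(aces, p, "198.51.100.7", "123.123.123.123", port)
            for name, (p, port) in probes.items()}
```

Running `check_wan_in(WAN_IN)` shows telnet, ssh and snmp denied while the forwarded port 80 is permitted; dropping the trailing `permit ip any any` makes the implicit deny block everything, including the port forwards and return traffic.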
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.