cisco 1720 security

Status
Not open for further replies.

kidem

MIS
Feb 17, 2004
44
US
I'm curious to know what else I can do to make my router more secure. Any help is welcomed; here is the config.

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption

hostname router1

logging buffered 4096 debugging
enable secret 5

memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero

ip dhcp pool dhcppool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 7

no ip bootp server
ip audit attack action alarm reset
ip audit notify log
ip audit po max-events 100
ip cef


interface Ethernet0
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
half-duplex
ntp disable
no cdp enable

interface FastEthernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
speed auto
no cdp enable

ip nat inside source list 1 interface Ethernet0 overload
ip classless
no ip http server
ip pim bidir-enable

logging 10.10.10.66
access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 10 deny any log
access-list 100 deny icmp any any echo log
access-list 100 deny icmp any any redirect log
access-list 100 deny icmp any any mask-request log
access-list 100 permit ip any any log
access-list 100 deny icmp any any net-unreachable log
access-list 100 deny icmp any any host-unreachable log
access-list 100 deny icmp any any port-unreachable log
access-list 100 deny icmp any any parameter-problem log
access-list 100 deny icmp any any packet-too-big log
access-list 100 deny icmp any any administratively-prohibited log
access-list 100 deny icmp any any source-quench log
access-list 100 deny icmp any any echo-reply log
access-list 100 deny icmp any any ttl-exceeded log
no cdp run

line con 0
line aux 0
line vty 0 4
access-class 1 in
access-class 10 out
password <password>
no login
telnet refuse-negotiations

no scheduler allocate
end
 
Is access-list 100 turned on for any of your interfaces? Correct me if I'm wrong, but the access list won't be active unless you indicate "ip access-group 100 in" on your OUTSIDE interface (Ethernet0).

One thing you could also think about would be these entries:

access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip any host 127.0.0.1 log
! "established" is a TCP-only keyword, so this entry must use tcp rather than ip
access-list 100 permit tcp any [your network IP address] [your network mask] established
access-list 100 deny ip [your network IP address] [your network mask] any log
access-list 100 deny tcp any any eq 22222 log
access-list 100 deny tcp any any range 60000 60020 log
access-list 100 deny udp any any eq snmp log
access-list 100 permit ip any any

info on those entries can be found at:
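A check for the two points raised in this reply (an access list that is defined but never bound to an interface, line or NAT rule, and entries placed after a blanket "permit ip any any" so they can never match), as an added Python example that is not from the thread. It runs over an excerpt of the posted config embedded as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the IOS config posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address dhcp
 ip nat outside
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface Ethernet0 overload
access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 10 deny any log
access-list 100 deny icmp any any echo log
access-list 100 permit ip any any log
access-list 100 deny icmp any any echo-reply log
line vty 0 4
 access-class 1 in
 access-class 10 out
"""

def audit_acls(config):
    """Return (unapplied, shadowed): ACL ids never referenced by an
    ip access-group, access-class or NAT source list, and ACL ids that
    still have entries after a blanket 'permit ip any any'."""
    defined = defaultdict(list)   # acl id -> ordered list of ACE strings
    applied = set()               # acl ids referenced anywhere in the config
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) (.+)", line)
        if m:
            defined[m.group(1)].append(m.group(2))
            continue
        m = (re.match(r"ip access-group (\S+) (in|out)", line)
             or re.match(r"access-class (\S+) (in|out)", line)
             or re.match(r"ip nat inside source list (\S+)", line))
        if m:
            applied.add(m.group(1))
    unapplied = sorted(set(defined) - applied)
    shadowed = []
    for acl, aces in defined.items():
        for i, ace in enumerate(aces):
            # anything after a blanket permit is unreachable (first match wins)
            if ace.startswith("permit ip any any") and i < len(aces) - 1:
                shadowed.append(acl)
                break
    return unapplied, sorted(shadowed)

if __name__ == "__main__":
    unapplied, shadowed = audit_acls(SAMPLE_CONFIG)
    print("defined but never applied:", unapplied)        # ['100']
    print("entries after 'permit ip any any':", shadowed)  # ['100']
```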
 
Thanks guy, I posted this a while ago and since then have got it to be secure. Thanks for the response.
 