
Cisco 1721 Router help with security

Status
Not open for further replies.

PaulV7

MIS
Feb 4, 2003
6
US
Hello everyone;
I have been given the task of setting up a 1721 router. I have no training in setting up routers. The config below is what I have put together from the manuals and from reading the NSA website about router security. This config works but is not very secure. Could you look at it and suggest what I can do to make it more secure? I have also added two access lists I have created but not implemented yet. Will those work? Are they any good?

My company uses the internet mainly for email (provider) and surfing the web. I have thought about blocking all ports but HTTP and FTP but not sure if that is the way to go.

My ISP gave me 6 IPs. Is there a way w/ this router to set up 4 of those IPs to be used in the NAT and 2 to be static to internal machines? Or will I have to do port replication? Right now I only use 1 IP. I would like to do something with them so I do not lose them.



------------------------------------------------------------------------------------------------------------

service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "#########"
!
enable secret 5 ##########################
!
username ###### password 7 #########################
username ###### password 7 #########################
clock timezone EST 0
ip subnet-zero
ip name-server 66.255.###.###
ip name-server 66.255.###.###
!
no ip bootp server
!
!
interface FastEthernet0
ip address 172.16.50.1 255.255.255.###
ip access-group 106 in
no ip proxy-arp
ip nat inside
speed auto
no cdp enable
!
interface Serial0
description Frame Relay
no ip address
no ip proxy-arp
ip nat outside
encapsulation frame-relay IETF
no ip route-cache
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
ip address 66.255.138.### 255.255.255.###
ip access-group 105 in
no ip proxy-arp
ip nat outside
no ip route-cache
no cdp enable
frame-relay interface-dlci 255 IETF
!
ip nat pool vsapool 66.255.138.### 66.255.138.### netmask 255.255.255.###
ip nat inside source list 2 pool vsapool overload
ip classless
ip route 0.0.0.0 0.0.0.0 66.255.138.###
no ip http server
!
!
ip access-list extended s0-in
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 7.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
!
logging source-interface FastEthernet0
logging 172.16.50.21
access-list 1 permit 172.16.50.21 log
access-list 1 deny any log
access-list 2 permit 172.16.50.0 0.0.0.255
access-list 105 deny tcp any any eq 6346 log
access-list 105 deny tcp any any eq 6347 log
access-list 105 permit ip any any
access-list 106 deny tcp any any eq 6346 log
access-list 106 deny tcp any any eq 6347 log
access-list 106 deny tcp any eq 6346 any log
access-list 106 deny tcp any eq 6347 any log
access-list 106 permit ip any any
no cdp run
banner motd ^C
This is a private system operated for and by
##############################

Authorization from ######### is required to use this system
Use by unauthorized persons is prohibited
^C
!
line con 0
password 7 ##########################
login
line aux 0
line vty 0 4
access-class 1 in
password 7 ###########################
login local
!
end


Here are the 2 lists I have created but not implemented

!internal
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 172.16.0.0 0.0.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 240.0.0.0 7.255.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip any host 172.16.50.0 log
access-list 100 permit tcp any 172.16.50.0 0.0.0.128 established
access-list 100 deny icmp any any echo log
access-list 100 deny icmp any any redirect log
access-list 100 deny icmp any any mask-request log
access-list 100 permit icmp any 172.16.50.0 0.0.0.128
access-list 100 deny tcp any any range 6000 6063 log
access-list 100 deny tcp any any eq 6667 log
access-list 100 deny tcp any any range 12345 12346 log
access-list 100 deny tcp any any eq 31337 log
access-list 100 permit tcp any eq 20 172.16.50.0 0.0.0.128 gt 1023
access-list 100 deny udp any any eq 2049 log
access-list 100 deny udp any any eq 31337 log
access-list 100 deny udp any any range 33400 34400 log
access-list 100 permit udp any eq 53 172.16.50.0 0.0.0.128 gt 1023
access-list 100 deny tcp any eq 6346 any log
access-list 100 deny tcp any any eq 6346 log
access-list 100 deny tcp any eq 6347 any log
access-list 100 deny tcp any any eq 6347 log
access-list 100 deny tcp any range 0 65535 any range 0 65535 log
access-list 100 deny udp any range 0 65535 any range 0 65535 log
access-list 100 deny ip any any log
!
!external
access-list 102 deny ip host 172.16.50.1 host 172.16.50.1 log
access-list 102 permit icmp 172.16.50.0 0.0.0.255 any echo
access-list 102 permit icmp 172.16.50.0 0.0.0.255 any parameter-problem
access-list 102 permit icmp 172.16.50.0 0.0.0.255 any packet-too-big
access-list 102 permit icmp 172.16.50.0 0.0.0.255 any source-quench
access-list 102 deny tcp any any range 1 19 log
access-list 102 deny tcp any any eq 43 log
access-list 102 deny tcp any any eq 93 log
access-list 102 deny tcp any any range 135 139 log
access-list 102 deny tcp any any eq 445 log
access-list 102 deny tcp any any range 512 518 log
access-list 102 deny tcp any any eq 540 log
access-list 102 permit tcp 172.16.50.0 0.0.0.128 gt 1023 any lt 1024
access-list 102 permit udp 172.16.50.0 0.0.0.128 gt 1023 any eq 53
access-list 102 permit udp 172.16.50.0 0.0.0.128 gt 1023 any range 33400 34400 log
access-list 102 permit ip any any
!DENY ALL - access-list 102 deny tcp any range 0 65535 any range 0 65535 log
!DENY ALL - access-list 102 deny udp any range 0 65535 any range 0 65535 log
no cdp run


Thank you very much for any help you can give me
Paul
 
You don't need to deny the private IPs from your inside... Just route them to null.

! masks corrected to cover the same blocks the access lists above deny
ip route 10.0.0.0 255.0.0.0 null0
ip route 127.0.0.0 255.0.0.0 null0
ip route 172.16.0.0 255.255.0.0 null0
ip route 169.254.0.0 255.255.0.0 null0
ip route 192.168.0.0 255.255.0.0 null0
ip route 240.0.0.0 240.0.0.0 null0
ip route 224.0.0.0 240.0.0.0 null0

ip cef

interface Serial0.1 point-to-point
no ip redirects
no ip directed-broadcast
ip route-cache
exit

interface FastEthernet0
ip route-cache
exit
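A null route is a destination-based decision, so it is worth seeing exactly what it does and does not catch before relying on it in place of the deny entries. The script below is an added example, not part of the reply: it does a longest-prefix-match lookup over the routing table the reply builds (null routes, masks sized to the blocks) together with the connected LAN and the default route from the poster's config. The sample destinations and the spoofed source 10.1.1.1 are constructed.

```python
"""Longest-prefix-match over the null-route table (added example, not from the thread)."""
import ipaddress

# Routing table as the reply builds it plus the connected LAN and default route
# from the poster's config. Interface names are taken from that config.
ROUTES = [
    ("172.16.50.0/24", "FastEthernet0"),  # connected LAN, most specific
    ("0.0.0.0/0", "Serial0.1"),           # default route toward the ISP
    ("10.0.0.0/8", "Null0"),
    ("127.0.0.0/8", "Null0"),
    ("172.16.0.0/16", "Null0"),
    ("169.254.0.0/16", "Null0"),
    ("192.168.0.0/16", "Null0"),
    ("224.0.0.0/4", "Null0"),
    ("240.0.0.0/4", "Null0"),
]


def lookup(dst, routes=ROUTES):
    """Return the egress interface for a destination: longest matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forwarding_decision(pkt, routes=ROUTES):
    """Only the destination is consulted; a spoofed private source is not a routing matter."""
    iface = lookup(pkt["dst"], routes)
    return "drop" if iface == "Null0" else f"forward via {iface}"


if __name__ == "__main__":
    print(lookup("172.16.50.21"))          # connected /24 beats the /16 null route
    print(lookup("192.168.7.7"))           # swallowed by Null0
    print(forwarding_decision({"src": "10.1.1.1", "dst": "198.51.100.5"}))
```

The third case is the one to keep in mind: a packet arriving on Serial0.1 with a 10.0.0.0/8 source and a public destination is forwarded normally, because the null route never looks at the source address. Routes to null0 stop traffic *to* those ranges (and the 172.16.0.0/16 entry is harmless to the LAN only because the connected /24 is more specific); the source-address checks in the poster's `s0-in` list are what catch packets *from* them.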
 