
Help securing a 1721


jlancton (MIS), Jul 26, 2001
Hi, I've got a 1721 running IOS 12.X with the firewall feature set connecting my network via T1 to the Internet. I've got a Windows 2000 server running as a mail and web server. I want to secure the router while allowing access to the mail and web servers, as well as provide NAT access to the Internet for workstations. The configuration I have now does the NAT, but has no security. I tried adding an access list that I found in another thread, but that broke the Internet access. I'm sure I did something wrong, as I'm by no means a router guy.

Any help with some basic security configuration would be greatly appreciated.

Thanks,

-Jeff
 
You need to configure your firewall feature set first. A simple configuration would be:

ip inspect name InternetIN http
ip inspect name InternetIN smtp
ip inspect name InternetIN tcp
ip inspect name InternetIN udp
ip inspect name InternetOUT http
ip inspect name InternetOUT smtp
ip inspect name InternetOUT tcp
ip inspect name InternetOUT udp

int s0
 ip inspect InternetIN in
 ip inspect InternetOUT out

You would then need to configure an inbound acl, something like this:

access-list 100 permit tcp any host x.x.x.x eq smtp
access-list 100 permit tcp any host x.x.x.x eq http
access-list 100 deny tcp any any eq 135
access-list 100 deny tcp any any eq 80
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any eq 1433
access-list 100 deny udp any any eq 135
access-list 100 deny udp any any eq 137
access-list 100 deny udp any any eq 139
access-list 100 deny udp any any eq 445
access-list 100 deny udp any any eq 1434
access-list 100 deny ip any any log

int s0
 ip access-group 100 in

This acl will allow web and email traffic to your server, quietly drop the most common worms/hacks/viruses on the internet at the moment and log all other packet drops.

When you put this acl in place you can look at the Cisco log to see what is being dropped (using the show log command). If you find that something is broken after applying this acl then remove the access-group command from the interface until you can analyse the log (or post it here).

Note that x.x.x.x is the EXTERNAL address of your email/web server, not the internal.

HTH,
Michael.
 
Ok, the Inspect part went fine, and runs.

When I added the inbound ACL, it stopped access to the Web from workstations.

I thought it might have been because there was a deny for port 80, so I removed the list, re-entered minus that one, and still no joy.

Any ideas?

-Jeff
 
I usually put the deny 80 in because of the number of viruses that scan the internet looking for vulnerable IIS servers. If you leave that out it will still be blocked by the last line (deny any any log) but it will be sent to the log as well.

What is in the log (show log) when the access-list is in place? Post the results here (but change any external IP Addresses to x.x.x.x).

The ip inspect commands should be modifying the access-list on the fly to allow your workstations access to the internet, so you could also do a show access-list 100 to see if that is working.

HTH,
Michael.
 
Hi mates:

What about using

'access-list 100 deny tcp any any eq 80 established'?

This way, inbound packets belonging to a connection started outbound will traverse the router, whereas inbound connections will only be permitted to the server by

access-list 100 permit tcp any host x.x.x.x eq http
access-list 100 deny tcp any any eq 80

D.
 
You could do that, but it shouldn't be necessary with the CBAC (Context Based Access Control) features of the firewall feature set. Basically, CBAC adds entries to the top of your access-list to permit replies to conversations that were initiated from inside the router (or any interface that has ip inspect activated).

Cheers,
Michael.
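To make the behaviour Michael describes concrete, here is an added example (not from the thread, and not Cisco's code) that simulates first-match evaluation of the inbound access-list 100 posted above, with and without the temporary entries CBAC adds for sessions inspected in the out direction, and with D.'s `established` line as the alternative. The server, NAT and remote addresses, the port numbers and the packets are all constructed for the example; the thread's x.x.x.x is represented by SERVER.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the example (x.x.x.x in the thread is SERVER).
SERVER = "203.0.113.10"      # assumed external (NAT) address of the mail/web server
INSIDE_NAT = "203.0.113.1"   # assumed address the workstations are translated to
REMOTE = "198.51.100.7"      # some host out on the Internet


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False     # TCP ACK or RST bit set; this is what 'established' matches


@dataclass(frozen=True)
class Ace:
    """One access-list entry. None means 'any' for a field; a string is a 'host' match."""
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp", "udp" or "ip"
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        for want, have in ((self.src, p.src), (self.sport, p.sport),
                           (self.dst, p.dst), (self.dport, p.dport)):
            if want is not None and want != have:
                return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl, p: Packet):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'.
    Returns (action, logged)."""
    for ace in acl:
        if ace.matches(p):
            return ace.action, ace.log
    return "deny", False


# access-list 100 from the thread, with the 'host' keyword extended ACL syntax requires.
ACL_100 = [
    Ace("permit", "tcp", dst=SERVER, dport=25),
    Ace("permit", "tcp", dst=SERVER, dport=80),
    Ace("deny", "tcp", dport=135), Ace("deny", "tcp", dport=80),
    Ace("deny", "tcp", dport=445), Ace("deny", "tcp", dport=1433),
    Ace("deny", "udp", dport=135), Ace("deny", "udp", dport=137),
    Ace("deny", "udp", dport=139), Ace("deny", "udp", dport=445),
    Ace("deny", "udp", dport=1434),
    Ace("deny", "ip", log=True),
]


def cbac_return_entry(outbound: Packet) -> Ace:
    """Model of what 'ip inspect ... out' contributes for one session: a temporary
    permit for exactly the reverse five-tuple, placed above the static entries."""
    return Ace("permit", outbound.proto, src=outbound.dst, sport=outbound.dport,
               dst=outbound.src, dport=outbound.sport)


def inbound_decision(p: Packet, outbound_sessions=(), established_line=False):
    """Decision for an inbound packet on s0: CBAC entries for sessions seen in the
    out direction (if any), optionally D.'s 'permit tcp any any established', then
    the static list."""
    dynamic = [cbac_return_entry(o) for o in outbound_sessions]
    static = list(ACL_100)
    if established_line:
        static.insert(0, Ace("permit", "tcp", established=True))
    return evaluate(dynamic + static, p)


def demo():
    """The cases discussed in the thread; returns a dict of (action, logged)."""
    web_out = Packet("tcp", INSIDE_NAT, 52000, "198.51.100.50", 80)          # workstation browsing
    web_back = Packet("tcp", "198.51.100.50", 80, INSIDE_NAT, 52000, ack=True)  # the reply
    spoofed = Packet("tcp", "198.51.100.50", 80, INSIDE_NAT, 52001, ack=True)  # no matching session
    return {
        "smtp_to_server": evaluate(ACL_100, Packet("tcp", REMOTE, 40000, SERVER, 25)),
        "http_to_server": evaluate(ACL_100, Packet("tcp", REMOTE, 40001, SERVER, 80)),
        "smb_to_server": evaluate(ACL_100, Packet("tcp", REMOTE, 40002, SERVER, 445)),
        "http_to_workstation": evaluate(ACL_100, Packet("tcp", REMOTE, 40003, INSIDE_NAT, 80)),
        "reply_no_cbac": inbound_decision(web_back),
        "reply_with_cbac": inbound_decision(web_back, outbound_sessions=[web_out]),
        "reply_established": inbound_decision(web_back, established_line=True),
        "spoofed_reply_with_cbac": inbound_decision(spoofed, outbound_sessions=[web_out]),
    }


if __name__ == "__main__":
    for name, (action, logged) in demo().items():
        print(f"{name:26s} {action:6s} {'(logged)' if logged else ''}")
```

The simulation shows the three things worth checking after applying the list: SMTP and HTTP to the server host are permitted, the worm ports are dropped silently, and a reply to a workstation's web session is dropped and logged by the final line unless an inspect rule is applied in the out direction on s0 (or an `established` permit is placed above the denies). It also shows why CBAC is the tighter of the two: the temporary entry covers only the exact reverse five-tuple, so a packet with the ACK bit set but no matching session still falls through to the logged deny, whereas `established` would let it in.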
 
I have a similar need and was wondering how I would make my router respond to port scans. I would like to have a stealth setup. Can I set up my router to do this?
 
Frenchie, your config looks good. However, with the device only being a 1721, the IP Inspect feature could hit hard.

I guess it is just a matter of sacrificing performance for security....
 
Hi All, thanks for the replies. Been on vacation, hence I wasn't here earlier to say thanks. I'm still working on this and will post results shortly.

Thanks again!

-Jeff
 