5.6 Since you're using a Cisco ASR router, and it’s accessible publicly via its WAN interface with IP 164.120.228.211, you should restrict access to management services (like SSH, Telnet, HTTP/HTTPS) from the internet. Here’s how to secure your Cisco ASR router:
Step-by-Step: Block Public Access to Router on Cisco ASR
# Step 1: Restrict VTY (SSH/Telnet) Access with ACL
Create an access list that only permits trusted IPs, like your internal admin workstation or jump server.
! Create a standard ACL that permits only the trusted admin IP
Router(config)# ip access-list standard ADMIN_ONLY
Router(config-std-nacl)# permit 192.168.1.100
Router(config-std-nacl)# deny any
Router(config-std-nacl)# exit
Apply it to VTY lines:
Router(config)# line vty 0 4
Router(config-line)# access-class ADMIN_ONLY in
Router(config-line)# transport input ssh
Router(config-line)# end
Result: This blocks SSH access from the internet except from 192.168.1.100.
# Step 2: Disable HTTP/HTTPS Access (if not used)
Router(config)# no ip http server
Router(config)# no ip http secure-server
Note: If you need HTTPS access from internal IPs, apply an access-class instead.
# Step 3: Create an Access Control List to Block Inbound Management
Router(config)# ip access-list extended BLOCK_MANAGEMENT
! Deny SSH (22), Telnet (23), HTTP (80) and HTTPS (443) to the WAN address
Router(config-ext-nacl)# deny tcp any host 11.120.228.211 eq 22
Router(config-ext-nacl)# deny tcp any host 11.120.228.211 eq 23
Router(config-ext-nacl)# deny tcp any host 11.120.228.211 eq 80
Router(config-ext-nacl)# deny tcp any host 11.120.228.211 eq 443
! Allow all else (careful with this: any port not listed above is permitted)
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Apply the ACL inbound on the WAN interface:
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group BLOCK_MANAGEMENT in
Router(config-if)# exit
Router(config)# ip route 0.0.0.0 0.0.0.0 11.120.228.210
# Step 4: (Optional) Use Control-Plane Policing (CoPP)
For advanced security, limit control-plane traffic using CoPP.
Router(config)# class-map match-any MGMT
Router(config-cmap)# match access-group name ADMIN_ONLY
Router(config-cmap)# exit
!
Router(config)# policy-map CONTROL_PLANE
Router(config-pmap)# class MGMT
Router(config-pmap-c)# police 32000 1500 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
Router(config)# control-plane
Router(config-cp)# service-policy input CONTROL_PLANE
Router(config-cp)# exit
Note: This policy only rate-limits traffic matching ADMIN_ONLY; everything else falls into class-default, which drops nothing unless you give it a police or drop action of its own.
# Confirm It's Working
From an external network (not in the permitted IP range):
- Try SSH: ssh admin@202.170.202.34
- Port scan: nmap -Pn 202.170.202.34
Both should fail: the SSH connection times out and the scan shows ports 22, 23, 80 and 443 as filtered.
# Summary: Action and command
- Restrict VTY: access-class on line vty
- Disable HTTP/S: no ip http server
- Block management from WAN: ip access-list + ip access-group in
- Secure control plane: use CoPP (optional but good for DDoS mitigation)
# STANDARD ACLs
Standard ACLs are the oldest type of ACL. They date back to as early as Cisco IOS Software Release 8.3. Standard ACLs control traffic by comparing the source address of IP packets to the addresses configured in the ACL. This is the command syntax format of a standard ACL, as shown below.
access-list
# EXTENDED ACLs
Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by comparing both the source and destination addresses of IP packets to the addresses configured in the ACL. This is the command syntax format of extended ACLs. Lines are wrapped here for space considerations.
IP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log|log-input] [time-range time-range-name]
ICMP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} icmp source source-wildcard destination destination-wildcard
[icmp-type [icmp-code] |icmp-message]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]
TCP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} tcp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[established] [precedence precedence] [tos tos]
[log|log-input] [time-range time-range-name]
UDP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} udp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]
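To check what the Step 1 and Step 3 ACLs actually do before pushing them, here is an added example (not from the original post or from Cisco) in Python that models the IOS matching rules described above: top-down, first match wins, implicit deny at the end, standard ACLs matching only the source address, extended ACLs matching protocol, source, destination and destination port. It only handles the `eq` port operator and contiguous wildcard masks, and the packet source addresses are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed sample input: the entries of the two ACLs from Steps 1 and 3 above.
WAN_ACL = """deny tcp any host 11.120.228.211 eq 22
deny tcp any host 11.120.228.211 eq 23
deny tcp any host 11.120.228.211 eq 80
deny tcp any host 11.120.228.211 eq 443
permit ip any any"""
VTY_ACL = """permit 192.168.1.100
deny any"""
Packet = namedtuple("Packet", "src dst dport proto", defaults=["tcp"])

def _net(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    # Contiguous wildcard mask -> prefix length (0.0.0.255 -> /24, 0.0.0.0 -> /32).
    prefix = 32 - int(ipaddress.ip_address(wild)).bit_length()
    return ipaddress.ip_network(f"{t}/{prefix}", strict=False)

def evaluate(acl_text, pkt, standard=False):
    """IOS semantics: top-down, first match wins; unmatched packets hit the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for line in acl_text.splitlines():
        tokens = line.split()
        action = tokens.pop(0)
        if standard:                      # standard ACL: source address only
            if src_ip in _net(tokens):
                return action
            continue
        proto = tokens.pop(0)             # extended ACL: protocol, source, destination, port
        src, dst = _net(tokens), _net(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None  # destination 'eq' only
        if proto in ("ip", pkt.proto) and src_ip in src and dst_ip in dst \
                and port in (None, pkt.dport):
            return action
    return "deny"

def management_path(pkt, from_wan):
    """Which layer stops a packet: the WAN ACL (WAN path only), then the VTY access-class."""
    if from_wan and evaluate(WAN_ACL, pkt) == "deny":
        return "dropped by BLOCK_MANAGEMENT"
    if pkt.dport == 22 and evaluate(VTY_ACL, pkt, standard=True) == "deny":
        return "refused by ADMIN_ONLY access-class"
    return "permitted"
```

Running a packet from an outside address to port 8443 through `management_path` returns "permitted", which is exactly the "careful with this" caveat on `permit ip any any`: only the four listed ports are blocked at the WAN edge.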
https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15243-19.html