NigelPrice
Technical User
Hello,
I have a new role and have been asked to ensure that our routers are 'secure'. I have experience with PIX VPNs, but not IOS-based ones.
We have a head office and 5 branch offices that connect via VPN. From looking at the config and doing a port scan, it appears that there is little protection on our head office router. There are many access lists defined on this thing, but it appears that they are not applied.
Could someone have a quick look at the ACL config below and let me know if it is OK to apply acl 101 to the outside interface without breaking the VPN?
Also, I can't see what acl 115,125,135,145,155 and 199 are really doing.
Also, will the ip http access-class and ip access-class commands allow me to apply an ACL to prevent external telnet and http access, or will this be overridden by ACL 101?
Sorry about the length of the question, but this config seems a little overdone and I wouldn't like to break the network that I am newly looking after.
Many thanks
Nigel
Current configuration : 6681 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
hostname xxxxxx
!
logging buffered 10000 debugging
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable password 7 xxxxxx
!
username cisco password 7 xxxxxx
username gctisp password 7 xxxxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
group 2
!
crypto isakmp policy 4
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address xx.xx.xx.xx no-xauth
crypto isakmp key cisco123 address xx.xx.xx.xx no-xauth
crypto isakmp key cisco123 address xx.xx.xx.xx no-xauth
crypto isakmp key cisco123 address xx.xx.xx.xx no-xauth
crypto isakmp key cisco123 address xx.xx.xx.xx no-xauth
crypto isakmp identity hostname
!
crypto isakmp client configuration group cisco
key xxx
dns xx.xx.xx.xx xx.xx.xx.xx
domain xxx.com
pool fred
acl 199
!
crypto isakmp client configuration group default
key xxx
dns xx.xx.xx.xx xx.xx.xx.xx
pool fred
acl 199
!
!
crypto ipsec transform-set vicset esp-des esp-md5-hmac
crypto ipsec transform-set dessha esp-3des esp-sha-hmac
!
crypto dynamic-map mode 1
set transform-set dessha
!
!
crypto map mode client authentication list userlist
crypto map mode isakmp authorization list grouplist
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic mode
crypto map mode 2 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set dessha
match address 120
crypto map mode 3 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set dessha
match address 130
crypto map mode 4 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set dessha
match address 140
crypto map mode 5 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set dessha
match address 150
crypto map mode 6 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set dessha
match address 160
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
no fair-queue
!
interface ATM0.1 point-to-point
pvc 1/32
encapsulation aal5snap
!
bridge-group 1
!
interface FastEthernet0
description Internal Ethernet
ip address 172.29.184.6 255.255.255.0
ip nat inside
no ip mroute-cache
speed 10
full-duplex
!
interface BVI1
ip address xxx.xxx.143.26 255.255.255.0
ip nat outside
no ip route-cache
no ip mroute-cache
crypto map mode
!
router rip
version 2
network 172.29.0.0
!
ip local pool fred 172.29.190.1 172.29.190.254
ip nat inside source route-map nonat interface BVI1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.143.1
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 172.0.0.0 0.255.255.255
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any eq isakmp any
access-list 101 permit tcp any eq
access-list 101 permit tcp any eq ftp any
access-list 101 permit tcp any eq ftp-data any
access-list 101 permit tcp any eq smtp any
access-list 101 permit tcp any eq 443 any
access-list 101 permit tcp any eq pop3 any
access-list 101 permit udp any eq domain any
access-list 101 deny ip any any log
access-list 110 deny ip 172.29.184.0 0.0.0.255 172.29.190.0 0.0.0.255
access-list 110 deny ip 172.29.184.0 0.0.0.255 172.29.185.0 0.0.0.255
access-list 110 deny ip 172.29.184.0 0.0.0.255 172.29.186.0 0.0.0.255
access-list 110 deny ip 172.29.184.0 0.0.0.255 172.29.187.0 0.0.0.255
access-list 110 deny ip 172.29.184.0 0.0.0.255 172.29.188.0 0.0.0.255
access-list 110 deny ip 172.29.184.0 0.0.0.255 172.29.189.0 0.0.0.255
access-list 110 permit ip 172.29.184.0 0.0.0.255 any
access-list 115 permit ip host xxx.xxx.143.26 172.29.185.0 0.0.0.255
access-list 115 permit ip 172.29.184.0 0.0.0.255 172.29.185.0 0.0.0.255
access-list 120 permit ip 172.29.184.0 0.0.0.255 172.29.185.0 0.0.0.255
access-list 120 permit ip 172.29.190.0 0.0.0.255 172.29.185.0 0.0.0.255
access-list 120 permit ip xxx.xxx.143.26 0.0.0.1 172.29.185.0 0.0.0.255
access-list 125 permit ip host xxx.xxx.143.26 172.29.186.0 0.0.0.255
access-list 125 permit ip 172.29.184.0 0.0.0.255 172.29.186.0 0.0.0.255
access-list 130 permit ip 172.29.184.0 0.0.0.255 172.29.186.0 0.0.0.255
access-list 130 permit ip 172.29.190.0 0.0.0.255 172.29.186.0 0.0.0.255
access-list 130 permit ip xxx.xxx.143.26 0.0.0.1 172.29.186.0 0.0.0.255
access-list 135 permit ip host xxx.xxx.143.26 172.29.187.0 0.0.0.255
access-list 135 permit ip 172.29.184.0 0.0.0.255 172.29.187.0 0.0.0.255
access-list 140 permit ip 172.29.184.0 0.0.0.255 172.29.187.0 0.0.0.255
access-list 140 permit ip 172.29.190.0 0.0.0.255 172.29.187.0 0.0.0.255
access-list 140 permit ip xxx.xxx.143.26 0.0.0.1 172.29.187.0 0.0.0.255
access-list 145 permit ip host xxx.xxx.143.26 172.29.189.0 0.0.0.255
access-list 145 permit ip 172.29.184.0 0.0.0.255 172.29.189.0 0.0.0.255
access-list 150 permit ip 172.29.184.0 0.0.0.255 172.29.189.0 0.0.0.255
access-list 150 permit ip 172.29.190.0 0.0.0.255 172.29.189.0 0.0.0.255
access-list 150 permit ip xxx.xxx.143.26 0.0.0.1 172.29.189.0 0.0.0.255
access-list 155 permit ip host xxx.xxx.143.26 172.29.188.0 0.0.0.255
access-list 155 permit ip 172.29.184.0 0.0.0.255 172.29.188.0 0.0.0.255
access-list 160 permit ip 172.29.184.0 0.0.0.255 172.29.188.0 0.0.0.255
access-list 160 permit ip 172.29.190.0 0.0.0.255 172.29.188.0 0.0.0.255
access-list 160 permit ip xxx.xxx.98.226 0.0.0.1 172.29.188.0 0.0.0.255
access-list 199 permit ip 172.29.184.0 0.0.0.255 any
access-list 199 permit ip 172.29.185.0 0.0.0.255 any
access-list 199 permit ip 172.29.190.0 0.0.0.255 any
access-list 199 permit ip host xxx.xxx.98.230 any
access-list 199 permit ip 172.29.186.0 0.0.0.255 any
access-list 199 permit ip 172.29.187.0 0.0.0.255 any
access-list 199 permit ip 172.29.189.0 0.0.0.255 any
access-list 199 permit ip host xxx.xxx.98.214 any
access-list 199 permit ip host xxx.xxx.98.246 any
access-list 199 permit ip host xxx.xxx.120.126 any
access-list 199 permit ip host xxx.xxx.73.30 any
!
route-map nonat permit 10
match ip address 110
!
snmp-server community stonehenge RO
snmp-server community pyramid RW
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
line vty 0 4
password 7 01140510521816
!
scheduler max-task-time 5000
no scheduler allocate
end
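As an added example (not part of the original post), a small Python audit that does two of the checks asked for above over a constructed excerpt of this config: it lists ACLs the config defines but never binds to an interface, crypto map, route-map, line or client group, and it walks ACL 101 first-match to show that ESP, AH and ISAKMP are permitted before the final deny. The address 203.0.113.26 is a documentation placeholder for the masked xxx.xxx.143.26; the excerpt keeps only the lines the audit needs.

```python
import re

# Constructed excerpt of the posted config; 203.0.113.26 stands in for the masked xxx.xxx.143.26.
CONFIG = """
crypto isakmp client configuration group cisco
 acl 199
crypto map mode 2 ipsec-isakmp
 match address 120
route-map nonat permit 10
 match ip address 110
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any eq isakmp any
access-list 101 permit tcp any eq smtp any
access-list 101 deny ip any any log
access-list 110 permit ip 172.29.184.0 0.0.0.255 any
access-list 115 permit ip host 203.0.113.26 172.29.185.0 0.0.0.255
access-list 120 permit ip 172.29.184.0 0.0.0.255 172.29.185.0 0.0.0.255
"""

# IOS constructs that bind a numbered ACL to something.
REF_PATTERNS = [
    r"^\s*match address (\d+)",               # crypto map entry
    r"^\s*match ip address (\d+)",            # route-map (NAT exemption)
    r"^\s*acl (\d+)",                         # isakmp client group split tunnel
    r"^\s*ip access-group (\d+) (?:in|out)",  # interface packet filter
    r"^\s*access-class (\d+) in",             # vty line
    r"^\s*ip http access-class (\d+)",        # http server
]

def unused_acls(config):
    """ACL numbers that are defined but bound nowhere, so they filter nothing."""
    defined = set(re.findall(r"^access-list (\d+) ", config, re.M))
    referenced = set()
    for pat in REF_PATTERNS:
        referenced.update(re.findall(pat, config, re.M))
    return sorted(defined - referenced, key=int)

def acl_verdict(config, number, proto, src_port=None):
    """First-match simulation for a flow with this IP protocol and source port.
    Only 'any ... eq PORT' entries are modelled; in 'permit tcp any eq smtp any'
    the 'eq' qualifies the SOURCE port, not the destination."""
    for line in config.splitlines():
        m = re.match(rf"access-list {number} (permit|deny) (\S+)(?: any eq (\S+))?", line)
        if not m:
            continue
        action, acl_proto, port = m.groups()
        if acl_proto in (proto, "ip") and (port is None or port == src_port):
            return action
    return "deny"  # every IOS ACL ends with an implicit deny
```

Run against the full posted config, the same two functions report 101 and the 115/125/135/145/155 series as unbound, and show 101 permitting esp, ahp and udp/isakmp while a plain inbound tcp flow falls through to the logged deny.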