
Cisco 806 - is it secure?

Status
Not open for further replies.

MikeWire (IS-IT--Management), Feb 1, 2005
I want to see how secure my router is, just to know if it could be compromised or if there is anything I could do to make security tighter. What could I change? Here is my running config:


Building configuration...

Current configuration : 6753 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 deleted...
!
username Rites privilege 15 password 7 deleted...
username Router password 7 deleted...
username Karth privilege 15 password 7 deleted...
username Jaidu privilege 15 password 7 deleted...
username Sbask privilege 15 password 7 deleted...
ip subnet-zero
ip name-server 216.xxx.160.17
ip name-server 216.xxx.165.2
ip dhcp excluded-address 192.168.200.1
ip dhcp excluded-address 192.168.200.108
ip dhcp excluded-address 192.168.200.102
ip dhcp excluded-address 192.168.200.48
ip dhcp excluded-address 192.168.200.78
ip dhcp excluded-address 192.168.200.99
ip dhcp excluded-address 192.168.200.73
ip dhcp excluded-address 192.168.200.67
ip dhcp excluded-address 192.168.200.68
ip dhcp excluded-address 192.168.200.71
ip dhcp excluded-address 192.168.200.72
ip dhcp excluded-address 192.168.200.75
ip dhcp excluded-address 192.168.200.76
ip dhcp excluded-address 192.168.200.6
ip dhcp excluded-address 192.168.200.5
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.200.99-255.255.255.0
ip address 192.168.200.99 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
ip address 216.xxx.177.254 255.255.255.224 secondary
ip address 216.xxx.177.74 255.255.255.240
ip access-group 111 in
ip nat outside
ip inspect myfw out
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 192.168.200.1 20 interface Ethernet1 20
ip nat inside source static tcp 192.168.200.99 23 interface Ethernet1 23
ip nat inside source static tcp 192.168.200.78 22 interface Ethernet1 22
ip nat inside source static tcp 192.168.200.48 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.200.108 80 interface Ethernet1 80
ip nat inside source static tcp 192.168.200.108 21 interface Ethernet1 21
ip nat inside source static tcp 192.168.200.1 110 interface Ethernet1 110
ip nat inside source static tcp 192.168.200.1 25 interface Ethernet1 25
ip nat inside source static tcp 192.168.200.1 80 216.xxx.177.66 80 extendable
ip nat inside source static tcp 192.168.200.1 110 216.xxx.177.66 110 extendable
ip nat inside source static tcp 192.168.200.1 25 216.xxx.177.66 25 extendable
ip nat inside source static tcp 192.168.200.1 20 216.xxx.177.66 20 extendable
ip nat inside source static tcp 192.168.200.1 21 216.xxx.177.66 21 extendable
ip nat inside source static tcp 192.168.200.1 3389 216.xxx.177.66 3389 extendable
ip nat inside source static tcp 192.168.200.102 80 216.xxx.177.69 80 extendable
ip nat inside source static tcp 192.168.200.73 3389 216.xxx.177.73 3389 extendable
ip nat inside source static tcp 192.168.200.67 3389 216.xxx.177.67 3389 extendable
ip nat inside source static tcp 192.168.200.68 3389 216.xxx.177.68 3389 extendable
ip nat inside source static tcp 192.168.200.71 3389 216.xxx.177.71 3389 extendable
ip nat inside source static tcp 192.168.200.72 3389 216.xxx.177.72 3389 extendable
ip nat inside source static tcp 192.168.200.75 3389 216.xxx.177.75 3389 extendable
ip nat inside source static tcp 192.168.200.76 3389 216.xxx.177.76 3389 extendable
ip nat inside source static tcp 192.168.200.6 3389 216.xxx.177.77 3389 extendable
ip nat inside source static tcp 192.168.200.78 80 216.xxx.177.78 80 extendable
ip nat inside source static tcp 192.168.200.78 22 216.xxx.177.78 22 extendable
ip nat inside source static tcp 192.168.200.5 3389 216.xxx.177.74 3389 extendable
ip nat inside source static tcp 192.168.200.103 80 216.xxx.177.229 80 extendable
ip nat inside source static tcp 192.168.200.104 80 216.xxx.177.230 80 extendable
ip nat inside source static tcp 192.168.200.105 80 216.xxx.177.231 80 extendable
ip nat inside source static tcp 192.168.200.106 80 216.xxx.177.226 80 extendable
ip nat inside source static tcp 192.168.200.107 80 216.xxx.177.227 80 extendable
ip nat inside source static tcp 192.168.200.48 3389 216.xxx.177.70 3389 extendable
ip nat inside source static tcp 192.168.200.108 80 216.xxx.177.232 80 extendable
ip nat inside source static tcp 192.168.200.108 21 216.xxx.177.232 21 extendable
ip nat inside source static tcp 192.168.200.102 80 216.xxx.177.228 80 extendable
ip nat inside source static tcp 192.168.200.106 21 216.xxx.177.226 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.xxx.177.65
ip http server
ip pim bidir-enable
!
!
access-list 23 permit 192.168.200.0 0.0.0.255
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
access-list 111 permit tcp any any eq ftp-data
access-list 111 permit tcp any any eq telnet
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq smtp
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
no cdp run
banner login ^C Welcome ^C
banner motd ^CWelcome to the Cisco 806 router^C
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
password 7 0213097C190F5D
login local
length 0
!
scheduler max-task-time 5000
end
 
Bump for anyone who could help...plz...
 
Bad Idea...
banner motd ^CWelcome to the Cisco 806 router^C

Should probably be something like "Warning: Unauthorized access to this network is prohibited w/o consent... blah blah"

Also... you should probably further break down www, ftp, etc., instead of doing any any in your access-list.

If you have the 3DES image... I would switch to SSH instead of telnet for administration.

Also, probably want to add these lines

Code:
no ip source-route
no ip gratuitous-arps
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
interface Null0
 no ip unreachables
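As an added example (not code from this thread or from Cisco), the script below scans a running-config for the points the reply raises: any/any permits on an inbound ACL, telnet exposure, a welcoming banner, and the missing hardening lines. It also flags type 7 line passwords, which use a reversible encoding. SAMPLE_CONFIG is a constructed excerpt modelled on the posted config, and the check names are assumptions.

```python
"""Audit a Cisco IOS running-config for the issues raised in this thread."""
import re

# Constructed excerpt modelled on the config posted above, not the full config.
SAMPLE_CONFIG = """\
interface Ethernet1
 ip access-group 111 in
 ip nat outside
ip nat inside source static tcp 192.168.200.99 23 interface Ethernet1 23
access-list 111 permit tcp any any eq telnet
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any host 192.168.200.108 eq www
banner motd ^CWelcome to the Cisco 806 router^C
line vty 0 4
 password 7 0213097C190F5D
"""

# Hardening lines the reply recommends; each one missing is a finding.
REQUIRED = ["no ip source-route", "no ip gratuitous-arps",
            "ip route 10.0.0.0 255.0.0.0 Null0",
            "ip route 172.16.0.0 255.240.0.0 Null0",
            "ip route 192.168.0.0 255.255.0.0 Null0"]


def audit(config):
    """Return (check, detail) findings for one running-config text."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    # ACL numbers applied inbound on some interface ("ip access-group N in").
    inbound = {ln.split()[2] for ln in lines
               if ln.strip().startswith("ip access-group ") and ln.endswith(" in")}
    for ln in lines:
        m = re.match(r"access-list (\S+) permit (tcp|udp) any any eq (\S+)$", ln)
        if m and m.group(1) in inbound:
            # Reply's point: narrow "any any" to the specific published host.
            findings.append(("any-any", f"ACL {m.group(1)} {m.group(2)}/{m.group(3)}"))
            if m.group(3) == "telnet":
                findings.append(("telnet", "inbound telnet permitted; use SSH"))
        if re.match(r"ip nat inside source static tcp \S+ 23 ", ln):
            findings.append(("telnet", "static NAT publishes port 23; use SSH"))
        if ln.startswith("banner") and "welcome" in ln.lower():
            findings.append(("banner", "banner welcomes; state access is restricted"))
        if ln.strip().startswith("password 7 "):
            # Type 7 is a reversible encoding, not a hash (known fact, not from thread).
            findings.append(("type7", "line password uses reversible type 7 encoding"))
    for req in REQUIRED:
        if req not in lines:
            findings.append(("missing", req))
    return findings
```

Run `audit()` over the output of `show running-config`; the `any host ...` line in the sample shows the narrowed form the reply asks for and produces no finding.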
 