I've got an 1841 router connected to a DSL line and serving as a firewall for a small LAN. From the LAN's perspective all is working fine, but when I ran a port scan from the outside I saw that Telnet and SSH are indicated as open. I'd have thought I had both of those covered:
- I have an inbound ACL whose only line is "deny ip any any" applied to my external interface. I don't have it applied to my dialer interface; when I tried that it blocked all traffic out from the LAN for some reason. Shouldn't what I have block Telnet and SSH even to the router itself?
- I've done the rsa zeroize thing, which should have deactivated SSH, shouldn't it? Not sure why SSH is still even an issue here.
- Bonus question: should my "ip inspect CBAC out" be on f0/0 as I have it, or is it better to put it on the dialer interface?
Config pasted here:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname somerouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
memory-size iomem 25
ip cef
!
!
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC icmp router-traffic
ip inspect name CBAC https
ip inspect name CBAC imap
ip inspect name CBAC dns
ip inspect name CBAC isakmp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address a.b.c.1 a.b.c.49
ip dhcp excluded-address a.b.c.100 a.b.c.254
!
ip dhcp pool LANDefault
network a.b.c.0 255.255.255.0
default-router a.b.c.1
dns-server 4.2.2.4 4.2.2.2
!
ip dhcp pool LANStatic
host a.b.c.50 255.255.255.0
client-identifier xxxx.xxxx.xxxx.xx
!
!
ip domain name somedomian.com
!
!
!
username someguy privilege 15 password 7 xxxxxxxxxxxxxxxxxx
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
!
interface FastEthernet0/0
no ip address
ip access-group inbound-filter in
ip inspect CBAC out
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address a.b.c.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group outbound-filter out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username someguy@someisp.net password 7 xxxxxxxxxxxxxx
ppp ipcp route default
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
!
ip access-list extended inbound-filter
deny ip any any
ip access-list extended outbound-filter
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit udp any any eq tftp
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
permit tcp any any eq 1863
permit tcp any any range 6891 6900
permit udp any any range 6891 6900
permit tcp any any eq 5190
permit tcp any any eq 5050
permit udp any any eq 1200
permit tcp any any range 27000 27040
permit udp any any range 27000 27040
permit tcp any any eq 6112
permit tcp any any eq 3724
permit udp any any eq 3724
permit tcp any any range 1119 1120
permit udp any any range 1119 1120
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
permit tcp host a.b.c.26 any eq 123
permit icmp any any
deny ip any any
!
access-list 10 permit a.b.c.0 0.0.0.255
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxxxx
login
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxxxx
login local
line vty 5 15
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxxxx
login local
!
scheduler allocate 20000 1000
end
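An added example, not code from the original post: a small Python audit that parses a pasted IOS config the way the one above is laid out (subcommand indentation lost, blocks closed by `!`) and reports the exposures behind the question: an `ip access-group` and `ip inspect` sitting on the PPPoE-client Ethernet interface rather than the Dialer that terminates the IP session, a Dialer with no inbound ACL, and vty lines with no `access-class`, no explicit `transport input` and no idle timeout. The config embedded in it is a constructed excerpt of the posted one with the same placeholders; the finding codes and messages are this example's own.

```python
"""Audit a pasted Cisco IOS config for the remote-management exposures the
question describes.  Added example, not code from the original post; the config
below is a constructed excerpt of the one pasted there (placeholders kept)."""
import re

# Constructed excerpt of the posted config.  IOS indents subcommands with one
# space, but the paste lost that, so the parser relies on section headers and
# '!' separators instead of indentation.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
no ip address
ip access-group inbound-filter in
ip inspect CBAC out
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address a.b.c.1 255.255.255.0
ip nat inside
!
interface Dialer1
ip address negotiated
ip access-group outbound-filter out
ip nat outside
encapsulation ppp
dialer pool 1
!
ip access-list extended inbound-filter
deny ip any any
!
line vty 0 4
exec-timeout 0 0
login local
line vty 5 15
exec-timeout 0 0
login local
!
"""

# Block headers this audit cares about (interfaces, line groups, named ACLs).
SECTION_RE = re.compile(r"^(interface \S+|line .+|ip access-list \S+ \S+)$")

# Finding codes (this example's own) and what each one means.
MESSAGES = {
    "acl-on-pppoe-physical": "IP access-group on the PPPoE-client Ethernet interface: "
        "the session's IP packets are PPPoE-encapsulated here and terminate on the "
        "Dialer, so this ACL does not filter them",
    "inspect-on-pppoe-physical": "ip inspect on the PPPoE-client Ethernet interface: "
        "same encapsulation issue; the stateful openings need to be on the Dialer",
    "dialer-no-inbound-acl": "no inbound access-group on the Dialer: every service the "
        "router itself listens on (Telnet, SSH, ...) is reachable from the Internet",
    "vty-no-access-class": "no access-class: vty logins accepted from any source address",
    "vty-transport-unrestricted": "no explicit 'transport input': Telnet not ruled out",
    "vty-no-timeout": "exec-timeout 0 0: idle management sessions never expire",
}


def parse_sections(config):
    """Map each interface / line / named-ACL header to its list of subcommands."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # '!' closes the current block
            continue
        if SECTION_RE.match(line):
            current = line          # a new header also closes the previous block
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def audit(config):
    """Return (location, finding-code) pairs; look the codes up in MESSAGES."""
    findings = []
    for header, cmds in parse_sections(config).items():
        where = header.split(None, 1)[1]
        if header.startswith("interface "):
            pppoe_client = any(c.startswith("pppoe-client") for c in cmds)
            no_ip = any(c == "no ip address" for c in cmds)
            if pppoe_client and no_ip:
                if any(c.startswith("ip access-group") for c in cmds):
                    findings.append((where, "acl-on-pppoe-physical"))
                if any(c.startswith("ip inspect") for c in cmds):
                    findings.append((where, "inspect-on-pppoe-physical"))
            if where.startswith("Dialer") and not any(
                    c.startswith("ip access-group") and c.endswith(" in") for c in cmds):
                findings.append((where, "dialer-no-inbound-acl"))
        elif header.startswith("line vty"):
            if not any(c.startswith("access-class") for c in cmds):
                findings.append((where, "vty-no-access-class"))
            if not any(c.startswith("transport input") for c in cmds):
                findings.append((where, "vty-transport-unrestricted"))
            if "exec-timeout 0 0" in cmds:
                findings.append((where, "vty-no-timeout"))
    return findings


if __name__ == "__main__":
    for where, code in audit(SAMPLE_CONFIG):
        print(f"{where}: {MESSAGES[code]}")
```

Run against the excerpt it reports nine findings: two for FastEthernet0/0, one for Dialer1 and three for each vty range. The corresponding fixes are standard IOS: an `access-class <acl> in` on the vty lines that names the management source addresses, `transport input ssh` (or `none`) to drop Telnet, a non-zero `exec-timeout`, and moving the inbound access-group together with `ip inspect CBAC out` onto Dialer1 so that CBAC punches the return-traffic openings into that same inbound ACL instead of the ACL blocking everything coming back to the LAN.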