
Critique my router config (Cisco)

y2kc

Platinum Member
I have a Cisco 1605R that I use as a router for my Cable service. I'm NATing (of course) and it's been a rock for a couple of years now. I'm no IOS/Security guru, therefore I'm wondering if any of you guys would mind taking a peek at my config and let me know if you see any holes and/or glaring omissions that I should attend to. I will post the config here if you wish (sans the public IP) or I can PM it to you. I'm just looking for suggestions, I don't expect any of you to rewrite the config or anything like that. Be as specific as you can without burdening yourself or feeling like you're giving me free consultation. I will gladly post it here if any of you is willing.... Thanks.
 
Post it here so anybody that wants can just comment. 🙂

There's probably not a whole lot of "security" changes that can be made, since with NAT nobody's getting past the router.
 
Thanks, Here goes...

Current configuration : 2853 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret xxxxx...
enable password xxxxx...
!
ip subnet-zero
ip name-server xxxx.x.x
ip name-server xx.xx.x.x
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Serial_Out tcp
ip inspect name Serial_Out udp
ip inspect name Serial_Out cuseeme
ip inspect name Serial_Out ftp
ip inspect name Serial_Out h323
ip inspect name Serial_Out rcmd
ip inspect name Serial_Out realaudio
ip inspect name Serial_Out smtp
ip inspect name Serial_Out streamworks
ip inspect name Serial_Out vdolive
ip inspect name Serial_Out sqlnet
ip inspect name Serial_Out tftp
ip inspect name Serial_Out http java-list 50
ip inspect name Serial_In tcp
ip inspect name Serial_In udp
ip inspect name Serial_In smtp
ip inspect name Serial_In http java-list 50
!
!
!
interface Loopback0
no ip address
!
interface Ethernet0
ip address dhcp
ip access-group 100 in
no ip redirects
ip nat outside
ip inspect Serial_In in
ip inspect Serial_Out out
traffic-shape rate 3450000 34500 34500 64
no cdp enable
!
interface Ethernet1
ip address 10.0.0.1 255.0.0.0
ip nat inside
!
ip nat pool fwall xx.xx.xxx.xxx xx.xx.xxx.xxx prefix-length 25
ip nat inside source list 9 pool fwall overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip http server
!
access-list 9 permit 10.0.0.0 0.0.0.255
access-list 50 permit any
access-list 75 permit 10.0.0.0 0.255.255.255
access-list 100 permit gre host xxx.xxx.xxx.xx any
access-list 100 permit tcp host xxx.xxx.xxx.xx any range 135 139
access-list 100 permit udp host xxx.xxx.xxx.xx any range 135 netbios-ss
access-list 100 permit tcp host xxx.xxx.xxx.xx any eq 445
access-list 100 permit udp host xxx.xxx.xxx.xx any eq 445
access-list 100 permit udp host xx.xx.x.x eq domain any
access-list 100 permit udp host xx.xx.x.x eq domain any
access-list 100 deny tcp any any range 135 139
access-list 100 deny udp any any range 135 netbios-ss
access-list 100 deny tcp any any eq 445
access-list 100 deny udp any any eq 445
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip 240.0.0.0 7.255.255.255 any
access-list 100 deny ip 248.0.0.0 7.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny icmp any any
!
line con 0
access-class 75 in
line vty 0 4
access-class 75 in
password xxxx
login
!
end


There it is. I've masked the IPs for obvious reasons. Thanks for taking the time to check it out. Go easy on me, I'm still learning Cisco IOS. 😱
 
Thanks for the link. Here's a question; when I go to some "firewall test" sites I always seem to pass with flying colors, but they never fail to display the private IP address of the PC I'm testing from. They somehow see right through NAT. Is there a way to prevent this via the Access List?
 
Originally posted by: y2kc
Thanks for the link. Here's a question; when I go to some "firewall test" sites I always seem to pass with flying colors, but they never fail to display the private IP address of the PC I'm testing from. They somehow see right through NAT. Is there a way to prevent this via the Access List?

Probably has something to do with your browser. If you want you can test this theory on a contact page I created for my web site. It uses PHP and should pull info regarding your connection from your browser session. I'll e-mail you the results upon receipt.
 

Thanks, I filled out the form and sent it through.
 
It probably doesn't cause any "issues", but why do you have the entire 10.0.0.0/8 block for your LAN? 🙂

LOL, it requires less typing (joke) and no, it doesn't cause any issues but if there's a reason why I shouldn't please let me know, that's easy enough to fix.
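The /8 question has a concrete consequence in the config posted above: Ethernet1 is addressed as 10.0.0.1 255.0.0.0 (all of 10.0.0.0/8), but NAT source list 9 only permits 10.0.0.0 0.0.0.255 (10.0.0.0/24), so any LAN host outside that /24 would never be translated. The following Python check is an added example, not something from the thread; it parses a constructed excerpt of those lines and lists the inside address space the NAT statement leaves uncovered.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above: LAN interface and NAT source list.
CONFIG = """\
interface Ethernet1
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
ip nat inside source list 9 pool fwall overload
access-list 9 permit 10.0.0.0 0.0.0.255
"""

def acl_networks(config, acl_number):
    """Networks permitted by a standard numbered ACL, written with IOS wildcard masks."""
    pat = rf"^access-list {acl_number} permit (?:host )?(\S+)(?: (\S+))?$"
    nets = []
    for addr, wildcard in re.findall(pat, config, re.M):
        if addr == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif not wildcard or wildcard == "0.0.0.0":
            nets.append(ipaddress.ip_network(f"{addr}/32"))   # 'host' or bare address
        else:  # ipaddress accepts an IOS wildcard as a hostmask after the slash
            nets.append(ipaddress.ip_network(f"{addr}/{wildcard}"))
    return nets

def nat_inside_network(config):
    """Subnet of the interface that carries 'ip nat inside' (the LAN side)."""
    addr, inside = None, False
    for line in [l.strip() for l in config.splitlines()] + ["interface END"]:
        if line.startswith("interface "):
            if inside and addr:
                return addr
            addr, inside = None, False
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            addr = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif line == "ip nat inside":
            inside = True
    return None

def nat_gap(config, acl_number=9):
    """Parts of the inside subnet that the NAT source list never matches, as strings."""
    gap = [nat_inside_network(config)]
    for net in acl_networks(config, acl_number):
        remaining = []
        for g in gap:
            if g.subnet_of(net):
                continue                       # fully translated, nothing left over
            remaining.extend(g.address_exclude(net) if net.subnet_of(g) else [g])
        gap = remaining
    return [str(g) for g in sorted(gap)]
```

For the posted lines, `nat_gap(CONFIG)` returns sixteen networks from 10.0.1.0/24 up to 10.128.0.0/9; shrinking the Ethernet1 mask to match list 9 (or widening list 9 to match the interface) makes the list empty.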
 
NMAP

But running it inside your firewall isn't a very good test. Install it on a PC outside of your firewall and do a nmap -v -v -sS -O xxx.xxx.xxx.xxx (the xxx's representing your router).
 

Cool, I've got a machine outside of my LAN (different public IP) that I'll run it on. Thanks for the link.
 
No problem, there are a few websites that will allow you to NMAP yourself, but you'd have to Google around for them.
 
One thing to add. The global config command "service password-encryption" encrypts your passwords so when you do a show config they aren't displayed.

- G
 
Originally posted by: Garion
One thing to add. The global config command "service password-encryption" encrypts your passwords so when you do a show config they aren't displayed.

- G

He's got that. But, you're absolutely right.
 
Originally posted by: Oaf357
Originally posted by: Garion
One thing to add. The global config command "service password-encryption" encrypts your passwords so when you do a show config they aren't displayed.

- G

He's got that. But, you're absolutely right.

Whoops, I just assumed from the deleted passwords and the lack of the "encrypted" it wasn't there. My bad.

- G
 