[SLUG] cisco router/wireless security

From: Darrin Jones (darrin@ravenrock.net)
Date: Wed Jan 11 2006 - 21:46:13 EST


OK, hopefully this might benefit/entertain others. Else I can take it
off-list if need be.

So, I'm working on my CCNA (from the books/net, no class =( ) and I just
redid my network. The config I have is working and an nmap scan of the
outside (cable modem) interface shows all ports filtered. However, I added a
wireless router onto the 806 instead of running it separately and I'm guessing
I've probably missed a big hole somewhere. Like presenting 2 interfaces to
the world instead of one, albeit one is non-routable. Yes, I realize NTP
might be a problem. I tried to set no login on the vtys but it (I) messed
up AAA somehow doing that.

I have 128-bit WEP on the wireless. I don't broadcast the SSID and the ports
are filtered there as well. I guess my question is: do I need a policy on the
inside Cisco interface? Is my idea correct that the 806 can be a DMZ after I
connect the other routers? Or am I getting way past myself here? LOL.

Right now it looks like this. I will be attaching a 2503, 2505 and 1924
later to practice on. Also, I'm getting Prelude-IDS (Nagios, Nessus, Snort,
Samhain) set up on the .2 Linux box.

Thanks,

Darrin

Internet (cable) --- (DHCP) cisco 806 (192.168.0.1) --- (.2,.3)
                                        |
                                        |
                                (192.168.0.4)
                                netgear wireless
                                (192.168.1.1)
                                        |
                                        |
                                (wireless hosts)

Here is the config:

Using 7260 out of 131072 bytes
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cerberus
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
security passwords min-length 11
logging console critical
logging monitor informational
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip dhcp excluded-address 192.168.0.1 192.168.0.4
!
ip dhcp pool CLIENT
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   lease 0 2
!
!
ip domain name XXXXXXXXXXXXXXXXXXX
ip host elektra 192.168.0.2
ip host lumi 192.168.0.3
ip host wgt624 192.168.0.4
no ip bootp server
ip cef
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
login block-for 5 attempts 5 within 5
no ftp-server write-enable
!
!
username XXX secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
interface Ethernet0
 description LAN Interface
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 description WAN Interface
 ip address dhcp client-id Ethernet1
 ip access-group autosec_complete_bogon in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly
 no cdp enable
!
ip classless
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 102 interface Ethernet1 overload
!
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended autosec_complete_bogon
 permit icmp any any administratively-prohibited
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any unreachable
 permit udp any eq bootps any eq bootpc
 permit udp any eq bootps any eq bootps
 permit udp any eq domain any
 permit udp any any eq ntp
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip any any log
logging trap debugging
logging facility local2
no cdp run
!
control-plane
!
banner motd ^C
Authorized Access Only
 This system is the property of XXXXXXXXXXXXXXXXX.
 UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged.
^C
!
line con 0
 exec-timeout 5 0
 password 7 NNNNNNNNNNNNNNNNNN
 logging synchronous
 login authentication local_auth
 transport output ssh
line vty 0 4
 password 7 NNNNNNNNNNNNNNNN
 logging synchronous
 login authentication local_auth
 transport preferred ssh
 transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17168539
ntp server 216.136.10.198
ntp server 213.222.11.222
end
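An added audit example (not from the post, and not a Cisco tool): a small Python script that parses the IOS config above into blocks and checks the points the post asks about: whether the LAN interface carries an inbound policy, whether the WAN interface has both an inbound ACL and CBAC inspection, whether the vty lines are SSH-only, and which static ACL permits are keyed only on a source port (the kind of rule that CBAC return-traffic inspection makes unnecessary). SAMPLE_CONFIG is a constructed trimming of the posted config, kept to the lines the checks read.

```python
import re

# Constructed excerpt of the posted 806 config (assumption: trimmed to the
# lines the checks below inspect), used here as offline sample input.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip nat inside
interface Ethernet1
 ip access-group autosec_complete_bogon in
 ip inspect autosec_inspect out
 ip nat outside
ip access-list extended autosec_complete_bogon
 permit udp any eq domain any
 deny ip any any log
line vty 0 4
 transport input ssh
"""

def parse_blocks(text):
    # Map each top-level IOS line to the list of its indented sub-lines;
    # blank lines and '!' separators are skipped.
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.strip() and not line.startswith(("!", " ")):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    b, findings = parse_blocks(text), []
    for name, lines in b.items():
        if name.startswith("interface"):
            outside = "ip nat outside" in lines
            in_acl = any(l.startswith("ip access-group") and l.endswith(" in") for l in lines)
            if outside and not in_acl:
                findings.append(f"{name}: WAN interface has no inbound ACL")
            if outside and not any(l.startswith("ip inspect") for l in lines):
                findings.append(f"{name}: WAN interface has no CBAC inspection")
            if not outside and not in_acl:
                findings.append(f"{name}: LAN interface has no inbound policy")
        elif name.startswith("ip access-list extended"):
            for l in lines:  # static permits keyed only on the source port
                m = re.match(r"permit (udp|tcp) any eq (\S+) any$", l)
                if m:
                    findings.append(f"{name}: '{l}' admits any {m.group(1)} from source port {m.group(2)}")
        elif name.startswith("line vty") and "transport input ssh" not in lines:
            findings.append(f"{name}: vty lines accept transports other than SSH")
    return findings
```

Run `audit(open("running-config.txt").read())` against a full `show running-config` dump; the parser tolerates the `!` separators and three-space indents in the real output.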

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:20:03 EDT