Security in access router

Post by Morten B. Hans » Tue, 28 Nov 1995 04:00:00

How can I restrict dial-in on the Cisco 2511/09 access router to just
PPP and CHAP? I have discovered that a normal TTY connection gives me the
prompt on the access router like Access-01> and from this point I can get access
further out in the network.

I would consider this a lack of security.

Regards
**************************************************************************
Morten B. Hansen

DDI Communications A/S
Metalgangen 9-11a
DK-2690 Karlslunde
DENMARK

Phone  : +45 46 15 44 11
Fax    : +45 46 15 57 57
******************************************************************************

Post by dmad.. » Tue, 28 Nov 1995 04:00:00


I think that if you simply add under the async line the following:

async mode dedicated

This will dedicate the line to SLIP/PPP and you will not get a user
prompt.

> How can I restrict dial-in on the Cisco 2511/09 access router to just
> PPP and CHAP? I have discovered that a normal TTY connection gives me the
> prompt on the access router like Access-01> and from this point I can get access
> further out in the network.

> I would consider this a lack of security.


--
David Madland
Network Engineer
U S West !nterprise

612-663-8215

Post by Chris Labatt-Simon - D&D Consultin » Tue, 28 Nov 1995 04:00:00



> How can I restrict dial-in on the Cisco 2511/09 access router to just
> PPP and CHAP? I have discovered that a normal TTY connection gives me the
> prompt on the access router like Access-01> and from this point I can get access
> further out in the network.

At the simplest level, you could put an "autocommand ppp" on the line.
This will ensure that users will never get an EXEC prompt when they
dial or telnet in.  At a higher level, you can use access-lists or
TACACS+ to restrict where users go or what commands users execute when
they are at the EXEC prompt.

Chris

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

D & D Consulting                              CIS: 73542,2601
100 State Street                            PHONE: (518) 462-0900  
Albany, NY  12207                             FAX: (518) 432-1829
Subscribe to the Lotus Notes Mailing List (LNOTES-L) - mail for info..

INTERNET/UNIX/SECURITY/LAN/WAN SPECIALISTS AND MORE ALL UNDER ONE ROOF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post by Dennis Pen » Tue, 28 Nov 1995 04:00:00


Hi,

Configure your async interfaces like this:

interface Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 ! dedicated mode: the line only speaks SLIP/PPP, so a caller never sees an EXEC prompt
 async mode dedicated
 ip tcp header-compression passive
 ! require CHAP before the PPP session comes up
 ppp authentication chap

Dennis

> How can I restrict dial-in on the Cisco 2511/09 access router to just
> PPP and CHAP? I have discovered that a normal TTY connection gives me the
> prompt on the access router like Access-01> and from this point I can get access
> further out in the network.

> I would consider this a lack of security.


-------------------------------------------------------------------------
      ||        ||                                 Dennis Peng
      ||        ||        Cisco Systems, Inc.      Customer Engineer
     ||||      ||||       170 West Tasman Drive    Phone: (408) 526-6143
 ..:||||||:..:||||||:..   San Jose, CA 95134       Fax:   (408) 526-8787

-------------------------------------------------------------------------
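The two fixes given in this thread (David's `async mode dedicated` on the interface, Chris's `autocommand ppp` on the line) and Dennis's `ppp authentication chap` are all conditions you can verify in a saved configuration. The following Python audit is an added example, not code from any poster: it parses an IOS-style config and reports every async line on which a plain TTY caller could still reach the EXEC prompt, or on which CHAP is not required. The sample config is constructed, and the pairing of `line N` with `interface AsyncN` is an assumption based on the 2511 layout.

```python
import re

# Constructed sample config (not from the thread): Async1 is locked to PPP
# with CHAP, Async2 still lets a plain TTY caller reach the EXEC prompt.
SAMPLE_CONFIG = """\
interface Async1
 async mode dedicated
 ppp authentication chap
!
interface Async2
 async mode interactive
!
line 1 2
 login local
 modem InOut
"""

def parse_blocks(config):
    """Map each top-level config header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":  # an unindented line starts a new block
            current = raw.strip().lower()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip().lower())
    return blocks

def audit_async(config):
    """Return [(line_number, [issues])] for async lines not locked to PPP+CHAP.
    Assumes line N pairs with interface AsyncN (as on the 2511); IOS
    abbreviations as typed in the thread ('ppp authen chap') are accepted."""
    blocks, findings = parse_blocks(config), []
    for header, line_cmds in blocks.items():
        m = re.fullmatch(r"line (\d+)(?: (\d+))?", header)
        if not m:  # con/aux/vty lines are not dial-in async lines
            continue
        for n in range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1):
            iface, issues = blocks.get(f"interface async{n}", []), []
            dedicated = any(re.match(r"async mode ded", c) for c in iface)
            autocmd = any(re.match(r"autocommand ppp", c) for c in line_cmds)
            if not (dedicated or autocmd):
                issues.append("EXEC reachable: no 'async mode dedicated' or 'autocommand ppp'")
            if not any(re.match(r"ppp authen\S* chap", c) for c in iface):
                issues.append("no 'ppp authentication chap' on the interface")
            if issues:
                findings.append((n, issues))
    return findings
```

Running `audit_async(SAMPLE_CONFIG)` flags line 2 twice (EXEC reachable, no CHAP) and leaves line 1 clean; feed it the output of `show running-config` to check a real box.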

Accessing higher security level from higher security level

I'm a newbie and am setting up a PIX firewall, and I need to access a
higher security level from a lower security level. Ideally I just need to
be able to use terminal services. This is what the configuration is. I
need to use terminal services from tmx-dmz to get access to singlemom.
This is just the relevant stuff below for this network:

nameif ethernet0 outside security0
nameif ethernet1 singlemom security98
nameif ethernet2 failover security97
nameif ethernet3 intdmz security80
nameif ethernet4 dmz1 security40
nameif ethernet5 tmx-dmz security90

access-list acl_nonat permit ip 10.0.0.0 255.0.0.0 10.100.1.0 255.255.255.0
access-list acl_nonat permit ip TMX-DMZ 255.255.0.0 INTDMZ 255.255.0.0
access-list acl_nonat permit ip TMX-DMZ 255.255.0.0 NET0_DMZ1 255.255.0.0
access-list acl_out permit tcp any host 198.x.x.x eq smtp
access-list acl_out permit tcp any host 198.x.x.x eq pop3
access-list acl_out permit tcp any host 198.x.x.x eq 5900
access-list acl_out permit tcp any host 198.x.x.x eq 5500
access-list acl_out permit tcp any host 198.x.x.x eq 3389
access-list singlemom_in line 2 permit ip any any
access-list singlemom_in line 3 permit icmp any any
access-list singlemom_in line 4 permit tcp any any eq 3389

global (outside) 1001 198.87.36.128-198.87.36.199
global (outside) 1100 198.87.36.201-198.87.36.210
global (outside) 1101 198.87.36.100-198.87.36.120
global (outside) 1100 198.87.36.200
global (outside) 1011 198.87.36.124
global (singlemom) 1011 10.50.0.20-10.50.0.250 netmask 255.255.0.0
global (singlemom) 1011 10.50.0.5-10.50.0.254 netmask 255.255.0.0
global (dmz1) 1001 10.150.100.0-10.150.100.250 netmask 255.255.0.0
global (dmz1) 1100 10.150.110.0-10.150.110.250 netmask 255.255.255.0
global (tmx-dmz) 1101 10.10.0.2-10.10.0.250 netmask 255.255.0.0
nat (singlemom) 0 access-list acl_nonat
nat (singlemom) 1011 singlemom 255.255.0.0 dns 0 0
nat (intdmz) 0 access-list acl_nonat
nat (intdmz) 1100 INTDMZ 255.255.0.0 dns 0 0
nat (dmz1) 0 access-list acl_nonat
nat (tmx-dmz) 0 access-list acl_nonat
nat (tmx-dmz) 1101 TMX-DMZ 255.255.0.0 0 0

static (singlemom,outside) 198.x.x.x 10.50.0.10 dns netmask 255.255.255.255 1000 100
static (singlemom,tmx-dmz) singlemom singlemom netmask 255.255.0.0 0 0
access-group acl_out in interface outside
access-group email_in in interface dmz1
access-group singlemom_in in interface singlemom

Any help would be appreciated!

Regards,
Nick
