Minor quibbles/comments, see inline

> > 1- We just want that no user traffic should go directly to the
> > router, and only the traffic that is coming through the Proxy Server
> > should reach the router.
>
> Router(config)#access-list 1 permit  0.0.0.0
> Router(config)#interface Fast0
> Router(config-if)#ip access-group 1 in
>
> This would only allow traffic coming from the proxy server into the
> router via the FastEthernet... modify as needed.

It should be blatantly obvious (to Cisco people anyway), but make sure you
replace the 0.0.0.0 with the address of your proxy server. :) 0.0.0.0
equates to "any host."

> > 3- We want to stop Telnet. No one should be able to telnet to it.
> > We only want to configure the router through the Console Port.
>
> The easiest way to prevent telnet access to the router is to simply not
> assign a password (or remove an existing password) on the VTY lines.  I see
> in your config you have a password on the VTY lines.  Remove it like so:
>
> Router(config)#line vty 0 4
> Router(config-line)# no password
>

I agree this is the easiest way to simply disable telnet, but for security
purposes I would instead use another ACL to block it - it's better than some
random person being able to identify your Cisco router immediately from the
"No password" dialog... Of course, with some additional knowledge of IP and
Cisco, one can determine it's a Cisco router, but at least this stops casual
users. Plus, with an open port (i.e., Telnet=23), a port scan could perform
some OS fingerprinting and other recon on your box. Here's an example... this
blocked internal LAN access to telnet as well as outside access.

Router(config)#access-list 100 deny tcp any any eq telnet
Router(config)#access-list 100 permit ip host 10.1.1.1 any <--- Proxy server ip
Router(config-if)#ip access-group 100 in <--- LAN interface
Router(config)#access-list 101 deny tcp any any eq telnet
Router(config)#access-list 101 permit ip any any
Router(config-if)#ip access-group 101 in <--- WAN interface

Simple, but works.

Sean
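The following is an added example and not part of Sean's post or the original
question. It pulls the two pieces of the thread together as one running-config
excerpt in valid IOS syntax: the interface ACLs that admit only the proxy and
drop telnet, plus a lockdown of the VTY lines themselves so the router stays
console-only even if an interface ACL is later mis-edited. The proxy address
10.1.1.1, the interface names FastEthernet0 and Serial0, and the console
password placeholder are assumptions. Note that in a standard IOS ACL an
address given with no wildcard mask gets the default wildcard 0.0.0.0, so
"permit 0.0.0.0" matches the single host 0.0.0.0; "any host" is written as
"permit any" (or "permit 0.0.0.0 255.255.255.255"), which is why the example
uses the host keyword for the proxy.

```ios
! Added example (not from the original post). Proxy address, interface
! names and the console password are assumed values.
!
! LAN side: only the proxy may send traffic into this interface. The telnet
! deny comes first so that even the proxy cannot telnet to the router;
! everything not from the proxy falls through to the implicit deny-all,
! which is requirement 1 (no user traffic directly to the router).
access-list 100 deny   tcp any any eq telnet
access-list 100 permit ip host 10.1.1.1 any
!
! WAN side: drop telnet (to the router and in transit), pass the rest.
access-list 101 deny   tcp any any eq telnet
access-list 101 permit ip any any
!
! Standard ACL for the VTY lines: matches only the proxy host.
access-list 1 permit host 10.1.1.1
!
interface FastEthernet0
 description LAN, proxy side (assumed interface name)
 ip access-group 100 in
!
interface Serial0
 description WAN (assumed interface name)
 ip access-group 101 in
!
! Belt and braces for requirement 3: even if an interface ACL is edited
! later, the VTYs accept no inbound protocol at all (no telnet, no SSH),
! and access-class limits any future re-enablement to the proxy host.
line vty 0 4
 access-class 1 in
 transport input none
!
! Console is now the only way in, so it should itself require a password.
line con 0
 password <console-password>
 login
```

After applying this, "show access-lists" shows per-entry hit counters that
should climb on the telnet deny lines when you attempt a telnet from a
non-proxy host, and "show ip interface FastEthernet0" reports which ACL is
applied inbound; "transport input none" can be confirmed with "show line vty
0" (or "show running-config | section line vty"). Remember that ACL 100 drops
everything arriving on the LAN interface that is not from the proxy, not only
telnet, so anything else the router must accept on that segment has to be
permitted explicitly.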

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43467&t=43449
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html