6 Replies Latest reply on Jun 7, 2012 3:08 PM by elk Branched from an earlier discussion.

    How to block outside GUI access

    elk New Member

      I do have one other question.  I typically use the gui through a web browser to configure the router.  (I like command lines, but just not familiar enough with router commands.)  But I noticed that the router responds with a login prompt regardless of whether I am on the outside or inside of my network.  Is there a way to tell the router that admin/config should only be allowed from the switch side (LAN) and not the eth 0/2 side (WAN)?

      Thanks,

      Ken

        • Re: How to block outside GUI access
          Employee

          Ken,

           

          I've branched your question to another discussion thread.

           

          By enabling the web GUI on a NetVanta device, you enable it for all interfaces. You can control what traffic is allowed through which interface by enabling the firewall and configuring security zones/policy-classes for each interface.

           

          If you do not have the firewall enabled, then the easiest way to block traffic initiated from the outside is to create an empty policy-class/security zone and assign it to the WAN interface. A security zone/policy-class that contains no rules automatically blocks ALL incoming traffic on the interface it is assigned to. This includes all administrative access attempting to access the router from the outside.

           

          This can be done in the GUI by navigating to Data->Firewall->Security Zones and then creating a new Security Zone. Once you have created one, you can go back to the Security Zones page and assign it to the WAN interface (in your case, this is eth 0/2). You will then need to navigate to the 'Firewall/ACLs' page and enable the firewall.

           

          This can also be done in the CLI with the following commands:

           

          router(config)# ip policy-class Public

          router(config-policy-class)# int eth 0/2

          router(config-eth 0/2)# ip access-policy Public

          router(config-eth 0/2)# exit

          router(config)# ip firewall

           

          If you do currently have the firewall enabled, then there are a couple of different ways to go about blocking outside WAN access. If the traffic does not match any of the rules in the Security Zone/policy-class then the traffic will be blocked. It would probably be best if you could post your configuration to this thread so we can provide the best way to go about blocking this access. Please remember to edit any information that may be sensitive to your network.

           

          Let us know if you have any questions.

           

          Thanks,

          Noor

            • Re: How to block outside GUI access
              Employee

              Ken -

              I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

               

              Thanks,

              Noor

              • Re: How to block outside GUI access
                elk New Member

                Noor,

                My apologies for the delay in responding.  I was buried under another project.  I don't have the firewall enabled because I have a firewall device sitting behind this router.  I don't really want to have to manage two firewalls.  Is there an easy way to configure the firewall on the 3448 to allow all except for administrative interface access?

                Thanks,

                Ken

                  • Re: How to block outside GUI access
                    Employee

                    Ken,

                     

                    Your above post mentioned that you are only wanting to block administrative access from the WAN interface. The easiest way to do this is to create a Security zone. In this Security Zone, you will need to add a "Filter" rule which will block all traffic destined for the IP addresses assigned to the NetVanta. For example, if the WAN interface of the NetVanta had an IP of 1.1.1.1 and the LAN interface had an IP of 2.2.2.2, you would need to add a 'filter' rule that will block traffic destined to 1.1.1.1 and 2.2.2.2. Once those rules have been configured, you will need to add an "Allow" rule that will allow all other traffic through the NetVanta. You would then need to assign this Security Zone to the WAN interface only and then enable the firewall.

                     

                    It is important that the 'allow' rule is listed at the bottom of the security zone and that the filter rules are placed above the allow rule. This is because traffic is checked against the security zone in a top-down manner, so you will want traffic to check against the more specific rules, in this case the filter rule, before it is checked against the broader rules, in this case, the 'allow' rule. Once traffic is determined to match a rule, then the rest of the list will not be checked.

                     

                    Let us know if you have any questions.

                     

                    Thanks,

                    Noor