Note that the available auto secure options may differ slightly from those presented here, depending on the IOS version you use, because Cisco engineers keep adding new security features.
c2600#auto secure ?
  forwarding   Secure Forwarding Plane
  management   Secure Management Plane
  no-interact  Non-interactive session of AutoSecure
  <cr>

c2600#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router but it will not make router absolutely secure
from all security attacks ***

All the configuration done as part of AutoSecure will be
shown here. For more details of why and how this
configuration is useful, and any possible side effects,
please refer to Cisco documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]: yes

Gathering information about the router
for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing internet [1]:

Interface     IP-Address       OK? Method Status                Protocol
Ethernet0/0   192.168.66.202   YES NVRAM  up                    up
Serial0/0     192.168.30.202   YES NVRAM  up                    up
Ethernet0/1   192.168.40.202   YES NVRAM  up                    up
Serial0/1     unassigned       YES NVRAM  administratively down down
Loopback0     192.168.254.254  YES NVRAM  up                    up
Enter the interface name that is facing internet: Ethernet0/1

Securing Management plane services..

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Is SNMP used to manage the router? [yes/no]: yes
Deleting the commonly used community public for security
Deleting the commonly used community private for security
SNMPv1 & SNMPv2c are unsecure, try to use SNMPv3

Configure NTP Authentication? [yes]: yes
Enter the trust-key number [1]:
Enter the authentication key: secretkey
Enter the ACL for all NTP services [1]:

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged and violations of this policy result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
kUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device.
All activities performed on this device are logged
and violations of this policy result in disciplinary action.k

Enable password is not configured or its length is less than
minimum no. of characters configured
Enter the new enable password:<no prompt of the entered password shown>
Confirm the enable password:<no prompt of the entered password shown>

Configuring aaa local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Configure SSH server? [yes]: yes

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply

Securing Forwarding plane services..

Enabling CEF (it might have more memory requirements on some low end platforms)
Configuring the named acls for Ingress filtering

autosec_iana_reserved_block: This block may be subject to change by iana and
for updated list visit www.iana.org/assignments/ipv4-address-space.
1/8, 2/8, 5/8, 7/8, 23/8, 27/8, 31/8, 36/8, 37/8, 39/8, 41/8, 42/8, 49/8, 50/8,
58/8, 59/8, 60/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 77/8, 78/8, 79/8,
83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8,
96/8, 97/8, 98/8, 99/8, 100/8, 101/8, 102/8, 103/8, 104/8, 105/8, 106/8, 107/8,
108/8, 109/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,
119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 197/8, 201/8

autosec_private_block:
10/8, 172.16/12, 192.168/16

autosec_complete_block: This is union of above two and the addresses of
source multicast, class E addresses and addresses that are prohibited
for use as source.
source multicast (224/4), class E(240/4), 0/8, 169.254/16, 192.0.2/24, 127/8.

Configuring Ingress filtering replaces the existing acl on external
interfaces, if any, with ingress filtering acl.

Configure Ingress filtering on edge interfaces? [yes]: yes

[1] Apply autosec_iana_reserved_block acl on all edge interfaces
[2] Apply autosec_private_block acl on all edge interfaces
[3] Apply autosec_complete_bogon acl on all edge interfaces
Enter your selection [3]: 3

Enabling unicast rpf on all interfaces connected to internet

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no snmp-server community public
no snmp-server community private
ntp trusted-key 1
ntp authentication-key 1 md5 secretkey
ntp authenticate
ntp server 192.168.XXX.XXX key 1 prefer
ntp access-group peer 1
banner kUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device.
All activities performed on this device are logged
and violations of this policy result in disciplinary action.k
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
aaa new-model
aaa authentication login local_auth local
line console 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int Ethernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Ethernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Serial0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
ip cef
ip access-list extended autosec_iana_reserved_block
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
exit
ip access-list extended autosec_private_block
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
exit
ip access-list extended autosec_complete_bogon
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
exit
interface Ethernet0/1
 ip access-group autosec_complete_bogon in
exit
ip access-list extended 100
 permit udp any any eq bootpc
interface Ethernet0/1
 ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface Ethernet0/1
 ip inspect autosec_inspect out
!
end

Apply this configuration to running-config? [yes]:yes

Applying the config generated to running-config
The name for the keys will be:c2600.testing.arhont.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys ...[OK]

c2600#
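The ingress ACL above is built from the three prefix lists the wizard prints (reserved, private, and the multicast/class E/special blocks). As an added illustration that is not part of the original session or of Cisco's code, the following Python rebuilds autosec_complete_bogon from those shorthand prefixes, shows how each one turns into an IOS wildcard-mask entry, and evaluates a source address against the result with first-match semantics; the function names and the sample addresses are the author's own choices.

```python
import ipaddress

# Prefixes exactly as the wizard prints them above; shorthand such as
# "1/8" or "172.16/12" is expanded by expand().
IANA_RESERVED = [f"{n}/8" for n in (1, 2, 5, 7, 23, 27, 31, 36, 37, 39, 41, 42,
                                    49, 50, 58, 59, 60, *range(70, 80),
                                    *range(83, 127), 197, 201)]
PRIVATE = ["10/8", "172.16/12", "192.168/16"]
SPECIAL = ["224/4", "240/4", "0/8", "169.254/16", "192.0.2/24", "127/8"]

def expand(short):
    """'172.16/12' -> IPv4Network('172.16.0.0/12'); missing octets are zero."""
    octets, plen = short.split("/")
    parts = octets.split(".") + ["0"] * (4 - len(octets.split(".")))
    return ipaddress.ip_network(f"{'.'.join(parts)}/{plen}", strict=True)

def deny_line(short):
    """IOS extended-ACL entry; the wildcard mask is the inverted netmask."""
    net = expand(short)
    return f" deny ip {net.network_address} {net.hostmask} any"

def build_complete_bogon():
    """Union of the three lists in the wizard's order, then the final permit."""
    acl = ["ip access-list extended autosec_complete_bogon"]
    acl += [deny_line(p) for p in IANA_RESERVED + PRIVATE + SPECIAL]
    acl.append(" permit ip any any")
    return acl

def acl_action(acl, src):
    """IOS semantics: first matching entry wins; no match hits the implicit deny."""
    s = int(ipaddress.ip_address(src))
    for entry in acl:
        parts = entry.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny"):
            continue  # header or remark line
        if parts[2] == "any":
            return parts[0]
        base = int(ipaddress.ip_address(parts[2]))
        wild = int(ipaddress.ip_address(parts[3]))
        if (s | wild) == (base | wild):  # wildcard 1-bits are "don't care"
            return parts[0]
    return "deny"

if __name__ == "__main__":
    acl = build_complete_bogon()
    for src in ("192.168.40.5", "8.8.8.8", "100.64.1.1"):
        print(src, acl_action(acl, src))
```

The reserved list is a snapshot of the IANA registry at the time, which is why the ACL carries its own "might not be up to date" remark: 100/8 has since been allocated, so 100.64.1.1 is still dropped by this ACL even though it is no longer a bogon.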
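Before answering "Apply this configuration to running-config?", a reviewer would read the generated listing for settings worth revisiting: the vty lines end up with `transport input ssh telnet`, so clear-text telnet is still accepted next to SSH, the enable credential is a type 7 `enable password` rather than an `enable secret`, and `logging trap debugging` ships every debug message to the syslog host. As an added example that is not part of the original page or of any Cisco tool, this Python parses an IOS-style listing into global commands and indented sections and reports those points, plus whether each named edge interface received the ingress ACL and unicast RPF; the sample excerpt is constructed from the session above and the function and parameter names are the author's own.

```python
# Constructed excerpt of the "configuration generated" listing above.
SAMPLE_CONFIG = """\
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
line vty 0 4
 login authentication local_auth
 transport input telnet
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
logging trap debugging
int Ethernet0/0
 no ip proxy-arp
interface Ethernet0/1
 ip access-group autosec_complete_bogon in
 ip verify unicast source reachable-via rx allow-default 100
"""

def parse_ios(text):
    """Return (global commands, {section header: [sub-commands]}).
    A repeated header merges in order, so a later 'transport input'
    follows the earlier one just as IOS applies them."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
            continue
        current = raw.strip()
        if current.startswith("int "):  # IOS accepts the abbreviation
            current = "interface" + current[3:]
        globals_.append(current)
        sections.setdefault(current, [])
    return globals_, sections

def audit(text, edge=()):
    """Findings a reviewer should weigh before applying the config."""
    globals_, sections = parse_ios(text)
    findings = []
    if any(g.startswith("enable password ") for g in globals_):
        findings.append("enable password set (type 7 is reversible, not a hash); use enable secret")
    if "logging trap debugging" in globals_:
        findings.append("logging trap debugging: all debug output goes to the syslog host")
    for hdr, subs in sections.items():
        inputs = [s for s in subs if s.startswith("transport input")]
        if hdr.startswith("line vty") and inputs and "telnet" in inputs[-1].split():
            findings.append(f"{hdr}: {inputs[-1]} (clear-text telnet still accepted)")
    for name in edge:
        subs = sections.get(f"interface {name}", [])
        if not any(s.startswith("ip access-group") and s.endswith(" in") for s in subs):
            findings.append(f"interface {name}: no ingress ACL")
        if not any(s.startswith("ip verify unicast") for s in subs):
            findings.append(f"interface {name}: no unicast RPF")
    return findings
```

Run against the excerpt with `edge=("Ethernet0/1",)` it reports the three global findings and nothing for the edge interface; once telnet is dropped from the vty line, the enable password is replaced by an enable secret and the trap level is lowered, the list is empty.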