I do have one other question. I typically use the GUI through a web browser to configure the router. (I like command lines, but I'm just not familiar enough with router commands.) But I noticed that the router responds with a login prompt regardless of whether I am on the outside or inside of my network. Is there a way to tell the router that admin/config should only be allowed from the switch side (LAN) and not the eth 0/2 side (WAN)?
Thanks,
Ken
Ken,
I've branched your question to another discussion thread.
By enabling the web GUI on a NetVanta device, you enable it for all interfaces. You can control what traffic is allowed through which interface by enabling the firewall and configuring security zones/policy-classes for each interface.
If you do not have the firewall enabled, then the easiest way to block traffic initiated from the outside is to create an empty policy-class/security zone and assign it to the WAN interface. A security zone/policy-class that contains no rules automatically blocks ALL incoming traffic on the interface it is assigned to. This includes all administrative access attempting to access the router from the outside.
This can be done in the GUI by navigating to Data->Firewall->Security Zones and then creating a new Security Zone. Once you have created one, you can go back to the Security Zones page and assign it to the WAN interface (in your case, this is eth 0/2). You will then need to navigate to the 'Firewall/ACLs' page and enable the firewall.
This can also be done in the CLI with the following commands:
router(config)# ip policy-class Public
router(config-policy-class)# int eth 0/2
router(config-eth 0/2)# ip access-policy Public
router(config-eth 0/2)# exit
router(config)# ip firewall
If you do currently have the firewall enabled, then there are a couple of different ways to go about blocking outside WAN access. If the traffic does not match any of the rules in the Security Zone/policy-class then the traffic will be blocked. It would probably be best if you could post your configuration to this thread so we can provide the best way to go about blocking this access. Please remember to edit any information that may be sensitive to your network.
Let us know if you have any questions.
Thanks,
Noor
Ken -
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Thanks,
Noor
Noor,
My apologies for the delay in responding. I was buried under another project. I don't have the firewall enabled because I have a firewall device sitting behind this router. I don't really want to have to manage two firewalls. Is there an easy way to configure the firewall on the 3448 to allow all except for administrative interface access?
Thanks,
Ken
Ken,
Your above post mentioned that you are only wanting to block administrative access from the WAN interface. The easiest way to do this is to create a Security zone. In this Security Zone, you will need to add a "Filter" rule which will block all traffic destined for the IP addresses assigned to the NetVanta. For example, if the WAN interface of the NetVanta had an IP of 1.1.1.1 and the LAN interface had an IP of 2.2.2.2, you would need to add a 'filter' rule that will block traffic destined to 1.1.1.1 and 2.2.2.2. Once those rules have been configured, you will need to add an "Allow" rule that will allow all other traffic through the NetVanta. You would then need to assign this Security Zone to the WAN interface only and then enable the firewall.
It is important that the 'allow' rule is listed at the bottom of the security zone and that the filter rules are placed above the allow rule. This is because traffic is checked against the security zone in a top-down manner, so you will want traffic to check against the more specific rules, in this case the filter rule, before it is checked against the broader rules, in this case, the 'allow' rule. Once traffic is determined to match a rule, then the rest of the list will not be checked.
Let us know if you have any questions.
Thanks,
Noor
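The CLI counterpart of the filter-then-allow security zone described in the post above, as an added example that is not part of this thread or of ADTRAN's own documentation. It reuses the WAN and LAN addresses from that post (1.1.1.1 and 2.2.2.2), uses the made-up names TO-ROUTER, ANY-TRAFFIC and Public, and assumes that the GUI's "Filter" rule corresponds to a `discard` entry in a CLI policy-class:

```text
! Constructed example (not from this thread): WAN traffic whose destination
! is one of the router's own addresses (assumed 1.1.1.1 on eth 0/2, 2.2.2.2 on the LAN)
ip access-list extended TO-ROUTER
  permit ip any host 1.1.1.1
  permit ip any host 2.2.2.2
!
! Everything else
ip access-list extended ANY-TRAFFIC
  permit ip any any
!
! Entries are evaluated top-down and the first match wins, so the discard
! entry must sit above the allow entry; reversed, the allow entry would
! match first and admin traffic to the router would get through.
ip policy-class Public
  discard list TO-ROUTER
  allow list ANY-TRAFFIC
!
! Apply the zone to the WAN interface only, then turn the firewall on.
! Nothing is applied to the LAN interface, so management from inside is unchanged.
interface eth 0/2
  ip access-policy Public
!
ip firewall
```

After entering this, `show running-config` should list the `discard list` line above the `allow list` line under `ip policy-class Public`; that order in the running configuration is the order the firewall evaluates them in.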
Noor,
Thanks for the reply! I won't be able to try this out until Thursday evening, but I will reply back then.
Regards,
Ken
Noor,
Sweet! Works exactly as needed. I appreciate you taking the time to help a router newbie. 🙂
Regards,
Ken