The Adtran community holiday season is starting next week! The holiday period will span from December 21, 2024 to January 6, 2025. During this time, responses to feedback form submissions may be delayed. If you are encountering product issues, you can reach out to Adtran support at any time.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
elk
New Contributor

How to block outside GUI access

Jump to solution

I do have one other question.  I typically use the gui through a web browser to configure the router.  (I like command lines, but just not familiar enough with router commands.)  But I noticed that the router responds with a login prompt regardless of whether I am on the outside or inside of my network.  Is there a way to tell the router that admin/config should only be allowed from the switch side (LAN) and not the eth 0/2 side (WAN)?

Thanks,

Ken

Tags (2)
0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: How to block outside GUI access

Jump to solution

Ken,

Your above post mentioned that you are only wanting to block administrative access from the WAN interface. The easiest way to do this is to create a Security zone. In this Security Zone, you will need to add a "Filter" rule which will block all traffic destined for the IP addresses assigned to the NetVanta. For example, if the WAN interface of the NetVanta had an IP of 1.1.1.1 and the LAN interface had an IP of 2.2.2.2, you would need to add a 'filter' rule that will block traffic destined to 1.1.1.1 and 2.2.2.2. Once those rules have been configured, you will need to add an "Allow" rule that will allow all other traffic through the NetVanta. You would then need to assign this Security Zone to the WAN interface only and then enable the firewall.

It is important that the 'allow' rule is listed at the bottom of the security zone and that the filter rules are placed above the allow rule. This is because traffic is checked against the security zone in a top-down manner, so you will want traffic to check against the more specific rules, in this case the filter rule, before it is checked against the broader rules, in this case, the 'allow' rule. Once traffic is determined to match a rule, then the rest of the list will not be checked.

Let us know if you have any questions.

Thanks,

Noor

View solution in original post

0 Kudos
6 Replies
Anonymous
Not applicable

Re: How to block outside GUI access

Jump to solution

Ken,

I've branched your question to another discussion thread.

By enabling the web GUI on a NetVanta device, you enable it for all interfaces. You can control what traffic is allowed through which interface by enabling the firewall and configuring security zones/policy-classes for each interface.

If you do not have the firewall enabled, then the easiest way to block traffic initiated from the outside is to create an empty policy-class/security zone and assign it to the WAN interface. A security zone/policy-class that contains no rules automatically blocks ALL incoming traffic on the interface it is assigned to. This includes all administrative access attempting to access the router from the outside.

This can be done in the GUI by navigating to Data->Firewall->Security Zones and then creating a new Security Zone. Once you have created one, you can go back to the Security Zones page and assign it to the WAN interface (in your case, this is eth 0/2). You will then need to navigate to the 'Firewall/ACLs' page and enable the firewall.

This can also be done in the CLI with the following commands:

router(config)# ip policy-class Public

router(config-policy-class)# int eth 0/2

router(config-eth 0/2)# ip access-policy Public

router(config-eth 0/2)# exit

router(config)# ip firewall

If you do currently have the firewall enabled, then there are a couple of different ways to go about blocking outside WAN access. If the traffic does not match any of the rules in the Security Zone/policy-class then the traffic will be blocked. It would probably be best if you could post your configuration to this thread so we can provide the best way to go about blocking this access. Please remember to edit any information that may be sensitive to your network.

Let us know if you have any questions.

Thanks,

Noor

Anonymous
Not applicable

Re: How to block outside GUI access

Jump to solution

Ken -

I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

Thanks,

Noor

elk
New Contributor

Re: How to block outside GUI access

Jump to solution

Noor,

My apologies for the delay in responding.  I was buried under another project.  I don't have the firewall enabled because I have a firewall device sitting behind this router.  I don't really want to have to manage two firewalls.  Is there an easy way to configure the firewall on the 3448 to allow all except for administrative interface access?

Thanks,

Ken

Anonymous
Not applicable

Re: How to block outside GUI access

Jump to solution

Ken,

Your above post mentioned that you are only wanting to block administrative access from the WAN interface. The easiest way to do this is to create a Security zone. In this Security Zone, you will need to add a "Filter" rule which will block all traffic destined for the IP addresses assigned to the NetVanta. For example, if the WAN interface of the NetVanta had an IP of 1.1.1.1 and the LAN interface had an IP of 2.2.2.2, you would need to add a 'filter' rule that will block traffic destined to 1.1.1.1 and 2.2.2.2. Once those rules have been configured, you will need to add an "Allow" rule that will allow all other traffic through the NetVanta. You would then need to assign this Security Zone to the WAN interface only and then enable the firewall.

It is important that the 'allow' rule is listed at the bottom of the security zone and that the filter rules are placed above the allow rule. This is because traffic is checked against the security zone in a top-down manner, so you will want traffic to check against the more specific rules, in this case the filter rule, before it is checked against the broader rules, in this case, the 'allow' rule. Once traffic is determined to match a rule, then the rest of the list will not be checked.

Let us know if you have any questions.

Thanks,

Noor

0 Kudos
elk
New Contributor

Re: How to block outside GUI access

Jump to solution

Noor,

Thanks for the reply!  I won't be able to try this out until Thursday evening, but I will reply back then.

Regards,

Ken

elk
New Contributor

Re: How to block outside GUI access

Jump to solution

Noor,

Sweet!  Works exactly as needed.  I appreciate you taking the time to help a router newbie.  🙂

Regards,

Ken