Looking for some feedback to make sure what I am doing will accomplish what I need it to without causing undesirable behavior. Admittedly I've lost a lot of my network/cisco skills over the years as my job roles took me more into sys admin than networking; Hoping to just get a "sanity check" before I do anything.
Long story short, our vulnerability scanner tagged our new router for listening on port 22 (even though SSH is disabled) and responding to ICMP timestamp requests. To fix this, I've come up with the below ACL I intend to apply to the interface where these are being detected.
access-list 100 deny icmp any any timestamp-request access-list 100 deny icmp any any timestamp-reply access-list 100 deny tcp any any eq 22 access-list 100 permit ip any any int g0/0/0 ip access-group 100 in
Does this make sense? Am I missing something obvious here? The plan is to first issue a reload in 30 before making any changes just in case it causes issues. Only after a successful implementation would I commit the changes to the startup config. Ideally, I won't have to rely on the reload but being risk-averse I tend to have some CYA.
If there's a better way to do what I need to do, I am all ears. For context, the router is an ISR4451 running Cisco IOS XE 16.06.04.
No comments:
Post a Comment