How to Block Public Access to a Cisco Router | ACL Security Guide

Since you're using a Cisco ASR router, and it's accessible publicly via its WAN interface with IP 164.120.228.211, you should restrict access to its management services (SSH, Telnet, HTTP/HTTPS) from the internet. Here's how to secure the router:
Step-by-Step: Block Public Access to Router on Cisco ASR


# Step 1: Restrict VTY (SSH/Telnet) Access with an ACL
Create a standard access list that permits only trusted IPs, such as your internal admin workstation or jump server.
! Create an ACL that permits only specific IPs
Router(config)# ip access-list standard ADMIN_ONLY
Router(config-std-nacl)# permit 192.168.1.100         ! Trusted admin IP
Router(config-std-nacl)# deny any                     ! Explicit deny (an implicit deny any would apply anyway)
Router(config-std-nacl)# exit

Apply it to the VTY lines:
Router(config)# line vty 0 4
Router(config-line)# access-class ADMIN_ONLY in
Router(config-line)# transport input ssh
Router(config-line)# end
Result: SSH access from the internet is blocked except from 192.168.1.100, and transport input ssh also disables Telnet on these lines. If the platform has more VTY lines configured (check with show line), apply the same access-class to every vty range, not just 0 4.


# Step 2: Disable HTTP/HTTPS Access (if not used)
Router(config)# no ip http server
Router(config)# no ip http secure-server
Note: If you need HTTPS access from internal IPs, keep ip http secure-server and restrict it with ip http access-class (referencing a standard ACL such as ADMIN_ONLY) instead.


# Step 3: Create an Access Control List to Block Inbound Management Traffic
Router(config)# ip access-list extended BLOCK_MANAGEMENT
Router(config-ext-nacl)# deny tcp any host 11.120.228.211 eq 22           ! SSH
Router(config-ext-nacl)# deny tcp any host 11.120.228.211 eq 23           ! Telnet
Router(config-ext-nacl)# deny tcp any host 11.120.228.211 eq 80           ! HTTP
Router(config-ext-nacl)# deny tcp any host 11.120.228.211 eq 443          ! HTTPS
Router(config-ext-nacl)# permit ip any any         ! Allow all else (careful with this: every other protocol and port is still permitted)
Router(config-ext-nacl)# exit
Apply the ACL inbound on the WAN interface:
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group BLOCK_MANAGEMENT in
Router(config-if)# exit
Router(config)# ip route 0.0.0.0 0.0.0.0 11.120.228.210         ! default route (routing, not part of the ACL)
Note: this ACL only matches packets addressed to 11.120.228.211. Any other router address reachable from the WAN (a loopback, for example) is protected only by the access-class from Step 1, which applies to VTY sessions whichever interface they arrive on.


# Step 4: (Optional) Use Control-Plane Policing (CoPP)
For additional protection, rate-limit traffic destined to the router's control plane with CoPP:
Router(config)# class-map match-any MGMT
Router(config-cmap)# match access-group name ADMIN_ONLY
Router(config-cmap)# exit
!
Router(config)# policy-map CONTROL_PLANE
Router(config-pmap)# class MGMT
Router(config-pmap-c)# police 32000 1500 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
Router(config)# control-plane
Router(config-cp)# service-policy input CONTROL_PLANE
Router(config-cp)# exit
Note: as written, class MGMT matches only traffic from the trusted host in ADMIN_ONLY, so the policer limits the admin's own management traffic to 32 kbps. To rate-limit everything else (including probes from the internet), also police the class-default class, or match an ACL that identifies the untrusted traffic.
# Confirm It's Working
From an external network (not in the permitted IP range):
- Try SSH: ssh admin@202.170.202.34 (the connection should be refused or time out)
- Port scan: nmap -Pn 202.170.202.34 (22, 23, 80 and 443 should no longer show as open)
On the router, show access-lists BLOCK_MANAGEMENT shows the match counters of the deny entries incrementing while you test.

# Summary: Action and Command
Restrict VTY : access-class on line vty
Disable HTTP/S : no ip http server / no ip http secure-server
Block management from WAN : ip access-list + ip access-group in
Secure control plane : Use CoPP (optional but good for DDoS mitigation)

# STANDARD ACLs
Standard ACLs are the oldest type of ACL. They date back to as early as Cisco IOS Software Release 8.3. Standard ACLs control traffic by comparing the source address of the IP packets to the addresses configured in the ACL. This is the command syntax format of a standard ACL:
access-list access-list-number {permit|deny} {host host-address|source source-wildcard|any} [log]

# EXTENDED ACLs
Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by comparing both the source and destination addresses of the IP packets (and, optionally, the protocol, ports and other conditions) to the values configured in the ACL. The command syntax of an extended ACL entry is broken down field by field below.

# Numbered Extended IP ACL Syntax
An extended ACL entry permits or denies traffic based on source, destination, protocol and optional conditions. The fields of a numbered extended entry are:

1️⃣ access-list access-list-number
Define:
The ACL ID number (100 - 199 and 2000 - 2699 are the ranges for extended IP ACLs).
Example: access-list 110 ...

2️⃣ [dynamic dynamic-name [timeout minutes]] (Lock-and-Key ACL)
Define:
Creates a temporary (dynamic) entry only after a user authenticates to the router (via Telnet/SSH); the entry is removed after the timeout. In the example below it lives for 10 minutes.
Example: access-list 110 dynamic ADMIN timeout 10 permit tcp any any eq 22

3️⃣ {deny | permit}
Define:
The action to take on matching traffic: block or allow.
Example: deny or permit

4️⃣ protocol source source-wildcard destination destination-wildcard [precedence precedence]
Define:
The IP protocol to match (ip, tcp, udp, icmp, ...), the source and destination addresses each with a wildcard mask, and optionally the IP Precedence bits (the QoS marking in the IP header), value 0 - 7.
Example: access-list 110 permit ip 10.10.0.0 0.0.255.255 172.16.0.0 0.0.255.255 precedence 5

IP            Wildcard          Meaning
192.168.1.0   0.0.0.255         Entire subnet (/24)
10.1.1.5      0.0.0.0           Single host (same as host 10.1.1.5)
any           -                 All addresses (same as 0.0.0.0 255.255.255.255)
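To make the wildcard-mask rules above and the first-match behaviour of the ACLs from Steps 1 and 3 concrete, here is an added example in Python that is not part of the original post and not Cisco code: a small model of how IOS evaluates a standard ACL (source only), an extended ACL (protocol, source, destination, port) and wildcard masks. The WAN address 11.120.228.211 and the trusted host 192.168.1.100 come from the post; the probe source 203.0.113.5 and the loopback 10.255.0.1 are constructed values used only to show that an interface ACL covers just the addresses it names.

```python
# Added example (not from the original post): model of IOS ACL evaluation.
# Entries are checked top-down, first match wins, and a packet that matches
# nothing is dropped by the implicit "deny any" at the end of every ACL.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Match = Tuple[str, str]  # (address, wildcard mask) as written in IOS

ANY: Match = ("0.0.0.0", "255.255.255.255")  # the keyword "any"


def host(ip: str) -> Match:
    """Keyword "host A.B.C.D": wildcard 0.0.0.0, every bit must match."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    """One access-list entry. proto "ip" matches every IP protocol."""
    action: str
    proto: str = "ip"
    src: Match = ANY
    dst: Match = ANY
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, *self.src):
            return False
        if not wildcard_match(p.dst, *self.dst):
            return False
        return self.dport is None or self.dport == p.dport


def evaluate(acl: List[Ace], packet: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(packet):
            return ace.action
    return "deny"


WAN_IP = "11.120.228.211"  # the WAN address used in Step 3

# Step 1: standard ACL, only the source address is examined.
ADMIN_ONLY = [Ace("permit", src=host("192.168.1.100")), Ace("deny")]

# Step 3: extended ACL applied inbound on the WAN interface.
BLOCK_MANAGEMENT = [
    Ace("deny", "tcp", ANY, host(WAN_IP), 22),
    Ace("deny", "tcp", ANY, host(WAN_IP), 23),
    Ace("deny", "tcp", ANY, host(WAN_IP), 80),
    Ace("deny", "tcp", ANY, host(WAN_IP), 443),
    Ace("permit"),  # permit ip any any
]


def vty_decision(src_ip: str) -> str:
    """access-class ADMIN_ONLY in: a VTY session is judged by its source only."""
    return evaluate(ADMIN_ONLY, Packet("tcp", src_ip, WAN_IP, 22))


def wan_inbound_decision(pkt: Packet) -> str:
    """ip access-group BLOCK_MANAGEMENT in on the WAN interface."""
    return evaluate(BLOCK_MANAGEMENT, pkt)


def uncovered_management(router_addrs, ports=(22, 23, 80, 443), probe_src="203.0.113.5"):
    """(router address, port) pairs the interface ACL still permits from a constructed
    outside source: shows the gap when the router has addresses the ACL does not name."""
    return [(a, p) for a in router_addrs for p in ports
            if wan_inbound_decision(Packet("tcp", probe_src, a, p)) == "permit"]


if __name__ == "__main__":
    print(vty_decision("192.168.1.100"), vty_decision("203.0.113.5"))
    print(wan_inbound_decision(Packet("tcp", "203.0.113.5", WAN_IP, 22)))
    # Hypothetical loopback 10.255.0.1 (not on the page): the ACL does not cover it.
    print(uncovered_management([WAN_IP, "10.255.0.1"]))
```

Note that the model reproduces the point made in Step 3: the deny entries are tcp-only and name a single destination host, so the same probe against any other router address, or over UDP, falls through to permit ip any any.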

5️⃣ [tos tos]
Define:
In IPv4 there is an 8-bit field in the IP header historically called ToS (Type of Service). It indicates the service preference for the packet (legacy QoS signaling).
Example: access-list 110 permit ip any any tos 16
"This was typically used for voice / interactive traffic"

ToS value   Meaning (legacy intent)
0           Normal service
16          Minimize delay
8           Maximize throughput
4           Maximize reliability
2           Minimize cost

6️⃣ [log|log-input]
Define:
Tells the router/switch to generate a log message whenever a packet matches that ACL line. log → basic packet info; log-input → packet info plus the input interface and source MAC. ACL logging is handled in software and rate-limited by default, so use it on the entries you need to watch rather than on every line of a busy interface.
Example-01: access-list 110 deny tcp any any eq 23 log
Sample log : %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.1.5(3456) -> 172.16.1.10(23), 1 packet
Example-02: access-list 110 deny tcp any any eq 23 log-input
Sample log : %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.1.5(3456) -> 172.16.1.10(23), input interface Gi0/1, MAC 0011.2233.4455
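The log messages above are only useful if something reads them. As an added example (not part of the original post, and not a Cisco tool), the following Python parses %SEC-6-IPACCESSLOGP lines in the format of the two samples shown, including the extra fields that log-input adds, and counts denied hits on management ports per source address. The sample lines, their syslog timestamps and the alert threshold are constructed for the example.

```python
# Added example (not from the original post): parse ACL "log"/"log-input"
# messages in the format of the page's samples and summarize denied hits.
import re
from collections import Counter
from typing import Optional

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    r"(?:, input interface (?P<intf>[^,\s]+), MAC (?P<mac>[0-9a-fA-F.]+))?"  # log-input extras
    r"(?:, (?P<count>\d+) packets?)?"
)

MGMT_PORTS = {22, 23, 80, 443}


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one ACL log message, or None for an unrelated syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # A line without a trailing "N packets" reports a single packet.
    rec["count"] = int(rec["count"]) if rec["count"] else 1
    return rec


def denied_by_source(lines, ports=MGMT_PORTS) -> Counter:
    """Packets denied per source address, restricted to management ports."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied" and rec["dport"] in ports:
            hits[rec["src"]] += rec["count"]
    return hits


def repeat_offenders(lines, threshold=3):
    """Sources whose denied management attempts reach the threshold (sorted for stable output)."""
    return sorted(src for src, n in denied_by_source(lines).items() if n >= threshold)


# Constructed sample log lines in the page's format, with syslog timestamps added.
SAMPLE_LOG = [
    "*Apr 10 02:01:13.552: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.1.5(3456) -> 172.16.1.10(23), 1 packet",
    "*Apr 10 02:02:40.118: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.1.5(3457) -> 172.16.1.10(22), 4 packets",
    "*Apr 10 02:03:02.901: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.1.9(40001) -> 172.16.1.10(23), input interface Gi0/1, MAC 0011.2233.4455",
    "*Apr 10 02:03:30.005: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 192.168.1.100(51000) -> 172.16.1.10(22), 2 packets",
    "*Apr 10 02:04:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    print(denied_by_source(SAMPLE_LOG))
    print(repeat_offenders(SAMPLE_LOG))
```

Because IOS aggregates repeated matches into one message with a packet count, the summary adds the count rather than the number of lines; that is why 10.1.1.5 scores 5 from two lines in the sample.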

7️⃣ [time-range time-range-name]
Define:
The ACL entry matches traffic only while the router's clock is within the named time range; outside that window the entry is ignored. Because matching depends on the router clock, keep it synchronized (for example with NTP).
Example-01:
time-range OFFICE
 periodic weekdays 9:00 to 18:00
access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 172.16.10.10 eq 22 time-range OFFICE
Example-02:
time-range PATCH
 absolute 02:00 10 April 2026 to 04:00 10 April 2026
access-list 110 permit ip any any time-range PATCH
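To see when a time-range-qualified entry actually applies, here is an added Python example (not part of the original post, and not how IOS is implemented) that parses the two time ranges shown above and evaluates them against a given clock value. It goes slightly beyond the page by accepting several day names in one periodic line. The semantics assumed are: a range is active when the clock is inside its absolute window (if one is set) and matches at least one periodic entry (if any are set); start and end times are treated as inclusive, which is an assumption of this model.

```python
# Added example (not from the original post): evaluate IOS-style time ranges.
from datetime import datetime
from typing import List, Optional, Tuple

DAY_GROUPS = {
    "daily": set(range(7)),
    "weekdays": {0, 1, 2, 3, 4},          # Monday=0 ... Friday=4
    "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


class TimeRange:
    """One "time-range NAME" block with its periodic and absolute lines."""

    def __init__(self, name: str, config_lines: List[str]):
        self.name = name
        self.periodic: List[Tuple[set, int, int]] = []   # (weekdays, start_min, end_min)
        self.absolute: Optional[Tuple[datetime, datetime]] = None
        for line in config_lines:
            self._parse(line.strip())

    @staticmethod
    def _minutes(hhmm: str) -> int:
        h, m = hhmm.split(":")
        return int(h) * 60 + int(m)

    def _parse(self, line: str) -> None:
        tokens = line.split()
        if tokens[0] == "periodic":
            # periodic <day ...> HH:MM to HH:MM
            if len(tokens) < 5 or tokens[-2] != "to":
                raise ValueError(f"bad periodic line: {line}")
            days = set().union(*(DAY_GROUPS[d.lower()] for d in tokens[1:-3]))
            self.periodic.append((days, self._minutes(tokens[-3]), self._minutes(tokens[-1])))
        elif tokens[0] == "absolute":
            # absolute HH:MM DD Month YYYY to HH:MM DD Month YYYY (the form used above)
            start_s, end_s = line[len("absolute "):].split(" to ")
            fmt = "%H:%M %d %B %Y"
            self.absolute = (datetime.strptime(start_s, fmt), datetime.strptime(end_s, fmt))
        else:
            raise ValueError(f"unsupported time-range line: {line}")

    def active(self, when: datetime) -> bool:
        """Assumed semantics: inside the absolute window (if any) AND matching a periodic entry (if any)."""
        if self.absolute and not (self.absolute[0] <= when <= self.absolute[1]):
            return False
        if not self.periodic:
            return True
        minute = when.hour * 60 + when.minute
        return any(when.weekday() in days and start <= minute <= end
                   for days, start, end in self.periodic)


def ace_applies(ace_time_range: Optional[TimeRange], when: datetime) -> bool:
    """An ACE without a time-range always applies; with one, only while the range is active."""
    return ace_time_range is None or ace_time_range.active(when)


# The two ranges from the examples above.
OFFICE = TimeRange("OFFICE", ["periodic weekdays 9:00 to 18:00"])
PATCH = TimeRange("PATCH", ["absolute 02:00 10 April 2026 to 04:00 10 April 2026"])

if __name__ == "__main__":
    print(ace_applies(OFFICE, datetime(2026, 4, 8, 10, 0)))   # Wednesday 10:00
    print(ace_applies(OFFICE, datetime(2026, 4, 11, 10, 0)))  # Saturday 10:00
    print(ace_applies(PATCH, datetime(2026, 4, 10, 3, 0)))    # inside the patch window
    print(ace_applies(PATCH, datetime(2026, 4, 10, 5, 0)))    # after the patch window
```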



