How to automatic secure your router using auto secure feature


This article is all about how to automatic secure your router using the auto secure feature in it. In this tutorial, we learn about how to secure your router even without having basic knowledge of the router security. By using the auto secure feature we can secure a router even without knowing how to configure telnet or how to enable password on routers. This auto secure feature is also a very useful feature for newcomers who don’t have an idea about how to configure your router securely and you can easily provide security to your router.

In general, if you want to secure a router easily then you need to read the whole book on the router just to secure your router easily. But if you don’t want to read a whole book on the router and simply secure a router with ease then this auto secure feature is very useful for you. Cisco introduces the auto secure feature to quickly harden router configuration files in an automated fashion. This is a quick and simple way to secure a router without having basic knowledge about routers. So, let’s start here how to configure a router using the auto secure feature.

Also Read: How to configure a backup route on Cisco routers

Now to understand this whole process with ease we take a lab in cisco packet tracer. In this lab, we take one router and one PC to configure it with the auto secure feature.

secure your router using auto secure feature

We do this whole lab in two parts. In the first part, we assign IP address on the interface of the router and in the second part we use the auto secure feature on the router. once we enter the auto secure command, the router will lead you through a series of questions so it can best determine how to secure the router for your environment.

Now to assign IP address to the router we use given below command and we also set a hostname on the router

— System Configuration Dialog —

Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up



Now to secure your router using the auto secure feature use given below command

R1#auto secure

— AutoSecure Configuration —

*** AutoSecure configuration enhances the security of

the router, but it will not make it absolutely resistant

to all security attacks ***

AutoSecure will modify the configuration of your device.

All configuration changes will be shown. For a detailed

explanation of how the configuration changes enhance security

and any possible side effects, please refer to for

Autosecure documentation.

At any prompt you may enter ‘?’ for help.

Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:

Securing Management plane services…

Disabling service finger

Disabling service pad

Disabling udp & tcp small servers

Enabling service password encryption

Enabling service tcp-keepalives-in

Enabling service tcp-keepalives-out

Disabling the cdp protocol

Disabling the bootp server

Disabling the http server

Disabling the finger service

Disabling source routing

Disabling gratuitous arp

Here is a sample Security Banner to be shown

at every access to device. Modify it to suit your

enterprise requirements.

Authorized Access only

This system is the property of So-&-So-Enterprise.


You must have explicit permission to access this

device. All activities performed on this device

are logged. Any violations of access policy will result

in disciplinary action.

Enter the security banner {Put the banner between

k and k, where k is any character}:This is rahul meena department

Enable secret is either not configured or

is the same as enable password

Enter the new enable secret: rahultechnohelper24

Confirm the enable secret: rahultechnohelper24

Enter the new enable password: rahul

Confirm the enable password: rahul

Configuration of local user database

Enter the username: technohelper24

Enter the password: technohelper24

Confirm the password: technohelper24

Configuring AAA local authentication

Configuring Console, Aux and VTY lines for

local authentication, exec-timeout, and transport

Securing device against Login Attacks

Configure the following parameters

Blocking Period when Login Attack detected:

Device not secured against ‘login attacks’.

Configure SSH server? [yes]: yes

Enter the hostname:

Enter the domain-name:

Disabling mop on Ethernet interfaces

Securing Forwarding plane services…

Enabling CEF (This might impact the memory requirements for your platform)

Enabling unicast rpf on all interfaces connected

to internet

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:


service password-encryption

no cdp run

access-list 100 permit udp any any eq bootpc

banner motd this is rahul meena

enable secret 5 $1$mERr$aBzlEUHffjaGJAwerYNsc.

enable secret 5 $1$mERr$N/s.6pVZyizB6FiyspghR/

enable password 7 08334D461C15

username technohelper24 password 7 0835494D01170A1F17071C01387970

aaa new-model

aaa authentication login local_auth local

line con 0

login authentication local_auth

exec-timeout 5 0

transport output telnet

line vty 0 4

login authentication local_auth

transport input telnet

service timestamps debug datetime msec

service timestamps log datetime msec

logging trap debugging

logging console

logging buffered

line vty 0 4

transport input ssh

transport input telnet


ip domain-name

ip access-list extended 100

permit udp any any eq bootpc

ip inspect audit-trail

ip inspect dns-timeout 7

ip inspect tcp idle-time 14400

ip inspect udp idle-time 1800

ip inspect name autosec_inspect http timeout 3600

ip inspect name autosec_inspect udp timeout 15

ip inspect name autosec_inspect tcp timeout 3600

ip access-list extended autosec_firewall_acl

permit udp any any eq bootpc

deny ip any any

Apply this configuration to running-config? [yes]:

Applying the config generated to running-config

The name for the keys will be: test.test

% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be non-exportable…

*Mar 1 22:56:41.001: %SYS-3-CPUHOG: Task is running for (2007)msecs, more than

(2000)msecs (0/0),process = crypto sw pk proc.

-Traceback= 0x824198E0 0x82419FC4 0x8283C238 0x82866AD8 0x828667A8 0x82865D34 0x

828660F4 0x82866510 0x802335D4 0x80236D80 [OK]

                                           THAT’S IT

This is the whole process for secure your router without having basic knowledge about routers. If you have any queries regarding this feel free to ask through the comment section and also provide feedback using the comment section because your feedback is valuable to us.

Your thoughts?

This site uses Akismet to reduce spam. Learn how your comment data is processed.