C871 Access from WAN-Side (internet)?

Hi Again,

I have a little issue with my C871 box. I would like to access the router's
management console through ssh & https (SDM) from the Internet.
At the moment this does not work. I am able to ping the device but I am not
able to access the box through ssh or https although I opened the FW on the
box.

Maybe somebody can check my config? Here we go:



Building configuration...

Current configuration : 13029 bytes
!
! Last configuration change at 21:39:52 Berlin Mon Nov 5 2007 by root
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname EDGE-GW
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 0000000000000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name abc.de
ip name-server 194.8.194.70
ip name-server 194.8.194.60
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method dyndns
 HTTP
  add
http://xxxx:xxxx@members.dyndns.org/nic/update?system=dyndns&hostname=xxxx.homeip.net&myip=<a>
 interval maximum 0 12 0 0
 interval minimum 0 12 0 0
!
!
!
crypto pki trustpoint TP-self-signed-00000000000
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-0000000000
 revocation-check none
 rsakeypair TP-self-signed-465119209
!
!
crypto pki certificate chain TP-self-signed-000000
 certificate self-signed 01

  quit
!
!
username root privilege 15 secret 5 $1$xxxxxxxxxxxxxxxxxxx/
!
!
class-map type inspect match-any ECHO
 match protocol icmp
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-all sdm-cls-sdm-permit-icmpreply-1
 match access-group name USENET
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any SSH
 match protocol ssh
class-map type inspect match-any SSL
 match protocol https
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
class-map type inspect match-all sdm-cls-sdm-permit-3
 match class-map SSL
 match access-group name SSL
class-map type inspect match-all sdm-cls-sdm-permit-2
 match class-map ECHO
 match access-group name ECHO
class-map type inspect match-any ICMPEchoReply
 match protocol icmp
class-map type inspect match-all sdm-cls-sdm-permit-1
 match class-map ICMPEchoReply
 match access-group name ICMPEchoReply
class-map type inspect match-all sdm-cls-sdm-permit-4
 match class-map SSH
 match access-group name SSH
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect sdm-cls-sdm-permit-4
  pass
 class type inspect sdm-cls-sdm-permit-3
  pass
 class type inspect sdm-access
  inspect
 class type inspect sdm-cls-sdm-permit-2
  inspect
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip ddns update hostname xxxx.homeip.net
 ip ddns update dyndns
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xx@nxx.xx
 ppp chap password 7 000000000000
 ppp pap sent-username xx@nxx.xx password 7 0000000000
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.0.1
!
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended ECHO
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended HTTPS_MANAGEMENT
 remark SDM_ACL Category=1
 permit udp host 194.8.194.60 eq domain any
 permit udp host 194.8.194.70 eq domain any
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 permit udp host 80.67.17.101 eq ntp any eq ntp
 remark Auto generated by SDM for NTP (123) 192.53.103.103
 permit udp host 192.53.103.103 eq ntp any eq ntp
 permit tcp any any eq 443 log
 remark SDM_ACL Category=1
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 remark Auto generated by SDM for NTP (123) 192.53.103.103
ip access-list extended ICMPEchoReply
 remark SDM_ACL Category=128
 permit ip any any
 remark SDM_ACL Category=128
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
 remark SDM_ACL Category=1
 remark SDM_ACL Category=1
 remark SDM_ACL Category=1
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
 remark SDM_ACL Category=1
 remark SDM_ACL Category=1
 remark SDM_ACL Category=1
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 permit udp host 80.67.17.101 eq ntp any eq ntp
 remark Auto generated by SDM for NTP (123) 192.53.103.103
 permit udp host 192.53.103.103 eq ntp any eq ntp
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit tcp any any
 remark SDM_ACL Category=1
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 remark Auto generated by SDM for NTP (123) 192.53.103.103
ip access-list extended SSH
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended SSL
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended USENET
 remark SDM_ACL Category=128
 permit ip any any
 remark SDM_ACL Category=128
 remark SDM_ACL Category=128
 remark SDM_ACL Category=128
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 101 remark SDM_ACL Category=128
access-list 101 remark SDM_ACL Category=128
access-list 101 remark SDM_ACL Category=128
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny   ip any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 deny   ip any any
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp any eq www any
access-list 105 permit udp host 194.8.194.60 eq domain any
access-list 105 permit udp host 194.8.194.70 eq domain any
access-list 105 remark Auto generated by SDM for NTP (123) 80.67.17.101
access-list 105 permit udp host 80.67.17.101 eq ntp any eq ntp
access-list 105 remark Auto generated by SDM for NTP (123) 192.53.103.103
access-list 105 permit udp host 192.53.103.103 eq ntp any eq ntp
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq 22
access-list 105 permit tcp any any eq cmd
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 80.67.17.101
access-list 105 remark Auto generated by SDM for NTP (123) 192.53.103.103
access-list 106 remark VTY Access-class list
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 192.168.0.0 0.0.0.255 any
access-list 106 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^CThis is a secure System! No unauthorized access!^C
!
line con 0
 password 7 00000000000000
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 23 in
 password 7 0000000000000
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17174758
ntp source Dialer0
ntp server 192.53.103.103 source Dialer0 prefer
ntp server 80.67.17.101
end

thanx...andy
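Independently of the zone-based firewall policy, a session to the router itself also has to pass the access-class applied to the VTY lines and to the HTTP server, and the posted config has "ip http access-class 2" (ACL 2 permits only 192.168.0.0/24) and "access-class 23 in" on the VTYs while no access-list 23 is defined anywhere in the config. The Python script below is an added example, not code from the original post: it parses an IOS config excerpt for exactly those two gates, reports an ACL that is referenced but never defined, and says whether a given source address would be admitted; the excerpt is a constructed subset of the posted config and the two test addresses are constructed.

```python
"""Audit which ACLs gate VTY (ssh) and HTTP(S) sessions in a Cisco IOS config."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the posted config; not the full running-config.
SAMPLE_CONFIG = """\
ip http access-class 2
ip http secure-server
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
access-list 2 remark HTTP Access-class list
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny   any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny   ip any any
line vty 0 4
 access-class 23 in
 transport input ssh
"""

@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network  # access-class only evaluates the source

@dataclass
class Acl:
    name: str
    standard: bool                 # standard ACLs carry no protocol field
    entries: List[Ace] = field(default_factory=list)

    def admits(self, src: str) -> bool:
        """First matching entry wins; every IOS ACL ends with an implicit deny."""
        addr = ipaddress.IPv4Address(src)
        for ace in self.entries:
            if addr in ace.source:
                return ace.action == "permit"
        return False

def _parse_source(tok: List[str]) -> ipaddress.IPv4Network:
    """Source field: 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD' or a bare host."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok[0] == "host":
        return ipaddress.IPv4Network(f"{tok[1]}/32")
    wildcard = tok[1] if len(tok) > 1 and tok[1][0].isdigit() else "0.0.0.0"
    # Wildcard is the inverted mask; assumes it is contiguous (the usual case).
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network(f"{tok[0]}/{prefix}", strict=False)

def parse_config(text: str) -> Tuple[Dict[str, Acl], Dict[str, Optional[str]]]:
    """Collect every ACL and the ACL each management gate references."""
    acls: Dict[str, Acl] = {}
    gates: Dict[str, Optional[str]] = {"http": None, "vty": None}
    current: Optional[Acl] = None  # named ACL whose indented entries follow
    in_vty = False
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):   # a top-level command closes any block
            current, in_vty = None, False
        tok = line.split()
        if tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            num = int(tok[1])
            standard = num <= 99 or 1300 <= num <= 1999
            acl = acls.setdefault(tok[1], Acl(tok[1], standard))
            acl.entries.append(Ace(tok[2], _parse_source(tok[3:] if standard else tok[4:])))
        elif tok[:2] == ["ip", "access-list"]:
            current = acls.setdefault(tok[3], Acl(tok[3], tok[2] == "standard"))
        elif current is not None and tok[0] in ("permit", "deny"):
            src = tok[1:] if current.standard else tok[2:]  # extended: skip protocol
            current.entries.append(Ace(tok[0], _parse_source(src)))
        elif tok[:3] == ["ip", "http", "access-class"]:
            gates["http"] = tok[3]
        elif tok[:2] == ["line", "vty"]:
            in_vty = True
        elif in_vty and tok[0] == "access-class":
            gates["vty"] = tok[1]
    return acls, gates

def audit(text: str, source: str) -> Dict[str, str]:
    """Per gate: 'permit'/'deny' for a session from `source`, or why no verdict exists."""
    acls, gates = parse_config(text)
    verdicts: Dict[str, str] = {}
    for gate, ref in gates.items():
        if ref is None:
            verdicts[gate] = "no access-class configured"
        elif ref not in acls:
            verdicts[gate] = f"undefined ACL {ref}"  # referenced but never defined
        else:
            verdicts[gate] = "permit" if acls[ref].admits(source) else "deny"
    return verdicts

if __name__ == "__main__":
    for src in ("192.168.0.10", "203.0.113.5"):   # LAN host, then a WAN host
        print(src, audit(SAMPLE_CONFIG, src))
```

Run it against the full running-config to see, per gate, which source ranges can reach the management plane at all; a WAN source is denied by ACL 2 on the HTTP server regardless of what the firewall passes.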

access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 deny   ip any any
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp any eq www any
access-list 105 permit udp host 194.8.194.60 eq domain any
access-list 105 permit udp host 194.8.194.70 eq domain any
access-list 105 remark Auto generated by SDM for NTP (123) 80.67.17.101
access-list 105 permit udp host 80.67.17.101 eq ntp any eq ntp
access-list 105 remark Auto generated by SDM for NTP (123) 192.53.103.103
access-list 105 permit udp host 192.53.103.103 eq ntp any eq ntp
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq 22
access-list 105 permit tcp any any eq cmd
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 80.67.17.101
access-list 105 remark Auto generated by SDM for NTP (123) 192.53.103.103
access-list 106 remark VTY Access-class list
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 192.168.0.0 0.0.0.255 any
access-list 106 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^CThis is a secure System! No unauthorized access!^C
!
line con 0
 password 7 00000000000000
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 23 in
 password 7 0000000000000
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17174758
ntp source Dialer0
ntp server 192.53.103.103 source Dialer0 prefer
ntp server 80.67.17.101
end

thanx...andy



Re: C871 Access from WAN-Side (internet)?

The key thing is that the outside interface is no different
from the inside other than the config that you apply.
You can connect to either.

If you are connecting to the inside then you have some
ACL or NAT issue I would guess. The config is too complex
for me to delve into right now.

Here is the minimum you need to be able to
ssh to a router.

hostname jims-router
ip domain name xyz.com
!
enable secret secret ! (not needed with priv 15)
no aaa new-model
username jim privilege 15 password jim

line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
cry key gen rsa
!accept 512 bits with return.

end
wr

The priv level 15 is not essential but it's
in my config.


Re: C871 Access from WAN-Side (internet)?

For https, try modifying access-list 2 to permit the outside
addresses being used to access the router


See NAT order of operations:

http://cco.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


Note that for outside-to-inside, the input access-list is applied
BEFORE NAT translation occurs.
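The two replies point at the same class of problem: the access-lists that gate the management plane only admit 192.168.0.0/24 (access-list 2 behind `ip http access-class 2`), and the vty lines reference `access-class 23 in`, a list that does not appear among the numbered lists in the posted config. The script below is an added example written for this page, not code from the thread: it takes a constructed excerpt of the management-plane lines from the posted config, evaluates the referenced standard ACLs the way IOS does (first match, implicit deny at the end, and a referenced-but-undefined list behaving as permit-all), and reports what a given Internet-side management source would get. The "corrected" excerpt applies the reply's suggestion with the placeholder address 203.0.113.10 standing in for the real outside address; all function names are the example's own.

```python
"""Audit which source addresses an IOS config admits to HTTPS and vty (SSH)."""
import ipaddress
import re

# Constructed excerpt of the management-plane lines from the posted C871
# config (sample for this example, not the full running-config).
POSTED_CONFIG = """\
ip http access-class 2
ip http secure-server
access-list 2 remark HTTP Access-class list
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny   any
line vty 0 4
 access-class 23 in
 transport input ssh
"""

# Same excerpt with the reply's suggestion applied: the Internet-side
# management source is added to list 2 (203.0.113.10 is a placeholder, not
# an address from the thread) and the vty line references a list that exists.
CORRECTED_CONFIG = """\
ip http access-class 2
ip http secure-server
access-list 2 remark HTTP Access-class list
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit host 203.0.113.10
access-list 2 deny   any
line vty 0 4
 access-class 2 in
 transport input ssh
"""

ACL_ENTRY = re.compile(r"^access-list (\d+) (permit|deny)\s+(.+)$")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network.
    Only contiguous wildcards (0.0.0.255, 0.0.255.255, ...) are supported."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if (bits + 1) & bits:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)


def parse_standard_acls(config):
    """Map each numbered standard ACL to its ordered (action, network) entries.
    Remarks are ignored; extended entries (those naming a protocol) are skipped
    because 'access-class' on a vty only takes a standard list."""
    acls = {}
    for raw in config.splitlines():
        m = ACL_ENTRY.match(raw.strip())
        if not m:
            continue
        num, action, rest = m.groups()
        tokens = rest.split()
        if tokens[0] in ("ip", "tcp", "udp", "icmp"):
            continue
        if tokens[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif tokens[0] == "host":
            net = ipaddress.ip_network(tokens[1])
        else:
            net = wildcard_to_network(tokens[0], tokens[1] if len(tokens) > 1 else "0.0.0.0")
        acls.setdefault(num, []).append((action, net))
    return acls


def source_action(entries, src):
    """First-match evaluation, with IOS's implicit deny at the end of the list."""
    ip = ipaddress.ip_address(src)
    for action, net in entries:
        if ip in net:
            return action
    return "deny"


def management_access_classes(config):
    """Find the access-list numbers guarding HTTPS and the vty lines."""
    https = vty = None
    in_vty = False
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"ip http access-class (\d+)$", line)
        if m:
            https = m.group(1)
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and not line.startswith(" "):
            in_vty = False  # left the 'line vty' block
        m = re.match(r"\s+access-class (\d+) in$", line) if in_vty else None
        if m:
            vty = m.group(1)
    return {"https": https, "vty": vty}


def audit(config, mgmt_source):
    """For each management service, report 'permit', 'deny', or why it is open."""
    acls = parse_standard_acls(config)
    report = {}
    for service, acl in management_access_classes(config).items():
        if acl is None:
            report[service] = "open: no access-class configured"
        elif acl not in acls:
            # IOS applies an undefined list as permit-all, so this is wide open
            report[service] = f"open: access-class {acl} is not defined"
        else:
            report[service] = source_action(acls[acl], mgmt_source)
    return report
```

Running `audit(POSTED_CONFIG, "203.0.113.10")` shows HTTPS denied for the outside source while the vty is flagged open because list 23 is undefined; the corrected excerpt admits the placeholder source on both services and still denies everything else. The zone-based firewall on Dialer0 (`zone-member security out-zone`) is a separate gate in front of these lists and is not modelled here.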


