C871: access from the WAN side (Internet)?

Hi Again,

I have a little issue with my C871 box. I would like to access the router's management console through SSH and HTTPS (SDM) from the Internet. At the moment this does not work. I am able to ping the device, but I am not able to access the box through SSH or HTTPS, although I opened the FW on the box.

Maybe somebody can check my config? Here we go:

Building configuration...

Current configuration : 13029 bytes
!
! Last configuration change at 21:39:52 Berlin Mon Nov 5 2007 by root
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname EDGE-GW
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 0000000000000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name abc.de
ip name-server 194.8.194.70
ip name-server 194.8.194.60
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method dyndns
 HTTP
  add http://xxxx: snipped-for-privacy@members.dyndns.org/nic/update?system=dyndns&hostname=xxxx.homeip.net&myip=
 interval maximum 0 12 0 0
 interval minimum 0 12 0 0
!
!
!
crypto pki trustpoint TP-self-signed-00000000000
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-0000000000
 revocation-check none
 rsakeypair TP-self-signed-465119209
!
!
crypto pki certificate chain TP-self-signed-000000
 certificate self-signed 01

  quit
!
!
username root privilege 15 secret 5 $1$xxxxxxxxxxxxxxxxxxx/
!
!
class-map type inspect match-any ECHO
 match protocol icmp
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-all sdm-cls-sdm-permit-icmpreply-1
 match access-group name USENET
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any SSH
 match protocol ssh
class-map type inspect match-any SSL
 match protocol https
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
class-map type inspect match-all sdm-cls-sdm-permit-3
 match class-map SSL
 match access-group name SSL
class-map type inspect match-all sdm-cls-sdm-permit-2
 match class-map ECHO
 match access-group name ECHO
class-map type inspect match-any ICMPEchoReply
 match protocol icmp
class-map type inspect match-all sdm-cls-sdm-permit-1
 match class-map ICMPEchoReply
 match access-group name ICMPEchoReply
class-map type inspect match-all sdm-cls-sdm-permit-4
 match class-map SSH
 match access-group name SSH
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect sdm-cls-sdm-permit-4
  pass
 class type inspect sdm-cls-sdm-permit-3
  pass
 class type inspect sdm-access
  inspect
 class type inspect sdm-cls-sdm-permit-2
  inspect
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip ddns update hostname xxxx.homeip.net
 ip ddns update dyndns
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname snipped-for-privacy@nxx.xx
 ppp chap password 7 000000000000
 ppp pap sent-username snipped-for-privacy@nxx.xx password 7 0000000000
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.0.1
!
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended ECHO
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended HTTPS_MANAGEMENT
 remark SDM_ACL Category=1
 permit udp host 194.8.194.60 eq domain any
 permit udp host 194.8.194.70 eq domain any
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 permit udp host 80.67.17.101 eq ntp any eq ntp
 remark Auto generated by SDM for NTP (123) 192.53.103.103
 permit udp host 192.53.103.103 eq ntp any eq ntp
 permit tcp any any eq 443 log
 remark SDM_ACL Category=1
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 remark Auto generated by SDM for NTP (123) 192.53.103.103
ip access-list extended ICMPEchoReply
 remark SDM_ACL Category=128
 permit ip any any
 remark SDM_ACL Category=128
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
 remark SDM_ACL Category=1
 remark SDM_ACL Category=1
 remark SDM_ACL Category=1
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
 remark SDM_ACL Category=1
 remark SDM_ACL Category=1
 remark SDM_ACL Category=1
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 permit udp host 80.67.17.101 eq ntp any eq ntp
 remark Auto generated by SDM for NTP (123) 192.53.103.103
 permit udp host 192.53.103.103 eq ntp any eq ntp
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit tcp any any
 remark SDM_ACL Category=1
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 remark Auto generated by SDM for NTP (123) 192.53.103.103
ip access-list extended SSH
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended SSL
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended USENET
 remark SDM_ACL Category=128
 permit ip any any
 remark SDM_ACL Category=128
 remark SDM_ACL Category=128
 remark SDM_ACL Category=128
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 101 remark SDM_ACL Category=128
access-list 101 remark SDM_ACL Category=128
access-list 101 remark SDM_ACL Category=128
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 deny ip any any
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp any eq www any
access-list 105 permit udp host 194.8.194.60 eq domain any
access-list 105 permit udp host 194.8.194.70 eq domain any
access-list 105 remark Auto generated by SDM for NTP (123) 80.67.17.101
access-list 105 permit udp host 80.67.17.101 eq ntp any eq ntp
access-list 105 remark Auto generated by SDM for NTP (123) 192.53.103.103
access-list 105 permit udp host 192.53.103.103 eq ntp any eq ntp
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq 22
access-list 105 permit tcp any any eq cmd
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 80.67.17.101
access-list 105 remark Auto generated by SDM for NTP (123) 192.53.103.103
access-list 106 remark VTY Access-class list
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 192.168.0.0 0.0.0.255 any
access-list 106 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^CThis is a secure System! No unauthorized access!^C
!
line con 0
 password 7 00000000000000
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 23 in
 password 7 0000000000000
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17174758
ntp source Dialer0
ntp server 192.53.103.103 source Dialer0 prefer
ntp server 80.67.17.101
end

Thanx...Andy

Andreas Heinzelmann
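Added example, not part of Andy's post: a management-access fragment for the same IOS 12.4 zone-based firewall layout, written from what the posted config shows. Two things in the post are worth checking before touching the zone policy. `ip http access-class 2` points at ACL 2, which permits only 192.168.0.0/24 and then denies everything, so the HTTPS server refuses WAN-side clients no matter what the firewall passes. And `line vty 0 4` applies `access-class 23 in`, an ACL that appears nowhere in the posted config. The fragment uses one standard ACL for both services so the vty lines and the HTTPS server agree on who may manage the box, and puts the inbound SSH/HTTPS flows on the out-zone to self pair under `inspect` rather than `pass`: `pass` is stateless and one-directional, and the posted self to out policy runs TCP replies through an `inspect` class (sdm-icmp-access matches tcp), whereas inspecting the inbound flow creates the session that admits those replies. The management prefix 203.0.113.0/24 is an assumption (a documentation range standing in for the administrator's fixed address); if the client address is dynamic there is no clean way to avoid `any` here, and a VPN into the LAN is the usual answer instead of exposing SDM to the whole Internet.

```cisco
! Added example, not from the original post. One standard ACL names the
! hosts allowed to manage the router. 203.0.113.0/24 is an assumed
! management prefix standing in for the administrator's fixed address.
access-list 20 remark Management sources for SSH and HTTPS on the router
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 20 permit 203.0.113.0 0.0.0.255
access-list 20 deny any log
!
! Same list on both management services, so they agree. The posted
! "ip http access-class 2" permits only the LAN, and the posted
! "access-class 23 in" names an ACL the config never defines.
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 20
!
line vty 0 4
 access-class 20 in
 transport input ssh
!
! Zone-based firewall, out-zone to self. Only SSH and HTTPS from the
! management prefix, and only under "inspect": a passed flow would still
! need its replies permitted on the self-to-out pair, where the posted
! policy inspects tcp; an inspected flow gets a session entry instead.
ip access-list extended MGMT_IN
 remark SSH and HTTPS to the router from the (assumed) management prefix
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
 permit tcp 203.0.113.0 0.0.0.255 any eq 443
!
class-map type inspect match-any MGMT_PROTOCOLS
 match protocol ssh
 match protocol https
class-map type inspect match-all MGMT_FROM_WAN
 match class-map MGMT_PROTOCOLS
 match access-group name MGMT_IN
class-map type inspect match-any ICMP_TO_SELF
 match protocol icmp
!
! A fresh policy rather than edits to sdm-permit, because a class added to
! the existing policy would land after its "pass" classes and never match.
policy-map type inspect MGMT_TO_SELF
 class type inspect MGMT_FROM_WAN
  inspect
 class type inspect ICMP_TO_SELF
  inspect
 class class-default
  drop log
!
! Re-binding the existing zone-pair replaces the posted sdm-permit policy.
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect MGMT_TO_SELF
```

The explicit `drop log` on class-default is deliberate: the posted sdm-permit leaves class-default with the implicit drop and no log line, which makes a silently refused SSH connection look identical to a routing problem. Once applied, `show policy-map type inspect zone-pair sdm-zp-out-self sessions` lists the inspected management sessions, and a connection from outside the management prefix shows up as a logged drop instead of a timeout.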


thanx...andy

Reply to
Andreas Heinzelmann

The key thing is that the outside interface is no different from the inside other than the config that you apply. You can connect to either.

If you are connecting to the inside then you have some ACL or NAT issue I would guess. The config is too complex for me to delve into right now.

Here is the minimum you need to be able to ssh to a router.

hostname jims-router
ip domain name xyz.com
!
! enable secret secret   (not needed with priv 15)
no aaa new-model
username jim privilege 15 password jim
!
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
crypto key generate rsa
! accept 512 bits with return.
!
end
wr

The priv level 15 is not essential but it's in my config.

Reply to
Bod43

For https, try modifying access-list 2 to permit the outside addresses being used to access the router.

See NAT order of operations:

Note that for outside-to-inside the input access-list is applied BEFORE NAT translation occurs.

Reply to
Merv
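An added configuration fragment (my example, not from the thread) that applies Merv's suggestion: the "ip http access-class 2" line in Andy's config references a standard list that only permits 192.168.0.0/24, so an HTTPS connection arriving on Dialer0 is rejected by the access-class before the secure server ever sees it. The fragment uses a new list number and a named VTY list so the router is never left with an empty, all-permitting list while it is edited; 203.0.113.10 is a constructed placeholder for the administrator's fixed public source address.

```ios
! Before (from Andy's posted config): standard ACL 2 admits only the LAN,
! so browsers on the Internet never reach the HTTPS server
access-list 2 remark HTTP Access-class list
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny   any
ip http access-class 2
!
! After: build a new list (3) that also admits the administrator's fixed
! public address, then repoint the HTTP server at it. 203.0.113.10 is a
! constructed placeholder. A numbered standard list cannot have lines
! inserted, and rebuilding list 2 in place would briefly leave it empty
! (which the access-class treats as permit all), hence the new number.
access-list 3 remark HTTPS management: LAN plus admin host
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 permit host 203.0.113.10
access-list 3 deny   any log
ip http access-class 3
ip http secure-server
no ip http server
!
! Same idea for SSH on the vty lines, using a named standard list;
! the deny with log makes refused management attempts visible in syslog
ip access-list standard MGMT_SSH
 remark SSH management: LAN plus admin host
 permit 192.168.0.0 0.0.0.255
 permit host 203.0.113.10
 deny   any log
!
line vty 0 4
 access-class MGMT_SSH in
 transport input ssh
```

Note that the posted vty lines carry "access-class 23 in" while no access-list 23 appears among the lists shown, so it is worth confirming with "show access-lists 23" what that line actually enforces before relying on it.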

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.