Deny SDM Access from WAN

Hello,

We have a Cisco 2811 running SDM 2.3.4. I would like to restrict SDM to the LAN side of the house. When I attempt to connect via HTTP to the WAN IP, the SDM login page comes up. I ran the firewall setup and did not check "Allow SDM Access" from the WAN interface. I have included the running config below.

Thank you in advance for your consideration.

Building configuration...

Current configuration : 15756 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname premise
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.123-11.T10.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip dhcp excluded-address XXXXXXXXXXXXXXXXX
ip dhcp excluded-address XXXXXXXXXXXXXXXXX
ip dhcp excluded-address XXXXXXXXXXXXXXXXX
ip dhcp excluded-address XXXXXXXXXXXXXXXXX
ip dhcp excluded-address XXXXXXXXXXXXXXXXX
!
ip dhcp pool sdm-pool1
   import all
   network XXXXXXXXXXXXXXXXX
   dns-server XXXXXXXXXXXXXXXXX
   default-router XXXXXXXXXXXXXXXXX
!
ip dhcp pool sdm-pool2
   import all
   network 10.10.10.0 255.255.255.0
   dns-server XXXXXXXXXXXXXXXXX
   default-router XXXXXXXXXXXXXXXXX
   lease 0 2
!
ip dhcp pool sdm-pool3
   import all
   network 172.168.1.0 255.255.255.0
   dns-server XXXXXXXXXXXXXXXXX
   default-router XXXXXXXXXXXXXXXXX
   lease 0 2
!
ip dhcp pool CiscoPix501
   host XXXXXXXXXXXXXXXXX
   hardware-address XXXXXXXXXXXXXXXXX
   client-name pix
!
ip dhcp pool CiscoVPN3005
   host 10.10.10.50 255.255.255.0
   hardware-address XXXXXXXXXXXXXXXXX
!
!
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips po max-events 100
ip ips name sdm_ips_rule
no ip bootp server
ip domain name home.com
ip name-server XXXXXXXXXXXXXXXXX
ip name-server XXXXXXXXXXXXXXXXX
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
crypto pki trustpoint tti
 revocation-check crl
 rsakeypair tti
!
!
username XXXXXXXXXXXXXXXXX privilege 15 view root secret 5 XXXXXXXXXXXXXXXXX
!
!
no crypto isakmp ccm
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address XXXXXXXXXXXXXXXXX
 ip access-group 107 in
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0/1
 ip access-group 109 in
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip ips sdm_ips_rule out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/0/0
 description VLAN2 - VPN (Public)
 switchport access vlan 2
 no cdp enable
!
interface FastEthernet0/0/1
 description VLAN2 - ADMIN
 switchport access vlan 2
 no cdp enable
!
interface FastEthernet0/0/2
 description VLAN3
 switchport access vlan 3
 no cdp enable
!
interface FastEthernet0/0/3
 description VLAN3 - ADMIN
 switchport access vlan 3
 no cdp enable
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan2
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan3
 description $FW_INSIDE$
 ip address 172.168.1.1 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip classless
ip flow-top-talkers
 top 200
 sort-by bytes
 cache-timeout 36000
!
ip http server
ip http access-class 3
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 2 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.10.10.50 10000 interface FastEthernet0/1 10000
ip nat inside source static udp 10.10.10.50 10000 interface FastEthernet0/1 10000
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit XXXXXXXXXXXXXXXXX
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit 172.168.1.0 0.0.0.255
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit XXXXXXXXXXXXXXXXX
access-list 3 permit 172.168.1.0 0.0.0.255
access-list 3 permit XXXXXXXXXXXXXXXXX
access-list 3 deny any
access-list 100 remark auto generated by SDM firewall configuration
Removed
no cdp run
!
!
control-plane
!
!
banner exec ^C
-----------------------------------------------------------------------
^C
banner login ^C
Authorized access only! Disconnect IMMEDIATELY if you are not an authorized user!

THIS IS A PRIVATE COMPUTER SYSTEM. This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized use. All computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Monitoring includes active attacks by authorized personnel and their entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information including personal information, placed on or sent over this system may be monitored. Uses of this system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of any such unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action. Use of this system constitutes consent to monitoring for these purposes.
^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 104 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 104 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

pix help

Because of the command "ip http access-class 3", access-list 3 defines the IPs permitted to open the HTTP server of the router.

You should just be able to reduce your ACL to something like this:

access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 172.168.1.0 0.0.0.255
access-list 3 deny any

Brian

hack.bac
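Added example (not part of the thread): a small Python audit that reads the "ip http server" and "ip http access-class" lines plus the referenced standard ACL from a running-config and reports, per candidate source address, whether the router's HTTP server would accept the connection. The sample config is constructed from the poster's HTTP lines with the reduced access-list 3 from the reply; 203.0.113.7 stands in for an arbitrary Internet source.

```python
import ipaddress
import re
# Constructed sample (not the poster's redacted config): the HTTP-server lines
# from the running-config above, with the reduced access-list 3 from the reply.
SAMPLE_CONFIG = """
ip http server
ip http access-class 3
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 172.168.1.0 0.0.0.255
access-list 3 deny any
"""

def parse_http_access_class(config):
    """Return (http_enabled, acl_number, entries); entries is the ordered list of
    (action, network, wildcard) tuples of the standard ACL the HTTP server uses."""
    http_enabled = bool(re.search(r"^ip http server$", config, re.M))
    m = re.search(r"^ip http access-class (\d+)$", config, re.M)
    acl = m.group(1) if m else None
    entries = []
    if acl:
        pat = re.compile(rf"^access-list {acl} (permit|deny) (\S+)(?: (\S+))?$", re.M)
        for action, addr, wild in pat.findall(config):  # remark lines never match
            if addr == "any":
                addr, wild = "0.0.0.0", "255.255.255.255"
            elif addr == "host":
                addr, wild = wild, "0.0.0.0"  # 'host A.B.C.D' form
            entries.append((action, addr, wild or "0.0.0.0"))  # bare address = host
    return http_enabled, acl, entries

def acl_permits(entries, source_ip):
    """First-match evaluation of a standard ACL, ending in the implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, net, wild in entries:
        care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # wildcard 0-bits must match
        if (src & care) == (int(ipaddress.IPv4Address(net)) & care):
            return action == "permit"
    return False

def audit_http_sources(config, sources):
    """Map each source address to whether it may open the router's HTTP server.
    The access-class checks only the connection's source address, so a LAN host
    stays permitted even when it browses to the WAN interface address."""
    http_enabled, acl, entries = parse_http_access_class(config)
    if not http_enabled:
        return {s: False for s in sources}
    if acl is None:
        return {s: True for s in sources}  # no access-class: any source may connect
    return {s: acl_permits(entries, s) for s in sources}
```

Two things the audit makes visible: the reduced list also denies 10.10.10.0/24 (Vlan2), so add a permit for any other inside subnet that should still manage the router, and because the access-class matches on source address, a test from a permitted LAN host to the WAN IP will still show the login page; test from an outside address instead.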

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.