Question

Remote SDM/SSH/Telnet access to a Cisco 877

Asked by: v0r73x

I've been playing around with a Cisco 877 and have been trying to figure out how to allow remote access to the SDM and Telnet from external clients.

Basically I need to be able to jump on this router from any location ideally without having a VPN up first so SSH / HTTPS would be nice.

I've read several bits on how to configure SSH and some of the access list details, but whenever I try them it doesn't seem to let me in remotely. Local access is fine; here's the clean config. Any help / suggestions appreciated.

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 *****.
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-849564243
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-849564243
 revocation-check none
 rsakeypair TP-self-signed-849564243
!
!
dot11 syslog
!
dot11 ssid companyname
   authentication open 
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 *****
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.xx.1 192.168.xx.9
ip dhcp excluded-address 192.168.xx.101 192.168.xx.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.xx.0 255.255.255.0
   dns-server 4.2.2.1 4.2.2.2 
   default-router 192.168.xx.254 
!
!
ip port-map user-protocol--1 port tcp 7401
no ip bootp server
no ip domain lookup
ip domain name companyname.local
ip name-server 4.2.2.1
ip name-server 4.2.2.2
!
!
!
username ***** privilege 15 secret 5 *****
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ***** address 77.xx.xx.xx
crypto isakmp key ***** address 62.xx.xx.xx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to77.xx.xx.xx
 set peer 77.xx.xx.xx
 set transform-set ESP-3DES-SHA 
 match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp 
 description Tunnel to62.xx.xx.xx
 set peer 62.xx.xx.xx
 set transform-set ESP-3DES-SHA1 
 match address 107
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 108
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 104
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 description WLAN
 no ip address
 no dot11 qos mode
 !
 encryption mode ciphers tkip 
 !
 broadcast-key change 3600 membership-termination
 !
 !
 ssid companyname
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2462
 station-role root
 world-mode dot11d country GB both
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *****
 ppp chap password 7 *****
 ppp pap sent-username ***** password 7 *****
 crypto map SDM_CMAP_1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.xx.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.xx.200 7401 interface Dialer0 7401
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.xx.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.xx.200
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.xx.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.xx.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip host 77.xx.xx.xx any
access-list 104 permit ip host 62.xx.xx.xx any
access-list 105 remark SDM_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.0.0.0 0.0.0.255 192.168.xx.0 0.0.0.255
access-list 106 remark SDM_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny   ip 192.168.xx.0 0.0.0.255 172.28.xx.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny   ip 192.168.xx.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 106 permit ip 192.168.xx.0 0.0.0.255 any
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.xx.0 0.0.0.255 172.28.xx.0 0.0.0.255
access-list 108 remark SDM_ACL Category=0
access-list 108 remark IPSec Rule
access-list 108 permit ip 172.28.xx.0 0.0.0.255 192.168.xx.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.0.0.0 0.0.0.255 192.168.xx.0 0.0.0.255
access-list 109 remark SDM_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 172.28.xx.0 0.0.0.255 192.168.xx.0 0.0.0.255
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.0.0.0 0.0.0.255 192.168.xx.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 106
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C

!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 privilege level 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 194.164.127.6 source ATM0.1 prefer
ntp server 194.35.252.7 source ATM0.1 prefer
end

                                  
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
257:
258:
259:
260:
261:
262:
263:
264:
265:
266:
267:
268:
269:
270:
271:
272:
273:
274:
275:
276:
277:
278:
279:
280:
281:
282:
283:
284:
285:
286:
287:
288:
289:
290:
291:
292:
293:
294:
295:
296:
297:
298:
299:
300:
301:
302:
303:
304:
305:
306:
307:
308:
309:
310:
311:
312:
313:
314:
315:
316:
317:
318:
319:
320:
321:
322:
323:
324:
325:
326:
327:
328:
329:
330:
331:
332:
333:
334:
335:
336:
337:
338:
339:
340:
341:
342:
343:
344:
345:
346:
347:
348:
349:
350:
351:
352:
353:
354:
355:
356:
357:
358:
359:
360:
361:
362:
363:
364:
365:
366:
367:
368:
369:
370:
371:
372:
373:
374:
375:
376:
377:
378:
379:
380:
381:
382:
383:
384:
385:

Select allOpen in new window

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked on 2009-04-20 at 03:08:44 (ID 24337004)

Tags: Cisco 877, Telnet, Remote Access, SDM

Topics: Cisco PIX Firewall, Network Routers, SSH / Telnet Software

Answers

 

by: JFrederick29, posted on 2009-04-20 at 04:57:16 (ID: 24183671)

The Firewall is not allowing SSH.

Add this:

class-map type inspect match-any router-access
 match protocol ssh
 match protocol https

policy-map type inspect sdm-permit
 class type inspect router-access
  inspect

 

by: v0r73x, posted on 2009-04-21 at 05:02:19 (ID: 24193292)

I have tried entering the above, although I get the following error:

%Protocol ssh configured in class-map router-access cannot be configured for the
 self zone. Please remove the protocol and retry

 

by: JFrederick29, posted on 2009-04-21 at 06:06:47 (ID: 24193782)

Okay, do this instead.

conf t
ip access-list extended 150
 remark Management traffic to the router itself (self zone)
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit tcp any any eq 23

class-map type inspect match-any router-access
 no match protocol ssh
 no match protocol https
 match access-group 150

policy-map type inspect sdm-permit
 class type inspect router-access
  inspect

In access-list 150, you can restrict the source IP to "allowed" IP addresses to lock down SSH/HTTPS/TELNET access from the Internet if desired or leave it like above which allows that access from any IP.
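The restricted variant of the ACL-based class described above, as an added example that is not JFrederick29's configuration or anything the asker posted. It assumes the administrator connects from one fixed public address (203.0.113.10 is a documentation placeholder), keeps the LAN 192.168.xx.0/24 from the posted config, and also applies the "VTY Access-class list" (ACL 102) that the posted config defines but never binds to the vty lines.

```ios
! Added example, not from the thread. 203.0.113.10 is a placeholder for the
! admin's public IP; 192.168.xx.0/24 is the LAN already in the posted config.
!
! 1. Only the management host may reach the router's own (self) zone on
!    SSH and HTTPS. Telnet is deliberately left out (cleartext credentials).
ip access-list extended 150
 remark Management access to the router itself (self zone)
 permit tcp host 203.0.113.10 any eq 22
 permit tcp host 203.0.113.10 any eq 443
!
class-map type inspect match-any router-access
 match access-group 150
!
! "pass" is sufficient here: the reply traffic leaves through the existing
! self -> out-zone pair, whose class-default already passes everything.
policy-map type inspect sdm-permit
 class type inspect router-access
  pass
!
! 2. Second line of defence on the vty lines. A numbered ACL only appends,
!    so ACL 102 is rebuilt to keep "deny ip any any" as its last entry.
no access-list 102
access-list 102 remark VTY Access-class list
access-list 102 permit ip 192.168.xx.0 0.0.0.255 any
access-list 102 permit ip host 203.0.113.10 any
access-list 102 deny   ip any any
!
line vty 0 4
 access-class 102 in
 transport input ssh
!
! 3. The posted config runs "ip ssh version 1"; SSHv2 needs an RSA key of at
!    least 768 bits (crypto key generate rsa) and the plaintext HTTP server
!    is not needed once SDM is reached over HTTPS.
ip ssh version 2
no ip http server
ip http secure-server
```

If the administrator's address changes, only ACL 150 and ACL 102 need editing; the class-map and policy-map stay as they are.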

 

by: v0r73x, posted on 2009-05-07 at 12:50:46 (ID: 31579182)

Thanks for the help! Couldn't seem to get it running with the CLI as it kept failing with an error, but with the above in mind I used the SDM to add the allow rules for the self zone and to inspect the traffic, and it's done the job.
