
How to allow SDM access from WAN, need the command line command...

Posted on 2008-10-02
Last Modified: 2009-07-29
Hello, I need SDM access from the WAN. I have Telnet access from the WAN now and need the command to allow SDM on the WAN.


Building configuration...

Current configuration : 5603 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXXXXXXXXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool pool1
   network 192.168.1.0 255.255.255.0
   domain-name XXXXXXXXXXXXXXXXXXXXXXXXXX
   default-router 192.168.1.1
   dns-server XXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
ip tcp synwait-time 10
ip cef
no ip domain lookup
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username xxxx privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
username xxxx privilege 15 secret 5 $1XXXXXXXXXXXXXXXXXXXXXXXXXX
username xxxx privilege 15 secret 5 $1$Om30XXXXXXXXXXXXXXXXXXXXXXXXXX
username xxxx privilege 15 secret 5 $1XXXXXXXXXXXXXXXXXXXXXXXXXX
username xxxx  privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_Group
 key XXXXXXXXXXXXXXXXXXXXXXXXXX
 pool SDM_POOL_1
 acl 101
 max-users 5
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $FW_OUTSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Ethernet1
 description $ETH-WAN$$FW_INSIDE$
 ip address dhcp client-id Ethernet1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 crypto map SDM_CMAP_1
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.54.1 192.168.54.20
ip route 192.168.1.0 255.255.255.0 Ethernet1
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.54.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.1
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.3
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.4
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.5
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.6
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.7
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.8
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.9
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.10
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.11
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.12
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.13
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.14
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.15
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.16
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.17
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.18
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.19
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.20
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^CWelcome to Shortess!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 exec-timeout 120 0
 authorization exec local_author
 login authentication local_authen
 length 0
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
end
Question by jkhtkd

Expert Comment by Pugglewuggle:
Just to let you know - the SDM is pretty much garbage. It's very buggy.
Also, DO NOT EVER USE TELNET OVER THE INTERNET - your passwords are sent in clear text and anyone listening can see them and log into your router. Use SSH instead of telnet - it is encrypted.
Run this to disable telnet and use SSH:
crypto key generate rsa modulus 1024
line vty 0 4
no transport input telnet ssh
transport input ssh

If you know the IP address you'll be accessing the router from, it's also good to restrict access to that as well with the access list.
Now use an SSH client to access the device securely. I recommend PuTTY - much better than telnet.

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Also, your SDM is currently NOT encrypted either. These commands will encrypt it and allow access to it by checking the "use SSL" box or accessing it by https://<ip address> instead of just http://<ip address>
To enable encrypted SDM on outside just run:
no ip http server
http secure-server
ip http authentication local
access-list 103 permit tcp any interface Ethernet0 eq 443
interface Ethernet0
access-group 103 in
Cheers! Let me know if that helps!

Accepted Solution by Pugglewuggle (earned 250 total points):
Sorry - the last group of commands should have been:
no ip http server
ip http secure-server
ip http authentication local
access-list 103 permit tcp any interface Ethernet0 eq 443
interface Ethernet0
access-group 103 in


Author Comment by jkhtkd:
Sorry, but access-list 103 permit tcp any interface Ethernet0 eq 443 has a syntax error at Interface?

Expert Comment by Pugglewuggle:
Sorry, I was thinking of the PIX firewall - change that line to:
access-list 103 permit tcp any any eq 443
Cheers!

Author Comment by jkhtkd:
Sorry, I'm still learning....
So from the beginning: log in, enable,
conf t
no ip http server
ip http secure-server
ip http authentication local
access-list 103 permit tcp any any eq 443
interface Ethernet0
access-group 103 in

Expert Comment by Pugglewuggle:
That's right!
That disables the unencrypted HTTP server,
enables the encrypted HTTP server (SSL),
tells it to authenticate against the AAA usernames,
makes an access-list allowing TCP port 443 from any address on the web (I recommend tightening this if possible - it's a bad idea to allow any to a management method),
opens interface ethernet0
assigns that access-list to incoming traffic
Run these too to secure your remote CLI (disable telnet and enable SSH)
crypto key generate rsa modulus 1024
line vty 0 4
no transport input telnet ssh
transport input ssh

:)

Author Comment by jkhtkd:
Cool, what would the non ssl version of this be?

Expert Comment by Pugglewuggle:
Just use  
ip http server
instead - I DO NOT recommend this - it is not secure and your device can be compromised easily if you don't use SSL for SDM and SSH for command line only.

Author Comment by jkhtkd:
Sorry, but now I get a syntax error on access-group 103 in

Expert Comment by billwharton:
Try this:
interface Ethernet0
ip access-group 103 in

You were missing the 'ip'

Author Comment by jkhtkd:
Still cannot get access, tried both secure and unsecure...

Expert Comment by billwharton:
Is it giving you an error like an authentication error, or aren't you seeing any prompt for user authentication at all? Try this from your command prompt:

telnet <outside IP of your router> 443
telnet <outside IP of your router> 80

See the output of both of the above and see if it sticks at "connecting to..." or if it connects and shows no output at all.
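The two telnet probes above, as a small script that tells the three outcomes apart and can be pointed at several ports in turn. This is an added example, not code from the thread: `demo()` runs it against throw-away listeners on 127.0.0.1 that stand in for the router's web UI (the 401 reply and its realm are constructed), so it works offline; to use it for real, call `probe_http_port` with the router's outside address and port 80 or 443.

```python
"""Classify what a router's web port does when poked, the way the thread's
'telnet <router> 80' and 'telnet <router> 443' checks do. Added example, not
code from the thread. demo() runs it against throw-away local listeners that
stand in for the router, so it works offline."""
import socket
import threading

# Constructed stand-in for a plaintext IOS web UI's answer (the realm is a placeholder).
HTTP_401 = b'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="router"\r\n\r\n'


def probe_http_port(host, port, timeout=3.0):
    """Return 'connect-failed' (nothing answers: service off, or an ACL/NAT in the way),
    'open-silent' (TCP connects but a plaintext request gets no HTTP status line:
    an HTTPS-only port, a reset, or a hung session) or 'http' (plaintext web UI is up)."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect-failed"
    with s:
        try:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            data = s.recv(256)
        except OSError:  # timeout or reset after the handshake: open, but not plaintext HTTP
            return "open-silent"
    return "http" if data.startswith(b"HTTP/") else "open-silent"


def _serve_once(srv, reply):
    """Accept one connection, swallow the request, send `reply` (b'' = say nothing)."""
    conn, _ = srv.accept()
    with conn:
        conn.recv(1024)
        if reply:
            conn.sendall(reply)


def _listener():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free one
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo():
    """Probe three local cases and return {case: result}."""
    results = {}
    for name, reply in (("plaintext-http", HTTP_401), ("https-only-port", b"")):
        srv, port = _listener()
        worker = threading.Thread(target=_serve_once, args=(srv, reply), daemon=True)
        worker.start()
        results[name] = probe_http_port("127.0.0.1", port, timeout=2.0)
        worker.join(2.0)
        srv.close()
    srv, port = _listener()
    srv.close()  # release the port so nobody listens on it
    results["nobody-listening"] = probe_http_port("127.0.0.1", port, timeout=2.0)
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} {result}")
```

A real HTTPS-only port usually answers a plaintext HEAD with a TLS alert or a reset rather than silence; both land in `open-silent`, which is the "connects but shows nothing" case described above, as opposed to `connect-failed`, which means the router's HTTP service never saw the connection at all.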

Author Comment by jkhtkd:
I reverted the router by reloading; telnet on 80 just hangs and then I get a connect failed... same on 443

Expert Comment by billwharton:
What do you mean, reverted the router by reloading? You don't need to every time you make a config change - just do a 'write memory'.

Author Comment by jkhtkd:
I wanted to start over from the beginning, so reloading is the only way I know how to revert to the starting config. I never did a copy run start....

So I tried again, all commands for the unsecure connection and no luck...

Expert Comment by billwharton:
OK, can you paste your config in its entirety again? Also,

Author Comment by jkhtkd:
Here ya go....
Building configuration...

Current configuration : 5583 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool pool1
   network 192.168.1.0 255.255.255.0
   domain-name xxxxxxxxxxxxxxxxxxxxx
   default-router 192.168.1.1
   dns-server xxxxxxxxxxxxxxxxxxxxx
   lease 7
!
!
ip tcp synwait-time 10
ip cef
no ip domain lookup
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username xxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxx
username xxx privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxxxx
username xxx privilege 15 secret 5 $1$Om30xxxxxxxxxxxxxxxxxxxxx
username xxx privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_Group
 key xxxxxxxxxxxxxxxxxxxxx
 pool SDM_POOL_1
 acl 101
 max-users 5
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $FW_OUTSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Ethernet1
 description $ETH-WAN$$FW_INSIDE$
 ip address dhcp client-id Ethernet1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 crypto map SDM_CMAP_1
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.54.1 192.168.54.20
ip route 192.168.0.0 255.255.255.0 Ethernet1
ip route 192.168.1.0 255.255.255.0 Ethernet1
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.54.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.1
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.3
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.4
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.5
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.6
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.7
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.8
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.9
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.10
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.11
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.12
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.13
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.14
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.15
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.16
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.17
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.18
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.19
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.20
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit tcp any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^CWelcome to xxxxxxxxxxxxxxxxxxxxx^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
end

Assisted Solution by billwharton (earned 250 total points):
Do this:
conf t
ip http secure-server

You currently have it set to 'no'.

Now try again.

Expert Comment by Pugglewuggle:
Yes that should work.
But again, I recommend you remove the telnet access from the VTY line if you've got it wide open to the internet.
Do this with:
line vty 0 4
no transport input telnet ssh
transport input ssh
You will then need an SSH client but it's encrypted so it's worth it because nobody can sniff your password and hack your router.

Expert Comment by Pugglewuggle:
And also, I recommend only allowing SDM over SSL (secure-server). To do this, run these commands:
access-list 103 permit tcp any any eq 443
no access-list 103 permit tcp any any
If you don't take these precautions you'll be really sorry when a hacker logs into your router and ruins everything just because you didn't take care in restricting management access.
Having it open to any any is bad in the first place, having it unencrypted is so much worse.
Make sure when accessing SDM with SSL that you check the Use HTTPS/SSL box on the SDM launcher.
Cheers!

Author Comment by jkhtkd:
Thanks, I'll have to try in the AM... I'll post again as soon as I try again.

Expert Comment by Pugglewuggle:
Okay! I'll be waiting to hear if it worked!

Expert Comment by billwharton:
Also, kindly post the output of this command:
show ip http server all


Author Comment by jkhtkd:
Hey guys, thanks a million for your help...

here is the latest config:

Building configuration...

Current configuration : 5538 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxxxx^C
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1xxxxxxxxxx^C
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool pool1
   network 192.168.1.0 255.255.255.0
   domain-name xxxxxxxxxx^C
   default-router 192.168.1.1
   dns-server xxxxxxxxxx^C
   lease 7
!
!
ip tcp synwait-time 10
ip cef
no ip domain lookup
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username shortess privilege 15 password 7 xxxxxxxxxx^C
username jkhtkd privilege 15 secret 5 $1xxxxxxxxxx^C
username admin privilege 15 secret 5 $1$Om30xxxxxxxxxx^C
username sshortess privilege 15 secret 5 $1xxxxxxxxxx^C
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_Group
 key xxxxxxxxxx^C
 pool SDM_POOL_1
 acl 101
 max-users 5
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $FW_OUTSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Ethernet1
 description $ETH-WAN$$FW_INSIDE$
 ip address dhcp client-id Ethernet1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 crypto map SDM_CMAP_1
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.54.1 192.168.54.20
ip route 192.168.1.0 255.255.255.0 Ethernet1
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.54.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.1
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.3
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.4
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.5
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.6
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.7
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.8
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.9
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.10
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.11
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.12
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.13
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.14
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.15
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.16
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.17
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.18
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.19
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.20
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit tcp any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^CWelcome to xxxxxxxxxx^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
end


And...

xxxxxxxxx#show ip http server all
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: local
HTTP server access class: 0
HTTP server base path:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 1
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

HTTP server application session modules:
 Session module Name  Handle Status   Secure-status  Description
HTTP_IFS              1      Active   Active         HTTP based IOS File Server
WEB_EXEC              2      Active   Active         HTTP based IOS EXEC Server
HOME_PAGE             3      Active   Active         IOS Homepage Server
http_ezsetup          4      Active   Active         HTTP EZSETUP Server
IPS_IDCONF            5      Active   Active         IOS IPS IDCONF Server
IPS_SDEE              6      Active   Active         IOS IPS SDEE Server
EzVPN-Web-Intercept   7      Active   Active         EzVPN Web Intercept URL Handler
tti-petitioner        8      Active   Active         TTI Petitioner


HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes


HTTP server statistics:
Accepted connections total: 0


HTTP server history:
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes  end-time
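The advice in this thread, pulled together as a check that can be run against a saved `show running-config` before SDM is exposed. This is an added example written for this page, not code from the thread or from Cisco. The two embedded configs are constructed: the weak one keeps the posted router's interface roles and ACL numbers, the fixed one uses the documentation address 203.0.113.10 as a stand-in for the admin station. It decides which side of the router an interface is on from `ip nat inside` / `ip nat outside` rather than from the description, because in the posted config the `$FW_OUTSIDE$` label sits on the 192.168.1.1 LAN interface, and `access-list 103` was applied there, where it filters nothing arriving from the WAN. It also checks `ip http access-class`, which the `show ip http server all` output above reports as `0` (none): that command, together with the VTY `access-class`, is what limits who may reach the web UI and SSH, without an interface ACL whose implicit deny would also catch everything else the interface carries.

```python
"""Audit a Cisco IOS running-config for the management-plane weaknesses this thread
discusses. Added example, not code from the thread or from Cisco. Both configs are
constructed; FIXED_CONFIG uses the documentation address 203.0.113.10 as the admin host."""

WEAK_CONFIG = """\
interface Ethernet0
 description $FW_OUTSIDE$
 ip access-group 103 in
 ip nat inside
ip http server
no ip http secure-server
access-list 100 permit ip any any
access-list 103 permit tcp any any
line vty 0 4
 access-class 100 in
 transport input telnet ssh
"""
FIXED_CONFIG = """\
interface Ethernet1
 ip nat outside
no ip http server
ip http secure-server
ip http access-class 10
access-list 10 permit 203.0.113.10
line vty 0 4
 access-class 10 in
 transport input ssh
"""
PROTOS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre"}


def parse_config(text):
    """Return (top-level lines, {'interface ...' / 'line ...': [indented child lines]})."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        top.append(raw.rstrip())
        current = raw.rstrip() if raw.startswith(("interface ", "line ")) else None
        if current is not None:
            blocks.setdefault(current, [])
    return top, blocks


def _take_addr(tokens):
    """Consume one ACL address: 'any', 'host A', 'A WILDCARD' or a bare A."""
    if not tokens or tokens[0] == "any":
        return "any", tokens[1:]
    n = 2 if tokens[0] == "host" or (len(tokens) > 1 and tokens[1].replace(".", "").isdigit()) else 1
    return " ".join(tokens[:n]), tokens[n:]


def acl_entries(top, number):
    """(action, proto, src, dst, port) per non-remark entry of numbered ACL `number`
    in the common 'proto src dst [eq port]' shape (source-port matches are not parsed)."""
    entries = []
    for line in top:
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", number] or tok[2] == "remark":
            continue
        rest = tok[3:]
        proto = rest.pop(0) if rest[0] in PROTOS else "ip"  # standard ACLs name no protocol
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append((tok[2], proto, src, dst, port))
    return entries


def permits_any_source(entries):
    return any(a == "permit" and s == "any" for a, _, s, _, _ in entries)


def audit(text):
    """Return findings for `text`; an empty list means the management plane is locked down."""
    top, blocks = parse_config(text)
    out = []
    vty = blocks.get("line vty 0 4", [])
    if "telnet" in next((l.split() for l in vty if l.startswith("transport input")), []):
        out.append("vty: telnet accepted, passwords cross the WAN in clear text; use 'transport input ssh'")
    vty_acl = next((l.split()[1] for l in vty if l.startswith("access-class")), None)
    if vty_acl is None or permits_any_source(acl_entries(top, vty_acl)):
        out.append(f"vty: access-class {vty_acl or '(none)'} lets any source try to log in; restrict it to the admin address")
    if "ip http server" in top:
        out.append("http: plaintext 'ip http server' is on, SDM logins are sniffable")
    if "ip http secure-server" not in top:
        out.append("http: 'ip http secure-server' is off, https://<router> (SDM with Use HTTPS) cannot connect")
    http_acl = next((l.split()[3] for l in top if l.startswith("ip http access-class ")), None)
    if http_acl is None or permits_any_source(acl_entries(top, http_acl)):
        out.append(f"http: access-class {http_acl or '(none)'} ('access class: 0' in show ip http server all) lets any source reach the web UI")
    for name, lines in ((n, l) for n, l in blocks.items() if n.startswith("interface ")):
        role = "outside" if "ip nat outside" in lines else "inside" if "ip nat inside" in lines else None
        desc = next((l[12:] for l in lines if l.startswith("description ")), "").upper()
        if role and "SIDE" in desc and ("OUTSIDE" in desc) != (role == "outside"):
            out.append(f"{name}: description {desc} disagrees with NAT role {role}; place a WAN filter by 'ip nat outside', not by label")
        acl = next((l.split()[2] for l in lines if l.startswith("ip access-group ") and l.endswith(" in")), None)
        for action, proto, src, _, port in (acl_entries(top, acl) if acl else []):
            if action == "permit" and src == "any":
                out.append(f"{name}: ACL {acl} exposes {'all ' + proto if port is None else proto + '/' + port} to any source")
        if acl and role == "inside":
            out.append(f"{name}: ACL {acl} is on the LAN side: it filters nothing from the WAN, and its implicit deny drops LAN traffic it does not list (UDP DNS, ICMP)")
    return out
```

Two caveats the fixed config relies on: `crypto key generate rsa` refuses to run until both a `hostname` and an `ip domain-name` are configured (the posted config has the first but not the second; the pool's `domain-name` does not count), and once `ip http secure-server` is on, the router mints a self-signed certificate on first use, so the browser warning on `https://<router>` is expected.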






Author Comment by jkhtkd:
Hey guys, I ran it from the beginning and it now works securely.... I would like to split the points if that's OK with you both.....

Thanks a million, it's great to learn from guys like you!
I appreciate it!

Expert Comment by Pugglewuggle:
Glad to hear it works!
Cheers!