How to allow SDM access from WAN, need the command line command...

Just to let you know - the SDM is pretty much garbage. It's very buggy.
Also, DO NOT EVER USE TELNET OVER THE INTERNET - your passwords are sent in clear text and anyone listening can see them and log into your router. Use SSH instead of telnet - it is encrypted.
Run this to disable telnet and use SSH:
crypto key rsa generate mod 1024
line vty 0 4
no transport input telnet ssh
transport input ssh
If you know the IP address you'll be accessing the router from it's also good to restrict access to that as well with the access list.
Now use an SSH client to access the device securely. I recommend PUTTY - much better than telnet.

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Also, your SDM is curently NOT encrypted either. These commands will encrypt it and allow access to it by checking the "use SSL" box or accessing it by https://ip address instead of just http://ip address
To enable encrypted SDM on outside just run:
no ip http server
http secure-server
ip http authentication local
access-list 103 permit tcp any interface Ethernet0 eq 443
interface Ethernet0
access-group 103 in
Cheers! Let me know if that helps!

Sorry, but access-list 103 permit tcp any interface Ethernet0 eq 443 has a syntax error at Interface?

Sorry I was thinking of PIX firewall - change that line to:
access-list 103 permit tcp any any eq 443
Cheers!

Sorry, im still learning....
So from the begining log in enable,
conf t
no ip http server
ip http secure-server
ip http authentication local
access-list 103 permit tcp any any eq 443
interface Ethernet0
access-group 103 in

That's right!
That disables the unencrypted http server.
enables encrypted http server (SSL)
tells it to authenticate to AAA usernames
makes access-list allowing tcp port 443 from any address on web (I recommend tightening this if possible - it's bad idea to allow any to a management method)
opens interface ethernet0
assigns that access-list to incoming traffic
Run these too to secure your remote CLI (disable telnet and enable SSH)
crypto key rsa generate mod 1024
line vty 0 4
no transport input telnet ssh
transport input ssh
:)

Cool, what would the non ssl version of this be?

Just use  
ip http server
instead - I DO NOT recommend this - it is not secure and your device can be compromised easily if you don't use SSL for SDM and SSH for command line only.

Sorry, but now I get a syntax error on access-group 103 in

Try this:
interface Ethernet0
ip access-group 103 in

You were missing the 'ip'

Still can not get access, tried both secure and unsecure...

is it giving you an error like authentication error or you aren't seeing any prompting for user authentication at all? try this from your command prompt:

telnet <outside IP of your router> 443
telnet <outside IP of your router> 80

see the output of both of the above and see if it sticks at connecting to... or if it connects and shows no output at all

I reverted the router by reloading, telnet on 80 just hangs and then I get a connect failed...same on 443

what do you mean reverted the router by reloading? You don't need to every time you make a config change - just do a 'write memory'

I wanted to start over from the begining, so reloading is the only way i know how to reevert to the starting config. I never did a copy run start....

So I tried again, all commands for the unsecure connection and no luck...

ok, can you paste your config in its entirety again? also,

Here ya go....
Building configuration...

Current configuration : 5583 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool pool1
   network 192.168.1.0 255.255.255.0
   domain-name xxxxxxxxxxxxxxxxxxxxx
   default-router 192.168.1.1
   dns-server xxxxxxxxxxxxxxxxxxxxx
   lease 7
!
!
ip tcp synwait-time 10
ip cef
no ip domain lookup
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username xxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxx
username xxx privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxxxx
username xxx privilege 15 secret 5 $1$Om30xxxxxxxxxxxxxxxxxxxxx
username xxx privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_Group
 key xxxxxxxxxxxxxxxxxxxxx
 pool SDM_POOL_1
 acl 101
 max-users 5
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $FW_OUTSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Ethernet1
 description $ETH-WAN$$FW_INSIDE$
 ip address dhcp client-id Ethernet1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 crypto map SDM_CMAP_1
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.54.1 192.168.54.20
ip route 192.168.0.0 255.255.255.0 Ethernet1
ip route 192.168.1.0 255.255.255.0 Ethernet1
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.54.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.1
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.3
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.4
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.5
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.6
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.7
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.8
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.9
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.10
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.11
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.12
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.13
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.14
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.15
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.16
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.17
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.18
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.19
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.20
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit tcp any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^CWelcome to xxxxxxxxxxxxxxxxxxxxx^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
end

Yes that should work.
But again, I recommend you remove the telnet access from the VTY line if you've got it wide open to the internet.
Do this with:
line vty 0 4
no transport input telnet ssh
transport input ssh
You will then need an SSH client but it's encrypted so it's worth it because nobody can sniff your password and hack your router.

And also, I recommend only allowing SDM over SSL (secure-server). To do this run this command:
access-list 103 permit tcp any any eq 443
no access-list 103 permit tcp any any
If you don't take these precautions you'll be really sorry when a hacker logs into your router and ruins everything just because you didn't take care in restricting management access.
Having it open to any any is bad in the first place, having it unencrypted is so much worse.
Make sure when access the SDM on with SSL that you check the Use HTTPS/SSL box on the SDM launcher.
Cheers!

Thanks, I'll have to try in the AM... i'll post again as a soon as I try again.

Okay! I'll be waiting to hear if it worked!

Also, kindly post the output of this command;
show ip http server all

Hey Guys, thanks a milliond for your help...

here is the latest config:

Building configuration...

Current configuration : 5538 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxxxx^C
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1xxxxxxxxxx^C
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool pool1
   network 192.168.1.0 255.255.255.0
   domain-name xxxxxxxxxx^C
   default-router 192.168.1.1
   dns-server xxxxxxxxxx^C
   lease 7
!
!
ip tcp synwait-time 10
ip cef
no ip domain lookup
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username shortess privilege 15 password 7 xxxxxxxxxx^C
username jkhtkd privilege 15 secret 5 $1xxxxxxxxxx^C
username admin privilege 15 secret 5 $1$Om30xxxxxxxxxx^C
username sshortess privilege 15 secret 5 $1xxxxxxxxxx^C
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_Group
 key xxxxxxxxxx^C
 pool SDM_POOL_1
 acl 101
 max-users 5
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $FW_OUTSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Ethernet1
 description $ETH-WAN$$FW_INSIDE$
 ip address dhcp client-id Ethernet1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 crypto map SDM_CMAP_1
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.54.1 192.168.54.20
ip route 192.168.1.0 255.255.255.0 Ethernet1
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.54.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.1
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.3
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.4
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.5
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.6
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.7
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.8
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.9
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.10
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.11
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.12
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.13
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.14
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.15
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.16
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.17
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.18
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.19
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.20
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit tcp any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^CWelcome to xxxxxxxxxx^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
end


And...

xxxxxxxxx#show ip http server all
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: local
HTTP server access class: 0
HTTP server base path:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 1
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128
-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

HTTP server application session modules:
 Session module Name  Handle Status   Secure-status  Description
HTTP_IFS              1      Active   Active         HTTP based IOS File Server

WEB_EXEC              2      Active   Active         HTTP based IOS EXEC Server

HOME_PAGE             3      Active   Active         IOS Homepage Server

http_ezsetup          4      Active   Active         HTTP EZSETUP Server

IPS_IDCONF            5      Active   Active         IOS IPS IDCONF Server

IPS_SDEE              6      Active   Active         IOS IPS SDEE Server

EzVPN-Web-Intercept   7      Active   Active         EzVPN Web Intercept URL Han
dler
tti-petitioner        8      Active   Active         TTI Petitioner



HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes


HTTP server statistics:
Accepted connections total: 0


HTTP server history:
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes  end-time

Hey Guys, I ran it from the beginning anf it now works secure.... I would like to split the point of thats ok with you both.....

Thanks a million, it's great to learn from guys like you!
I appreciate it!

Glad to head it works!
Cheers!