How to allow SDM access from the WAN — need the command-line command...
Posted on 2008-10-02
Hello, I need SDM access from the WAN. I already have Telnet access from the WAN and need the command to allow SDM on the WAN.
Building configuration...
Current configuration : 5603 bytes
!
version 12.4
! Global service hardening: pad service off, TCP keepalives in both
! directions, timestamped debug/log output, sequence-numbered log lines.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! NOTE(review): password-encryption only applies the reversible type 7
! encoding to "password" lines; it is not a hash. See the username
! entries at the end of this section.
service password-encryption
service sequence-numbers
!
hostname XXXXXXXXXXXXXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
! Login-failure rate limiting (3 per minute, logged) and a 6-character
! minimum password length. Local buffer keeps debugging-level messages;
! the console only shows critical ones.
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
! Enable password stored as a type 5 (MD5) hash.
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
aaa new-model
!
!
! Every AAA method list resolves against the local user database:
! local_authen/local_author for device login and exec authorization,
! sdm_vpn_xauth_ml_1 / sdm_vpn_group_ml_1 for the SDM-generated VPN
! (both are referenced by crypto map SDM_CMAP_1 further down).
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
! IP source routing disabled (good; prevents source-routed packets from
! bypassing the forwarding table).
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
! LAN DHCP pool; default-router 192.168.1.1 is the address configured on
! Ethernet0 below, which is therefore the LAN-facing interface.
ip dhcp pool pool1
network 192.168.1.0 255.255.255.0
domain-name XXXXXXXXXXXXXXXXXXXXXXXXXX
default-router 192.168.1.1
dns-server XXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
! Short SYN wait, CEF switching, no DNS lookups from the CLI, BOOTP
! server disabled.
ip tcp synwait-time 10
ip cef
no ip domain lookup
no ip bootp server
! SSH negotiation time-out and authentication retry limit. SSH is accepted
! on the vty lines ("transport input telnet ssh" at the end of the config).
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
! All accounts are privilege 15 (full access). Two entries use
! "password 7" (reversible type 7 encoding) while the others use
! "secret 5" ($1$ = MD5-crypt hash). NOTE(review): convert the two
! "password 7" accounts with "username <name> secret <password>" so no
! privileged credential is stored in a reversible form; these are the
! same credentials the HTTP/SDM and vty logins accept via
! "ip http authentication local" / local_authen.
username xxxx privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
username xxxx privilege 15 secret 5 $1XXXXXXXXXXXXXXXXXXXXXXXXXX
username xxxx privilege 15 secret 5 $1$Om30XXXXXXXXXXXXXXXXXXXXXXXXXX
username xxxx privilege 15 secret 5 $1XXXXXXXXXXXXXXXXXXXXXXXXXX
username xxxx privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
! NOTE(review): the bare redacted line below is not a valid IOS statement;
! it looks like redaction residue from a sixth username entry — confirm
! against the live config.
XXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
! IKE phase 1 policy: 3DES encryption, pre-shared-key authentication,
! Diffie-Hellman group 2. These were SDM's defaults at the time; 3DES
! and group 2 are weak by current standards, so AES and a larger DH group
! are preferable where the image supports them.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
! Easy VPN server group "VPN_Group": clients share the pre-shared key
! below, get addresses from SDM_POOL_1, receive ACL 101 as the
! split-tunnel list, and at most 5 may be connected at once.
crypto isakmp client configuration group VPN_Group
key XXXXXXXXXXXXXXXXXXXXXXXXXX
pool SDM_POOL_1
acl 101
max-users 5
netmask 255.255.255.0
!
!
! IPsec phase 2 transform set: ESP with 3DES and SHA-1 HMAC.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic crypto map for remote-access peers; reverse-route injects a
! static route for each connected client's assigned address.
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
! SDM_CMAP_1 binds XAUTH and group authorization to the local AAA lists
! defined above, hands out addresses on request, and attaches the dynamic
! map. The crypto map is applied to Ethernet1 (the WAN interface) below.
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
! Null0 used as a black-hole target; suppress unreachables so it cannot
! be used to generate ICMP replies.
interface Null0
no ip unreachables
!
! NOTE(review): the description tag says $FW_OUTSIDE$, but this interface
! carries the LAN address 192.168.1.1 (the DHCP default router) and is
! "ip nat inside" - functionally it is the inside/LAN interface. The SDM
! inside/outside tags appear to be swapped with Ethernet1; SDM's
! firewall wizard presumably relies on these tags, so verify them before
! letting SDM generate firewall policy.
! Strict unicast RPF is enabled here; ICMP redirects/unreachables and
! proxy-ARP are off; virtual-reassembly is on for NAT/VPN.
interface Ethernet0
description $FW_OUTSIDE$
ip address 192.168.1.1 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
! NOTE(review): tagged $ETH-WAN$$FW_INSIDE$, but this is the
! DHCP-addressed, "ip nat outside", crypto-map-bearing interface - i.e.
! the WAN side. No inbound "ip access-group" is applied, so every
! router-hosted service (HTTP/SDM, Telnet, SSH, IKE) is reachable from
! the WAN subject only to each service's own access-class setting.
! Unlike Ethernet0, unicast RPF is not enabled on this interface.
interface Ethernet1
description $ETH-WAN$$FW_INSIDE$
ip address dhcp client-id Ethernet1
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
crypto map SDM_CMAP_1
!
! Unused routed port, administratively down.
interface Ethernet2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
!
! Switch ports; no per-port configuration beyond auto-negotiation.
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
! Address pool handed to Easy VPN clients (20 addresses; max-users is 5).
ip local pool SDM_POOL_1 192.168.54.1 192.168.54.20
! NOTE(review): static route for the LAN prefix 192.168.1.0/24 pointing
! out the WAN interface, while the same prefix is directly connected on
! Ethernet0. Presumably left over from an earlier addressing scheme -
! confirm it is intentional.
ip route 192.168.1.0 255.255.255.0 Ethernet1
!
! SDM is served by the IOS HTTP server. As configured it is plain HTTP
! only (secure-server disabled), authenticates against the privilege-15
! local accounts, and has no "ip http access-class", so it answers on
! every interface including the WAN with credentials sent in cleartext.
! To expose SDM from the WAN safely: enable "ip http secure-server",
! disable the plaintext listener with "no ip http server", and restrict
! sources with "ip http access-class <acl>" using an ACL that lists only
! the management hosts (ACL 1 below is unused and could be adapted).
ip http server
ip http authentication local
no ip http secure-server
!
! Overload (PAT) NAT to the WAN address for traffic matched by route-map
! SDM_RMAP_1, i.e. ACL 102.
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
! NOTE(review): trap level is debugging, but no "logging host" appears
! anywhere in this listing, so nothing is actually shipped to a collector.
logging trap debugging
! ACL 1 matches the LAN subnet but is not referenced by any other line
! in this listing.
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
! ACL 100 is the vty access-class and permits any source, so Telnet/SSH
! to the router are not restricted by address at all.
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
! Split-tunnel ACL for VPN_Group. NOTE(review): the second entry covers
! 192.168.0.0/24, which is not the LAN subnet (192.168.1.0/24) -
! possibly a typo; confirm which networks clients should tunnel.
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.54.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
! NAT match ACL used by SDM_RMAP_1. The deny lines exclude traffic
! sourced from the VPN pool to each individual pool address; the final
! line translates everything from the LAN.
! NOTE(review): LAN-to-VPN-client traffic (source 192.168.1.0/24,
! destination 192.168.54.0/24) is not denied here and would be
! translated on its way to the tunnel; the usual NAT-exemption entry is
! "deny ip 192.168.1.0 0.0.0.255 192.168.54.0 0.0.0.255". Verify that
! VPN clients can actually reach LAN hosts before relying on this.
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.1
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.2
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.3
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.4
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.5
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.6
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.7
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.8
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.9
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.10
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.11
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.12
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.13
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.14
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.15
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.16
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.17
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.18
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.19
access-list 102 deny ip 192.168.54.0 0.0.0.255 host 192.168.54.20
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
! CDP disabled (no neighbor/platform disclosure on any link).
no cdp run
!
! Route-map feeding the NAT statement; matches ACL 102.
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
control-plane
!
! Pre-authentication login banner; it discloses a site name to anyone
! who reaches a login prompt.
banner login ^CWelcome to Shortess!^C
!
! Console and AUX: authenticate via the local_authen list, no modem on
! the console, outbound sessions limited to telnet.
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
! vty 0-4: access-class 100 permits any source, so both Telnet
! (cleartext) and SSH are accepted from the WAN. Idle timeout is 120
! minutes; "length 0" disables output paging (needed for scripted/SDM
! sessions); exec authorization and login use the local lists.
! NOTE(review): prefer "transport input ssh" alone and point the
! access-class at a restrictive ACL (ACL 1, which matches the LAN, is
! currently unused) so remote management is not open to every address.
line vty 0 4
access-class 100 in
exec-timeout 120 0
authorization exec local_author
login authentication local_authen
length 0
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
end