Solved

Cisco SDM

Posted on 2008-10-03
Last Modified: 2009-07-29
I have a question about the Security Device Manager (SDM). I have a remote router with a private IP address and I need to configure a VPN connection from my site (the central site) to the remote router site. How am I going to connect to the remote router through my DSL so that I can use SDM to configure the router? If I specify the private IP address of the remote router to connect in SDM, it will not work as it goes through my ISP and I am sure that they are using NAT/PAT. Is there a workaround? Or do I need to have that router shipped to me so I can configure it locally with SDM? Thanks

PS. I looked at the FAQs on the Cisco site and it did not say anything about my issue.
Question by:netdoc01
8 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 22634488
You can ask your provider to [temporarily] assign you a static NAT IP address to use to reach that device.

If that's not possible, ask them if they can identify the IP address assigned to that unit.  They may need to know the router's MAC address.

Absent those two options, you would need to be local to the device for configuration.
0
 
LVL 10

Expert Comment

by:kyleb84
ID: 22634663
If that isn't possible, you could always give this a shot:

Some business grade internet connections will give you a username based DNS name, like if my username for my ISP was somecompany@myisp.com, they might give you a DNS like somecompany.dsl.myisp.com

If you're with the same ISP as the remote site, get your public IP, download nmap, and do this command:

nmap -sP [your pub IP]

nmap will display your DNS name, and if your username is a part of it, just replace it with the username the other site uses.

Good luck.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22637063
Usually when configuring a router remotely the command line is used by connecting with SSH.
The SDM is a very clunky tool that by my standards is garbage.
I don't know how we got into a discussion about ISP DNS because it has nothing to do with the question.
You said your ISP uses NAT - what do you have to support this? Are you provided with a private address on the outside interface of the router instead of a public one?
Cheers! I look forward to helping!
0

 

Expert Comment

by:dehmerl
ID: 22640996
You can do a

show ip interface brief

This will give you a list of all your interfaces and the IP address (if any) that they have. You may be able to sort out from the IP address if it is a public or private one.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22641420
Assuming that your ISP is NOT using NAT, one option is to enable the http secure-server on the outside interface of the router. In this situation, you would be able to open the SDM securely (using SSL) from across the internet. While this is generally not recommended, it can be done. Just make sure you create (or add) an ACL rule to restrict traffic to the SDM to the IP address at your location so nobody can brute force your router through the SDM.
You need these commands:
ip http secure-server
no ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 149 permit tcp host <PUBLIC IP YOU WILL BE CONNECTING FROM> host <PUBLIC IP YOU WILL BE CONNECTING TO> eq https
interface <OUTSIDE INTERFACE GOES HERE>
ip access-group 149 in

This will allow you to connect to the router securely with SSL which is encrypted over the internet. This means you must access the SDM with https:// in your web browser OR check the Use HTTPS? option in the SDM launcher.
If this doesn't work, post the config and your IP addresses.
Cheers!

0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22641432
Oops - replace
no ip http server
above with
no ip http server enable
Cheers!
0
 

Author Comment

by:netdoc01
ID: 22641896
Thanks for all your inputs. This is the situation.

My PC w/ SDM <-> My router (non Cisco)<->DSL cable<->My provider<-->Internet<->remote provider<->Cisco router (configure with PPPoE no VPN yet).

My router IP address is a public DHCP IP address (70.17.166.77) and my gateway is a private IP address (10.x.x.x) coming from the ISP. The remote site cannot ping my public IP address. In order to use my SDM to connect to the remote Cisco router, do I need to order a public IP address for my router and the remote Cisco router so that I can have a connection? My guess is yes.

PS. most of the people don't like SDM but I want to test it myself.
0
 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 500 total points
ID: 22642139
You will need a static public address for the router you want to connect to. The access-list can be modified to allow a connection from anywhere even though it's less secure, but if it needs to be done, then it needs to be done.
Does that make sense?
Also, please post a config of the remote router if possible so I can make sure your commands are right.
BTW about the SDM... I think you'll abandon it soon after seeing it... it doesn't do what it's supposed to all the time, it adds bunches of lines to your config, it messes stuff up, and frankly it just plain sucks. I hate it. It's never caused me anything but trouble. I think it's the only GUI tool I've ever used that's actually harder to get things accomplished with than a command line.
Cheers! Let me know!
0
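
The source restriction discussed in the comments above (one permitted host versus "from anywhere") can be checked mechanically before a config is pushed to a router that exposes HTTPS management. This is an added example, not code from any poster: the sample configurations are constructed, using documentation addresses and a hypothetical Dialer0 interface, and `audit_https_mgmt` is an illustrative name.

```python
import re

# Constructed sample configs (documentation addresses, hypothetical interface name).
RESTRICTED = """\
ip http secure-server
no ip http server
ip http authentication local
access-list 149 permit tcp host 203.0.113.10 host 198.51.100.20 eq 443
interface Dialer0
 ip access-group 149 in
"""
# Same config with the source widened to "any", as the accepted answer warns about.
OPEN = RESTRICTED.replace("host 203.0.113.10", "any")

def audit_https_mgmt(config):
    """Return findings about HTTPS management exposure in an IOS-style config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "ip http secure-server" not in lines:
        findings.append("HTTPS server not enabled")
    if "ip http server" in lines or "no ip http server" not in lines:
        findings.append("plain HTTP server not explicitly disabled")
    if "ip http authentication local" not in lines:
        findings.append("HTTP authentication is not set to local")
    # Numbered ACLs applied inbound on any interface.
    applied = {m.group(1) for l in lines
               if (m := re.fullmatch(r"ip access-group (\d+) in", l))}
    if not applied:
        findings.append("no inbound ACL applied to an interface")
    # permit tcp <source> <destination> eq 443|https, source captured in group 2.
    rule = re.compile(r"access-list (\d+) permit tcp (any|host \S+|\S+ \S+) "
                      r"(?:any|host \S+|\S+ \S+) eq (?:443|https)$")
    https_rules = [m for l in lines
                   if (m := rule.match(l)) and m.group(1) in applied]
    if applied and not https_rules:
        findings.append("applied ACL has no rule permitting HTTPS management")
    for m in https_rules:
        if m.group(2) == "any":
            findings.append(f"ACL {m.group(1)} permits HTTPS from any source")
    return findings
```

An inbound ACL holding only this one permit also drops every other inbound packet on that interface through the implicit deny, so review it against the traffic the interface already carries.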


Question has a verified solution.
