Solved

How to properly configure Cisco 2811 router for internal access via SDM or SSH

Posted on 2008-10-10
Last Modified: 2012-06-22
How do I configure a router for internal access correctly using SDM or SSH? Here is the config. I can access it externally; however, would I assign an internal address to the open interface and connect it to the switch? I have seen the suggestion of a VLAN interface. Any help is appreciated.

Using 1770 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname blah2811
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.124-8a.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5 XXXXX
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip domain name blah.com
!
!
!
!
username barf password 7 XXX
!
!
!
!
!
interface Multilink1
 ip address 144.223.15.58 255.255.255.252
 ip access-group 100 in
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 62.183.246.130 255.255.255.192
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description PL518525-001
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0
 description PL518525-002
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
ip route 0.0.0.0 0.0.0.0  144.223.15.58
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit tcp any host 62.183.246.130 eq telnet
access-list 100 deny   ip any host 62.183.246.130
access-list 100 permit ip any any
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end
Question by: jbuddy

14 Comments

Expert Comment by harbor235 (LVL 32)

Looks like you almost have it. You have the following:

no ip http server
ip http access-class 23
ip http authentication local

Should be

ip http server   (you had no ip http server)
ip http access-class 23   (this references the source addresses you can connect from)
ip http authentication local  (user accounts must be defined in IOS, i.e. locally on the router)
access-list 23 permit 10.10.10.0 0.0.0.7  (this means you can connect from network 10.10.10.0 255.255.255.248)

You need an interface connected to your backend (RFC 1918 space) here. It could be in the same network, 10.10.10.0 255.255.255.248, or it can be in a different network and the packets are routed to the inside interface.


harbor235 ;}

Author Comment by jbuddy

Thanks, almost there

So what command should I run to enable these?

Thanks again

Author Comment by jbuddy

Also by interface should I connect a cable to the interface FastEthernet0/1 and assign it to an internal ip?

Expert Comment by harbor235 (LVL 32)

What does your internal (inside) network look like? Where are you going to launch an HTTP session from?

harbor235 :]

Expert Comment by harbor235 (LVL 32)

Yes, I would attach a cable to f0/1 and assign it an IP in the network 10.10.10.0 255.255.255.248 if you can.

harbor235 ;}

Accepted Solution by Pugglewuggle (LVL 12, earned 500 total points)

Nobody mentioned the SSH setup though...
The commands for SSH setup involve this (assuming you're using the same clients to connect as in access-list 23 from above):

! generate the RSA key pair SSH needs (hostname and ip domain name are already set)
crypto key generate rsa general-keys modulus 1024
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
end

Cheers!
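Pulling the two suggestions above together, here is the management configuration I would apply to this 2811. It is an added example, not a configuration either poster supplied. It puts the inside interface on FastEthernet0/1 in the 10.10.10.0/29 network that ACL 23 already trusts, serves SDM over HTTPS rather than the cleartext HTTP server, and allows SSHv2 only on all sixteen VTYs (the posted config left vty 0 4 without an access-class and every VTY on telnet). The inside address 10.10.10.1, the key label SSH-KEY and the timers are my assumptions; check that the address is not already held by a gateway or firewall before bringing the interface up.

```cisco
! --- Inside (management) interface -------------------------------------
! FastEthernet0/1 joins the 10.10.10.0/29 network that ACL 23 already trusts.
! 10.10.10.1 is an ASSUMED address: confirm nothing else (a firewall, the
! hosts' default gateway) already holds it before "no shutdown".
interface FastEthernet0/1
 description INSIDE-MGMT
 ip address 10.10.10.1 255.255.255.248
 no shutdown
!
! --- SSH server ---------------------------------------------------------
! hostname and "ip domain name" are already set; the RSA key needs both.
! 2048-bit key rather than 1024; a labelled key (label is assumed) can be
! rotated with "crypto key zeroize rsa SSH-KEY" without touching other keys.
crypto key generate rsa general-keys label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! --- SDM over HTTPS only -----------------------------------------------
! Cleartext HTTP stays off; SDM works over HTTPS, so the local username and
! password never cross the wire unencrypted. access-class 23 limits sources.
no ip http server
ip http secure-server
ip http access-class 23
ip http authentication local
!
! --- Who may manage the router -----------------------------------------
access-list 23 remark management hosts on the inside /29
access-list 23 permit 10.10.10.0 0.0.0.7
!
! --- VTY lines: SSH only, every line filtered --------------------------
! One stanza for vty 0 15 so no line is left without an access-class;
! "transport input ssh" drops telnet entirely once SSH is confirmed working.
line vty 0 15
 access-class 23 in
 exec-timeout 10 0
 login local
 transport input ssh
!
! Slow down password guessing against the local account.
login block-for 120 attempts 3 within 60
```

Test the SSH login from a host in 10.10.10.0/29 before removing telnet from the VTYs, and keep the console session open while you do it; if the key generation or the access-class is wrong you can still fix it from `line con 0`.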

Author Comment by jbuddy

Hi Everyone,

Thanks for the info. I got everything completed on Friday. I am just wondering about the security implications now. The inside interface has an IP on the internal network and I can start an SSH session internally. I unplugged it just because I was not sure, if the router was compromised, whether someone could then get into the internal network, bypassing the firewalls.

Expert Comment by Pugglewuggle (LVL 12)

No, that's not the case. SSH is terminated on whatever interface it comes in on and there's no way for it to go past the router unless you have it forwarded (which you don't). SSH is very secure.
Cheers!

Expert Comment by harbor235 (LVL 32)

jbuddy,

Remember you are using an access-list (like access-list 23) to restrict the traffic that is allowed to connect to your device via SSH, HTTP, or HTTPS, whatever the connection method. Also, you have additional control in the case you state: if your inside network gets compromised, a username and password are still required to gain access to the router. This further enhances security; hopefully you do not have one username and password for the entire network (not secure). I would also restrict traffic from any outside source from connecting to my router directly (create an access-list that denies traffic directly to the router IPs and enforce it on the outside interface; this is a good place for anti-spoofing as well). The only IP(s) that can connect are inside IP(s) (perhaps one trusted inside host; no need to make it an entire network unless you have to).

Also remember, this is a router, so this device will forward all traffic to its proper destination as long as it is in its routing table and it is not told to filter it.

So while no security posture eliminates the risk, it can drastically reduce the risk. There are more things you can do; hopefully this will get you started.

harbor235 ;}
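To make the last point concrete, here is an added example (not from anyone in the thread) of an inbound ACL for Multilink1 that replaces ACL 100. The posted ACL 100 lets any Internet host open telnet to the router's own FastEthernet0/0 address and checks nothing else; the replacement denies spoofed sources, denies everything addressed to the router's two public addresses, and forwards the rest to the hosts and firewalls behind it. ACL number 101 is my choice so the swap is atomic; the `log` keywords and the decision to block even ICMP to the router are assumptions you may relax (for example, permit echo from the provider's peer address if you need to troubleshoot the link). The ACL is stateless, so if the router itself originates traffic to the Internet (NTP, DNS, remote syslog), replies to those sessions need explicit permits ahead of the two deny lines.

```cisco
! --- What is on the box today (weak) -----------------------------------
! Any Internet host may open telnet to the router's LAN-side address;
! nothing else addressed to the router is filtered, and spoofed sources
! are not checked at all.
!   access-list 100 permit tcp any host 62.183.246.130 eq telnet
!   access-list 100 deny   ip any host 62.183.246.130
!   access-list 100 permit ip any any
!
! --- Replacement, built as 101 so the swap below is atomic --------------
! ("no access-list 100" while it is still applied to the interface leaves
! the interface unfiltered until the list is rebuilt.)
!
! Anti-spoofing: a packet arriving from the provider must not carry one
! of our own prefixes (62.183.246.128/26, 144.223.15.56/30), RFC 1918
! space, loopback, or an unspecified source.
access-list 101 remark --- anti-spoofing on the Internet side ---
access-list 101 deny   ip 62.183.246.128 0.0.0.63 any log
access-list 101 deny   ip 144.223.15.56 0.0.0.3 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
!
! Nothing from outside terminates on the router itself (telnet, SSH,
! HTTP/HTTPS, SNMP); management is reachable only through the inside
! interface. Replies to sessions the router originates (NTP, DNS, remote
! syslog) would need explicit permits placed ABOVE these two lines.
access-list 101 remark --- no direct access to the router ---
access-list 101 deny   ip any host 144.223.15.58 log
access-list 101 deny   ip any host 62.183.246.130 log
!
! Transit traffic to the hosts and firewalls behind FastEthernet0/0 is
! still forwarded; this router is not their firewall.
access-list 101 permit ip any any
!
! Swap the lists on the outside interface, then retire the old one.
interface Multilink1
 ip access-group 101 in
!
no access-list 100
```

Watch `show access-lists 101` for a while after applying it: hits on the anti-spoofing lines are expected noise from the Internet, but hits on the two router-address lines tell you who is probing the box directly, which is exactly the traffic the old ACL 100 let through to telnet.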

Expert Comment by Pugglewuggle (LVL 12)

All good points for sure. :)
Let us know if you need more info.
Cheers!

Author Comment by jbuddy

Thanks for the help; however, placing that IP on the other interface actually caused all kinds of problems with the network. I came into work this morning and systems were having issues connecting, so I unplugged that interface and everything was fine. Still diagnosing, but I will not place it on the network anytime soon. Is there another method you would recommend?

Thanks

Expert Comment by harbor235 (LVL 32)

What IP did you add? How do the systems route outbound now? The IP you add should not overlap any other IPs assigned to gateway devices. You need to provide additional information about your internal network configuration.

harbor235 ;}

Expert Comment by Pugglewuggle (LVL 12)

Interesting... can you please post your new config so I can take a look?

Author Closing Comment by jbuddy

blah