Solved

How to properly configure Cisco 2811 router for internal access via SDM or SSH

Posted on 2008-10-10
1,492 Views
Last Modified: 2012-06-22
How do I configure a router for internal access correctly using SDM or SSH? Here is the config. I can access externally; however, how would I assign an internal address to the open interface and connect it to the switch? I have seen the suggestion of a vlan interface. Any help is appreciated.

Using 1770 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname blah2811
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.124-8a.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5 XXXXX
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip domain name blah.com
!
!
!
!
username barf password 7 XXX
!
!
!
!
!
interface Multilink1
 ip address 144.223.15.58 255.255.255.252
 ip access-group 100 in
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 62.183.246.130 255.255.255.192
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description PL518525-001
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0
 description PL518525-002
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
ip route 0.0.0.0 0.0.0.0  144.223.15.58
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit tcp any host 62.183.246.130 eq telnet
access-list 100 deny   ip any host 62.183.246.130
access-list 100 permit ip any any
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end
Question by:jbuddy
14 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22689534


Looks like you almost have it. You have the following:

no ip http server
ip http access-class 23
ip http authentication local

Should be

ip http server   (you had no ip http server)
ip http access-class 23   (this references the source address where you can connect from)
ip http authentication local  (user accounts must be defined in IOS or locally on the router)
access-list 23 permit 10.10.10.0 0.0.0.7  (this means you can connect from network 10.10.10.0 255.255.255.248)

You need an interface connected to your backend (RFC 1918 space) here. It could be in the same network 10.10.10.0 255.255.255.248, or it can be in a different network and the packets are routed to the inside interface.


harbor235 ;}
0
 

Author Comment

by:jbuddy
ID: 22689741
Thanks, almost there

So what command should I run to enable these?

Thanks again
0
 

Author Comment

by:jbuddy
ID: 22691080
Also by interface should I connect a cable to the interface FastEthernet0/1 and assign it to an internal ip?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22691470

What does your internal (inside) network look like? Where are you going to launch an http session from?

harbor235 :]
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22692544

Yes, I would attach a cable to f0/1 and assign it an IP in the network 10.10.10.0 255.255.255.248 if you can.

harbor235 ;}
0
 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 1500 total points
ID: 22693094
Nobody mentioned the SSH setup though...
The commands for SSH setup involve this (assuming you're using the same clients to connect as in access-list 23 from above)
crypto key generate rsa general mod 1024
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
end

Cheers!
0
 

Author Comment

by:jbuddy
ID: 22703667
Hi Everyone,

Thanks for the info. I got everything completed on Friday. I am just wondering about the security implications now. The inside interface has an IP on the internal network and I can start an SSH session internally. I unplugged it just because I was not sure, if the router was compromised, whether someone could then get into the internal network, bypassing the firewalls.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22703810
No, that's not the case. SSH is terminated on whatever interface it comes in on and there's no way for it to go past the router unless you have it forwarded (which you don't). SSH is very secure.
Cheers!
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22704011
jbuddy,

Remember you are using an access-list (like access-list 23) to restrict the traffic that is allowed to connect to your device via ssh, http, or https, whatever the connection method. Also, you have additional control in the case you state, if your inside network gets compromised, by requiring a username and password to gain access to the router. This further enhances security; hopefully you do not have one username and password for the entire network (not secure). I would also restrict traffic from any outside source from connecting to my router directly (create an access-list that denies traffic directly to the router IPs and enforce it on the outside interface; this is a good place for anti-spoofing as well). The only IP(s) that can connect are inside IP(s) (perhaps one trusted inside host; no need to make it an entire network unless you have to).

Also remember, this is a router, so this device will forward all traffic to its proper destination as long as it is in its routing table and it is not told to filter it.

So while no security posture eliminates the risk, it can drastically reduce the risk. There are more things you can do; hopefully this will get you started.

harbor235 ;}
0
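The advice in the accepted solution and in harbor235's reply boils down to a few checkable properties of the management plane: every vty line should carry an access-class, telnet should give way to ssh, and an enabled http server should also be bound to an access-class. The script below is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the posted config (with the accepted solution's transport change applied) and reports which of those properties still fail. The stanza parser, the SAMPLE_CONFIG text and the finding messages are all assumptions of this example.

```python
"""Management-plane lint for an IOS running-config (added example)."""
import re

# Constructed excerpt mirroring the question's config after the accepted answer:
# vty 0 4 still has no access-class and both ranges still accept telnet.
SAMPLE_CONFIG = """\
ip http server
ip http access-class 23
access-list 23 permit 10.10.10.0 0.0.0.7
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
"""

def parse_vty_lines(config):
    """Return {'vty 0 4': {'access-class': None, 'transport': ['telnet']}, ...}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line "):]
            stanzas[current] = {"access-class": None, "transport": []}
        elif raw.startswith(" ") and current:
            m = re.match(r"\s+access-class (\S+) in", raw)
            if m:
                stanzas[current]["access-class"] = m.group(1)
            m = re.match(r"\s+transport input (.+)", raw)
            if m:
                stanzas[current]["transport"] = m.group(1).split()
        else:
            current = None  # any non-indented line ends the current stanza
    return stanzas

def audit(config):
    """List the management-plane gaps discussed in the thread, in config order."""
    findings = []
    for name, s in parse_vty_lines(config).items():
        if "telnet" in s["transport"]:
            findings.append(f"{name}: telnet allowed (cleartext); use 'transport input ssh'")
        if s["access-class"] is None:
            findings.append(f"{name}: no access-class; reachable from any source address")
    http_on = re.search(r"^ip http server$", config, re.M)
    if http_on and not re.search(r"^ip http access-class \S+", config, re.M):
        findings.append("http server enabled without an access-class")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Running it against the excerpt reports three gaps (telnet on both vty ranges, no access-class on vty 0 4) and nothing for http, because access-class 23 is already applied there.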
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22708707
All good points for sure. :)
Let us know if you need more info.
Cheers!
0
 

Author Comment

by:jbuddy
ID: 22713482
Thanks for the help, however placing that ip on the other interface actually caused all kinds of problems with the network. Came into work this morning and systems were having issues connecting so unplugged that interface and everything was fine. Still diagnosing but will not place on network anytime soon.  Is there another method you would recommend?

Thanks
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22713624


What IP did you add? How do the systems route outbound now? The IP you add should not overlap any other IPs assigned to gateway devices. You need to provide additional information about your internal network configuration.

harbor235 ;}
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22713650
Interesting... can you please post your new config so I can take a look?
0
 

Author Closing Comment

by:jbuddy
ID: 31505135
blah
0
