• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1498

How to properly configure Cisco 2811 router for internal access via SDM or SSH

How do I configure a router for internal access correctly using SDM or SSH? Here is the config. I can access it externally; however, how would I assign an internal address to the open interface and connect it to the switch? I have seen the suggestion of a VLAN interface. Any help is appreciated.

Using 1770 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname blah2811
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.124-8a.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5 XXXXX
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip domain name blah.com
!
!
!
!
username barf password 7 XXX
!
!
!
!
!
interface Multilink1
 ip address 144.223.15.58 255.255.255.252
 ip access-group 100 in
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 62.183.246.130 255.255.255.192
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description PL518525-001
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0
 description PL518525-002
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
ip route 0.0.0.0 0.0.0.0  144.223.15.58
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit tcp any host 62.183.246.130 eq telnet
access-list 100 deny   ip any host 62.183.246.130
access-list 100 permit ip any any
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end
0
Asked by: jbuddy
1 Solution
 
harbor235 Commented:

Looks like you almost have it; you have the following:

no ip http server
ip http access-class 23
ip http authentication local

Should be

ip http server   (you had no ip http server)
ip http access-class 23   (this references the source address where you can connect from)
ip http authentication local  (user accounts must be defined in IOS or locally on the router)
access-list 23 permit 10.10.10.0 0.0.0.7  (this means you can connect from network 10.10.10.0 255.255.255.248)

You need an interface connected to your backend (RFC 1918 space) here; it could be in the same network 10.10.10.0 255.255.255.248
or it can be in a different network and the packets are routed to the inside interface.


harbor235 ;}
0
 
jbuddy (Author) Commented:
Thanks, almost there

So what command should I run to enable these?

Thanks again
0
 
jbuddy (Author) Commented:
Also, by "interface", should I connect a cable to the interface FastEthernet0/1 and assign it an internal IP?
0
 
harbor235 Commented:

What does your internal (inside) network look like? Where are you going to launch an HTTP session from?

harbor235 :]
0
 
harbor235 Commented:

Yes, I would attach a cable to f0/1 and assign it an IP in the network 10.10.10.0 255.255.255.248 if you can.

harbor235 ;}
0
 
Pugglewuggle Commented:
Nobody mentioned the SSH setup though...
The commands for SSH setup involve this (assuming you're using the same clients to connect as in access-list 23 from above):
! Generate the RSA key pair SSH needs; this requires a hostname and 'ip domain name', both already present in the config above
crypto key generate rsa general-keys modulus 1024
! Apply the same source restriction to every vty line and allow SSH alongside telnet
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
end

Cheers!
0
 
jbuddy (Author) Commented:
Hi Everyone,

Thanks for the info. I got everything completed on Friday. I am just wondering about the security implications now. The inside interface has an IP on the internal network and I can start an SSH session internally. I unplugged it just because I was not sure, if the router was compromised, whether someone could then get into the internal network bypassing the firewalls.
0
 
Pugglewuggle Commented:
No, that's not the case. SSH is terminated on whatever interface it comes in on and there's no way for it to go past the router unless you have it forwarded (which you don't). SSH is very secure.
Cheers!
0
 
harbor235 Commented:
jbuddy,

Remember you are using an access-list (like access-list 23) to restrict the traffic that is allowed to connect to your device via SSH, HTTP, or HTTPS, whatever the connection method. Also, you have additional control
in the case you state, if your inside network gets compromised, to require a username and password to gain access to the router. This further enhances security; hopefully you do not have one username and password for the entire network (not secure). I would also restrict traffic from any outside source from connecting to my router directly (create an access-list that denies traffic directly to the router IPs, enforce it on the outside interface; this is a good place for anti-spoofing as well); the only IP(s) that can connect are inside IP(s) (perhaps one trusted inside host, no need to make it an entire network unless you have to).

Also remember, this is a router, so this device will forward all traffic to its proper destination as long as it's in its routing table and it is not told to filter it.

So while no security posture eliminates the risk, it can drastically reduce the risk; there are more things you can do, hopefully this will get you started.

harbor235 ;}
0
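An added audit script (not from the thread or any poster) that checks a running-config for the points harbor235 and Pugglewuggle raise above: whether the HTTP server is on and guarded by an access-class, whether any vty line still accepts telnet or lacks an access-class, and whether an ACL entry lets anyone telnet to a router address. It assumes the config is in the plain text form posted in the question; SAMPLE_CONFIG is a trimmed copy of that config.

```python
# Audit a Cisco IOS running-config for the management-access points raised in this
# thread. Added example, not code from the thread; SAMPLE_CONFIG is trimmed from the
# config posted in the question.
import re

SAMPLE_CONFIG = """\
no ip http server
ip http access-class 23
access-list 100 permit tcp any host 62.183.246.130 eq telnet
access-list 100 deny   ip any host 62.183.246.130
line vty 0 4
 privilege level 15
 transport input telnet
line vty 5 15
 access-class 23 in
 transport input telnet
"""

def parse_sections(text):
    # Group each indented line under the unindented command that introduced it.
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def audit(text):
    """Return human-readable findings; an empty list means no check fired."""
    sections, findings = parse_sections(text), []
    top = {head for head, _ in sections}
    if "ip http server" not in top and "ip http secure-server" not in top:
        findings.append("http: server disabled, so SDM cannot connect")
    elif not any(h.startswith("ip http access-class") for h in top):
        findings.append("http: server enabled with no access-class")
    for head, body in sections:
        if head.startswith("line vty"):
            inputs = [w for b in body if b.startswith("transport input") for w in b.split()[2:]]
            if "telnet" in inputs:
                findings.append(f"{head}: accepts cleartext telnet")
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"{head}: no access-class limiting source addresses")
        # Flag telnet permitted to a router address from any source, wherever the ACL is applied
        m = re.match(r"access-list (\S+) permit tcp any host (\S+) eq telnet", head)
        if m:
            findings.append(f"acl {m.group(1)}: telnet from any to {m.group(2)}")
    return findings
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config`; the posted config yields five findings, and a config with the HTTP server on, an access-class, and `transport input ssh` on every vty line yields none.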
 
Pugglewuggle Commented:
All good points for sure. :)
Let us know if you need more info.
Cheers!
0
 
jbuddy (Author) Commented:
Thanks for the help; however, placing that IP on the other interface actually caused all kinds of problems with the network. I came into work this morning and systems were having issues connecting, so I unplugged that interface and everything was fine. Still diagnosing, but I will not place it on the network anytime soon. Is there another method you would recommend?

Thanks
0
 
harbor235 Commented:

What IP did you add? How do the systems route outbound now? The IP you add should not overlap any other IPs assigned for gateway devices. You need to provide additional information about your internal network configuration.

harbor235 ;}
0
 
Pugglewuggle Commented:
Interesting... can you please post your new config so I can take a look?
0
 
jbuddy (Author) Commented:
blah
0
