Solved

How to properly configure Cisco 2811 router for internal access via SDM or SSH

Posted on 2008-10-10
Last Modified: 2012-06-22
How do I configure a router for internal access correctly using SDM or SSH? Here is the config. I can access it externally; however, would I assign an internal address to the open interface and connect it to the switch? I have seen the suggestion of a VLAN interface. Any help is appreciated.

Using 1770 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname blah2811
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.124-8a.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5 XXXXX
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip domain name blah.com
!
!
!
!
username barf password 7 XXX
!
!
!
!
!
interface Multilink1
 ip address 144.223.15.58 255.255.255.252
 ip access-group 100 in
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 62.183.246.130 255.255.255.192
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description PL518525-001
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0
 description PL518525-002
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
ip route 0.0.0.0 0.0.0.0  144.223.15.58
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit tcp any host 62.183.246.130 eq telnet
access-list 100 deny   ip any host 62.183.246.130
access-list 100 permit ip any any
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end
Question by:jbuddy

14 Comments
LVL 32

Expert Comment

by:harbor235
ID: 22689534


Looks like you almost have it; you have the following:

no ip http server
ip http access-class 23
ip http authentication local

Should be

ip http server   (you had no ip http server)
ip http access-class 23   (this references the source address where you can connect from)
ip http authentication local  (user accounts must be defined in IOS or locally on the router)
access-list 23 permit 10.10.10.0 0.0.0.7  (this means you can connect from network 10.10.10.0 255.255.255.248)

You need an interface connected to your backend (RFC 1918 space) here; it could be in the same network 10.10.10.0 255.255.255.248, or it can be in a different network and the packets are routed to the inside interface.


harbor235 ;}
 

Author Comment

by:jbuddy
ID: 22689741
Thanks, almost there

So what command should I run to enable these?

Thanks again
 

Author Comment

by:jbuddy
ID: 22691080
Also, by interface, should I connect a cable to the interface FastEthernet0/1 and assign it an internal IP?
 
LVL 32

Expert Comment

by:harbor235
ID: 22691470

What does your internal (inside) network look like? Where are you going to launch an HTTP session from?

harbor235 :]
 
LVL 32

Expert Comment

by:harbor235
ID: 22692544

Yes, I would attach a cable to f0/1 and assign it an IP in the network 10.10.10.0 255.255.255.248 if you can.

harbor235 ;}
 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 500 total points
ID: 22693094
Nobody mentioned the SSH setup though...
The commands for SSH setup involve this (assuming you're using the same clients to connect as in access-list 23 from above):
crypto key generate rsa general mod 1024
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
end

Cheers!
 

Author Comment

by:jbuddy
ID: 22703667
Hi Everyone,

Thanks for the info. I got everything completed on Friday. I am just wondering about the security implications now. The inside interface has an IP on the internal network and I can start an SSH session internally. I unplugged it just because I was not sure, if the router was compromised, whether someone could then get into the internal network bypassing the firewalls.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22703810
No, that's not the case. SSH is terminated on whatever interface it comes in on and there's no way for it to go past the router unless you have it forwarded (which you don't). SSH is very secure.
Cheers!
 
LVL 32

Expert Comment

by:harbor235
ID: 22704011
jbuddy,

Remember you are using an access-list (like access-list 23) to restrict the traffic that is allowed to connect to your device via SSH, HTTP, or HTTPS, whatever the connection method. Also, you have additional control in the case you state, if your inside network gets compromised, by requiring a username and password to gain access to the router. This further enhances security; hopefully you do not have one username and password for the entire network (not secure). I would also restrict traffic from any outside source from connecting to my router directly (create an access-list that denies traffic directly to the router IPs, enforced on the outside interface; this is a good place for anti-spoofing as well), so the only IP(s) that can connect are inside IP(s) (perhaps one trusted inside host; no need to make it an entire network unless you have to).

Also remember, this is a router, so this device will forward all traffic to its proper destination as long as it's in its routing table and it is not told to filter it.

So while no security posture eliminates the risk, it can drastically reduce the risk. There are more things you can do; hopefully this will get you started.

harbor235 ;}
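A configuration audit that ties together Pugglewuggle's SSH/access-class commands and harbor235's point about restricting which sources may reach the router, as an added example that is not from either poster: a short Python script that parses an IOS running-config, reports whether SDM (HTTP) can connect at all, whether each vty line has an access-class and permits SSH rather than cleartext telnet, and whether the WAN access-list lets any source telnet to a router address. It runs here against a constructed sample reduced from the config in the question; the finding strings are my own.

```python
import re

# Constructed sample, reduced from the running-config posted in the question to the
# lines that matter for remote management: HTTP/SDM, the vty lines and the access-lists.
SAMPLE_CONFIG = """\
no ip http server
ip http access-class 23
no ip http secure-server
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit tcp any host 62.183.246.130 eq telnet
line vty 0 4
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 login local
 transport input telnet
"""

def vty_blocks(config):
    """Map each 'line vty X Y' header to the indented sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the vty block
    return blocks

def audit(config):
    """Return findings about how the router can be managed and from where."""
    findings = []
    top = {line.strip() for line in config.splitlines() if not line.startswith(" ")}
    if "ip http server" not in top and "ip http secure-server" not in top:
        findings.append("HTTP/HTTPS server disabled: SDM cannot connect")
    for name, cmds in vty_blocks(config).items():
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class, reachable from any source")
        transport = next((c for c in cmds if c.startswith("transport input")), "")
        if "ssh" not in transport.split():
            findings.append(f"{name}: SSH not permitted ({transport or 'no transport input'})")
        if "telnet" in transport.split():
            findings.append(f"{name}: cleartext telnet permitted")
    # an ACL that lets any source telnet to a router address (applied inbound on the WAN side)
    for acl in re.findall(r"^access-list \d+ permit tcp any host \S+ eq telnet$", config, re.M):
        findings.append(f"WAN ACL permits telnet from any source: {acl}")
    return findings
```

Against the sample it reports seven findings; after enabling `ip http server`, adding `access-class 23 in` to `line vty 0 4`, switching both vty ranges to `transport input ssh` and dropping the telnet permit from access-list 100, it reports none.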
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22708707
All good points for sure. :)
Let us know if you need more info.
Cheers!
 

Author Comment

by:jbuddy
ID: 22713482
Thanks for the help; however, placing that IP on the other interface actually caused all kinds of problems with the network. Came into work this morning and systems were having issues connecting, so I unplugged that interface and everything was fine. Still diagnosing, but will not place it on the network anytime soon. Is there another method you would recommend?

Thanks
 
LVL 32

Expert Comment

by:harbor235
ID: 22713624


What IP did you add? How do the systems route outbound now? The IP you add should not overlap any other IPs assigned for gateway devices. You need to provide additional information about your internal network configuration.

harbor235 ;}
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22713650
Interesting... can you please post your new config so I can take a look?
 

Author Closing Comment

by:jbuddy
ID: 31505135
blah
