Solved

I cannot PING or TELNET into my cisco routers from the internet

Posted on 2008-10-19
15
514 Views
Last Modified: 2010-04-21
Hi there, I am a newbie to Cisco equipment. I have got a basic handle on how they work, but I have a problem with a few of them: I cannot ping or telnet into some of them from the internet. I need to have this enabled for another program to function correctly.
I also need to be able to VPN out from within the network.

They all had the same configuration file entered onto them, but they are not all working the same (very strange, I know).
Is there a series of commands I can enter from the config interface that will allow me to enable these features?

Many Thanks

Jolian
0
Question by:jolianharrison
15 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22752112
Hello jolianharrison,  
      Can you post the sanitized config? I am assuming you have already entered transport input telnet but you did not permit telnet in inbound ACL.

Regards
0
 

Author Comment

by:jolianharrison
ID: 22752807
This is the config from one of the routers that I can ping and telnet into:

Building configuration...
 
Current configuration : 6341 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname blah
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 .
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 213.140.133.43 213.140.133.42
   default-router 192.168.0.1
!
!
ip domain name blahblah.com
ip name-server 213.140.133.43
ip name-server 213.140.133.42
ip port-map user-protocol--2 port tcp 3389
ip port-map user-protocol--1 port tcp 3542
!
!
crypto pki trustpoint TP-self-signed-754785768
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-754785768
 revocation-check none
 rsakeypair TP-self-signed-754785768
!
!
crypto pki certificate chain TP-self-signed-754785768
 certificate self-signed 01
  quit
username admin privilege 15 secret 5
archive
 log config
  hidekeys
!
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname adsl@adslconnect.co.uk
 ppp chap password 0 bloomindale
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 61 interface Dialer0 61
ip nat inside source static tcp 192.168.0.2 3524 interface Dialer0 3524
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.2 5631 interface Dialer0 5631
ip nat inside source static udp 192.168.0.2 5632 interface Dialer0 5632
ip nat inside source static tcp 192.168.0.2 143 interface Dialer0 143
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.2 3542 interface Dialer0 3542
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.0.2
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.0.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.0.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.0.2
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.0.2
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.0.2
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.0.2
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and it provides the default username "cisco" for  one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to use.
 
-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

-----------------------------------------------------------------------------------------------------------------------------------------------

And this is the config from one of the machines that I cannot telnet or ping into. They are all the same series router and the ADSL provider is the same for all the routers; they have all been set up the same way, I simply changed the username and password for the ADSL connection before loading the config to each box:

Building configuration...
 
Current configuration : 9462 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname blah
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 .
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 213.140.133.43 213.140.133.42
   default-router 192.168.0.1
!
!
ip port-map user-protocol--2 port tcp 3389
ip port-map user-protocol--1 port tcp 3542
ip domain name blahblah.com
ip name-server 213.140.133.43
ip name-server 213.140.133.42
!
!
crypto pki trustpoint TP-self-signed-46823576
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-46823576
 revocation-check none
 rsakeypair TP-self-signed-46823576
!
!
crypto pki certificate chain TP-self-signed-46823576
 certificate self-signed 01
  quit
username admin privilege 15 secret 5
archive
 log config
  hidekeys
!
!
class-map type inspect match-all sdm-nat-pcanywheredata-1
 match access-group 106
 match protocol pcanywheredata
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 107
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-pcanywherestat-1
 match access-group 105
 match protocol pcanywherestat
class-map type inspect match-all sdm-nat-imap-1
 match access-group 104
 match protocol imap
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-https-1
 match access-group 103
 match protocol https
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-imap-1
  inspect
 class type inspect sdm-nat-pcanywherestat-1
  inspect
 class type inspect sdm-nat-pcanywheredata-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname adsl@adslconnect.co.uk
 ppp chap password 0 bloomindale
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 61 interface Dialer0 61
ip nat inside source static tcp 192.168.0.2 3524 interface Dialer0 3524
ip nat inside source static tcp 192.168.0.2 3542 interface Dialer0 3542
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.2 143 interface Dialer0 143
ip nat inside source static udp 192.168.0.2 5632 interface Dialer0 5632
ip nat inside source static tcp 192.168.0.2 5631 interface Dialer0 5631
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.0.2
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.0.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.0.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.0.2
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.0.2
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.0.2
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.0.2
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and it provides the default username "cisco" for  one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to use.
 
-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice


The size of the config is different on the 2 machines even though it was from the same original file; there did seem to be some variation in the way that the machines reloaded after the config went in. You have to remember that I am a real newbie with Cisco. I need to get TELNET and PING enabled on these machines to give me some breathing space, then I'm taking a course on the matter.


Jolian

0
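What separates the two configs above is the zone-based firewall block that only the second router has: the zone-pair sdm-zp-out-self applies policy-map sdm-permit, whose only class is class-default with no action, and in IOS ZBF a class with neither `pass` nor `inspect` drops, so nothing from out-zone reaches the router itself (the first router has no zone-pairs at all). As an added example, not code from the thread, here is a small Python audit that parses the ZBF statements (a constructed sample re-split from the second config, one statement per line) and flags any zone-pair into the self zone whose policy admits no traffic.

```python
"""Audit Cisco IOS zone-based-firewall config for a zone-pair that blackholes traffic to 'self'."""
import re
from typing import Dict, List

# Constructed sample: the ZBF statements of the second router config in this
# thread, re-split one statement per line. Not the full config.
SAMPLE_CONFIG = """\
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class class-default
policy-map type inspect sdm-permit
 class class-default
!
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
"""

# Actions that let traffic through a ZBF class; anything else drops.
ALLOW_ACTIONS = {"pass", "inspect"}

ZONE_PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")


def parse_policy_maps(config: str) -> Dict[str, Dict[str, str]]:
    """Return {policy_name: {class_name: action}}.

    A class with no explicit action is recorded as "drop", because that is
    ZBF's implicit behaviour (class-default included).
    """
    policies: Dict[str, Dict[str, str]] = {}
    cur_pol = cur_cls = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        tok = line.split()
        if indent == 0:                          # top-level statement
            cur_pol = cur_cls = None
            if tok[:3] == ["policy-map", "type", "inspect"]:
                cur_pol = tok[3]
                policies[cur_pol] = {}
        elif cur_pol and indent == 1 and tok[0] == "class":
            cur_cls = tok[-1]                    # "class type inspect X" or "class class-default"
            policies[cur_pol][cur_cls] = "drop"
        elif cur_pol and cur_cls and indent == 2:
            policies[cur_pol][cur_cls] = tok[0]  # pass / inspect / drop [log]
    return policies


def parse_zone_pairs(config: str) -> List[Dict[str, str]]:
    """Return one dict per zone-pair: name, source, destination, policy."""
    pairs: List[Dict[str, str]] = []
    cur = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = ZONE_PAIR_RE.match(line)
        if m:
            cur = {"name": m.group(1), "source": m.group(2),
                   "destination": m.group(3), "policy": ""}
            pairs.append(cur)
        elif cur is not None and line.startswith(" service-policy type inspect "):
            cur["policy"] = line.split()[-1]
        elif line and not line.startswith(" "):
            cur = None                           # left the zone-pair stanza
    return pairs


def find_blackholed_self_pairs(config: str) -> List[str]:
    """Zone-pairs whose destination is 'self' and whose policy neither passes
    nor inspects any class: ssh/telnet/icmp to the router itself from that
    source zone can never succeed, whatever the vty lines allow."""
    policies = parse_policy_maps(config)
    flagged = []
    for zp in parse_zone_pairs(config):
        if zp["destination"] != "self":
            continue
        actions = policies.get(zp["policy"], {}).values()
        if not any(a in ALLOW_ACTIONS for a in actions):
            flagged.append(zp["name"])
    return flagged


if __name__ == "__main__":
    for name in find_blackholed_self_pairs(SAMPLE_CONFIG):
        print(f"{name}: policy drops everything sent to the router itself")
```

Feed it `show running-config` output from a router and an empty result means every zone-pair into self passes or inspects at least one class; the fix then belongs in that policy-map, scoped to the management sources and protocols you actually need rather than `any`.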
 
LVL 3

Expert Comment

by:leonjs
ID: 22752869
By default in SDM access-list 100 is associated with Telnet/SSH; below is what you're permitting . . .


access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any

and

access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
0
 
LVL 3

Expert Comment

by:leonjs
ID: 22752872
I would modify those to ip any any if you want to telnet/ssh from any remote location, or specify your IP ranges in there if you want to do it from inside only.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22752873
Jolian,
    Can you paste the configs in a code snippet? Commands and lines are all messed up :(
0
 
LVL 3

Expert Comment

by:leonjs
ID: 22752889
To VPN out you might consider in SDM modifying your configuration to look this way; I attached a screenshot.
0
 

Author Comment

by:jolianharrison
ID: 22752897
This is the first code snippet, this is from one of the routers that I can telnet and ping into

Jolian

second one on the way
Building configuration...

Current configuration : 6341 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname axos
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 .
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 212.139.132.42 212.139.132.41
   default-router 192.168.0.1
!
!
ip domain name blahblah.com
ip name-server 212.139.132.42
ip name-server 212.139.132.41
ip port-map user-protocol--2 port tcp 3389
ip port-map user-protocol--1 port tcp 3542
!
!
crypto pki trustpoint TP-self-signed-754785768
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-754785768
 revocation-check none
 rsakeypair TP-self-signed-754785768
!
!
crypto pki certificate chain TP-self-signed-754785768
 certificate self-signed 01
  quit
username admin privilege 15 secret 5 $
archive
 log config
  hidekeys
!
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname adsl@adslconnect.co.uk
 ppp chap password 0 bloomindale
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 61 interface Dialer0 61
ip nat inside source static tcp 192.168.0.2 3524 interface Dialer0 3524
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.2 5631 interface Dialer0 5631
ip nat inside source static udp 192.168.0.2 5632 interface Dialer0 5632
ip nat inside source static tcp 192.168.0.2 143 interface Dialer0 143
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.2 3542 interface Dialer0 3542
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.0.2
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.0.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.0.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.0.2
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.0.2
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.0.2
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.0.2
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and it provides the default username "cisco" for  one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to use.
 
-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end


0

 
LVL 3

Expert Comment

by:leonjs
ID: 22752916
In case that screenshot didn't make it, here's a direct link:
http://www.focusu.com/gallery/data/bbf94b34eb32268ada57a3be5062fe7d/800_p21336.jpeg
 
0
 

Author Comment

by:jolianharrison
ID: 22752928
This is from one that I cannot PING/TELNET into
(second snippet)


Building configuration...

Current configuration : 9462 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname axos
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 .
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 212.139.132.42 212.139.132.41
   default-router 192.168.0.1
!
!
ip port-map user-protocol--2 port tcp 3389
ip port-map user-protocol--1 port tcp 3542
ip domain name barroombar.com
ip name-server 212.139.132.42
ip name-server 212.139.132.41
!
!
crypto pki trustpoint TP-self-signed-46823576
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-46823576
 revocation-check none
 rsakeypair TP-self-signed-46823576
!
!
crypto pki certificate chain TP-self-signed-46823576
 certificate self-signed 01
  quit
username admin privilege 15 secret 5 $10OvI50
archive
 log config
  hidekeys
!
!
class-map type inspect match-all sdm-nat-pcanywheredata-1
 match access-group 106
 match protocol pcanywheredata
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 107
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-pcanywherestat-1
 match access-group 105
 match protocol pcanywherestat
class-map type inspect match-all sdm-nat-imap-1
 match access-group 104
 match protocol imap
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-https-1
 match access-group 103
 match protocol https
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-imap-1
  inspect
 class type inspect sdm-nat-pcanywherestat-1
  inspect
 class type inspect sdm-nat-pcanywheredata-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname adsl@dslconnect.co.uk
 ppp chap password 0 bloomingdale
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 61 interface Dialer0 61
ip nat inside source static tcp 192.168.0.2 3524 interface Dialer0 3524
ip nat inside source static tcp 192.168.0.2 3542 interface Dialer0 3542
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.2 143 interface Dialer0 143
ip nat inside source static udp 192.168.0.2 5632 interface Dialer0 5632
ip nat inside source static tcp 192.168.0.2 5631 interface Dialer0 5631
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.0.2
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.0.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.0.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.0.2
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.0.2
access-list 106 remark SDM_ACL Category=0

access-list 106 permit ip any host 192.168.0.2 

access-list 107 remark SDM_ACL Category=0 

access-list 107 permit ip any host 192.168.0.2 dialer-list 1 protocol ip permit no cdp run !

!

!

control-plane

!

banner exec ^CC

% Password expiration warning.

-----------------------------------------------------------------------

 

Cisco Router and Security Device Manager (SDM) is installed on this device and it provides the default username "cisco" for  one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session.

 

It is strongly suggested that you create a new username with a privilege level of 15 using the following command.

 

username <myuser> privilege 15 secret 0 <mypassword>

 

Replace <myuser> and <mypassword> with the username and password you want to use.

 

-----------------------------------------------------------------------

^C

banner login ^CCAuthorized access only!

 Disconnect IMMEDIATELY if you are not an authorized user!^C !

line con 0

 login local

 no modem enable

line aux 0

line vty 0 4

 privilege level 15

 login local

 transport input telnet ssh

!

scheduler max-task-time 5000

!

webvpn context Default_context

 ssl authenticate verify all

 !
 

 no inservice


0
 

Author Comment

by:jolianharrison
ID: 22752950
Also, some of the routers do not have the SDM console installed. I assume that I can just install it from the CD and then modify the rules on screen (I don't want to kill the router).

So what you are saying is that access list 100 is for telnet, and if I include the IP addresses that I want to ping from, then that will open it up?
Will that also do ping requests as well?

Jolian
0
 
LVL 3

Accepted Solution

by:
leonjs earned 250 total points
ID: 22752977
Add these for ping, with the exception of my remarks:
! allow pings into the network
access-list 100 permit icmp any any echo
! allow ping responses
access-list 100 permit icmp any any echo-reply
! allow ICMP source-quench
access-list 100 permit icmp any any source-quench
! allow path MTU discovery
access-list 100 permit icmp any any packet-too-big
! allow time-exceeded, which is useful for traceroute
access-list 100 permit icmp any any time-exceeded
! deny all other ICMP packets
access-list 100 deny icmp any any
 
0
 

Author Comment

by:jolianharrison
ID: 22752985
Righto, I will log into the router now and add the commands; give me 20 minutes or so.

Jolian
0
 
LVL 29

Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 250 total points
ID: 22753057
In my opinion, the issue is related to security zones. It would be easy to figure out if it were a CBAC config. As far as I can narrow it down in the still messy config, the following adjustment may work:

class-map type inspect match-any telnetndping
 match protocol telnet
 match protocol icmp
policy-map type inspect sdm-permit
 class type inspect telnetndping
  inspect
0
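Both answers above change what the router does with traffic arriving from the Internet, but on a zone-based firewall the effect depends on which zone-pair, policy-map and class-map actually consume the change, and that is hard to see in a flattened SDM config. In the config posted above, the out-zone to self zone-pair uses policy-map sdm-permit, whose only class is class-default with no action, while ACL 100 is referenced only by class-map sdm-invalid-src, which the sdm-inspect policy on the in-zone to out-zone pair handles with drop log. The Python below is an added example, not code from this thread or from Cisco: a small parser and evaluator that resolves the action (inspect, pass or drop) for a flow between two zones. It runs against a constructed, trimmed excerpt of the posted config and against a hypothetical hardened variant that re-points the existing out-zone to self zone-pair at a policy admitting only a management network. The hardened policy's names (mgmt-protocols, mgmt-to-self, out-to-self), ACL 120, the 203.0.113.0/24 management network and the 198.51.100.x addresses are all assumptions; whether a given IOS release accepts inspect rather than pass for a protocol toward the self zone should be confirmed on the device. The posted config also points ip http access-class at ACL 23, which does not appear among the access-lists in it; that is worth checking at the same time.

```python
import ipaddress

# Constructed, trimmed excerpt of the config posted above: only the pieces that govern
# Internet -> router (out-zone -> self) and LAN -> Internet (in-zone -> out-zone).
ORIGINAL_CFG = """
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
policy-map type inspect sdm-permit
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-cls-icmp-access
  inspect
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
"""

# Hypothetical hardened variant: re-point the existing out-zone -> self zone-pair at a policy
# that admits only a management network (names, ACL 120 and 203.0.113.0/24 are assumptions).
HARDENED_CFG = ORIGINAL_CFG.replace("service-policy type inspect sdm-permit\n",
                                    "service-policy type inspect out-to-self\n") + """
access-list 120 permit ip 203.0.113.0 0.0.0.255 any
class-map type inspect match-any mgmt-protocols
 match protocol icmp
 match protocol ssh
class-map type inspect match-all mgmt-to-self
 match access-group 120
 match class-map mgmt-protocols
policy-map type inspect out-to-self
 class type inspect mgmt-to-self
  inspect
"""

def parse_config(text):
    """Collect class-maps, policy-maps, zone-pairs and numbered ACLs from IOS config text."""
    cfg, cur = {"class": {}, "policy": {}, "pair": {}, "acl": {}}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if not line.startswith(" "):                      # a new top-level block
            cur = None
            if tok[:3] == ["class-map", "type", "inspect"]:
                cur, cfg["class"][tok[4]] = ("class", tok[4]), {"mode": tok[3], "matches": []}
            elif tok[:3] == ["policy-map", "type", "inspect"]:
                cur, cfg["policy"][tok[3]] = ("policy", tok[3]), []
            elif tok[:2] == ["zone-pair", "security"]:
                cur = ("pair", (tok[tok.index("source") + 1], tok[tok.index("destination") + 1]))
            elif tok[0] == "access-list" and tok[2] != "remark":
                cfg["acl"].setdefault(tok[1], []).append(tok[2:])
        elif cur and cur[0] == "class" and tok[0] == "match":
            cfg["class"][cur[1]]["matches"].append((tok[1], tok[2]))
        elif cur and cur[0] == "policy" and tok[0] == "class":
            cfg["policy"][cur[1]].append([tok[-1], "drop"])  # no action configured -> drop
        elif cur and cur[0] == "policy":
            cfg["policy"][cur[1]][-1][1] = tok[0]            # inspect / pass / drop
        elif cur and cur[0] == "pair" and tok[0] == "service-policy":
            cfg["pair"][cur[1]] = tok[3]
    return cfg

def _net(tok):                           # one ACL address: 'any' or 'ADDR WILDCARD' (contiguous wildcard assumed)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    wild = int(ipaddress.ip_address(tok[1]))
    base = int(ipaddress.ip_address(tok[0])) & ~wild & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - wild.bit_length())), tok[2:]

def _acl_permits(entries, l4, src, dst):  # extended numbered ACL: first match wins, implicit deny at the end
    for action, proto, *rest in entries:
        if proto in ("ip", l4):
            s_net, rest = _net(rest)
            d_net = _net(rest)[0] if rest else ipaddress.ip_network("0.0.0.0/0")
            if src in s_net and dst in d_net:
                return action == "permit"
    return False

def _class_matches(cfg, name, flow):
    cm, hits = cfg["class"][name], []
    for kind, val in cm["matches"]:
        if kind == "protocol":
            hits.append(val in (flow["app"], flow["l4"]))
        elif kind == "access-group":
            hits.append(_acl_permits(cfg["acl"].get(val, []), flow["l4"], flow["src"], flow["dst"]))
        else:                                             # match class-map (nested)
            hits.append(_class_matches(cfg, val, flow))
    return all(hits) if cm["mode"] == "match-all" else any(hits)

def flow_action(cfg, src_zone, dst_zone, app, l4, src, dst):
    """Return 'inspect', 'pass' or 'drop' for one flow between two zones."""
    flow = {"app": app, "l4": l4, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}
    policy = cfg["pair"].get((src_zone, dst_zone))
    if policy is None:  # no zone-pair: self-zone traffic is allowed, other inter-zone traffic is dropped
        return "pass" if "self" in (src_zone, dst_zone) else "drop"
    for cname, action in cfg["policy"][policy]:
        if cname == "class-default" or _class_matches(cfg, cname, flow):
            return action
    return "drop"
```

Appending the first of leonjs's lines (access-list 100 permit icmp any any echo) to the excerpt and re-running flow_action for an inside host pinging out changes the evaluator's answer from inspect to drop, because the new permit makes sdm-invalid-src match. The evaluator only models protocol, nested class-map and extended-ACL matches, not NAT, port-maps or ICMP type keywords, so treat it as a reading aid for the config rather than a substitute for show policy-map type inspect zone-pair on the router itself.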
 

Author Comment

by:jolianharrison
ID: 22771412
Thanks guys, it was a combination of both of these things that put me on the right track; all OK now.

I'll split the points evenly

Many Thanks

Jolian
0
 

Author Closing Comment

by:jolianharrison
ID: 31507575
Thanks for the help on this, it put me on the right track

Many Thanks

Jolian
0
