Simon Green

asked on

Cisco Router - Allow SDM access from External Interface

Hi Everyone,

I have a really annoying problem and I'm sure it's something to do with the NAT'ing but just can't find where :(

I need to allow SDM & SSH/Telnet access from Dialer0 (Internet) and from any IP address/network.

Can anybody find why it's not working? When I try to SSH or SDM it times out and tells me the connection is not available. It works fine from the inside interface.

Here is my Config:

Building configuration...

Current configuration : 5473 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 <REMOVED>
!
username <REMOVED> privilege 15 password 7 <REMOVED>
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name victory-cctv.local
ip name-server 212.50.160.100
ip name-server 213.249.130.100
!
!
no ip bootp server
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
no ftp-server write-enable
!
!
!
no crypto isakmp enable
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 1/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 77.86.xx.xx 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname <REMOVED>
 ppp chap password 7 <REMOVED>
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.2.20 3000 77.86.xx.xx 3000 extendable
ip nat inside source static udp 192.168.2.20 3333 77.86.xx.xx 3333 extendable
ip nat inside source static udp 192.168.2.30 3000 77.86.xx.xx 3000 extendable
ip nat inside source static udp 192.168.2.30 3333 77.86.xx.xx 3333 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip dns server
!
!
ip access-list extended sdm_dialer0_in
 permit ip any any
ip access-list extended sdm_ethernet0_in
 permit ip any any
logging trap debugging
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=0
access-list 100 deny   ip 77.86.xx.xx 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 77.86.xx.xx eq 3333
access-list 101 permit udp any host 77.86.xx.xx eq 3000
access-list 101 permit udp any host 77.86.xx.xx eq 3333
access-list 101 permit udp any host 77.86.xx.xx eq 3000
access-list 101 permit udp host 213.249.130.100 eq domain host 77.86.xx.xx
access-list 101 permit udp host 212.50.160.100 eq domain host 77.86.xx.xx
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any host 77.86.xx.xx echo-reply
access-list 101 permit icmp any host 77.86.xx.xx time-exceeded
access-list 101 permit icmp any host 77.86.xx.xx unreachable
access-list 101 permit tcp any host 77.86.xx.xx eq 443
access-list 101 permit tcp any host 77.86.xx.xx eq 22
access-list 101 permit tcp any host 77.86.xx.xx eq cmd
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CCAuthorised user only. If you have not been authorised to use this system, you must disconnect now. All activity on this system is recorded and monitored.^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login authentication local_authen
 transport preferred all
 transport output telnet
line vty 0 4
 access-class 102 in
 exec-timeout 120 0
 authorization exec local_author
 login authentication local_authen
 length 0
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end

Many Thanks
Si

Sniper98G

Your NAT should not be coming into play if you are trying to access this device from the outside. What IP address are you using to try and connect?
Also your access-class on your VTY lines points to a non-existent access list. You could try to remove the access-class from the VTY lines or point it to another access-list.
>ip http access-class 2

Access-list 2 is restricting access to only the 192.168.2.0/24 subnet.

You need to allow your Internet IP:

conf t
ip access-list standard 2
no deny any
permit host x.x.x.x
deny any

Where x.x.x.x is the public IP address of the machine you are attempting to connect from.
Access list 2 would not account for lack of SSH connectivity though. That would only block http.
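As an added example (not from the thread or from Cisco), a small Python audit of the two ACL references discussed above: whether the ACL behind `ip http access-class` admits a given remote source, and whether a VTY `access-class` names an ACL that is never defined. The config excerpt is constructed in the shape of the one posted.

```python
"""Audit management-plane ACLs in a Cisco IOS config (added example, not from the thread).
Checks the ACL behind 'ip http access-class' and every VTY 'access-class' reference."""
import ipaddress
import re
# Constructed excerpt shaped like the posted config; 2 and 102 are the ACLs the answer discusses.
CONFIG = """
ip http access-class 2
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 deny   any
line vty 0 4
 access-class 102 in
 transport input telnet ssh
"""

def to_network(tokens):
    """Translate 'any', 'host A' or 'A WILDCARD' into an IPv4 network."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens[1]))  # inverted mask; contiguous only
    return ipaddress.IPv4Network((tokens[0], 32 - wildcard.bit_length()), strict=False)

def parse_acls(config):
    """Return {number: entries}; entries are parsed only for standard ACLs (1-99, 1300-1999)."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (permit|deny)\s+(\S.*)$", config, re.M):
        num, action, target = m.groups()
        entries = acls.setdefault(num, [])
        if 1 <= int(num) <= 99 or 1300 <= int(num) <= 1999:
            entries.append((action, to_network(target.split())))
    return acls

def acl_permits(entries, source_ip):
    """First match wins; IOS ends every ACL with an implicit deny."""
    ip = ipaddress.IPv4Address(source_ip)
    return next((action == "permit" for action, net in entries if ip in net), False)

def audit(config, remote_ip):
    """Findings for SDM (HTTPS) and VTY access attempted from remote_ip."""
    acls = parse_acls(config)
    findings = []
    http = re.search(r"^ip http access-class (\d+)", config, re.M)
    if http and not acl_permits(acls.get(http.group(1), []), remote_ip):
        findings.append(f"http access-class {http.group(1)} blocks {remote_ip}")
    for m in re.finditer(r"^ +access-class (\d+) in", config, re.M):
        if m.group(1) not in acls:
            findings.append(f"vty access-class {m.group(1)} is never defined")
    return findings
```

Running `audit(CONFIG, "203.0.113.7")` reports both problems; after adding `permit host 203.0.113.7` to ACL 2 and dropping the VTY access-class, it reports none.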
Simon Green

ASKER

Hi Sniper98G & JFrederick29,

Thanks for your responses. I've removed the access-list pointer from the VTY but still no joy. On JFrederick29's comment, I need any host on the web to be able to access the router via SDM; in that case would I just use:

permit host 0.0.0.0 ??

Many Thanks Guys
Si
ASKER CERTIFIED SOLUTION
JFrederick29
I'm trying to connect to the router's static outside IP, e.g. 77.86.1.1 (not the real IP address), and I'm doing this from a standard broadband connection.

I've tried from several different connections now with no joy. If on the local LAN connected to this router I'm able to access SDM & Telnet from either its internal IP 192.168.2.1 or its external IP 77.86.1.1.

Many Thanks Again
Si
Does SSH work from the inside?  If not, are you running a crypto image?  Did you generate SSH keys?

If you want telnet from the outside, add this as well:

ip access-list ext 101
1 permit tcp any host 77.86.xx.xx eq 23
Sorry meant SSH not Telnet:( Doh!
huh?
From your broadband PC, can you do this from a command prompt?

telnet 77.86.x.x 22
telnet 77.86.x.x 443

If not, humor me and add this as well:

conf t
ip inspect name SDM_LOW tcp router-traffic
Sorry. I put:

"I've tried from several different connections now with no joy. If on the local LAN connected to this router I'm able to access SDM & Telnet from either its internal IP 192.168.2.1 or its external IP 77.86.1.1"

But meant "able to access SDM & SSH from either"

Cheers
si
Excellent:)

Cheers Guys.

no ip http access-class 2

&

no ip http access-class 2
line vty 0 4
no access-class 102 in

Worked a treat:) All sorted now:)

Cheers Guys, You both saved me a very late night:)