Solved

Wanting to enable SDM access and ssh access

Posted on 2009-04-27
879 Views
Last Modified: 2012-05-06
I'm not really sure what I'm missing here, but I thought I had added everything I need to allow SDM access and SSH access from our outside IP of 66.x.x.101. I'm not having any luck getting to it that way. Telnet is working, but I know it's not secure and don't really want to use it. Here is my running-config:

Building configuration...

Current configuration : 9363 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$CLzY$3oXrWpGFf6oRinXJEt4cF/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect max-incomplete low 100
ip inspect max-incomplete high 200
ip inspect one-minute low 100
ip inspect one-minute high 200
ip inspect udp idle-time 60
ip inspect dns-timeout 20
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 45
ip inspect tcp synwait-time 45
ip inspect name Austin-FW-RULES tcp
ip inspect name Austin-FW-RULES ftp timeout 900
ip inspect name Austin-FW-RULES udp
ip inspect name Austin-FW-RULES http timeout 900
ip tcp synwait-time 10
no ip dhcp conflict logging

!
no ip bootp server
ip domain name dg.local
ip name-server 10.100.208.250
ip name-server 192.100.100.204
ip name-server 192.100.100.238
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-93192028
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-93192028
 revocation-check none
 rsakeypair TP-self-signed-93192028
!
!
crypto pki certificate chain TP-self-signed-93192028
 certificate self-signed 01
  quit
username datacore privilege 15 secret 5 $1$9COf$7h7hHo5P.8bw3ZWsAAbm..
username jmeis privilege 2 secret 5 $1$MnDy$oTUacUWP1RqLuiyQTESEt/
username mbenjamin privilege 2 secret 5 $1$MyUC$RANdqHaEhop.dl6ou7Yby.
username deng privilege 2 secret 5 $1$eua2$C95ybefKTTOvNtnlda7Dz1
username storres privilege 2 secret 5 $1$OvZC$9fLzIanrIaXMZw4oxW/RH1
username mirifex privilege 15 secret 5 $1$F2Q1$6xX8q/qamMrF3vVzwg/xf1
!
!
track 2 rtr 1 reachability
 delay down 15
!
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Ixxxxxxxx address 216.82.111.3 no-xauth
crypto isakmp keepalive 10
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group dialins
 key cisco123
 dns 10.100.208.250
 domain dg.local
 pool cltvpnpool
 acl VPN-users
!
!
crypto ipsec transform-set Austin esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclt esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set vpnclt
!
!
crypto map austinmap client authentication list vpnauthen
crypto map austinmap isakmp authorization list vpnauthor
crypto map austinmap client configuration address respond
crypto map austinmap 20 ipsec-isakmp
 set peer 216.82.111.3
 set transform-set Austin
 match address 120
crypto map austinmap 999 ipsec-isakmp dynamic dynmap
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description David Group Austin LAN
 ip address 10.100.208.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 description 65.x.x.74/29 range - Speakeasy Fast Ethernet
 ip address 65.x.x.74 255.255.255.252
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect Austin-FW-RULES out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 full-duplex
 no cdp enable
 no mop enabled
 crypto map austinmap
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
!
ip local pool cltvpnpool 192.168.98.1 192.168.98.14
ip classless
ip route 0.0.0.0 0.0.0.0 65.x.x.73
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map NONAT interface FastEthernet0/1 overload
!
ip access-list extended VPN-users
 permit ip 10.100.208.0 0.0.0.255 192.168.98.0 0.0.0.255
ip access-list extended nonat
 deny   ip 10.100.208.0 0.0.0.255 192.168.98.0 0.0.0.255
 deny   ip 10.100.208.0 0.0.0.255 192.100.100.0 0.0.0.255
 permit ip 10.100.208.0 0.0.0.255 any
ip access-list extended outside-in
 permit tcp any host 65.x.x.74 eq 500
 permit udp any host 65.x.x.74 eq isakmp
 permit udp any host 65.x.x.74 eq non500-isakmp
 permit esp any host 65.x.x.74
 permit gre any host 65.x.x.74
 permit ip 192.168.98.0 0.0.0.255 any
 permit ip 192.100.100.0 0.0.0.255 10.100.208.0 0.0.0.255
 permit icmp any any echo-reply
 permit icmp any 10.100.208.0 0.0.0.255 packet-too-big
 permit icmp any 10.100.208.0 0.0.0.255 traceroute
 permit icmp any 10.100.208.0 0.0.0.255 unreachable
 permit ahp host 216.82.111.3 host 65.x.x.74
 permit tcp 216.82.111.0 0.0.0.255 host 65.x.x.74 eq telnet
 permit tcp host 216.96.103.129 host 65.x.x.74 eq telnet
 permit tcp 216.68.0.0 0.0.255.255 host 65.x.x.74 eq telnet
 deny   ip host 255.255.255.255 any
 deny   ip 10.100.208.0 0.0.0.255 any
!
logging trap debugging
access-list 10 permit 74.218.116.229
access-list 10 permit 66.x.x.82
access-list 10 permit 66.x.x.101
access-list 10 permit 96.11.176.162
access-list 10 permit 216.82.111.0 0.0.0.255
access-list 10 permit 192.100.100.0 0.0.0.255
access-list 10 permit 10.100.208.0 0.0.0.255
access-list 10 permit 216.68.0.0 0.0.255.255
access-list 20 permit 192.100.100.0 0.0.0.255
access-list 20 permit 10.100.208.0 0.0.0.255
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any 10.100.208.0 0.0.0.255 packet-too-big
access-list 100 permit icmp any 10.100.208.0 0.0.0.255 traceroute
access-list 100 permit icmp any 10.100.208.0 0.0.0.255 unreachable
access-list 100 permit esp host 216.82.111.3 host 65.x.x.74
access-list 100 permit ahp host 216.82.111.3 host 65.x.x.74
access-list 100 permit udp host 216.82.111.3 eq isakmp host 65.x.x.74 eq isakmp
access-list 100 permit tcp 216.82.111.0 0.0.0.255 host 65.x.x.74 eq telnet
access-list 100 permit ip 192.100.100.0 0.0.0.255 10.100.208.0 0.0.0.255
access-list 100 permit tcp host 74.218.116.229 host 65.x.x.74 eq 22
access-list 100 permit tcp host 66.x.x.101 host 65.x.x.74 eq 22
access-list 100 permit tcp any host 65.x.x.74 eq telnet
access-list 100 permit ip 192.168.98.0 0.0.0.255 any
access-list 100 permit tcp any host 65.x.x.74 eq 500
access-list 100 permit udp any host 65.x.x.74 eq isakmp
access-list 100 permit udp any host 65.x.x.74 eq non500-isakmp
access-list 100 permit esp any any
access-list 100 permit tcp host 66.x.x.101 host 65.x.x.74 eq 443
access-list 120 permit ip 10.100.208.0 0.0.0.255 192.100.100.0 0.0.0.255
no cdp run
route-map NONAT permit 10
 match ip address nonat
!
!
!
control-plane
!
banner login ^C
------------------------------------------------------------
                Authorized access only!

  Disconnect IMMEDIATELY if you are not an authorized user
------------------------------------------------------------
^C
!
line con 0
 password 7 00251234004D0A1404
 login
 transport output telnet
line aux 0
 login local
 transport output telnet
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 access-class 10 in
 privilege level 15
 password 7 1436133908122B392F
 login local
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
end

Question by: afoedit

Accepted Solution by: lrmoore (earned 750 total points)
ID: 24247187
Can't get to SDM because you have disabled HTTPS and only allowed HTTPS in the access-list
>no ip http secure-server
>access-list 100 permit tcp host 66.x.x.101 host 65.x.x.74 eq 443
Enable secure-server and then your access-list will be correct
   ip http secure-server

These entries should allow you to use SSH. I can't see anything you missed. Double-check the x.x for typos, or zeroize and create a new crypto key.

>access-list 100 permit tcp host 66.x.x.101 host 65.x.x.74 eq 22
>access-list 10 permit 66.x.x.101
>line vty 0 4
   access-class 10 in
   transport input telnet ssh

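As an added example (not part of the question or lrmoore's answer), a small Python checker that applies the two checks from the answer to a running-config excerpt: whether an ACL permits tcp/443 while `ip http secure-server` is off (the SDM failure), and whether each `line vty` accepts ssh, still accepts telnet, and carries an `access-class`. The excerpt is constructed from the question's config; the checker matches whole config lines and does not parse ACL addresses.

```python
import re

# Constructed excerpt modelled on the running-config in the question (not the full config).
SAMPLE_CONFIG = """\
ip http server
no ip http secure-server
access-list 100 permit tcp host 66.x.x.101 host 65.x.x.74 eq 22
access-list 100 permit tcp host 66.x.x.101 host 65.x.x.74 eq 443
line vty 0 4
 access-class 10 in
 login local
 transport input telnet ssh
"""

def vty_blocks(lines):
    """Yield (header, [sub-lines]) for each 'line vty' section; sub-lines are the indented lines that follow."""
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, i = lines[i], i + 1
            body = []
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1

def audit_mgmt_access(config):
    """Return a list of (code, detail) findings about remote-management reachability and hygiene."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    # Exact-line matches: 'no ip http secure-server' is a different string, so it does not count as enabled.
    acl_443 = any(re.match(r"access-list \d+ permit tcp .*\beq 443$", l) for l in lines)
    if acl_443 and "ip http secure-server" not in lines:
        findings.append(("HTTPS_ACL_WITHOUT_SECURE_SERVER", "ACL permits tcp/443 but 'ip http secure-server' is off, so SDM over HTTPS cannot connect"))
    if "ip http server" in lines:
        findings.append(("PLAINTEXT_HTTP_ENABLED", "'ip http server' exposes management over cleartext HTTP"))
    for header, body in vty_blocks(lines):
        transport = next((b.split()[2:] for b in body if b.startswith("transport input")), [])
        if "ssh" not in transport and "all" not in transport:
            findings.append(("VTY_NO_SSH", f"{header}: transport input does not include ssh"))
        if "telnet" in transport or "all" in transport:
            findings.append(("VTY_TELNET_ENABLED", f"{header}: telnet still accepted; use 'transport input ssh'"))
        if not any(b.startswith("access-class") for b in body):
            findings.append(("VTY_NO_ACCESS_CLASS", f"{header}: no access-class restricts who may reach the line"))
    return findings
```

Running `audit_mgmt_access(SAMPLE_CONFIG)` reports the HTTPS mismatch from the answer plus the cleartext HTTP and telnet exposure; after `ip http secure-server`, `no ip http server` and `transport input ssh` are applied, it returns an empty list.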
