remote access to router problems

Jog Dial
10-05-2004
Hi, I'm a newb at complex Cisco configs and am just learning how to
enable firewalls and VPNs ... I used to do all this with Linux boxes
and now I have to do it all on the router. Things were going pretty
well building the firewall etc., but then I discovered that I can't SSH
into my router via the serial interface. I'm pretty sure that the
firewall isn't the problem, as I no longer have any access list on my
serial interface, so I have to believe it is the AAA. I am totally
new to AAA and only got SSH to work on the internal LAN interface
after finding a bit of a script, which is the AAA model in my script
below. I am trying to figure out how AAA works for myself, but it's
slow going and I need to be able to get at this router remotely to
configure it as soon as possible, so I would hugely appreciate it if
anyone could tell me why this won't let me connect remotely.

Thanks


chiefwiggum#show running
Building configuration...

Current configuration : 2354 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname chiefwiggum
!
boot-start-marker
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login default local
aaa authentication login line none
aaa authentication login vty local
aaa authentication login exec enable
aaa authorization exec default local
aaa authorization commands 1 default local
aaa accounting update newinfo
aaa session-id common
ip subnet-zero
ip cef
!
!
ip inspect udp idle-time 20
ip inspect tcp idle-time 120
ip inspect tcp synwait-time 15
ip inspect name internal_CBAC ftp
ip inspect name internal_CBAC http
ip inspect name internal_CBAC realaudio
ip inspect name internal_CBAC tcp
ip inspect name internal_CBAC udp
ip inspect name internal_CBAC icmp
ip inspect name external_CBAC ftp
ip inspect name external_CBAC http
ip inspect name external_CBAC realaudio
ip inspect name external_CBAC tcp
ip inspect name external_CBAC udp
ip inspect name external_CBAC icmp
!
!
ip ips po max-events 100
ip domain name emtex.com
ip name-server 206.228.179.10
no ftp-server write-enable
!
!
!
!
!
controller E1 0/0
channel-group 0 timeslots 1-31 speed 64
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0:0
description Internet
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1
description Internal Network
ip address 10.50.254.254 255.255.0.0
ip access-group internal_ACL in
ip inspect internal_CBAC in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0:0
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Serial0/0:0 overload
!
ip access-list extended internal_ACL
deny tcp any any eq pop3
deny tcp any any eq smtp
permit ip any any
!
access-list 1 permit any
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password 0xFF0xFF
transport input ssh
!
!
end

Scooby
10-05-2004
"Jog Dial" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...
> Hi, I'm a newb at complex cisco configs and am just learning how to
> enable firewalls and vpns ... I used to do all this with linux boxes
> and now I have to do it all on the router. Things were going pretty
> good building firewall etc, but then I discovered that I can't ssh
> into my router via the serial interface. I'm pretty sure that the
> firewall isn't the problem as I no longer have any access list on my
> serial interface, so I have to believe it is the AAA. I am totally
> new to AAA and only got ssh to work on the internal LAN interface
> after finding a bit of a script which is the AAA model in my script
> below. I am trying to figure out how AAA works for myself, but it's
> slow going and I need to be able to get at this router remotely to
> configure it as soon as possible, so I would hugely appreciate if
> anyone could tell me why this won't let me connect remotely.
>
> Thanks


Quite possibly you have not generated a key.

Try:

conf t
crypto key generate rsa


Hope that helps,

Jim

Jog Dial
10-06-2004
"Scooby" <(E-Mail Removed)> wrote in message news:<bbA8d.138$(E-Mail Removed)>...
snip..
>
> Quite possibly you have not generated a key.
>
> Try:
>
> conf t
> crypto key generate rsa
>
>
> Hope that helps,
>
> Jim


Probably didn't explain properly: SSH works fine into it via the
internal LAN interface, but not via the serial. I generated the key
first thing... Saying that, it seems more like a firewall problem, as
when I try to connect, it times out after about 1 minute or so of
trying to connect... as though the packets are being dropped, but
looking at the config there aren't any rules applied to the serial
interface... I can ping the interface OK though... any other thoughts?

Thanks

Scooby
10-06-2004
"Jog Dial" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
>
> Probably didn't explain properly, ssh works fine into it via the
> internal LAN interface, but not via the Serial, I generated the key
> first thing... saying that, it seems, more like firewall problem as
> when I try to connect, it times out after about 1 minute or so of
> trying to connect... as though the packets are being dropped but
> looking at the config there aren't any rules applied to the serial
> interface... I can ping the interface ok though... any other thoughts?
>
> Thanks


I would try using either debug ip packet or a packet sniffer to see what
traffic is doing. Can you telnet to the serial interface?

Javier Henderson
10-07-2004
"Scooby" <(E-Mail Removed)> writes:

> I would try using either debug ip packet or a packet sniffer to see what
> traffic is doing. Can you telnet to the serial interface?


Looking at your config, I noticed that Serial0/0:0 is NAT outside, and
the Ethernet interface is NAT inside. This may have a bearing on your
problem, depending on where you're coming from when trying to ssh into
the router. Keep in mind which interface the packets will be sourced
from when you're trying to ssh into each interface, and see if packets
would get NAT'd from the router to you, but not from you to the router.

-jav
 
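As an added example (not code from the thread or from any poster), here is a small Python script that reads a pasted IOS running-config like the one above and pulls out the points the replies raise: which AAA login lists are defined but never bound to a line with `login authentication <name>` (so the vty falls back to `default`), whether any `username` exists for a `local` method list to check against, what transport the vty accepts, and which interface carries `ip nat inside`/`outside` and an inbound ACL. The embedded config is a trimmed, constructed copy of the posted one, and the parser assumes the `!` separators survived the paste even though the indentation did not.

```python
import re

# Trimmed copy of the running-config posted above (constructed sample; like the
# thread's paste it has lost IOS's leading indentation, so '!' delimits blocks).
SAMPLE = """\
aaa authentication login default local
aaa authentication login vty local
!
interface Serial0/0:0
ip nat outside
!
interface FastEthernet0/1
ip access-group internal_ACL in
ip nat inside
!
line vty 0 4
transport input ssh
!
end
"""
BLOCKS = ("interface ", "line ", "controller ", "ip access-list ")

def parse_sections(text):
    """Split an IOS config into {header: [child lines]}; '' holds global lines."""
    sections, header = {"": []}, ""
    for line in (l.strip() for l in text.splitlines()):
        if line == "!":                      # block separator
            header = ""
        elif line.startswith(BLOCKS):        # these keywords always open a block
            header = line
            sections[header] = []
        elif line and line != "end":
            sections[header].append(line)
    return sections

def audit(text):
    """Answer what the replies ask: AAA list binding, local users, vty transport, NAT roles, inbound ACLs."""
    s = parse_sections(text)
    defined = set(re.findall(r"^aaa authentication login (\S+)", "\n".join(s[""]), re.M))
    bound = {l.split()[2] for h, b in s.items() if h.startswith("line ")
             for l in b if l.startswith("login authentication ")}
    ifaces = {h.split(None, 1)[1]: b for h, b in s.items() if h.startswith("interface ")}
    return {
        "unbound_login_lists": sorted(defined - bound - {"default"}),  # vty falls back to default
        "local_users": [l.split()[1] for l in s[""] if l.startswith("username ")],
        "vty_transport": [t for l in s.get("line vty 0 4", []) if l.startswith("transport input ") for t in l.split()[2:]],
        "nat_role": {i: l.split()[2] for i, b in ifaces.items() for l in b if l.startswith("ip nat ")},
        "inbound_acl": {i: l.split()[2] for i, b in ifaces.items()
                        for l in b if l.startswith("ip access-group ") and l.endswith(" in")},
    }
```

Run `audit(open("running-config.txt").read())` against the full paste from the first post; an empty `local_users` list next to a `local` method list, or a named list in `unbound_login_lists`, is the first thing to reconcile before chasing the NAT and ACL findings.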