C871 Remote access

Discussion in 'Cisco' started by Andreas Heinzelmann, Nov 5, 2007.

  Hi Again,

    I have a little issue with my C871 box. I would like to access the router's
    management console through ssh & https (SDM) from the Internet.
    At the moment this does not work. I am able to ping the device but I am not
    able to access the box through ssh or https although I opened the FW on the
    Box.

    Maybe somebody can check my config? Here we go:



    Building configuration...

    Current configuration : 13029 bytes
    !
    ! Last configuration change at 21:39:52 Berlin Mon Nov 5 2007 by root
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname EDGE-GW
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200
    logging console critical
    enable secret 5 0000000000000
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login local_authen local
    aaa authorization exec default local
    aaa authorization exec local_author local
    !
    !
    aaa session-id common
    clock timezone Berlin 1
    clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
    no ip source-route
    ip cef
    !
    !
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name abc.de
    ip name-server 194.8.194.70
    ip name-server 194.8.194.60
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ddns update method dyndns
    HTTP
    add http://xxxx:/nic/update?system=dyndns&hostname=xxxx.homeip.net&myip=<a>
    interval maximum 0 12 0 0
    interval minimum 0 12 0 0
    !
    !
    !
    crypto pki trustpoint TP-self-signed-00000000000
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-0000000000
    revocation-check none
    rsakeypair TP-self-signed-465119209
    !
    !
    crypto pki certificate chain TP-self-signed-000000
    certificate self-signed 01

    quit
    !
    !
    username root privilege 15 secret 5 $1$xxxxxxxxxxxxxxxxxxx/
    !
    !
    class-map type inspect match-any ECHO
    match protocol icmp
    class-map type inspect match-any SDM_HTTPS
    match access-group name SDM_HTTPS
    class-map type inspect match-any SDM_SSH
    match access-group name SDM_SSH
    class-map type inspect match-any SDM_SHELL
    match access-group name SDM_SHELL
    class-map type inspect match-any sdm-cls-access
    match class-map SDM_HTTPS
    match class-map SDM_SSH
    match class-map SDM_SHELL
    class-map type inspect match-all sdm-cls-sdm-permit-icmpreply-1
    match access-group name USENET
    class-map type inspect match-any sdm-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol h323
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all sdm-insp-traffic
    match class-map sdm-cls-insp-traffic
    class-map type inspect match-any sdm-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any SSH
    match protocol ssh
    class-map type inspect match-any SSL
    match protocol https
    class-map type inspect match-all sdm-access
    match class-map sdm-cls-access
    match access-group 101
    class-map type inspect match-all sdm-cls-sdm-permit-3
    match class-map SSL
    match access-group name SSL
    class-map type inspect match-all sdm-cls-sdm-permit-2
    match class-map ECHO
    match access-group name ECHO
    class-map type inspect match-any ICMPEchoReply
    match protocol icmp
    class-map type inspect match-all sdm-cls-sdm-permit-1
    match class-map ICMPEchoReply
    match access-group name ICMPEchoReply
    class-map type inspect match-all sdm-cls-sdm-permit-4
    match class-map SSH
    match access-group name SSH
    class-map type inspect match-all sdm-icmp-access
    match class-map sdm-cls-icmp-access
    class-map type inspect match-all sdm-invalid-src
    match access-group 100
    class-map type inspect match-all sdm-protocol-http
    match protocol http
    !
    !
    policy-map type inspect sdm-permit-icmpreply
    class type inspect sdm-icmp-access
    inspect
    class class-default
    pass
    policy-map type inspect sdm-inspect
    class type inspect sdm-invalid-src
    drop log
    class type inspect sdm-insp-traffic
    inspect
    class type inspect sdm-protocol-http
    inspect
    class class-default
    policy-map type inspect sdm-permit
    class type inspect sdm-cls-sdm-permit-4
    pass
    class type inspect sdm-cls-sdm-permit-3
    pass
    class type inspect sdm-access
    inspect
    class type inspect sdm-cls-sdm-permit-2
    inspect
    class class-default
    !
    zone security out-zone
    zone security in-zone
    zone-pair security sdm-zp-self-out source self destination out-zone
    service-policy type inspect sdm-permit-icmpreply
    zone-pair security sdm-zp-out-self source out-zone destination self
    service-policy type inspect sdm-permit
    zone-pair security sdm-zp-in-out source in-zone destination out-zone
    service-policy type inspect sdm-inspect
    !
    !
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    description $ETH-WAN$
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    !
    interface Dot11Radio0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    ip address 192.168.0.254 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip route-cache flow
    ip tcp adjust-mss 1412
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip ddns update hostname xxxx.homeip.net
    ip ddns update dyndns
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1452
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password 7 000000000000
    ppp pap sent-username password 7 0000000000
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 192.168.1.0 255.255.255.0 192.168.0.1
    !
    no ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source list 1 interface Dialer0 overload
    !
    ip access-list extended ECHO
    remark SDM_ACL Category=128
    permit ip any any
    ip access-list extended HTTPS_MANAGEMENT
    remark SDM_ACL Category=1
    permit udp host 194.8.194.60 eq domain any
    permit udp host 194.8.194.70 eq domain any
    remark Auto generated by SDM for NTP (123) 80.67.17.101
    permit udp host 80.67.17.101 eq ntp any eq ntp
    remark Auto generated by SDM for NTP (123) 192.53.103.103
    permit udp host 192.53.103.103 eq ntp any eq ntp
    permit tcp any any eq 443 log
    remark SDM_ACL Category=1
    remark Auto generated by SDM for NTP (123) 80.67.17.101
    remark Auto generated by SDM for NTP (123) 192.53.103.103
    ip access-list extended ICMPEchoReply
    remark SDM_ACL Category=128
    permit ip any any
    remark SDM_ACL Category=128
    ip access-list extended SDM_HTTPS
    remark SDM_ACL Category=1
    permit tcp any any eq 443
    remark SDM_ACL Category=1
    remark SDM_ACL Category=1
    remark SDM_ACL Category=1
    ip access-list extended SDM_SHELL
    remark SDM_ACL Category=1
    permit tcp any any eq cmd
    remark SDM_ACL Category=1
    remark SDM_ACL Category=1
    remark SDM_ACL Category=1
    ip access-list extended SDM_SSH
    remark SDM_ACL Category=1
    remark Auto generated by SDM for NTP (123) 80.67.17.101
    permit udp host 80.67.17.101 eq ntp any eq ntp
    remark Auto generated by SDM for NTP (123) 192.53.103.103
    permit udp host 192.53.103.103 eq ntp any eq ntp
    permit tcp any any eq 22
    permit tcp any any eq 443
    permit tcp any any
    remark SDM_ACL Category=1
    remark Auto generated by SDM for NTP (123) 80.67.17.101
    remark Auto generated by SDM for NTP (123) 192.53.103.103
    ip access-list extended SSH
    remark SDM_ACL Category=128
    permit ip any any
    ip access-list extended SSL
    remark SDM_ACL Category=128
    permit ip any any
    ip access-list extended USENET
    remark SDM_ACL Category=128
    permit ip any any
    remark SDM_ACL Category=128
    remark SDM_ACL Category=128
    remark SDM_ACL Category=128
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 192.168.0.0 0.0.0.255
    access-list 2 deny any
    access-list 100 remark SDM_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 remark SDM_ACL Category=128
    access-list 100 remark SDM_ACL Category=128
    access-list 100 remark SDM_ACL Category=128
    access-list 101 remark SDM_ACL Category=128
    access-list 101 permit ip any any
    access-list 101 remark SDM_ACL Category=128
    access-list 101 remark SDM_ACL Category=128
    access-list 101 remark SDM_ACL Category=128
    access-list 102 remark VTY Access-class list
    access-list 102 remark SDM_ACL Category=1
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 deny ip any any
    access-list 102 remark VTY Access-class list
    access-list 102 remark SDM_ACL Category=1
    access-list 103 remark VTY Access-class list
    access-list 103 remark SDM_ACL Category=1
    access-list 103 permit ip 192.168.0.0 0.0.0.255 any
    access-list 103 deny ip any any
    access-list 103 remark VTY Access-class list
    access-list 103 remark SDM_ACL Category=1
    access-list 104 remark VTY Access-class list
    access-list 104 remark SDM_ACL Category=1
    access-list 104 permit ip 192.168.0.0 0.0.0.255 any
    access-list 104 deny ip any any
    access-list 104 remark VTY Access-class list
    access-list 104 remark SDM_ACL Category=1
    access-list 105 remark auto generated by SDM firewall configuration
    access-list 105 remark SDM_ACL Category=1
    access-list 105 permit tcp any eq www any
    access-list 105 permit udp host 194.8.194.60 eq domain any
    access-list 105 permit udp host 194.8.194.70 eq domain any
    access-list 105 remark Auto generated by SDM for NTP (123) 80.67.17.101
    access-list 105 permit udp host 80.67.17.101 eq ntp any eq ntp
    access-list 105 remark Auto generated by SDM for NTP (123) 192.53.103.103
    access-list 105 permit udp host 192.53.103.103 eq ntp any eq ntp
    access-list 105 permit tcp any any eq 443
    access-list 105 permit tcp any any eq 22
    access-list 105 permit tcp any any eq cmd
    access-list 105 remark auto generated by SDM firewall configuration
    access-list 105 remark SDM_ACL Category=1
    access-list 105 remark Auto generated by SDM for NTP (123) 80.67.17.101
    access-list 105 remark Auto generated by SDM for NTP (123) 192.53.103.103
    access-list 106 remark VTY Access-class list
    access-list 106 remark SDM_ACL Category=1
    access-list 106 permit ip 192.168.0.0 0.0.0.255 any
    access-list 106 deny ip any any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    !
    control-plane
    !
    banner login ^CThis is a secure System! No unauthorized access!^C
    !
    line con 0
    password 7 00000000000000
    login authentication local_authen
    no modem enable
    transport output telnet
    line aux 0
    login authentication local_authen
    transport output telnet
    line vty 0 4
    access-class 23 in
    password 7 0000000000000
    authorization exec local_author
    login authentication local_authen
    transport input ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ntp clock-period 17174758
    ntp source Dialer0
    ntp server 192.53.103.103 source Dialer0 prefer
    ntp server 80.67.17.101
    end

    thanx...andy
    Andreas Heinzelmann, Nov 5, 2007
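As an added example (not part of the post above and not the poster's or Cisco's code), the following Python helper audits the two IOS statements that gate management sessions independently of the zone-based firewall: `ip http access-class <acl>` for HTTP/HTTPS (SDM) and `access-class <acl> in` under `line vty` for SSH. It parses the numbered ACLs, applies first-match semantics with the implicit deny, and reports whether a given source address is permitted, flagging an access-class that points at an ACL the config never defines. The config excerpt embedded in it is a constructed reduction of the posted config; the source addresses (203.0.113.10 as an Internet host, 192.168.0.10 as a LAN host) and all function names are assumptions.

```python
"""Audit which source addresses may reach a Cisco IOS router's management plane.

Hypothetical helper written for this thread; not Cisco tooling and not the
poster's code.  It evaluates the two places where IOS restricts management
sessions regardless of any zone-based firewall policy:

  * ``ip http access-class <acl>``          (HTTP and HTTPS / SDM)
  * ``access-class <acl> in`` under ``line vty ...`` (SSH / telnet)
"""
import ipaddress
import re

# Constructed sample: the management-related lines of the config posted
# above, reduced to what this audit needs.
SAMPLE_CONFIG = """\
ip http access-class 2
ip http secure-server
access-list 2 remark HTTP Access-class list
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any
line vty 0 4
 access-class 23 in
 transport input ssh
"""


def _parse_source(tokens):
    """Translate an IOS source spec into (network_int, wildcard_int)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    net = int(ipaddress.IPv4Address(tokens[0]))
    # A standard ACL entry may omit the wildcard; that means a single host.
    if len(tokens) > 1 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[1]):
        return net, int(ipaddress.IPv4Address(tokens[1]))
    return net, 0


def parse_acls(config_text):
    """Return {acl_number: [(action, network, wildcard), ...]} for numbered ACLs.

    Standard entries keep their source spec; extended entries (100-199,
    2000-2699) drop the protocol token and keep only the source spec, which is
    what an access-class evaluates.  Remarks are skipped.
    """
    acls = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*access-list\s+(\d+)\s+(permit|deny)\s+(.*)", line)
        if not m:
            continue
        number, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        if 100 <= number <= 199 or 2000 <= number <= 2699:
            rest = rest[1:]
        acls.setdefault(number, []).append((action, *_parse_source(rest)))
    return acls


def acl_permits(entries, source_ip):
    """Apply IOS first-match semantics with the implicit deny at the end."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for action, net, wild in entries:
        mask = ~wild & 0xFFFFFFFF
        if (ip & mask) == (net & mask):
            return action == "permit"
    return False


def _evaluate(what, match, acls, source_ip, enabled):
    if not enabled:
        return {"service": what, "status": "service not configured"}
    if match is None:
        return {"service": what, "status": "no access-class: reachable from any source"}
    number = int(match.group(1))
    if number not in acls:
        # Nothing filters here: the intended restriction is not in force.
        return {"service": what, "acl": number,
                "status": f"FINDING: access-class references undefined ACL {number}"}
    allowed = acl_permits(acls[number], source_ip)
    return {"service": what, "acl": number,
            "status": f"{source_ip} {'permitted' if allowed else 'denied'} by ACL {number}"}


def audit_management_access(config_text, source_ip):
    """Return findings for HTTPS (ip http) and VTY (ssh) access from source_ip."""
    acls = parse_acls(config_text)
    findings = {}
    https_on = re.search(r"^\s*ip http secure-server", config_text, re.M) is not None
    m = re.search(r"^\s*ip http access-class (\d+)", config_text, re.M)
    findings["https"] = _evaluate("ip http access-class", m, acls, source_ip, https_on)
    # Take the in-bound access-class of the first "line vty" block.
    vty = re.search(r"^line vty.*?(?=^line |^!|\Z)", config_text, re.M | re.S)
    m = re.search(r"^\s*access-class (\d+) in", vty.group(0), re.M) if vty else None
    findings["vty"] = _evaluate("line vty access-class", m, acls, source_ip, vty is not None)
    return findings


if __name__ == "__main__":
    for src in ("203.0.113.10", "192.168.0.10"):  # constructed Internet and LAN sources
        for result in audit_management_access(SAMPLE_CONFIG, src).values():
            print(f"{src:>14}  {result['service']:<24} {result['status']}")
```

Run against the sample, the audit shows the HTTPS server is limited by ACL 2 to 192.168.0.0/24 and that the vty access-class names an ACL that does not appear in the configuration; both are worth confirming on the device with `show ip http server status` and `show access-lists` before looking at the zone-pair policies.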
