remote access to router problems

Discussion in 'Cisco' started by Jog Dial, Oct 5, 2004.

  1. Jog Dial

    Jog Dial Guest

    Hi, I'm a newb at complex cisco configs and am just learning how to
    enable firewalls and vpns ... I used to do all this with linux boxes
    and now I have to do it all on the router. Things were going pretty
    well building the firewall etc., but then I discovered that I can't ssh
    into my router via the serial interface. I'm pretty sure that the
    firewall isn't the problem as I no longer have any access list on my
    serial interface, so I have to believe it is the AAA. I am totally
    new to AAA and only got ssh to work on the internal LAN interface
    after finding a bit of a script which is the AAA model in my script
    below. I am trying to figure out how AAA works for myself, but it's
    slow going and I need to be able to get at this router remotely to
    configure it as soon as possible, so I would hugely appreciate it if
    anyone could tell me why this won't let me connect remotely.

    Thanks


    chiefwiggum#show running
    Building configuration...

    Current configuration : 2354 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname chiefwiggum
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login line none
    aaa authentication login vty local
    aaa authentication login exec enable
    aaa authorization exec default local
    aaa authorization commands 1 default local
    aaa accounting update newinfo
    aaa session-id common
    ip subnet-zero
    ip cef
    !
    !
    ip inspect udp idle-time 20
    ip inspect tcp idle-time 120
    ip inspect tcp synwait-time 15
    ip inspect name internal_CBAC ftp
    ip inspect name internal_CBAC http
    ip inspect name internal_CBAC realaudio
    ip inspect name internal_CBAC tcp
    ip inspect name internal_CBAC udp
    ip inspect name internal_CBAC icmp
    ip inspect name external_CBAC ftp
    ip inspect name external_CBAC http
    ip inspect name external_CBAC realaudio
    ip inspect name external_CBAC tcp
    ip inspect name external_CBAC udp
    ip inspect name external_CBAC icmp
    !
    !
    ip ips po max-events 100
    ip domain name emtex.com
    ip name-server 206.228.179.10
    no ftp-server write-enable
    !
    !
    !
    !
    !
    controller E1 0/0
    channel-group 0 timeslots 1-31 speed 64
    !
    !
    !
    !
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface Serial0/0:0
    description Internet
    ip address xxx.xxx.xxx.xxx 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    !
    interface FastEthernet0/1
    description Internal Network
    ip address 10.50.254.254 255.255.0.0
    ip access-group internal_ACL in
    ip inspect internal_CBAC in
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    no mop enabled
    !
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0:0
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Serial0/0:0 overload
    !
    ip access-list extended internal_ACL
    deny tcp any any eq pop3
    deny tcp any any eq smtp
    permit ip any any
    !
    access-list 1 permit any
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password 0xFF0xFF
    transport input ssh
    !
    !
    end
     
    Jog Dial, Oct 5, 2004
    #1

  2. Scooby

    Scooby Guest

    "Jog Dial" <> wrote in message
    news:...
    > Hi, I'm a newb at complex cisco configs and am just learning how to
    > enable firewalls and vpns ... I used to do all this with linux boxes
    > and now I have to do it all on the router. Things were going pretty
    > well building the firewall etc., but then I discovered that I can't ssh
    > into my router via the serial interface. I'm pretty sure that the
    > firewall isn't the problem as I no longer have any access list on my
    > serial interface, so I have to believe it is the AAA. I am totally
    > new to AAA and only got ssh to work on the internal LAN interface
    > after finding a bit of a script which is the AAA model in my script
    > below. I am trying to figure out how AAA works for myself, but it's
    > slow going and I need to be able to get at this router remotely to
    > configure it as soon as possible, so I would hugely appreciate it if
    > anyone could tell me why this won't let me connect remotely.
    >
    > Thanks
    >
    >
    > chiefwiggum#show running
    > Building configuration...
    >
    > Current configuration : 2354 bytes
    > !
    > version 12.3
    > service timestamps debug datetime msec
    > service timestamps log datetime msec
    > no service password-encryption
    > !
    > hostname chiefwiggum
    > !
    > boot-start-marker
    > boot-end-marker
    > !
    > !
    > no network-clock-participate slot 1
    > no network-clock-participate wic 0
    > aaa new-model
    > !
    > !
    > aaa authentication login default local
    > aaa authentication login line none
    > aaa authentication login vty local
    > aaa authentication login exec enable
    > aaa authorization exec default local
    > aaa authorization commands 1 default local
    > aaa accounting update newinfo
    > aaa session-id common
    > ip subnet-zero
    > ip cef
    > !
    > !
    > ip inspect udp idle-time 20
    > ip inspect tcp idle-time 120
    > ip inspect tcp synwait-time 15
    > ip inspect name internal_CBAC ftp
    > ip inspect name internal_CBAC http
    > ip inspect name internal_CBAC realaudio
    > ip inspect name internal_CBAC tcp
    > ip inspect name internal_CBAC udp
    > ip inspect name internal_CBAC icmp
    > ip inspect name external_CBAC ftp
    > ip inspect name external_CBAC http
    > ip inspect name external_CBAC realaudio
    > ip inspect name external_CBAC tcp
    > ip inspect name external_CBAC udp
    > ip inspect name external_CBAC icmp
    > !
    > !
    > ip ips po max-events 100
    > ip domain name emtex.com
    > ip name-server 206.228.179.10
    > no ftp-server write-enable
    > !
    > !
    > !
    > !
    > !
    > controller E1 0/0
    > channel-group 0 timeslots 1-31 speed 64
    > !
    > !
    > !
    > !
    > interface FastEthernet0/0
    > no ip address
    > shutdown
    > duplex auto
    > speed auto
    > !
    > interface Serial0/0:0
    > description Internet
    > ip address xxx.xxx.xxx.xxx 255.255.255.252
    > ip nat outside
    > ip virtual-reassembly
    > !
    > interface FastEthernet0/1
    > description Internal Network
    > ip address 10.50.254.254 255.255.0.0
    > ip access-group internal_ACL in
    > ip inspect internal_CBAC in
    > ip nat inside
    > ip virtual-reassembly
    > duplex auto
    > speed auto
    > no mop enabled
    > !
    > !
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Serial0/0:0
    > no ip http server
    > no ip http secure-server
    > ip nat inside source list 1 interface Serial0/0:0 overload
    > !
    > ip access-list extended internal_ACL
    > deny tcp any any eq pop3
    > deny tcp any any eq smtp
    > permit ip any any
    > !
    > access-list 1 permit any
    > !
    > !
    > control-plane
    > !
    > !
    > !
    > line con 0
    > line aux 0
    > line vty 0 4
    > password 0xFF0xFF
    > transport input ssh
    > !
    > !
    > end


    Quite possibly you have not generated a key.

    Try:

    conf t
    crypto key generate rsa


    Hope that helps,

    Jim
     
    Scooby, Oct 5, 2004
    #2

  3. Jog Dial

    Jog Dial Guest

    "Scooby" <> wrote in message news:<bbA8d.138$>...
    snip..
    >
    > Quite possibly you have not generated a key.
    >
    > Try:
    >
    > conf t
    > crypto key generate rsa
    >
    >
    > Hope that helps,
    >
    > Jim


    Probably didn't explain properly: ssh works fine into it via the
    internal LAN interface, but not via the Serial. I generated the key
    first thing... Saying that, it seems more like a firewall problem, as
    when I try to connect, it times out after about 1 minute or so of
    trying to connect... as though the packets are being dropped, but
    looking at the config there aren't any rules applied to the serial
    interface... I can ping the interface OK though... any other thoughts?

    Thanks
     
    Jog Dial, Oct 6, 2004
    #3
  4. Scooby

    Scooby Guest

    "Jog Dial" <> wrote in message
    news:...
    > "Scooby" <> wrote in message

    news:<bbA8d.138$>...
    > snip..
    > >
    > > Quite possibly you have not generated a key.
    > >
    > > Try:
    > >
    > > conf t
    > > crypto key generate rsa
    > >
    > >
    > > Hope that helps,
    > >
    > > Jim

    >
    > Probably didn't explain properly: ssh works fine into it via the
    > internal LAN interface, but not via the Serial. I generated the key
    > first thing... Saying that, it seems more like a firewall problem, as
    > when I try to connect, it times out after about 1 minute or so of
    > trying to connect... as though the packets are being dropped, but
    > looking at the config there aren't any rules applied to the serial
    > interface... I can ping the interface OK though... any other thoughts?
    >
    > Thanks


    I would try using either debug ip packet or a packet sniffer to see what
    traffic is doing. Can you telnet to the serial interface?
     
    Scooby, Oct 6, 2004
    #4
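    Scooby's two suggestions above come down to one question: does the SYN reach the router and get answered, or does it vanish? A sniffer or "debug ip packet" answers that from the router side; from the Linux box you are connecting from, the TCP outcome itself already tells you most of it. The probe below is an added example written for this thread, not code from any of the posters. It classifies a connect attempt as open (handshake completed, banner read), refused (RST or ICMP port-unreachable came back, so the address is reachable but nothing listens), timeout (no SYN/ACK and no RST, i.e. something on the path is silently dropping) or unreachable (no route, or an ICMP unreachable came back, which is what an IOS ACL deny returns unless "no ip unreachables" is set). The banner string and the local stand-in "router" it tests against are constructed for the demo.

```python
import socket
import sys
import threading

# Constructed banner for the local stand-in server (assumption: a real IOS
# router identifies itself with an "SSH-x.y-Cisco-..." string of its own).
FAKE_BANNER = b"SSH-2.0-Cisco-1.25\r\n"

HINTS = {
    "open": "Handshake completed and the device answered: the path is fine, so "
            "anything that fails after this is SSH/AAA, not filtering.",
    "refused": "RST or ICMP port-unreachable came back: the address is reachable "
               "and the stack answers, but nothing listens on that port.",
    "timeout": "No SYN/ACK and no RST: the SYN or its reply is being dropped on the "
               "path (ACL, inspection, NAT, routing); AAA never saw it.",
    "unreachable": "No route locally, or an ICMP unreachable came back (an IOS ACL "
                   "deny sends administratively-prohibited; Linux reports it as "
                   "host unreachable).",
}


def probe_tcp(host, port, timeout=5.0):
    """Attempt one TCP connection and classify the outcome.

    Returns (state, detail): state is one of the HINTS keys; detail is the first
    bytes the peer sent (the SSH/Telnet banner) when "open", or the OS error
    text when "unreachable", else an empty string.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        try:
            banner = s.recv(256)
        except socket.timeout:
            banner = b""          # connected, but the peer has not spoken yet
        return ("open", banner.decode("ascii", "replace").strip())
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("timeout", "")
    except OSError as e:          # ENETUNREACH / EHOSTUNREACH and friends
        return ("unreachable", str(e))
    finally:
        s.close()


def _answer_once(srv):
    """Stand-in for the router: accept one connection, send the banner, hang up."""
    conn, _ = srv.accept()
    conn.sendall(FAKE_BANNER)
    conn.close()
    srv.close()


def demo():
    """Exercise probe_tcp against two constructed local cases: a port with a
    banner-sending listener behind it and a port with nothing behind it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    threading.Thread(target=_answer_once, args=(srv,), daemon=True).start()
    opened = probe_tcp("127.0.0.1", open_port, timeout=3.0)

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                   # nothing listens here any more -> expect a RST
    refused = probe_tcp("127.0.0.1", closed_port, timeout=3.0)
    return opened, refused


if __name__ == "__main__":
    if len(sys.argv) == 3:        # e.g. probe.py <serial-interface-ip> 22
        state, detail = probe_tcp(sys.argv[1], int(sys.argv[2]))
        print(state, detail, "\n ", HINTS[state])
    else:
        for state, detail in demo():
            print(state, detail, "\n ", HINTS[state])
```

    Run it once against port 22 and once against port 23 of the serial address, from the same host that can ping it. "timeout" on both while ping works points at the packet path for TCP specifically; "open" on 23 but "timeout" on 22 would narrow it to something port-specific; an answer on either port means AAA is the next thing to look at, not the firewall.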
  5. Javier Henderson

    Javier Henderson Guest

    "Scooby" <> writes:

    >
    > "Jog Dial" <> wrote in message
    > news:...
    > > "Scooby" <> wrote in message

    > news:<bbA8d.138$>...
    > > snip..
    > > >
    > > > Quite possibly you have not generated a key.
    > > >
    > > > Try:
    > > >
    > > > conf t
    > > > crypto key generate rsa
    > > >
    > > >
    > > > Hope that helps,
    > > >
    > > > Jim

    > >
    > > Probably didn't explain properly: ssh works fine into it via the
    > > internal LAN interface, but not via the Serial. I generated the key
    > > first thing... Saying that, it seems more like a firewall problem, as
    > > when I try to connect, it times out after about 1 minute or so of
    > > trying to connect... as though the packets are being dropped, but
    > > looking at the config there aren't any rules applied to the serial
    > > interface... I can ping the interface OK though... any other thoughts?
    > >
    > > Thanks

    >
    > I would try using either debug ip packet or a packet sniffer to see what
    > traffic is doing. Can you telnet to the serial interface?
    >
    >


    Looking at your config, I noticed that Serial0/0:0 is NAT outside, and
    the Ethernet interface is NAT inside. This may have a bearing on your
    problem, depending on where you're coming from when trying to ssh into
    the router. Keep in mind which interface the packets will be sourced
    from when you're trying to ssh into each interface, and see if packets
    would get NAT'd from the router to you, but not from you to the router.

    -jav
     
    Javier Henderson, Oct 7, 2004
    #5
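    Two things in this thread are worth checking mechanically rather than by eye: the opening post's question of which AAA list actually governs the vty lines, and Javier's point that the answer depends on which interface (NAT inside or outside) the connection arrives on. The checker below is an added example for this thread, not code from any poster or from Cisco; it parses the kind of running-config shown above (sub-commands indented as IOS prints them, or flush-left as the post shows them) and applies two IOS rules: under "aaa new-model", a line with no "login authentication <name>" uses the "default" list, and the line's own "password" is consulted only when the effective list contains the "line" method. The embedded config is a constructed excerpt of the one posted, keeping only the lines that decide who can log in and from where. On that excerpt it reports that vty 0 4 authenticates via default -> local, that the "line", "vty" and "exec" lists are defined but applied to no line, that the vty password is never consulted, that no access-class restricts management sources, and which interface is NAT inside/outside with what ACL and inspection. Note what it cannot explain: the same vty and AAA config applies whether the SYN arrives on FastEthernet0/1 or Serial0/0:0, and AAA only runs after the TCP handshake, so a connect that times out with no banner is a packet-path problem (routing, NAT, ACL, inspection), not an AAA one.

```python
import re

# Constructed excerpt of the running-config posted in this thread: only the
# lines that decide who may log in remotely, how, and via which interface.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa authentication login default local
aaa authentication login line none
aaa authentication login vty local
aaa authentication login exec enable
!
interface Serial0/0:0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.50.254.254 255.255.0.0
 ip access-group internal_ACL in
 ip inspect internal_CBAC in
 ip nat inside
!
ip nat inside source list 1 interface Serial0/0:0 overload
!
line con 0
line aux 0
line vty 0 4
 password 0xFF0xFF
 transport input ssh
!
end
"""

SECTION_RE = re.compile(r"^(interface|line|controller|ip access-list|router)\s")


def parse_sections(text):
    """Split an IOS config into a 'global' bucket plus one bucket per section.
    '!', 'end' or the next section header closes the current section."""
    sections = {"global": []}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!" or line == "end":
            current = "global"
            continue
        if SECTION_RE.match(line):
            current = line
            sections[current] = []
            continue
        sections[current].append(line)
    return sections


def _first(body, pattern):
    """First regex match of pattern over a section's lines, else None."""
    for line in body:
        m = re.match(pattern, line)
        if m:
            return m
    return None


def audit(text):
    """Resolve the effective login method list per line, unused lists, vty
    source restrictions, and each interface's NAT / ACL / inspection role."""
    s = parse_sections(text)
    glob = s["global"]
    aaa = "aaa new-model" in glob
    lists = {}
    for line in glob:
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    m = _first(glob, r"ip nat inside source list \S+ interface (\S+) overload")
    report = {"aaa_new_model": aaa, "lists": lists, "lines": {}, "interfaces": {},
              "nat_overload_interface": m.group(1) if m else None, "findings": []}
    applied = set()
    for header, body in s.items():
        if header.startswith("line "):
            name = header[5:]
            la = _first(body, r"login authentication (\S+)")
            if la:
                applied.add(la.group(1))
            effective = (la.group(1) if la else "default") if aaa else None
            methods = lists.get(effective, []) if aaa else []
            ac = _first(body, r"access-class (\S+) in")
            ti = _first(body, r"transport input (.+)")
            report["lines"][name] = {
                "list": effective, "methods": methods,
                "transport_input": ti.group(1) if ti else None,
                "access_class": ac.group(1) if ac else None,
                "has_line_password": any(l.startswith("password ") for l in body),
                "line_password_used": "line" in methods,   # only the 'line' method reads it
            }
        elif header.startswith("interface "):
            name = header[10:]
            nat = _first(body, r"ip nat (inside|outside)$")
            ag = _first(body, r"ip access-group (\S+) (in|out)")
            ins = _first(body, r"ip inspect (\S+) (in|out)")
            report["interfaces"][name] = {
                "nat": nat.group(1) if nat else None,
                "access_group": ag.groups() if ag else None,
                "inspect": ins.groups() if ins else None,
            }
    report["unused_lists"] = sorted(set(lists) - {"default"} - applied)

    f = report["findings"]
    for name, e in report["lines"].items():
        if aaa:
            f.append(f"line {name}: list '{e['list']}' -> {e['methods'] or 'NOT DEFINED'}")
            if e["has_line_password"] and not e["line_password_used"]:
                f.append(f"line {name}: 'password' is set but never consulted")
        if name.startswith("vty") and e["access_class"] is None:
            f.append(f"line {name}: no access-class; any host reaching any interface address may try to log in")
    if report["unused_lists"]:
        f.append("method lists applied to no line: " + ", ".join(report["unused_lists"]))
    for name, i in report["interfaces"].items():
        f.append(f"{name}: nat={i['nat']} access-group={i['access_group']} inspect={i['inspect']}")
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

    Feed it the full "show running" output and read the interface lines together with Javier's reply: the SYN for an SSH session to the Serial0/0:0 address arrives on the NAT-outside interface if you come from the Internet, but on the NAT-inside, ACL-filtered, inspected FastEthernet0/1 if you test from the LAN, and the router's reply leaves by whichever interface routes back to you, so the two tests exercise different paths even though the vty and AAA configuration is identical for both.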
