Re: CISCO FW IOS with allowing SSH to it from outside

From: NoOne Important (lm_nguyen@xxxxxxxxxxx)
Date: Tue Feb 13 2001 - 15:58:49 GMT-3

dude,
I do that all the time :) it's different from the pix.

>From: "Sam Munzani" <sam@munzani.com>
>Reply-To: "Sam Munzani" <sam@munzani.com>
>To: "NoOne Important" <lm_nguyen@hotmail.com>, <ccielab@groupstudy.com>
>Subject: Re: CISCO FW IOS with allowing SSH to it from outside
>Date: Tue, 13 Feb 2001 12:42:44 -0600
>
>I am just curious if FW IOS behaves just like PIX for management. On PIX you
>can't telnet from outside interface at all. IOS FW does stateful inspection
>same way as PIX. This could be a security feature. Is anybody out there
>able to telnet to an IOS FW router from internet?
>
>Sam
>
> > uhm
> > we overlooked the fact that you didn't put log or log-input after your
> > telnet and ssh and only on the deny statement.
> >
> >
> >
> > >From: "Sam Munzani" <sam@munzani.com>
> > >Reply-To: "Sam Munzani" <sam@munzani.com>
> > >To: "NoOne Important" <lm_nguyen@hotmail.com>, <ccielab@groupstudy.com>
> > >Subject: Re: CISCO FW IOS with allowing SSH to it from outside
> > >Date: Tue, 13 Feb 2001 12:28:31 -0600
> > >
> > >You are right. xxx.xxx.xxx.xxx is my ethernet ip addr. The funny thing is,
> > >Nothing is captured in log file. If I try to ping any internal host from
> > >outside, that gets logged but not my telnet or SSH attempts.
> > >
> > >Sam
> > >
> > > > xxxxxxxxxx i assume is your ethernet address? if so, i
> > > > dun really see what's wrong maybe check typos check to see if there's any
> > > > access-group defined under vty...check routing...etc see if there is any
> > > > other access-list blocking the traffic before it even gets there
> > > > turn on logging console and see what happens when telnet or ssh to the
> > > > router....
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > >From: "Sam Munzani" <sam@munzani.com>
> > > > >Reply-To: "Sam Munzani" <sam@munzani.com>
> > > > >To: <ccielab@groupstudy.com>
> > > > >Subject: CISCO FW IOS with allowing SSH to it from outside
> > > > >Date: Tue, 13 Feb 2001 11:19:58 -0600
> > > > >
> > > > >Hi Group,
> > > > >
> > > > >I installed CISCO FW ios with CBAC commands standard configuration.
> > > > >Works great and for management, I can telnet and SSH to the box from
> > > > >internal network. Following access is applied to the outside interface.
> > > > >
> > > > >access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq 22
> > > > >access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq 23
> > > > >access-list 100 deny ip any any log
> > > > >
> > > > >ip inspect name test_fw tcp
> > > > >ip inspect name test_fw udp
> > > > >ip inspect name test_fw cuseeme
> > > > >ip inspect name test_fw ftp
> > > > >ip inspect name test_fw h323
> > > > >ip inspect name test_fw rcmd
> > > > >ip inspect name test_fw realaudio
> > > > >ip inspect name test_fw smtp
> > > > >ip inspect name test_fw streamworks
> > > > >ip inspect name test_fw vdolive
> > > > >ip inspect name test_fw sqlnet
> > > > >ip inspect name test_fw tftp
> > > > >
> > > > >
> > > > >int e0/0
> > > > >description Outside interface
> > > > >ip address xxx.xxx.xxx.xxx 255.255.255.0
> > > > >ip inspect test_fw out
> > > > >ip access-group 100 in
> > > > >
> > > > >Telnet & SSH works fine from inside but not from outside. Any
> > > > >suggestions?
> > > > >
> > > > >Regards,
> > > > >
> > > > >Sam Munzani
> > > > >CCIE # 6479, CCNP, CCDP, MCSE, CNE 5, SCO Master ACE, HP Openview
> > > > >Consultant
> > > > >
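The outside access-list from Sam's original post, rewritten below as an added example of how a defender would tighten and instrument it; this is not configuration from the thread and does not claim to resolve Sam's problem. It assumes a single management host 192.0.2.10 (a constructed address), keeps the router's outside address as xxx.xxx.xxx.xxx, puts the `log-input` keyword on the management entries (the thread points out that only the deny line carried `log`), drops telnet in favour of SSH, and adds the vty `access-class` the thread suggests checking, so the line is filtered whichever interface a session arrives on.

```cisco
! Added example, not from the thread. xxx.xxx.xxx.xxx is the router's outside
! address as written in the post; 192.0.2.10 is a constructed management host.
!
! Management access to the router itself: one permitted source, and log-input
! on these entries so attempts (allowed or refused) appear in syslog with the
! ingress interface and source MAC, not just the final deny.
access-list 100 permit tcp host 192.0.2.10 host xxx.xxx.xxx.xxx eq 22 log-input
access-list 100 deny   tcp any host xxx.xxx.xxx.xxx eq 22 log-input
access-list 100 deny   tcp any host xxx.xxx.xxx.xxx eq 23 log-input
access-list 100 deny   ip any any log
!
! Standard ACL applied to the vty lines; this is evaluated for every inbound
! session regardless of which interface it came in on.
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
!
! Interface and CBAC settings as in the post, unchanged.
int e0/0
 description Outside interface
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip inspect test_fw out
 ip access-group 100 in
```

With `logging buffered` enabled, `show logging` then shows a line per matched management entry, which is the quickest way to confirm whether the SSH packets are reaching the outside interface at all.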



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:47 GMT-3