Re: CISCO FW IOS with allowing SSH to it from outside

From: Ron.Fuller@xxxxxx
Date: Tue Feb 13 2001 - 16:31:04 GMT-3

The IOS FW is similar in that it is a stateful firewall, but it does allow
telnet from the outside. You need to explicitly permit telnet from the
desired source network to the host address of the outside interface using
the access-list you create. The IOS FW uses the access-list as a starter
for adding the dynamic entries for return traffic it inspects as it goes
out. Pretty cool stuff, I think. Good, cheap firewall for the masses. :)

Ron Fuller, CCIE #5851, CCDP, CCNP-ATM, CCNP-Security, CCNP-Voice, MCNE
3X Corporation
rfuller@3x.com

"Sam Munzani" <sam@munzani.com>
Sent by: nobody@groupstudy.com
02/13/2001 01:42 PM
Please respond to "Sam Munzani"

To: "NoOne Important" <lm_nguyen@hotmail.com>, <ccielab@groupstudy.com>
cc:
Subject: Re: CISCO FW IOS with allowing SSH to it from outside

I am just curious if FW IOS behaves just like PIX for management. On PIX you
can't telnet from the outside interface at all. IOS FW does stateful inspection
the same way as PIX. This could be a security feature. Is anybody out there
able to telnet to an IOS FW router from the internet?

Sam

> uhm
> we overlooked the fact that you didn't put log or log-input after your
> telnet and ssh and only on the deny statement.
>
>
>
> >From: "Sam Munzani" <sam@munzani.com>
> >Reply-To: "Sam Munzani" <sam@munzani.com>
> >To: "NoOne Important" <lm_nguyen@hotmail.com>, <ccielab@groupstudy.com>
> >Subject: Re: CISCO FW IOS with allowing SSH to it from outside
> >Date: Tue, 13 Feb 2001 12:28:31 -0600
> >
> >You are right. xxx.xxx.xxx.xxx is my ethernet ip addr. The funny thing is,
> >nothing is captured in the log file. If I try to ping any internal host from
> >outside, that gets logged but not my telnet or SSH attempts.
> >
> >Sam
> >
> > > xxxxxxxxxx i assume is your ethernet address? if so, i
> > > dun really see what's wrong. maybe check typos, check to see if there's any
> > > access-group defined under vty... check routing... etc. see if there is any
> > > other access-list blocking the traffic before it even gets there.
> > > turn on logging console and see what happens when you telnet or ssh to the
> > > router....
> > >
> > >
> > >
> > >
> > >
> > > >From: "Sam Munzani" <sam@munzani.com>
> > > >Reply-To: "Sam Munzani" <sam@munzani.com>
> > > >To: <ccielab@groupstudy.com>
> > > >Subject: CISCO FW IOS with allowing SSH to it from outside
> > > >Date: Tue, 13 Feb 2001 11:19:58 -0600
> > > >
> > > >Hi Group,
> > > >
> > > >I installed CISCO FW ios with the CBAC commands standard configuration.
> > > >Works great, and for management I can telnet and SSH to the box from the
> > > >internal network. The following access list is applied to the outside
> > > >interface.
> > > >
> > > >access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq 22
> > > >access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq 23
> > > >access-list 100 deny ip any any log
> > > >
> > > >ip inspect name test_fw tcp
> > > >ip inspect name test_fw udp
> > > >ip inspect name test_fw cuseeme
> > > >ip inspect name test_fw ftp
> > > >ip inspect name test_fw h323
> > > >ip inspect name test_fw rcmd
> > > >ip inspect name test_fw realaudio
> > > >ip inspect name test_fw smtp
> > > >ip inspect name test_fw streamworks
> > > >ip inspect name test_fw vdolive
> > > >ip inspect name test_fw sqlnet
> > > >ip inspect name test_fw tftp
> > > >
> > > >
> > > >int e0/0
> > > >Descr Outside interface
> > > >ip address xxx.xxx.xxx.xxx 255.255.255.0
> > > >ip inspect test_fw out
> > > >ip access-group 100 in
> > > >
> > > >Telnet & SSH work fine from inside but not from outside. Any
> > > >suggestions?
> > > >
> > > >Regards,
> > > >
> > > >Sam Munzani
> > > >CCIE # 6479, CCNP, CCDP, MCSE, CNE 5, SCO Master ACE, HP Openview
> > > >Consultant
> > > >
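Putting Ron's point (the outside ACL must explicitly permit the management source to the outside interface's host address; CBAC only adds the dynamic return entries) together with NoOne's observation about the missing log keyword, here is what a locked-down version of Sam's outside ACL and vty configuration could look like. This is an added example, not configuration from anyone in the thread; the addresses (192.0.2.1 as the outside interface, 203.0.113.0/24 as the management network), the user name and the ACL numbers are constructed placeholders.

```cisco
! Added example: management access to an IOS Firewall router from outside,
! restricted to one management network and to SSH only. Addresses are
! constructed placeholders (RFC 5737), not anyone's real network.
!
! Outside interface: 192.0.2.1/24   Management network: 203.0.113.0/24
!
! Permit SSH only, only from the management network, only to the router's
! own outside address. "log" on the permit line is what the thread found
! missing: without it, accepted SSH/telnet attempts never appear in the log,
! only the denies do.
access-list 100 permit tcp 203.0.113.0 0.0.0.255 host 192.0.2.1 eq 22 log
! Return traffic for sessions started from inside is added dynamically by
! CBAC ("ip inspect ... out" below); nothing else is opened statically.
access-list 100 deny ip any any log-input
!
! CBAC inspection rules as in the original post, cut down to the protocols
! actually in use on this constructed network.
ip inspect name test_fw tcp
ip inspect name test_fw udp
ip inspect name test_fw ftp
!
interface Ethernet0/0
 description Outside interface
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
 ip inspect test_fw out
!
! Second layer: the vty lines themselves accept SSH only and only from the
! same management network, so a slip in access-list 100 alone does not
! expose a login prompt to the whole internet.
access-list 10 permit 203.0.113.0 0.0.0.255
access-list 10 deny any log
!
! SSH also needs hostname, ip domain-name and crypto key generate rsa,
! configured separately and omitted here.
username admin privilege 15 secret <strong-password-placeholder>
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
```

Telnet (port 23) is deliberately not opened at all; if it must stay for a transition period, give it the same source restriction and log keyword as the SSH line rather than "permit tcp any".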



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:47 GMT-3