Re: CISCO FW IOS with allowing SSH to it from outside

From: Sam Munzani (sam@xxxxxxxxxxx)
Date: Tue Feb 13 2001 - 16:52:22 GMT-3


Here are my full configs with the IP addresses changed a bit. Tell me, what am I
doing wrong?

version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default local
enable password 7 045C1E031C32455A
!
username admin password 1234
ip subnet-zero
no ip source-route
!
!
no ip finger
ip domain-name xyz.com
ip name-server 1.1.1.1
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound cuseeme
ip inspect name outbound ftp
ip inspect name outbound h323
ip inspect name outbound rcmd
ip inspect name outbound realaudio
ip inspect name outbound smtp
ip inspect name outbound streamworks
ip inspect name outbound vdolive
ip inspect name outbound sqlnet
ip inspect name outbound tftp
!
ip inspect name mail smtp
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 3
!
!
call rsvp-sync
cns event-service server
!
!
!
interface FastEthernet0/0
 description connection to Internal Network
 ip address 192.168.100.2 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Connection to Internet
 ip address 2.2.2.2 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip inspect outbound out
 ip inspect mail in
 duplex auto
 speed auto
!
ip kerberos source-interface any
ip nat pool legal_ip 2.2.2.3 2.2.2.10 netmask 255.255.255.0
ip nat inside source route-map nonat pool legal_ip overload
ip nat inside source static 192.168.100.5 2.2.2.15
ip classless
ip route 0.0.0.0 0.0.0.0 2.2.2.1
no ip http server
!
logging source-interface FastEthernet0/0
logging 192.168.100.11
access-list 101 permit tcp any host 2.2.2.15 eq smtp
access-list 101 permit tcp any host 2.2.2.15 eq www
access-list 101 permit tcp any host 2.2.2.15 eq 443
access-list 101 permit tcp any host 2.2.2.15 eq pop3
access-list 101 permit tcp any host 2.2.2.15 eq 143
access-list 101 permit tcp any host 2.2.2.2 eq 22
access-list 101 permit tcp any host 2.2.2.2 eq telnet
access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
access-list 160 permit ip any any
no cdp run
!
route-map nonat permit 10
 match ip address 160
!
!
!
line con 0
 exec-timeout 0 0
 password 7 094F471A1A0A
 transport input none
line aux 0
 password 7 070834495D1A1011
line vty 0 4
 password 7 104D000A0618
 transport input telnet ssh
!
end
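As an added example (not part of the post, and not Cisco tooling), here is a small Python audit of the management-plane settings in a config like the one above. It flags the points a reviewer would raise on this config: telnet allowed alongside SSH both on the vty lines and by the inbound ACL, no access-class on the vty lines, an aux line that does not disable transport input, a type-7 enable password with no enable secret, and a cleartext local username password. The excerpt it runs on is constructed from the posted config, not taken from a live device.

```python
"""Audit a Cisco IOS config excerpt for remote-management exposure (added, defensive check)."""
import re

# Constructed excerpt modelled on the posted config (addresses are the post's placeholders).
SAMPLE_CONFIG = """\
enable password 7 045C1E031C32455A
username admin password 1234
ip ssh time-out 60
access-list 101 permit tcp any host 2.2.2.2 eq 22
access-list 101 permit tcp any host 2.2.2.2 eq telnet
line aux 0
 password 7 070834495D1A1011
line vty 0 4
 password 7 104D000A0618
 transport input telnet ssh
"""

def blocks(config):
    """Split the config into (header, [child lines]) pairs; global commands have no children."""
    out = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and out:      # indented line belongs to the previous header
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out

def audit(config):
    """Return hardening findings relevant to exposing the management plane."""
    findings = []
    heads = [h for h, _ in blocks(config)]
    if not any(h.startswith("enable secret") for h in heads):
        findings.append("no 'enable secret': a type-7 enable password is reversible")
    if any(re.match(r"username \S+ password (?!7 )", h) for h in heads):
        findings.append("local username stored with a cleartext password")
    if not any(h.startswith("ip ssh") for h in heads):
        findings.append("no 'ip ssh' lines: SSH server does not appear to be enabled")
    if any(re.match(r"access-list \d+ permit tcp any host \S+ eq telnet", h) for h in heads):
        findings.append("inbound ACL permits telnet to the router from any source")
    for header, kids in blocks(config):
        if header.startswith("line vty"):
            if any(k.startswith("transport input") and "telnet" in k for k in kids):
                findings.append(header + ": transport input allows cleartext telnet")
            if not any(k.startswith("access-class") for k in kids):
                findings.append(header + ": no access-class limiting management sources")
        elif header.startswith("line aux") and "transport input none" not in kids:
            findings.append(header + ": aux line does not disable transport input")
    return findings
```

Running `audit(SAMPLE_CONFIG)` returns six findings for the excerpt; a config with `enable secret`, `transport input ssh` plus an `access-class` on the vty lines, and `transport input none` on the aux line returns none.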

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:47 GMT-3