Re: CISCO FW IOS with allowing SSH to it from outside

From: Sam Munzani (sam@xxxxxxxxxxx)
Date: Tue Feb 13 2001 - 17:29:01 GMT-3

That was the plan when some VPN sites join through. Internal network is hard
to summarize since its IP scheme sucks. I will update access-list 160 and
let you know what happens.

Sam

> You should buy me a six-pack if this works out for you :)
> Change access-list 160 to permit only the inside network. Don't permit any
> any. This somehow got the serial interface mixed up...
> NAT works in mysterious ways, eh? :)
> debug ip nat detail on your router
> and run snoop or some sort of sniffing software on wherever you try to
> telnet from to see what's going on.
>
>
>
>
> >From: "Sam Munzani" <sam@munzani.com>
> >Reply-To: "Sam Munzani" <sam@munzani.com>
> >To: <Ron.Fuller@3x.com>
> >CC: <ccielab@groupstudy.com>, "NoOne Important" <lm_nguyen@hotmail.com>,
> > <nobody@groupstudy.com>
> >Subject: Re: CISCO FW IOS with allowing SSH to it from outside
> >Date: Tue, 13 Feb 2001 13:52:22 -0600
> >
> >Here is my full config with IP addresses changed a bit. Tell me, what am I
> >doing wrong?
> >
> >version 12.1
> >no service single-slot-reload-enable
> >service timestamps debug uptime
> >service timestamps log uptime
> >service password-encryption
> >!
> >hostname cisco
> >!
> >logging buffered 4096 debugging
> >logging rate-limit console 10 except errors
> >aaa new-model
> >aaa authentication login default local
> >enable password 7 045C1E031C32455A
> >!
> >username admin password 1234
> >ip subnet-zero
> >no ip source-route
> >!
> >!
> >no ip finger
> >ip domain-name xyz.com
> >ip name-server 1.1.1.1
> >!
> >ip inspect max-incomplete high 1100
> >ip inspect max-incomplete low 900
> >ip inspect one-minute high 1100
> >ip inspect one-minute low 900
> >ip inspect name outbound tcp
> >ip inspect name outbound udp
> >ip inspect name outbound cuseeme
> >ip inspect name outbound ftp
> >ip inspect name outbound h323
> >ip inspect name outbound rcmd
> >ip inspect name outbound realaudio
> >ip inspect name outbound smtp
> >ip inspect name outbound streamworks
> >ip inspect name outbound vdolive
> >ip inspect name outbound sqlnet
> >ip inspect name outbound tftp
> >!
> >ip inspect name mail smtp
> >!
> >ip audit notify log
> >ip audit po max-events 100
> >ip ssh time-out 60
> >ip ssh authentication-retries 3
> >!
> >!
> >call rsvp-sync
> >cns event-service server
> >!
> >!
> >!
> >interface FastEthernet0/0
> > description connection to Internal Network
> > ip address 192.168.100.2 255.255.255.0
> > ip nat inside
> > duplex auto
> > speed auto
> >!
> >interface FastEthernet0/1
> > description Connection to Internet
> > ip address 2.2.2.2 255.255.255.0
> > ip access-group 101 in
> > ip nat outside
> > ip inspect outbound out
> > ip inspect mail in
> > duplex auto
> > speed auto
> >!
> >ip kerberos source-interface any
> >ip nat pool legal_ip 2.2.2.3 2.2.2.10 netmask 255.255.255.0
> >ip nat inside source route-map nonat pool legal_ip overload
> >ip nat inside source static 192.168.100.5 2.2.2.15
> >ip classless
> >ip route 0.0.0.0 0.0.0.0 2.2.2.1
> >no ip http server
> >!
> >logging source-interface FastEthernet0/0
> >logging 192.168.100.11
> >access-list 101 permit tcp any host 2.2.2.15 eq smtp
> >access-list 101 permit tcp any host 2.2.2.15 eq www
> >access-list 101 permit tcp any host 2.2.2.15 eq 443
> >access-list 101 permit tcp any host 2.2.2.15 eq pop3
> >access-list 101 permit tcp any host 2.2.2.15 eq 143
> >access-list 101 permit tcp any host 2.2.2.2 eq 22
> >access-list 101 permit tcp any host 2.2.2.2 eq telnet
> >access-list 101 deny tcp any any
> >access-list 101 deny udp any any
> >access-list 101 permit icmp any any echo-reply
> >access-list 101 permit icmp any any time-exceeded
> >access-list 101 permit icmp any any packet-too-big
> >access-list 101 permit icmp any any traceroute
> >access-list 101 permit icmp any any unreachable
> >access-list 101 deny ip any any log
> >access-list 160 permit ip any any
> >no cdp run
> >!
> >route-map nonat permit 10
> > match ip address 160
> >!
> >!
> >!
> >line con 0
> > exec-timeout 0 0
> > password 7 094F471A1A0A
> > transport input none
> >line aux 0
> > password 7 070834495D1A1011
> >line vty 0 4
> > password 7 104D000A0618
> > transport input telnet ssh
> >!
> >end
> >
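An added check, not part of the thread, for the mis-scoped NAT ACL the reply points at: it walks an IOS config for `ip nat inside source route-map`, follows each route-map's `match ip address` to its numbered ACL, and reports entries whose source is `any`. The config text is a constructed excerpt of the posted config (assumption: only numbered ACLs and single-level route-map stanzas need parsing), and `FIXED_CFG` swaps in the inside-only ACL the reply recommends.

```python
import re

# Constructed sample: only the NAT-relevant lines of the posted config, not the
# whole thing. FIXED_CFG replaces the any/any entry with an inside-only one.
BROKEN_CFG = """\
ip nat inside source route-map nonat pool legal_ip overload
ip nat inside source static 192.168.100.5 2.2.2.15
access-list 101 permit tcp any host 2.2.2.2 eq 22
access-list 160 permit ip any any
route-map nonat permit 10
 match ip address 160
"""
FIXED_CFG = BROKEN_CFG.replace(
    "access-list 160 permit ip any any",
    "access-list 160 permit ip 192.168.100.0 0.0.0.255 any",
)


def nat_route_map_acls(cfg):
    """Map each route-map named in 'ip nat inside source route-map' to the
    numbered ACLs its 'match ip address' clauses reference."""
    nat_maps = set(re.findall(r"^ip nat inside source route-map (\S+)", cfg, re.M))
    acls, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"route-map (\S+) (?:permit|deny) \d+", line)
        if m:
            current = m.group(1) if m.group(1) in nat_maps else None
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the stanza
        elif current:
            m = re.match(r"\s+match ip address (.+)", line)
            if m:
                acls.setdefault(current, []).extend(m.group(1).split())
    return acls


def overly_broad_nat_acls(cfg):
    """Return (route_map, acl, entry) for each entry of a NAT route-map ACL
    whose source is 'any': it selects traffic for translation regardless of
    where it came from, which is what the reply blames for the SSH/telnet
    trouble. ACLs used elsewhere (e.g. inbound filter 101) are not reported."""
    findings = []
    for rmap, acl_ids in nat_route_map_acls(cfg).items():
        for acl in acl_ids:
            pattern = rf"^access-list {re.escape(acl)} permit (?:\S+ )?any\b.*"
            for entry in re.findall(pattern, cfg, re.M):
                findings.append((rmap, acl, entry))
    return findings
```

Running `overly_broad_nat_acls` on the posted excerpt reports route-map `nonat` via ACL 160; on the fixed excerpt it reports nothing.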



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:47 GMT-3