Re: CISCO FW IOS with allowing SSH to it from outside

From: Sam Munzani (sam@xxxxxxxxxxx)
Date: Wed Feb 14 2001 - 10:54:47 GMT-3


That makes perfect sense. However, PIX could at least let you SSH in from
outside. This CBAC doesn't let me do that either. Actually that's the way it
should be for a secure environment, but I like to have at least SSH open from
outside for remote management.

Sam

> Sam,
>
> Now that I think about it, I've never been able to telnet to the outside
> interface of a CBAC router either. Must be like a PIX. Usually I set up a
> static NAT to the inside interface and allow telnet to that.
>
> Chuck
>
> -----Original Message-----
> From: Sam Munzani [mailto:sam@munzani.com]
> Sent: Tuesday, February 13, 2001 1:43 PM
> To: NoOne Important; ccielab@groupstudy.com
> Subject: Re: CISCO FW IOS with allowing SSH to it from outside
>
>
> I am just curious if FW IOS behaves just like PIX for management. On PIX you
> can't telnet from the outside interface at all. IOS FW does stateful inspection
> the same way as PIX. This could be a security feature. Is anybody out there
> able to telnet to an IOS FW router from the internet?
>
> Sam
>
> > uhm
> > we overlooked the fact that you didn't put log or log-input after your
> > telnet and ssh and only on the deny statement.
> >
> >
> >
> > >From: "Sam Munzani" <sam@munzani.com>
> > >Reply-To: "Sam Munzani" <sam@munzani.com>
> > >To: "NoOne Important" <lm_nguyen@hotmail.com>, <ccielab@groupstudy.com>
> > >Subject: Re: CISCO FW IOS with allowing SSH to it from outside
> > >Date: Tue, 13 Feb 2001 12:28:31 -0600
> > >
> > >You are right. xxx.xxx.xxx.xxx is my ethernet ip addr. The funny thing is,
> > >nothing is captured in the log file. If I try to ping any internal host from
> > >outside, that gets logged but not my telnet or SSH attempts.
> > >
> > >Sam
> > >
> > > > xxxxxxxxxx i assume is your ethernet address? if so, i
> > > > dun really see what's wrong maybe check typos check to see if there's
> > > > any access-group define under vty...check routing...etc see if there is
> > > > any other access-list block the traffic before it even get there
> > > > turn on logging console and see what happen when telnet or ssh to the
> > > > router....
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > >From: "Sam Munzani" <sam@munzani.com>
> > > > >Reply-To: "Sam Munzani" <sam@munzani.com>
> > > > >To: <ccielab@groupstudy.com>
> > > > >Subject: CISCO FW IOS with allowing SSH to it from outside
> > > > >Date: Tue, 13 Feb 2001 11:19:58 -0600
> > > > >
> > > > >Hi Group,
> > > > >
> > > > >I installed CISCO FW ios with CBAC commands standard configuration.
> > > > >Works great and for management, I can telnet and SSH to the box from
> > > > >internal network. Following access is applied to the outside interface.
> > > > >
> > > > >access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq 22
> > > > >access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq 23
> > > > >access-list 100 deny ip any any log
> > > > >
> > > > >ip inspect name test_fw tcp
> > > > >ip inspect name test_fw udp
> > > > >ip inspect name test_fw cuseeme
> > > > >ip inspect name test_fw ftp
> > > > >ip inspect name test_fw h323
> > > > >ip inspect name test_fw rcmd
> > > > >ip inspect name test_fw realaudio
> > > > >ip inspect name test_fw smtp
> > > > >ip inspect name test_fw streamworks
> > > > >ip inspect name test_fw vdolive
> > > > >ip inspect name test_fw sqlnet
> > > > >ip inspect name test_fw tftp
> > > > >
> > > > >
> > > > >int e0/0
> > > > >Descr Outside interface
> > > > >ip address xxx.xxx.xxx.xxx 255.255.255.0
> > > > >ip inspect test_fw out
> > > > >ip access-group 100 in
> > > > >
> > > > >Telnet & SSH works fine from inside but not from outside. Any
> > > > >suggestions?
> > > > >
> > > > >Regards,
> > > > >
> > > > >Sam Munzani
> > > > >CCIE # 6479, CCNP, CCDP, MCSE, CNE 5, SCO Master ACE, HP Openview
> > > > >Consultant
> > > > >
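The thread turns on one observation: the deny entry of access-list 100 carries `log`, the two permit entries do not, so a telnet or SSH packet that reaches the ACL and matches a permit leaves no log entry, while a ping to an inside host falls through to the logged deny. The following is an added example, not code from the thread or from Cisco: a small Python evaluator that parses the three ACL lines quoted above (with a constructed placeholder address standing in for the masked xxx.xxx.xxx.xxx) and applies IOS first-match semantics, reporting whether a given packet is permitted and whether that match would be logged. It also lists permit entries that lack `log`/`log-input`, which is the audit check the reply in the thread was making by hand.

```python
"""Ordered first-match evaluation of a Cisco IOS numbered extended ACL.

Added example, not from the original thread. Supports only the ACE shapes
used in the post: `permit|deny <proto> any|host A.B.C.D any|host A.B.C.D
[eq <port>] [log|log-input]`. The implicit deny at the end of every IOS
ACL is modelled as unlogged, which matches IOS behaviour.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder for the masked outside address in the post.
OUTSIDE_IP = "192.0.2.1"

# The three ACL lines from the original post, with the placeholder substituted.
ACL_100 = f"""
access-list 100 permit tcp any host {OUTSIDE_IP} eq 22
access-list 100 permit tcp any host {OUTSIDE_IP} eq 23
access-list 100 deny ip any any log
"""

ACE_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?(?:\s+(?P<log>log-input|log))?\s*$"
)


@dataclass
class Ace:
    action: str
    proto: str
    src: Optional[str]   # None means "any"
    dst: Optional[str]   # None means "any"
    port: Optional[int]  # destination port from "eq", if present
    log: Optional[str]   # "log", "log-input" or None
    text: str            # original line, for reporting


def _host(field: str) -> Optional[str]:
    return None if field == "any" else field.split()[1]


def parse_acl(text: str) -> List[Ace]:
    """Parse the supported subset of IOS extended ACL syntax, in order."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        aces.append(Ace(
            action=m["action"], proto=m["proto"],
            src=_host(m["src"]), dst=_host(m["dst"]),
            port=int(m["port"]) if m["port"] else None,
            log=m["log"], text=line.strip(),
        ))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, bool, str]:
    """Return (action, logged, matching entry). First match wins.

    An ACE with protocol "ip" matches any protocol; an ACE without "eq"
    matches any destination port.
    """
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src is not None and ace.src != src:
            continue
        if ace.dst is not None and ace.dst != dst:
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace.action, ace.log is not None, ace.text
    # Nothing matched: IOS drops the packet silently.
    return "deny", False, "implicit deny (not logged)"


def unlogged_permits(aces: List[Ace]) -> List[str]:
    """Permit entries that match silently: a hit on them leaves no log line."""
    return [a.text for a in aces if a.action == "permit" and a.log is None]


if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    # Constructed sample packets: SSH to the router's outside address and a
    # ping to an inside host, both from an outside source.
    print(evaluate(acl, "tcp", "203.0.113.5", OUTSIDE_IP, 22))
    print(evaluate(acl, "icmp", "203.0.113.5", "10.0.0.7"))
    print("permits without log:", unlogged_permits(acl))
```

Running it reproduces the pattern Sam reported: the ping is denied by the logged entry and shows up, the SSH packet hits the first permit and produces nothing, so an empty log cannot tell you whether the SSH packet reached the interface ACL at all. Only a `log` or `log-input` on the permit entries (or an interface or CBAC counter) would confirm arrival.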



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:48 GMT-3