From: NoOne Important (lm_nguyen@xxxxxxxxxxx)
Date: Wed Feb 14 2001 - 17:25:13 GMT-3
<html><DIV>
<P>If you have the access-list permit any any in the route-map, then the return traffic coming back to wherever you telnet or ssh from will get translated by your pool, hence the TCP session gets screwed up. If you telnet or ssh from a Sun machine, turn on snoop to see. Also use debug ip nat detail on your router to see the translation. One way is just to permit the inside network through access-list 160; if not, you could deny your WAN IP first, then permit any any.</P></DIV>
>From: "Sam Munzani" <SAM@MUNZANI.COM>
>Reply-To: "Sam Munzani" <SAM@MUNZANI.COM>
>To: "Rampley, Jim" <JIM.RAMPLEY@AGEDWARDS.COM>
>CC: <CCIELAB@GROUPSTUDY.COM>
>Subject: Re: CISCO FW IOS with allowing SSH to it from outside
>Date: Wed, 14 Feb 2001 14:02:17 -0600
>
>RE: CISCO FW IOS with allowing SSH to it from outside
>If you don't apply an outbound access-list, that means you permit everything outbound with stateful inspection. Inbound is taken care of by drilling holes in the access-list. I don't have much luck with it so far. Telnet from inside works great though.
>
>Sam
> ----- Original Message -----
> From: Rampley, Jim
> To: 'Sam Munzani' ; Ron.Fuller@3x.com
> Cc: ccielab@groupstudy.com ; NoOne Important ; nobody@groupstudy.com
> Sent: Wednesday, February 14, 2001 1:43 PM
> Subject: RE: CISCO FW IOS with allowing SSH to it from outside
>
> Don't you need an outbound access-list on fa0/1? I just set this up a few weeks back from the doc CD examples and was able to telnet both ways.
>
> Jim
>
> -----Original Message-----
> From: Sam Munzani [SMTP:sam@munzani.com]
> Sent: Tuesday, February 13, 2001 1:52 PM
> To: Ron.Fuller@3x.com
> Cc: ccielab@groupstudy.com; NoOne Important; nobody@groupstudy.com
> Subject: Re: CISCO FW IOS with allowing SSH to it from outside
>
> Here is my full config with IP addresses changed a bit. Tell me what I am doing wrong.
>
> version 12.1
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname cisco
> !
> logging buffered 4096 debugging
> logging rate-limit console 10 except errors
> aaa new-model
> aaa authentication login default local
> enable password 7 045C1E031C32455A
> !
> username admin password 1234
> ip subnet-zero
> no ip source-route
> !
> !
> no ip finger
> ip domain-name xyz.com
> ip name-server 1.1.1.1
> !
> ip inspect max-incomplete high 1100
> ip inspect max-incomplete low 900
> ip inspect one-minute high 1100
> ip inspect one-minute low 900
> ip inspect name outbound tcp
> ip inspect name outbound udp
> ip inspect name outbound cuseeme
> ip inspect name outbound ftp
> ip inspect name outbound h323
> ip inspect name outbound rcmd
> ip inspect name outbound realaudio
> ip inspect name outbound smtp
> ip inspect name outbound streamworks
> ip inspect name outbound vdolive
> ip inspect name outbound sqlnet
> ip inspect name outbound tftp
> !
> ip inspect name mail smtp
> !
> ip audit notify log
> ip audit po max-events 100
> ip ssh time-out 60
> ip ssh authentication-retries 3
> !
> !
> call rsvp-sync
> cns event-service server
> !
> !
> !
> interface FastEthernet0/0
>  description connection to Internal Network
>  ip address 192.168.100.2 255.255.255.0
>  ip nat inside
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  description Connection to Internet
>  ip address 2.2.2.2 255.255.255.0
>  ip access-group 101 in
>  ip nat outside
>  ip inspect outbound out
>  ip inspect mail in
>  duplex auto
>  speed auto
> !
> ip kerberos source-interface any
> ip nat pool legal_ip 2.2.2.3 2.2.2.10 netmask 255.255.255.0
> ip nat inside source route-map nonat pool legal_ip overload
> ip nat inside source static 192.168.100.5 2.2.2.15
> ip classless
> ip route 0.0.0.0 0.0.0.0 2.2.2.1
> no ip http server
> !
> logging source-interface FastEthernet0/0
> logging 192.168.100.11
> access-list 101 permit tcp any host 2.2.2.15 eq smtp
> access-list 101 permit tcp any host 2.2.2.15 eq www
> access-list 101 permit tcp any host 2.2.2.15 eq 443
> access-list 101 permit tcp any host 2.2.2.15 eq pop3
> access-list 101 permit tcp any host 2.2.2.15 eq 143
> access-list 101 permit tcp any host 2.2.2.2 eq 22
> access-list 101 permit tcp any host 2.2.2.2 eq telnet
> access-list 101 deny tcp any any
> access-list 101 deny udp any any
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any time-exceeded
> access-list 101 permit icmp any any packet-too-big
> access-list 101 permit icmp any any traceroute
> access-list 101 permit icmp any any unreachable
> access-list 101 deny ip any any log
> access-list 160 permit ip any any
> no cdp run
> !
> route-map nonat permit 10
>  match ip address 160
> !
> !
> !
> line con 0
>  exec-timeout 0 0
>  password 7 094F471A1A0A
>  transport input none
> line aux 0
>  password 7 070834495D1A1011
> line vty 0 4
>  password 7 104D000A0618
>  transport input telnet ssh
> !
> end
>
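As an added example (editor's illustration, not configuration from any of the posters above and not Sam's running config), here is what the two alternatives for access-list 160 suggested at the top of the thread look like in IOS. The interface addresses, inside prefix, pool name and route-map name are taken from Sam's posted config; the comment lines and the verification commands at the end are mine. Apply only one of the two options. The first is the tighter choice: an ACL that selects NAT candidates should describe only the inside hosts you actually intend to translate, rather than every packet the route-map happens to see.

```cisco
! --- As posted: every packet evaluated by route-map nonat is a translation candidate
access-list 160 permit ip any any
!
! --- Option 1 (preferred): only the inside network is eligible for dynamic PAT
no access-list 160
access-list 160 permit ip 192.168.100.0 0.0.0.255 any
!
! --- Option 2: keep permit any any, but exclude the router's own WAN address first.
!     ACL entries are evaluated top-down and the first match wins, so the deny
!     must come before the permit.
no access-list 160
access-list 160 deny   ip host 2.2.2.2 any
access-list 160 permit ip any any
!
! --- Unchanged from the posted config: the route-map and the NAT statement
route-map nonat permit 10
 match ip address 160
!
ip nat inside source route-map nonat pool legal_ip overload
!
! --- Verification (exec mode). Dynamic translations created before the ACL
!     change persist until cleared or aged out, so clear them first, then open
!     a fresh SSH session from outside and watch what gets translated.
clear ip nat translation *
show ip nat translations
show route-map nonat
debug ip nat detailed
```

Leave `debug ip nat detailed` running only for the duration of the test; on a busy link it is verbose, and the `logging rate-limit console` line in the posted config only protects the console, not the buffered log.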
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:48 GMT-3