From: Sam Munzani (sam@xxxxxxxxxxx)
Date: Wed Feb 14 2001 - 17:28:44 GMT-3
You are absolutely right. I fixed my route-map with address ranges I had and it worked fine. What was happening was as below.
My telnet request was reaching there but the reply was getting NATed because of my permit any any access-list.
Thanks,
Sam
----- Original Message -----
From: NoOne Important
To: sam@munzani.com ; Rampley@agedwards.com
Cc: ccielab@groupstudy.com
Sent: Wednesday, February 14, 2001 2:25 PM
Subject: Re: CISCO FW IOS with allowing SSH to it from outside
If you have the access-list permit any any in the route-map, then when the return traffic comes back to wherever you telnet or ssh from, it will get translated by your pool, hence the tcp session gets screwed up. If you telnet or ssh from a sun machine, turn on snoop to see. Also use debug ip nat detail on your router to see the translation. One way is just to permit the inside network through access-list 160...if not you could deny your wan ip first then permit any any.
>From: "Sam Munzani"
>Reply-To: "Sam Munzani"
>To: "Rampley, Jim"
>CC:
>Subject: Re: CISCO FW IOS with allowing SSH to it from outside
>Date: Wed, 14 Feb 2001 14:02:17 -0600
>
>If you don't apply an outbound access-list, that means you permit everything outbound with stateful inspection. Inbound is taken care of by drilling holes in the access-list. I don't have much luck with it so far. Telnet from inside works great though.
>
>Sam
> ----- Original Message -----
> From: Rampley, Jim
> To: 'Sam Munzani' ; Ron.Fuller@3x.com
> Cc: ccielab@groupstudy.com ; NoOne Important ; nobody@groupstudy.com
> Sent: Wednesday, February 14, 2001 1:43 PM
> Subject: RE: CISCO FW IOS with allowing SSH to it from outside
>
> Don't you need an outbound access-list on fa0/1? I just set this up a few weeks back from the doc CD examples and was able to telnet both ways.
>
> Jim
>
> -----Original Message-----
> From: Sam Munzani [SMTP:sam@munzani.com]
> Sent: Tuesday, February 13, 2001 1:52 PM
> To: Ron.Fuller@3x.com
> Cc: ccielab@groupstudy.com; NoOne Important; nobody@groupstudy.com
> Subject: Re: CISCO FW IOS with allowing SSH to it from outside
>
> Here is my full config with IP addresses changed a bit. Tell me, what am I doing wrong?
>
> version 12.1
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname cisco
> !
> logging buffered 4096 debugging
> logging rate-limit console 10 except errors
> aaa new-model
> aaa authentication login default local
> enable password 7 045C1E031C32455A
> !
> username admin password 1234
> ip subnet-zero
> no ip source-route
> !
> !
> no ip finger
> ip domain-name xyz.com
> ip name-server 1.1.1.1
> !
> ip inspect max-incomplete high 1100
> ip inspect max-incomplete low 900
> ip inspect one-minute high 1100
> ip inspect one-minute low 900
> ip inspect name outbound tcp
> ip inspect name outbound udp
> ip inspect name outbound cuseeme
> ip inspect name outbound ftp
> ip inspect name outbound h323
> ip inspect name outbound rcmd
> ip inspect name outbound realaudio
> ip inspect name outbound smtp
> ip inspect name outbound streamworks
> ip inspect name outbound vdolive
> ip inspect name outbound sqlnet
> ip inspect name outbound tftp
> !
> ip inspect name mail smtp
> !
> ip audit notify log
> ip audit po max-events 100
> ip ssh time-out 60
> ip ssh authentication-retries 3
> !
> !
> call rsvp-sync
> cns event-service server
> !
> !
> !
> interface FastEthernet0/0
>  description connection to Internal Network
>  ip address 192.168.100.2 255.255.255.0
>  ip nat inside
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  description Connection to Internet
>  ip address 2.2.2.2 255.255.255.0
>  ip access-group 101 in
>  ip nat outside
>  ip inspect outbound out
>  ip inspect mail in
>  duplex auto
>  speed auto
> !
> ip kerberos source-interface any
> ip nat pool legal_ip 2.2.2.3 2.2.2.10 netmask 255.255.255.0
> ip nat inside source route-map nonat pool legal_ip overload
> ip nat inside source static 192.168.100.5 2.2.2.15
> ip classless
> ip route 0.0.0.0 0.0.0.0 2.2.2.1
> no ip http server
> !
> logging source-interface FastEthernet0/0
> logging 192.168.100.11
> access-list 101 permit tcp any host 2.2.2.15 eq smtp
> access-list 101 permit tcp any host 2.2.2.15 eq www
> access-list 101 permit tcp any host 2.2.2.15 eq 443
> access-list 101 permit tcp any host 2.2.2.15 eq pop3
> access-list 101 permit tcp any host 2.2.2.15 eq 143
> access-list 101 permit tcp any host 2.2.2.2 eq 22
> access-list 101 permit tcp any host 2.2.2.2 eq telnet
> access-list 101 deny tcp any any
> access-list 101 deny udp any any
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any time-exceeded
> access-list 101 permit icmp any any packet-too-big
> access-list 101 permit icmp any any traceroute
> access-list 101 permit icmp any any unreachable
> access-list 101 deny ip any any log
> access-list 160 permit ip any any
> no cdp run
> !
> route-map nonat permit 10
>  match ip address 160
> !
> !
> !
> line con 0
>  exec-timeout 0 0
>  password 7 094F471A1A0A
>  transport input none
> line aux 0
>  password 7 070834495D1A1011
> line vty 0 4
>  password 7 104D000A0618
>  transport input telnet ssh
> !
> end
>
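To make the NAT decision in this thread concrete, here is an added example (not code from any of the posters or from Cisco): a small Python evaluator of the extended ACL that route-map nonat references, run against the three ACL 160 variants the thread discusses (the original permit any any, the inside-network-only version, and deny-the-WAN-IP-first). The inside host 192.168.100.20 and the outside address 4.4.4.4 are constructed; that IOS runs the router's own telnet/ssh replies through the inside-source rule is the thread's observation, which the evaluator takes as given and only shows which packets each ACL hands to the pool.

```python
import ipaddress

# Added example, not code from the thread or from Cisco: evaluates which
# packets an IOS extended ACL permits, i.e. which packets route-map "nonat"
# (match ip address 160) hands to the NAT pool. Addresses are the thread's.

def _parse_spec(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i];
    return ((base, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tokens[i])),
            int(ipaddress.ip_address(tokens[i + 1]))), i + 2

def _matches(addr, spec):
    base, wildcard = spec
    # IOS wildcard: a 1 bit is "don't care"; only the 0 bits must agree.
    return ((int(ipaddress.ip_address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def acl_action(acl_text, number, src, dst):
    """First matching 'access-list <number> permit|deny ip SRC DST' wins;
    no match means deny (IOS implicit deny)."""
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[:2] != ["access-list", str(number)]:
            continue
        src_spec, i = _parse_spec(tokens, 4)
        dst_spec, _ = _parse_spec(tokens, i)
        if tokens[3] == "ip" and _matches(src, src_spec) and _matches(dst, dst_spec):
            return tokens[2]
    return "deny"

def nat_applies(acl_text, src, dst):
    """'ip nat inside source route-map nonat ...' + 'match ip address 160':
    the packet is handed to the pool only when ACL 160 permits it."""
    return acl_action(acl_text, 160, src, dst) == "permit"

# The three ACL 160 variants discussed in the thread (constructed text).
ORIGINAL = "access-list 160 permit ip any any\n"
INSIDE_ONLY = "access-list 160 permit ip 192.168.100.0 0.0.0.255 any\n"
DENY_WAN_FIRST = ("access-list 160 deny ip host 2.2.2.2 any\n"
                  "access-list 160 permit ip any any\n")
# An inside host going out, and the router's own SSH reply to an outside admin
# (192.168.100.20 and 4.4.4.4 are constructed addresses).
INSIDE_OUT = ("192.168.100.20", "4.4.4.4")
ROUTER_REPLY = ("2.2.2.2", "4.4.4.4")
```

Calling nat_applies(acl, *ROUTER_REPLY) for each variant shows only ORIGINAL translating the router's reply, while all three still translate INSIDE_OUT.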
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:48 GMT-3