From: Rampley, Jim (Jim.Rampley@xxxxxxxxxxxxx)
Date: Wed Feb 14 2001 - 19:03:04 GMT-3
The documentation says that the access-list identifies what traffic would be
processed by CBAC. The way I interpret that is if you don't use an
access-list you will never identify traffic to be processed by CBAC,
permit=CBAC inspected. If this theory holds true you should be able to do
some debugging and see if anything is being processed by CBAC. Maybe try
doing a debug ip inspect events or a show ip inspect session.
You might try applying something like this outbound on fa0/1. If you have
other subnets on your internal network you would have to add them too. This
access-list also gives you anti-spoofing.
access-list 101 permit tcp 2.2.2.0 0.0.0.255 any
access-list 101 permit udp 2.2.2.0 0.0.0.255 any
access-list 101 permit icmp 2.2.2.0 0.0.0.255 any
access-list 101 deny ip any any
Jim
> -----Original Message-----
> From: Sam Munzani [SMTP:sam@munzani.com]
> Sent: Wednesday, February 14, 2001 2:02 PM
> To: Rampley, Jim
> Cc: ccielab@groupstudy.com
> Subject: Re: CISCO FW IOS with allowing SSH to it from outside
>
> If you don't apply an outbound access-list, that means you permit
> everything outbound with stateful inspection. Inbound is taken care of by
> drilling holes in the access-list. I don't have much luck with it so far.
> Telnet from inside works great though.
>
> Sam
>
> ----- Original Message -----
> From: Rampley, Jim <Jim.Rampley@agedwards.com>
> To: 'Sam Munzani' <sam@munzani.com>; Ron.Fuller@3x.com
> Cc: ccielab@groupstudy.com; NoOne Important <lm_nguyen@hotmail.com>;
> nobody@groupstudy.com
> Sent: Wednesday, February 14, 2001 1:43 PM
> Subject: RE: CISCO FW IOS with allowing SSH to it from outside
>
> Don't you need an outbound access-list on fa0/1? I just set this up
> a few weeks back from the doc CD examples and was able to telnet both
> ways.
>
> Jim
>
>
> -----Original Message-----
> From: Sam Munzani [SMTP:sam@munzani.com]
> Sent: Tuesday, February 13, 2001 1:52 PM
> To: Ron.Fuller@3x.com
> Cc: ccielab@groupstudy.com; NoOne Important; nobody@groupstudy.com
> Subject: Re: CISCO FW IOS with allowing SSH to it from outside
>
> Here are my full configs with IP addresses changed a bit.
> Tell me what I am doing wrong?
>
> version 12.1
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname cisco
> !
> logging buffered 4096 debugging
> logging rate-limit console 10 except errors
> aaa new-model
> aaa authentication login default local
> enable password 7 045C1E031C32455A
> !
> username admin password 1234
> ip subnet-zero
> no ip source-route
> !
> !
> no ip finger
> ip domain-name xyz.com
> ip name-server 1.1.1.1
> !
> ip inspect max-incomplete high 1100
> ip inspect max-incomplete low 900
> ip inspect one-minute high 1100
> ip inspect one-minute low 900
> ip inspect name outbound tcp
> ip inspect name outbound udp
> ip inspect name outbound cuseeme
> ip inspect name outbound ftp
> ip inspect name outbound h323
> ip inspect name outbound rcmd
> ip inspect name outbound realaudio
> ip inspect name outbound smtp
> ip inspect name outbound streamworks
> ip inspect name outbound vdolive
> ip inspect name outbound sqlnet
> ip inspect name outbound tftp
> !
> ip inspect name mail smtp
> !
> ip audit notify log
> ip audit po max-events 100
> ip ssh time-out 60
> ip ssh authentication-retries 3
> !
> !
> call rsvp-sync
> cns event-service server
> !
> !
> !
> interface FastEthernet0/0
> description connection to Internal Network
> ip address 192.168.100.2 255.255.255.0
> ip nat inside
> duplex auto
> speed auto
> !
> interface FastEthernet0/1
> description Connection to Internet
> ip address 2.2.2.2 255.255.255.0
> ip access-group 101 in
> ip nat outside
> ip inspect outbound out
> ip inspect mail in
> duplex auto
> speed auto
> !
> ip kerberos source-interface any
> ip nat pool legal_ip 2.2.2.3 2.2.2.10 netmask 255.255.255.0
> ip nat inside source route-map nonat pool legal_ip overload
> ip nat inside source static 192.168.100.5 2.2.2.15
> ip classless
> ip route 0.0.0.0 0.0.0.0 2.2.2.1
> no ip http server
> !
> logging source-interface FastEthernet0/0
> logging 192.168.100.11
> access-list 101 permit tcp any host 2.2.2.15 eq smtp
> access-list 101 permit tcp any host 2.2.2.15 eq www
> access-list 101 permit tcp any host 2.2.2.15 eq 443
> access-list 101 permit tcp any host 2.2.2.15 eq pop3
> access-list 101 permit tcp any host 2.2.2.15 eq 143
> access-list 101 permit tcp any host 2.2.2.2 eq 22
> access-list 101 permit tcp any host 2.2.2.2 eq telnet
> access-list 101 deny tcp any any
> access-list 101 deny udp any any
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any time-exceeded
> access-list 101 permit icmp any any packet-too-big
> access-list 101 permit icmp any any traceroute
> access-list 101 permit icmp any any unreachable
> access-list 101 deny ip any any log
> access-list 160 permit ip any any
> no cdp run
> !
> route-map nonat permit 10
> match ip address 160
> !
> !
> !
> line con 0
> exec-timeout 0 0
> password 7 094F471A1A0A
> transport input none
> line aux 0
> password 7 070834495D1A1011
> line vty 0 4
> password 7 104D000A0618
> transport input telnet ssh
> !
> end
>
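Added example, not part of the thread: a small Python model of how IOS walks an extended numbered ACL (top to bottom, first match wins, implicit deny at the end, wildcard bits meaning "don't care"), run over Sam's inbound list 101 and Jim's proposed outbound list. Jim's list is numbered 102 here, an assumption made for the example, since the posted config already uses 101 on the inbound side. The model covers only the static ACL logic; it does not model NAT or the dynamic entries CBAC opens for return traffic. It confirms that the posted list 101 does admit TCP/22 to 2.2.2.2 and that Jim's list drops a packet whose source is not in 2.2.2.0/24.

```python
"""First-match evaluator for Cisco IOS extended numbered ACLs (added example,
not code from the thread). Models static ACL matching only: no NAT, no CBAC."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in the posted configs, mapped to port numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "telnet": 23, "ftp": 21, "domain": 53}


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp" or "icmp"
    src: tuple                        # (network, mask) as integers
    dst: tuple
    dport: Optional[int] = None       # from "eq <port>", TCP/UDP only
    icmp_type: Optional[str] = None   # e.g. "echo-reply"; None matches any type
    log: bool = False


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' at tokens[i].
    Returns ((network, mask), next_index). An IOS wildcard bit set to 1 means
    'don't care', so the match mask is the inverse of the wildcard."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, ~wildcard & 0xFFFFFFFF), i + 2


def parse_acl(config: str, number: str):
    """Collect the 'access-list <number> ...' entries of a config, in order."""
    aces = []
    for line in config.splitlines():
        t = line.strip().split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != number:
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        ace = Ace(t[2], t[3], src, dst)
        if i < len(t) and t[i] == "eq":
            port = t[i + 1]
            ace.dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
            i += 2
        if ace.proto == "icmp" and i < len(t) and t[i] != "log":
            ace.icmp_type = t[i]
            i += 1
        ace.log = i < len(t) and t[i] == "log"
        aces.append(ace)
    return aces


def _in(addr: str, net_mask) -> bool:
    net, mask = net_mask
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def evaluate(aces, proto, src, dst, dport=None, icmp_type=None) -> str:
    """Return 'permit' or 'deny' for one packet the way IOS decides it:
    the first entry that matches wins; no match is the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_in(src, ace.src) and _in(dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action
    return "deny"


# Sam's inbound list, copied from the posted config.
INBOUND_101 = """
access-list 101 permit tcp any host 2.2.2.15 eq smtp
access-list 101 permit tcp any host 2.2.2.15 eq www
access-list 101 permit tcp any host 2.2.2.15 eq 443
access-list 101 permit tcp any host 2.2.2.15 eq pop3
access-list 101 permit tcp any host 2.2.2.15 eq 143
access-list 101 permit tcp any host 2.2.2.2 eq 22
access-list 101 permit tcp any host 2.2.2.2 eq telnet
access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
"""

# Jim's proposed outbound list; renumbered 102 here (assumption for the example).
OUTBOUND_102 = """
access-list 102 permit tcp 2.2.2.0 0.0.0.255 any
access-list 102 permit udp 2.2.2.0 0.0.0.255 any
access-list 102 permit icmp 2.2.2.0 0.0.0.255 any
access-list 102 deny ip any any
"""

if __name__ == "__main__":
    acl_in = parse_acl(INBOUND_101, "101")
    acl_out = parse_acl(OUTBOUND_102, "102")
    print("ssh to router from outside:", evaluate(acl_in, "tcp", "5.5.5.5", "2.2.2.2", dport=22))
    print("spoofed source leaving fa0/1:", evaluate(acl_out, "tcp", "10.0.0.1", "8.8.8.8", dport=80))
```

Run it as a script to print two decisions, or import it and call evaluate() with your own packets; every entry of the list is walked in configured order, so moving the "deny tcp any any" line above the host 2.2.2.2 permits would silently close SSH.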
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:48 GMT-3