Re: CISCO FW IOS with allowing SSH to it from outside

From: Sam Munzani (sam@xxxxxxxxxxx)
Date: Wed Feb 14 2001 - 17:02:17 GMT-3


   
If you don't apply an outbound access-list, that means you permit everything
outbound with stateful inspection. Inbound is taken care of by drilling holes
in the access-list. I don't have much luck with it so far. Telnet from inside
works great though.

Sam
  ----- Original Message -----
  From: Rampley, Jim
  To: 'Sam Munzani' ; Ron.Fuller@3x.com
  Cc: ccielab@groupstudy.com ; NoOne Important ; nobody@groupstudy.com
  Sent: Wednesday, February 14, 2001 1:43 PM
  Subject: RE: CISCO FW IOS with allowing SSH to it from outside

  Don't you need an outbound access-list on fa0/1? I just set this up a
  few weeks back from the doc CD examples and was able to telnet both
  ways.

  Jim

    -----Original Message-----
    From: Sam Munzani [SMTP:sam@munzani.com]
    Sent: Tuesday, February 13, 2001 1:52 PM
    To: Ron.Fuller@3x.com
    Cc: ccielab@groupstudy.com; NoOne Important; nobody@groupstudy.com
    Subject: Re: CISCO FW IOS with allowing SSH to it from outside

    Here is my full config with the IP addresses changed a bit. Tell me, what am I
    doing wrong?

    version 12.1
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname cisco
    !
    logging buffered 4096 debugging
    logging rate-limit console 10 except errors
    aaa new-model
    aaa authentication login default local
    enable password 7 045C1E031C32455A
    !
    username admin password 1234
    ip subnet-zero
    no ip source-route
    !
    !
    no ip finger
    ip domain-name xyz.com
    ip name-server 1.1.1.1
    !
    ip inspect max-incomplete high 1100
    ip inspect max-incomplete low 900
    ip inspect one-minute high 1100
    ip inspect one-minute low 900
    ip inspect name outbound tcp
    ip inspect name outbound udp
    ip inspect name outbound cuseeme
    ip inspect name outbound ftp
    ip inspect name outbound h323
    ip inspect name outbound rcmd
    ip inspect name outbound realaudio
    ip inspect name outbound smtp
    ip inspect name outbound streamworks
    ip inspect name outbound vdolive
    ip inspect name outbound sqlnet
    ip inspect name outbound tftp
    !
    ip inspect name mail smtp
    !
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 3
    !
    !
    call rsvp-sync
    cns event-service server
    !
    !
    !
    interface FastEthernet0/0
     description connection to Internal Network
     ip address 192.168.100.2 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description Connection to Internet
     ip address 2.2.2.2 255.255.255.0
     ip access-group 101 in
     ip nat outside
     ip inspect outbound out
     ip inspect mail in
     duplex auto
     speed auto
    !
    ip kerberos source-interface any
    ip nat pool legal_ip 2.2.2.3 2.2.2.10 netmask 255.255.255.0
    ip nat inside source route-map nonat pool legal_ip overload
    ip nat inside source static 192.168.100.5 2.2.2.15
    ip classless
    ip route 0.0.0.0 0.0.0.0 2.2.2.1
    no ip http server
    !
    logging source-interface FastEthernet0/0
    logging 192.168.100.11
    access-list 101 permit tcp any host 2.2.2.15 eq smtp
    access-list 101 permit tcp any host 2.2.2.15 eq www
    access-list 101 permit tcp any host 2.2.2.15 eq 443
    access-list 101 permit tcp any host 2.2.2.15 eq pop3
    access-list 101 permit tcp any host 2.2.2.15 eq 143
    access-list 101 permit tcp any host 2.2.2.2 eq 22
    access-list 101 permit tcp any host 2.2.2.2 eq telnet
    access-list 101 deny tcp any any
    access-list 101 deny udp any any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any packet-too-big
    access-list 101 permit icmp any any traceroute
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip any any log
    access-list 160 permit ip any any
    no cdp run
    !
    route-map nonat permit 10
     match ip address 160
    !
    !
    !
    line con 0
     exec-timeout 0 0
     password 7 094F471A1A0A
     transport input none
    line aux 0
     password 7 070834495D1A1011
    line vty 0 4
     password 7 104D000A0618
     transport input telnet ssh
    !
    end
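Editor's note on the inbound access-list in the posted config: IOS evaluates a numbered extended ACL top to bottom, stops at the first entry that matches, and applies an implicit "deny ip any any" after the last configured line, so entry order decides what gets through. The evaluator below is an added example written for this archive page; it is not code from Sam, Jim or Cisco. It parses access-list 101 exactly as posted, plays constructed packets through it under first-match semantics, and reports permit entries that expose cleartext Telnet on a router-owned address to any source. The names Entry, Packet, parse_acl, evaluate and cleartext_mgmt_exposures are this example's own; the source address 203.0.113.9 is an assumed Internet host; the router addresses passed to the check (2.2.2.2, 192.168.100.2) are taken from the interface configuration. The dynamic return-traffic entries that "ip inspect" (CBAC) adds are not modelled, so this is the static view of the access-group only.

```python
"""First-match evaluator for Cisco IOS numbered extended access lists (added
example for this thread, not code from any post). IOS walks the list top to
bottom, stops at the first match, and applies an implicit "deny ip any any"
after the last line; the dynamic entries CBAC opens are not modelled."""
import ipaddress
from collections import namedtuple

# Service keywords as IOS prints them in this config, mapped to port numbers.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "pop3": 110, "imap": 143}
ANY = (0, 0xFFFFFFFF)                  # (address, wildcard): every bit don't-care
IMPLICIT_DENY = "implicit deny ip any any"
# Constructed sample input: access-list 101 from the posted configuration.
ACL_101 = """\
access-list 101 permit tcp any host 2.2.2.15 eq smtp
access-list 101 permit tcp any host 2.2.2.15 eq www
access-list 101 permit tcp any host 2.2.2.15 eq 443
access-list 101 permit tcp any host 2.2.2.15 eq pop3
access-list 101 permit tcp any host 2.2.2.15 eq 143
access-list 101 permit tcp any host 2.2.2.2 eq 22
access-list 101 permit tcp any host 2.2.2.2 eq telnet
access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
"""
# src/dst are (address, wildcard) ints; sport/dport are a port number or None.
Entry = namedtuple("Entry", "action proto src sport dst dport icmp_type text")
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, ""))

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _port(tok, i):
    """Parse an optional 'eq PORT' qualifier (keyword or number) at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto, i = tok[2], tok[3], 4
        src, i = _addr(tok, i)
        sport, i = _port(tok, i) if proto in ("tcp", "udp") else (None, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i) if proto in ("tcp", "udp") else (None, i)
        icmp = tok[i] if proto == "icmp" and i < len(tok) and tok[i] != "log" else None
        entries.append(Entry(action, proto, src, sport, dst, dport, icmp, line.strip()))
    return entries

def _addr_match(spec, ip):
    addr, wild = spec                  # 1 bits in the wildcard are don't-care
    return ((addr ^ ip) & ~wild & 0xFFFFFFFF) == 0

def matches(e, p):
    """Protocol, wildcard-masked addresses, tcp/udp ports and icmp type must all agree."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    ports_ok = e.proto not in ("tcp", "udp") or (e.sport in (None, p.sport) and e.dport in (None, p.dport))
    icmp_ok = e.proto != "icmp" or e.icmp_type in (None, p.icmp_type)
    return ports_ok and icmp_ok and _addr_match(e.src, _ip(p.src)) and _addr_match(e.dst, _ip(p.dst))

def evaluate(entries, p):
    """Return (action, matching line) under first-match semantics."""
    for e in entries:
        if matches(e, p):
            return e.action, e.text
    return "deny", IMPLICIT_DENY

def cleartext_mgmt_exposures(entries, router_addrs):
    """Permit entries that let any source reach Telnet (tcp/23) on a router address."""
    return [e.text for e in entries
            if e.action == "permit" and e.proto in ("ip", "tcp") and e.src == ANY
            and e.dport in (None, 23) and any(_addr_match(e.dst, _ip(a)) for a in router_addrs)]

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    # Constructed packets inbound on FastEthernet0/1 from an assumed Internet host.
    for p in [Packet("tcp", "203.0.113.9", "2.2.2.2", 40001, 22),
              Packet("tcp", "203.0.113.9", "2.2.2.2", 40002, 80),
              Packet("icmp", "203.0.113.9", "2.2.2.2", icmp_type="echo")]:
        print(p.proto, p.dst, p.dport or p.icmp_type, *evaluate(acl, p))
    print("telnet from anywhere:", cleartext_mgmt_exposures(acl, ["2.2.2.2", "192.168.100.2"]))
```

Two things the run shows about the posted list: the sixth entry permits tcp/22 from any source to 2.2.2.2, so the inbound access-group by itself does not stop SSH to the router and the fault has to be looked for elsewhere (the router's SSH server side is what "ip ssh" and the RSA key setup govern, and neither shows up in a running-config listing); and the seventh entry permits Telnet from any Internet host to the same address while "transport input telnet ssh" accepts it on the VTYs, which the check reports. The two "deny tcp any any" and "deny udp any any" lines sit before the ICMP permits, which still works because a deny only ends evaluation for packets it matches; the ICMP packets fall through to the later entries.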



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:48 GMT-3