Remote access 831 router using SDM

blin (Level 1)

We just set up an FTP server behind the Cisco 831 router. We find that we can use SDM to access the router from any public IP. Can we limit it to a range of IPs? From the telnet command line, I can't tell which is for managing access to SDM. However, from SDM, there are two rules, SDM_DEFAULT_194 Extended permit HTTPS traffic and SDM_DEFAULT_195 Extended permit HTTP traffic, but I can't edit them (see attached). Any suggestions?

no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name cisco.com
ip name-server 4.2.2.1
ip dhcp excluded-address 172.16.5.1 172.16.5.5
!
ip dhcp pool sdm-pool1
 network 172.16.5.0 255.255.255.0
 default-router 172.16.5.1
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 MS-mvps address x.x.x.197
crypto isakmp key 0 MS-mvps address 67.173.153.152
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x.x.x.197
 set peer x.x.x.197
 set transform-set SDM_TRANSFORMSET_1
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to 67.173.153.152
 set peer 67.173.153.152
 set transform-set SDM_TRANSFORMSET_2
 match address 103
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 172.16.5.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address x.x.x.208 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 no cdp enable
 crypto map SDM_CMAP_1
!
ip nat inside source route-map SDM_RMAP_2 interface Ethernet1 overload
ip nat inside source static tcp 172.16.5.2 21 interface Ethernet1 21
ip nat inside source static tcp 172.16.5.2 1723 interface Ethernet1 1723
ip nat inside source static tcp 172.16.5.2 3389 interface Ethernet1 3389
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.193 permanent
ip http server
ip http authentication local
ip http secure-server
!
logging trap debugging
logging 172.16.5.1
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 172.16.5.0 0.0.0.255
access-list 10 permit 172.16.5.2
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip x.x.x.192 0.0.0.31 172.16.5.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny ip 172.16.5.0 0.0.0.255 host 67.173.153.152
access-list 102 deny ip x.x.x.192 0.0.0.31 172.16.5.0 0.0.0.255
access-list 102 permit ip 172.16.5.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.16.5.0 0.0.0.255 host 67.173.153.152
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 120
!
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local

Accepted Solution

Hello,

here is the relevant Q&A from CCO:

Q. How am I ensured that Cisco SDM is a secure management tool?

A. Several safeguards are used to help ensure that access to a Cisco router with Cisco SDM is secure:

· Restricted Cisco SDM clients: the hosts that are allowed to access Cisco SDM (and the HTTP server) can be configured by System Properties in advanced mode, or through Security Audit in wizard mode.

· Signed applets: Cisco SDM is a Cisco signed applet; users must explicitly permit the download of the applet to their workstation.

· HTTPS (Secure Sockets Layer [SSL]): Cisco SDM detects the presence of SSL support in the HTTP server and recommends to users that they use the HTTPS protocol. With this choice the communication between your workstation and the Cisco router is secured with SSL. Supported in most browsers, SSL enables information to be encrypted through the 56-bit Data Encryption Standard (DES) or the more secure 168-bit Triple DES (3DES).

I do not have a platform to test this on. Check this link to the 'Cisco Router and Security Device Manager 2.0 User's Guide' and scroll down to the 'Security Audit --> Configure User Accounts for Telnet Page' section:

http://www.cisco.com/application/pdf/en/us/guest/products/ps5318/c1626/ccmigration_09186a00802d0d61.pdf

HTH,

Georg

www.solutionfinders.nl

Hi Georg,

After following the instructions and reconfiguring the router, it works. Thank you very much.

reswaran (Cisco Employee)

Hi,

You need to take a look at the "Management Access" feature in SDM. If you are using SDM 1.1 / SDM 1.2, please go to System Properties -> Management Access.

If you are using SDM 2.0, please go to Additional Tasks -> Management Access.

You can restrict access to SDM to a specific set of users using this feature.

Thanks,

Ravikumar

Thank you, Ravikumar.
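Added example, not from any post in this thread: the IOS CLI form of the restriction the replies describe, a standard ACL applied to the router's HTTP server (and, for consistency, to the vty lines) so that only a management range can reach SDM. The range 203.0.113.0/24 and ACL number 5 are constructed placeholders, and it is an assumption that SDM's Management Access feature writes exactly these lines rather than an equivalent.

```cisco
! Added example (not from the thread). Management range 203.0.113.0/24
! and ACL 5 are placeholders; ACL 5 is unused in the posted config.
!
! Standard ACL naming the only sources allowed to reach the management
! plane: an external admin range plus the inside LAN already in the config.
access-list 5 remark Management hosts only
access-list 5 permit 203.0.113.0 0.0.0.255
access-list 5 permit 172.16.5.0 0.0.0.255
access-list 5 deny any log
!
! Bind the ACL to the HTTP server: this is what stops SDM (HTTP and
! HTTPS alike) from answering arbitrary public IPs.
ip http access-class 5
!
! The posted config serves SDM over plain HTTP as well as HTTPS; keep
! only the TLS listener so credentials never cross the WAN in clear.
no ip http server
ip http secure-server
ip http authentication local
!
! Apply the same source restriction to the remote CLI sessions.
line vty 0 4
 access-class 5 in
```

After applying this, confirm the HTTP server binding with `show ip http server status` and test SDM from an address outside the range to verify it is refused.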
