09-21-2004 01:32 PM - edited 03-02-2019 06:39 PM
We just set up an FTP server behind a Cisco 831 router. We find that we can use SDM to access the router from any public IP. Can we limit it to a range of IPs? From the telnet command line, I can't tell which line is for managing access to SDM. However, from SDM, there are two rules: SDM_DEFAULT_194 Extended permit HTTPS traffic and SDM_DEFAULT_195 Extended permit HTTP traffic, but I can't edit them (see attached). Any suggestions?
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name cisco.com
ip name-server 4.2.2.1
ip dhcp excluded-address 172.16.5.1 172.16.5.5
!
ip dhcp pool sdm-pool1
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 0 MS-mvps address x.x.x.197
crypto isakmp key 0 MS-mvps address 67.173.153.152
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.197
set peer x.x.x.197
set transform-set SDM_TRANSFORMSET_1
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to 67.173.153.152
set peer 67.173.153.152
set transform-set SDM_TRANSFORMSET_2
match address 103
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address 172.16.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no cdp enable
!
interface Ethernet1
description $FW_OUTSIDE$$ETH-WAN$
ip address x.x.x.208 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
no cdp enable
crypto map SDM_CMAP_1
!
ip nat inside source route-map SDM_RMAP_2 interface Ethernet1 overload
ip nat inside source static tcp 172.16.5.2 21 interface Ethernet1 21
ip nat inside source static tcp 172.16.5.2 1723 interface Ethernet1 1723
ip nat inside source static tcp 172.16.5.2 3389 interface Ethernet1 3389
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.193 permanent
ip http server
ip http authentication local
ip http secure-server
!
logging trap debugging
logging 172.16.5.1
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 172.16.5.0 0.0.0.255
access-list 10 permit 172.16.5.2
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip x.x.x.192 0.0.0.31 172.16.5.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny ip 172.16.5.0 0.0.0.255 host 67.173.153.152
access-list 102 deny ip x.x.x.192 0.0.0.31 172.16.5.0 0.0.0.255
access-list 102 permit ip 172.16.5.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.16.5.0 0.0.0.255 host 67.173.153.152
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 120
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
09-21-2004 11:47 PM
Hello,
here is the relevant Q&A from CCO:
Q. How am I ensured that Cisco SDM is a secure management tool?
A. Several safeguards are used to help ensure that access to a Cisco router with Cisco SDM is secure:
· Restricted Cisco SDM clients - The hosts that are allowed to access Cisco SDM (and the HTTP server) can be configured by System Properties in advanced mode, or through Security Audit in wizard mode.
· Signed applets - Cisco SDM is a Cisco signed applet; users must explicitly permit the download of the applet to their workstation.
· HTTPS (Secure Sockets Layer [SSL]) - Cisco SDM detects the presence of the SSL support in the HTTP server and recommends to users that they use the HTTPS protocol. With this choice the communication between your workstation and the Cisco router is secured with SSL. Supported in most browsers, SSL enables information to be encrypted through the 56-bit Data Encryption Standard (DES) or the more secure 168-bit Triple DES (3DES).
I do not have a platform to test this on. Check this link to the 'Cisco Router and Security Device Manager 2.0 Users Guide', and scroll down to the 'Security Audit --> Configure User Accounts for Telnet Page' section:
HTH,
Georg
09-22-2004 12:39 PM
Hi georg,
After following the instructions and re-configuring the router, it works. Thank you very much.
09-23-2004 12:11 AM
Hi,
You need to take a look at the "Management Access" feature in SDM. If you are using SDM 1.1 / SDM 1.2, please go to System Properties -> Management Access.
If you are using SDM 2.0, please go to Additional Tasks -> Management Access.
You can restrict access to SDM to a specific set of hosts using this feature.
Thanks,
Ravikumar
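For readers who want the CLI equivalent of what Georg's CCO quote (restricted SDM clients) and Ravikumar's Management Access pointer describe, the snippet below is an added example, not something posted in this thread and not taken from Cisco's documentation or from what SDM itself writes. It restricts the router's own HTTP/HTTPS server (which SDM uses) and the vty lines to a standard ACL. Assumptions: 198.51.100.0/24 is a constructed stand-in for the remote management range; ACL number 5 is chosen only because 1, 10 and 100-103 are already used in the posted config; `transport input ssh` assumes RSA keys are already generated, since the posted config shows `ip ssh` settings but not the key.

```cisco
! Constructed example: allowed management sources for SDM (HTTP/HTTPS) and vty.
! Replace 198.51.100.0/24 with the real remote management range.
access-list 5 remark MGMT-HOSTS allowed to reach SDM and the vty lines
access-list 5 permit 198.51.100.0 0.0.0.255
access-list 5 permit 172.16.5.0 0.0.0.255
access-list 5 deny any log
!
! Keep HTTPS for SDM, drop plain HTTP, and bind the HTTP server to ACL 5.
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 5
!
! Apply the same source restriction to remote CLI sessions (ACL 5 assumed; SSH assumes RSA keys exist).
line vty 0 4
 access-class 5 in
 login local
 transport input ssh
```

`ip http access-class` only filters connections to the router's own web server; it does not touch the static NAT entries that forward FTP, PPTP and RDP to 172.16.5.2, so the FTP server stays reachable exactly as before. Apply the ACL from the console (or keep the inside 172.16.5.0/24 entry, as above) so a typo in the permitted range cannot lock you out, then confirm the binding with `show ip http server status` and watch the syslog for the `deny any log` hits, which show who is still probing the management port from outside the allowed range.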
09-23-2004 06:05 AM
Thank you, Ravikumar.