12-28-2013 10:10 AM - edited 03-04-2019 09:57 PM
Hi,
I've recently got a Cisco 887va. I have followed this guide to setting the ADSL2+ up and it worked fine:
https://supportforums.cisco.com/message/3578292#3578292
My 887va is also on 192.168.1.1
I can get out onto the internet - everything is working great.
What I want to do now is to be able to access my router remotely for SSH over the internet. (At another office).
I would therefore like to SSH to the dialer0 interface and have it connect to my 192.168.0.1 IP
I understand I need a NAT statement but I'm confused if I need an ACL or a firewall rule (or both).
Is it possible someone could give me an example of how to do this correctly?
My 887va needs to be as secure as possible so I want to restrict the remote access to 2 IPs that I know and own at remote offices and for the ssh protocol only. Nobody else external should access this.
I very much look forward to your help.
John.
12-29-2013 09:22 AM
Hi,
if you want to access your router remotely for management with ssh from 2 Public IPs and internally, I suppose ssh is already configured:
access-list 10 permit host x.x.x.x
access-list 10 permit host y.y.y.y
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 15
 login local
 transport input ssh
 access-class 10 in
Now if you want to ssh to an internal machine from the 2 public IPs and internally, you'll need to configure static PAT (aka port forwarding) and either use CBAC or ZFW. If this is the case I will provide you a basic firewall config along with NAT.
Regards
Alain
Don't forget to rate helpful posts.
12-29-2013 10:49 AM
Thank you very much. Yes, SSH is already configured and working well from the inside.
I've a few questions - hopefully you can help to clarify.
With the ACL list you have provided (and acl 'in' statement under the SSH section) do I still require a NAT statement for my dialer0 interface to my 192.168.1.1 router address or is the NAT statement not required - does the ACL work without? What should the NAT statement be if so?
Yes that would be great if you can give me the basic firewall and PAT information as I will want to do this as well. (I'll likely be having a web server so allowing 80 and 443 but to restricted sites. The web server will eventually sit on 192.168.1.2.)
I would also like to allow HTTPS as well as SSH so we can view the web interface as well as PING to perform a basic check - again these need to be restricted to the 2 internet IPs - the destination will be the router IP of 192.168.1.1
I very much look forward to your response and will rate as helpful.
Thanks.
EDIT: I had asked the ping question separately - not sure where it is best to answer it: https://supportforums.cisco.com/thread/2258656
12-29-2013 12:45 PM
Hi,
With the ACL list you have provided (and acl 'in' statement under the SSH section) do I still require a NAT statement for my dialer0 interface to my 192.168.1.1 router address or is the NAT statement not required - does the ACL work without? What should the NAT statement be if so?
You won't need NAT because you'll be SSHing to the public IP of your router.
You will need to SSH to the FQDN provided by no-ip.org or dyndns.org because you have a dynamic IP through PPP.
Here is a thread discussing the dyndns configuration: https://supportforums.cisco.com/thread/2167081
Yes that would be great if you can give me the basic firewall and PAT information as I will want to do this as well. (I'll likely be having a web server so allowing 80 and 443 but to restricted sites. The web server will eventually sit on 192.168.1.2
Here is a config example for the static PAT:
int vlan1
 ip nat inside
int dialer0
 ip nat outside
ip nat inside source static tcp 192.168.1.2 80 interface dialer0 80
ip nat inside source static tcp 192.168.1.2 443 interface dialer0 4430
no ip http server
ip http secure-server
I would also like to allow HTTPS as well as SSH so we can view the web interface as well as PING to perform a basic check - again these need to be restricted to the 2 internet IPs - the destination will be the router IP of 192.168.1.1
For securing HTTPS access to the router you can use the same access-class, like this:
ip http access-class 10
Now for the firewall config, you could do something like this:
ip access-list extended Outside-Inside-acl
 permit tcp host x.x.x.x host 192.168.1.2 eq https
 permit tcp host x.x.x.x host 192.168.1.2 eq http
ip access-list extended Outside-Mgmt-acl
 permit tcp host x.x.x.x any eq 443
 permit tcp host x.x.x.x any eq 22
 permit tcp host y.y.y.y any eq 443
 permit tcp host y.y.y.y any eq 22
zone security Inside
zone security Outside
int vlan1
 zone-member security Inside
int dialer 0
 zone-member security Outside
class-map type inspect match-any Inside-Outside-class
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any Outside-Inside-class
 match access-group name Outside-Inside-acl
class-map type inspect match-any Outside-Mgmt-class
 match access-group name Outside-Mgmt-acl
policy-map type inspect Inside-Outside-policy
 class type inspect Inside-Outside-class
  inspect
 class class-default
  drop
policy-map type inspect Outside-Inside-policy
 class type inspect Outside-Inside-class
  inspect
 class class-default
  drop
policy-map type inspect Outside-Mgmt-policy
 class type inspect Outside-Mgmt-class
  inspect
 class class-default
  drop
zone-pair security Outside-Inside source Outside destination Inside
 service-policy type inspect Outside-Inside-policy
zone-pair security Inside-Outside source Inside destination Outside
 service-policy type inspect Inside-Outside-policy
zone-pair security Outside-self source Outside destination self
 service-policy type inspect Outside-Mgmt-policy
Regards
Alain
Don't forget to rate helpful posts.
12-29-2013 02:53 PM
Again thank you.
Just a few points to clarify:
When you say 'You won't need NAT because you'll be sshing to the public IP of your router', is that because it does some kind of NAT behind the scenes, and therefore I don't need a NAT statement for this?
ip http access-class 10 - where would this statement go?
Does your firewall part include icmp?
Lastly I'm confused why I would use ACLs and not firewall rules. (I come from a firewall background, just not Cisco - hence my earlier NAT question about the mgmt interface.) Is it possible to use firewall rules as well (or instead of an ACL) for the management access to the router for ssh, https and icmp from 2 known external IPs?
12-30-2013 01:51 AM
Hi,
You don't need NAT to access your device from a public location as it has a WAN public IP.
The ip http access-class is a configuration mode command.
Yes, the firewall config I provided takes icmp, ssh and https access to the router into account.
Regards
Alain
Don't forget to rate helpful posts.
12-30-2013 02:07 AM
Thank you.
So I've learnt that for the WAN public IP of the router no NAT statement is required but for additional IPs then a NAT statement would be required.
Can you clarify this point - why would I use ACLs for the Management access instead of firewall rules - what's the benefit?
12-30-2013 02:39 AM
Hi,
Using access-class for http/https and telnet/ssh is less demanding on the router than using the firewall feature.
And it is also easier to configure.
Regards
Alain
Don't forget to rate helpful posts.
12-30-2013 02:53 AM
Excellent thanks. That makes sense - I want my router to be as secure as possible but at the same time I want the performance and don't want to make it CPU intensive so I will not use the firewall feature for now.
I have got the following configured now on my Router:
no ip http server
ip http access-class 10
ip http secure-server
access-list 10 permit xx.xx.xx.xx (external IP 1 of my head office over the internet)
access-list 10 permit yy.yy.yy.yy (external IP 2 of my head office over the internet)
access-list 10 permit 192.168.1.0 0.0.0.255 (my internal vlan1 network and what the router sits on).
line vty 0 4
 access-class 10 in
 password 7 ***********
 login authentication local_auth
 transport input ssh
I've not tested this yet as I need to visit my remote office.
Now finally - how do I allow ping to the WAN IP (to check it is up and working remotely) with an ACL?
12-30-2013 04:00 AM
Hi,
For this you would have to use an inbound ACL on the WAN interface, but in this case you'd be better off with a firewall config because ACLs are stateless: if you permit your icmp and deny everything else you will also deny return traffic in response to LAN-initiated traffic.
You could in this case use CBAC:
ip inspect name myfirewall tcp
ip inspect name myfirewall udp
ip inspect name myfirewall icmp
ip access-list extended remote-access
 permit icmp host x.x.x.x any echo
 permit icmp host y.y.y.y any echo
 permit tcp host x.x.x.x any eq ssh
 permit tcp host y.y.y.y any eq ssh
 permit tcp host x.x.x.x any eq https
 permit tcp host y.y.y.y any eq https
 deny ip any any
int dialer0
 ip access-group remote-access in
int vlan 1
 ! inspect sessions entering from the LAN so their return traffic gets through the dialer0 ACL
 ip inspect myfirewall in
As you can see here, the problem is that as your WAN IP is dynamic you must specify any as the destination in your inbound ACL, which opens up corresponding access to any forwarded address for the http(s)/ssh protocols.
Regards
Alain
Don't forget to rate helpful posts.
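A small Python model of the point Alain makes above, as an added example that is not from the thread: an inbound ACL is stateless, while CBAC inspection remembers LAN-initiated sessions and lets their replies through. It reuses the remote-access ACL from the post; the WAN and web-site addresses are constructed placeholders.

```python
from dataclasses import dataclass

PORTS = {"ssh": 22, "https": 443, "http": 80}
# The inbound ACL from Alain's post (x.x.x.x / y.y.y.y are the thread's placeholders).
REMOTE_ACCESS_ACL = [
    "permit icmp host x.x.x.x any echo",
    "permit icmp host y.y.y.y any echo",
    "permit tcp host x.x.x.x any eq ssh",
    "permit tcp host y.y.y.y any eq ssh",
    "permit tcp host x.x.x.x any eq https",
    "permit tcp host y.y.y.y any eq https",
    "deny ip any any",
]

@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0      # tcp destination port; 0 for icmp

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>|echo]' with host/any addresses."""
    f = line.split()
    action, proto, rest, addrs = f[0] == "permit", f[1], f[2:], []
    for _ in range(2):  # source, then destination
        addrs.append(rest[1] if rest[0] == "host" else "any")
        rest = rest[2:] if rest[0] == "host" else rest[1:]
    port = PORTS[rest[1]] if rest[:1] == ["eq"] else 0
    return action, proto, addrs[0], addrs[1], port

def acl_permits(acl, p):
    """Stateless filter: the first matching entry decides, implicit deny at the end."""
    for action, proto, src, dst, port in map(parse_ace, acl):
        if (proto in ("ip", p.proto) and src in ("any", p.src)
                and dst in ("any", p.dst) and port in (0, p.dport)):
            return action
    return False

def cbac_permits(acl, sessions, p):
    """Inspection: a reply to a session the router saw leave is allowed before the ACL."""
    return (p.proto, p.dst, p.src, p.dport, p.sport) in sessions or acl_permits(acl, p)

# Constructed addresses: the router's WAN IP, and a web site a LAN host opens.
WAN, WEBSITE = "198.51.100.7", "203.0.113.5"
outbound = Pkt("tcp", WAN, WEBSITE, 51000, 443)          # LAN browsing, as seen after PAT
sessions = {(outbound.proto, outbound.src, outbound.dst, outbound.sport, outbound.dport)}
reply = Pkt("tcp", WEBSITE, WAN, 443, 51000)             # the web site's answer
```

With only the ACL, `reply` is dropped by `deny ip any any`; with the session table the same packet is allowed, which is what the inspect lines buy you.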
12-30-2013 04:23 AM
Hmm I'm a bit lost now.
So the config above would replace any of the previous ways of allowing https and ssh as well?
My WAN IP is fixed from my ISP - can I just put 'dialer0' instead of 'any'?
Edit: I said I wanted to allow ping before but if SNMP can be done via ACL I think that would be OK to avoid having to set up the firewall and allowing ping.
12-30-2013 05:17 AM
Hi,
If you have a static IP on the WAN interface then of course you can explicitly allow traffic to this IP instead of using the any keyword.
Of course you can restrict SNMP access to some IPs with an access-list.
So if you only want to restrict access for management of your router you don't specifically need an ACL or the firewall feature, but you can use an access-list specifying legitimate IP addresses and use this ACL with http/https (ip http access-class), telnet/ssh (access-class under the vty line) and SNMP (access-list with the snmp-server command).
Regards
Alain
Don't forget to rate helpful posts.
12-30-2013 05:28 AM
That's great thanks.
So my config now looks like this. I hope it will allow me to SSH, HTTPS and SNMP into it via both the internal 192.168.0.1 address range AND 2 external IPs at my head office via the WAN port. I hope it blocks everything else incoming so if you were to port scan you would not see any open ports.
Is that the correct assumption and does the code now look accurate?
no ip http server
ip http access-class 10
ip http secure-server
access-list 10 permit xx.xx.xx.xx (external IP 1 of my head office over the internet)
access-list 10 permit yy.yy.yy.yy (external IP 2 of my head office over the internet)
access-list 10 permit 192.168.1.0 0.0.0.255 (my internal vlan1 network and what the router sits on).
snmp-server community nagios-svr RO 10 (where 10 is the access list so it allows those IPs in?)
snmp-server location xxxxx
snmp-server contact xxxxxxx
line vty 0 4
 access-class 10 in
 password 7 ***********
 login authentication local_auth
 transport input ssh
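A check of the config John posted above, as an added example that is not from the thread: a small Python parser for the management-plane commands in it, plus an audit that flags a vty without an access-class, a transport other than ssh, an SNMP community that is RW or has no ACL, and an ACL entry wider than a host or the LAN /24. The embedded config is constructed from the post with its placeholder addresses kept and the parenthetical notes removed.

```python
import re

# Constructed sample: the commands John posted, without his parenthetical notes.
SAMPLE_CONFIG = """\
no ip http server
ip http access-class 10
ip http secure-server
access-list 10 permit xx.xx.xx.xx
access-list 10 permit yy.yy.yy.yy
access-list 10 permit 192.168.1.0 0.0.0.255
snmp-server community nagios-svr RO 10
line vty 0 4
 access-class 10 in
 login authentication local_auth
 transport input ssh
"""

def parse_config(text):
    """Collect the settings that decide who may reach ssh, https and snmp on the router."""
    cfg, in_vty = {"acls": {}, "http_acl": None, "http_plain": True, "snmp": {}, "vty": {}}, False
    for raw in text.splitlines():
        line, in_vty = raw.strip(), in_vty and raw.startswith(" ")  # indented = vty sub-command
        if m := re.match(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4] or "0.0.0.0"))
        elif m := re.match(r"ip http access-class (\d+)$", line):
            cfg["http_acl"] = m[1]
        elif line == "no ip http server":
            cfg["http_plain"] = False
        elif m := re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", line):
            cfg["snmp"][m[1]] = (m[2], m[3])
        elif line.startswith("line vty"):
            in_vty = True
        elif in_vty and (m := re.match(r"(?:access-class (\d+) in|transport input (.+))$", line)):
            cfg["vty"]["acl" if m[1] else "transport"] = m[1] or m[2]
    return cfg

def audit(cfg):
    """Return findings; an empty list means each management service sits behind a host/LAN ACL."""
    checks = [
        (cfg["http_plain"], "http: plain 'ip http server' is still enabled"),
        (cfg["http_acl"] is None, "http: no 'ip http access-class'"),
        (cfg["vty"].get("acl") is None, "vty: no 'access-class ... in'"),
        (cfg["vty"].get("transport") != "ssh", "vty: 'transport input' is not ssh only"),
    ]
    findings = [msg for bad, msg in checks if bad]
    findings += [f"snmp: community {n} is {m} with acl {a}" for n, (m, a) in cfg["snmp"].items() if a is None or m == "RW"]
    used = {cfg["http_acl"], cfg["vty"].get("acl"), *(a for _, a in cfg["snmp"].values())} - {None}
    for acl in sorted(used):  # crude width check: single hosts or the /24 LAN only
        for action, addr, wild in cfg["acls"].get(acl, []):
            if action == "permit" and (addr == "any" or wild not in ("0.0.0.0", "0.0.0.255")):
                findings.append(f"acl {acl}: permit {addr} {wild} is wider than a host or the LAN")
    return findings
```

The audit only answers the "does the code look accurate" question for the three management services; it says nothing about other listening services, which is the point Alain makes next.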
12-30-2013 05:52 AM
Hi,
I hope it blocks everything else incoming so if you were to port scan you would not see any open ports.
No, it just won't let any other IP access https/ssh/snmp on the router.
If you want to hide open ports from a scan then you need a firewall and to disable unneeded services.
Regards
Alain
Don't forget to rate helpful posts.
12-30-2013 06:17 AM
Ah OK. I perhaps will need a firewall after all then (or a deny ACL for the other service ports available) - otherwise it will fail an external audit - usually a Nessus scan and nmap - I presume loads will show as open without? Would an ACL be enough for the ports not to show on a Nessus report or does that HAVE to be a firewall?
Thank you for your help and sorry for all the questions.