12-28-2013 10:10 AM - edited 03-04-2019 09:57 PM
Hi,
I've recently got a Cisco 887va. I have followed this guide to setting the ADSL2+ up and it worked fine:
https://supportforums.cisco.com/message/3578292#3578292
My 887va is also on 192.168.1.1
I can get out onto the internet - everything is working great.
What I want to do now is to be able to access my router remotely for SSH over the internet. (At another office).
I would therefore like to SSH to the dialer0 interface and have it connect to my 192.168.0.1 IP
I understand I need a NAT statement but I'm confused if I need an ACL or a Firewall rule (or both).
Is it possible someone could give me an example of how to do this correctly?
My 887va needs to be as secure as possible so I want to restrict the remote access to 2 IPs that I know and own at remote offices and for the ssh protocol only. Nobody else external should access this.
I very much look forward to your help.
John.
12-30-2013 06:48 AM
I've just done an internal scan using nmap and only 22 and 443 ports show as open. Therefore I think from an external point of view everything should be OK and no firewall required?
I presume it's not 'wrong' to place an ADSL router on the internet with the dialer0 wan interface only protected via ACLs?
12-30-2013 06:58 AM
Hi,
As long as the internal network is protected by a firewall this is no problem.
Regards
Alain
Don't forget to rate helpful posts.
12-30-2013 07:38 AM
Oh - no - my internal network (machines, laptops/phones) get a 192.168.0.1 IP directly from the 887va so there would not be a firewall there.
I'm guessing this must be OK - the majority of configs I've seen on this forum for the 887va do not have the firewall settings enabled?
12-30-2013 07:41 AM
Hi,
as long as there is only dynamic nat overload, it shouldn't be a problem for your internal network.
Regards
Alain
Don't forget to rate helpful posts.
12-30-2013 08:06 AM
Yes that's correct for my config - interesting bits below. So everything should be OK?
With this I will have allowed SSH, HTTPS and SNMP from my 2 Head Office IPs to the dialer0 interface of my 887va router and no other external IPs should have any access into my network from the internet. My internal network (192.168.0.1) should be secure because I only have the nat overload command. The commands should also allow my 192.168.0.1 users outbound internet access on all ports.
Hopefully this below has cracked it and does everything I want?
(Interesting bits only).
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
interface Dialer0
ip nat outside
no ip http server
ip http access-class 10
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 10 permit xx.xx.xx.xx
access-list 10 permit yy.yy.yy.yy
access-list 10 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
snmp-server community nagios-svr RO 10
line vty 0 4
access-class 10 in
transport input ssh
12-30-2013 08:33 AM
Hi,
Correct it achieves what you want.
Regards
Alain
Don't forget to rate helpful posts.
12-30-2013 08:57 AM
Excellent - I will test and update this thread. Thank you.
01-01-2014 06:24 AM
Hi,
did you test the config ?
Regards
Alain
Don't forget to rate helpful posts.
01-03-2014 06:28 AM
Hi,
I tested the ADSL part today which worked (so I could get outbound).
I've tested SSH remotely and that worked (thank you).
I need to scan it remotely to check all other ports are closed correctly and will then update again.
Thanks,
01-09-2014 01:18 AM
Hi,
I have managed to run an NMAP scan externally.
First my ssh and snmp and https access lists worked fine thank you.
However I've noticed the following - Nmap shows these ports as open:
53 - tcp - open
1720 - tcp - filtered
1863 - tcp - open
5190 - tcp - open
I'd be interested to know why that is and how to stop them and if it's anything to worry about.
01-09-2014 02:29 AM
Actually, just checked more UDP: DNS, time and SNMP are open to all
53/udp open|filtered domain
123/udp open ntp
161/udp open snmp
Show run of applicable settings:
!
ntp server 1.uk.pool.ntp.org
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 10 permit xx.xx.xx.xx (an external IP I own)
access-list 10 permit yy.yy.yy.yy (an external IP I own)
access-list 10 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
snmp-server community nagios-SVR RO 10
ip dhcp pool myDHCPpool
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
!
!
!
ip domain name xxxxx.com
ip name-server 8.8.8.8
line vty 0 4
access-class 10 in
password 7 xxxxxxxxxx
login authentication local_auth
transport input ssh
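The two configs in this thread (the NAT overload plus vty/http access-class config posted on 12-30-2013, and the show run above) explain both results: `access-class 10 in` and `ip http access-class 10` only restrict the vty lines and the HTTP server, and `ip inspect`/an inbound ACL is never applied to Dialer0, so every other listener on the router (the DNS proxy behind `dns-server 192.168.0.1`, NTP, SNMP) answers on the WAN address as well. The block below is an added example, not from the original thread or from Cisco; it assumes the 887VA is running an IOS security feature set (CBAC `ip inspect` is a licensed feature, and the `router-traffic` keyword needs 12.3(14)T or later), keeps the poster's xx.xx.xx.xx / yy.yy.yy.yy placeholders for the two head-office addresses, and the names WAN_IN and WAN_FW are my own. It does not try to explain the 1720/1863/5190 results, which the thread leaves open.

```cisco
! Added example (not the poster's or Cisco's config): shield the Dialer0 edge
! of the 887VA so that only the two head-office addresses reach SSH/HTTPS/SNMP,
! LAN-originated sessions still get their replies back, and the DNS, NTP and
! SNMP listeners seen by the external nmap scan stop answering the Internet.
!
! 1. Stateful inspection (CBAC). "router-traffic" also tracks sessions the
!    router itself opens (DNS forwarding to 8.8.8.8, NTP polls to the pool),
!    so their replies are let back in through the inbound ACL below.
ip inspect name WAN_FW tcp router-traffic
ip inspect name WAN_FW udp router-traffic
ip inspect name WAN_FW icmp router-traffic
!
! 2. Inbound ACL on the WAN side. IOS evaluates an inbound ACL before NAT, so
!    "any" as the destination covers the router's own Dialer0 address.
ip access-list extended WAN_IN
 remark --- management only from the two head-office addresses (placeholders) ---
 permit tcp host xx.xx.xx.xx any eq 22
 permit tcp host yy.yy.yy.yy any eq 22
 permit tcp host xx.xx.xx.xx any eq 443
 permit tcp host yy.yy.yy.yy any eq 443
 permit udp host xx.xx.xx.xx any eq snmp
 permit udp host yy.yy.yy.yy any eq snmp
 remark --- ICMP needed for path MTU discovery on a PPPoA/PPPoE link ---
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark --- everything else, including DNS/NTP/SNMP from anyone else, is dropped.
 remark --- drop the "log" keyword once you are satisfied; a scan can be noisy.
 deny   ip any any log
!
interface Dialer0
 ip nat outside
 ip access-group WAN_IN in
 ip inspect WAN_FW out
!
! 3. Unchanged from the thread: the service-level ACLs stay as a second layer.
!    ACL 10 still limits which sources the vty lines, HTTP server and SNMP
!    community accept; the community string is case sensitive, so the poller
!    must send exactly the name configured here.
access-list 10 permit xx.xx.xx.xx
access-list 10 permit yy.yy.yy.yy
access-list 10 permit 192.168.0.0 0.0.0.255
snmp-server community nagios-svr RO 10
ip http access-class 10
line vty 0 4
 access-class 10 in
 transport input ssh
```

To confirm the change, repeat the external nmap run from the separate connection: 22/443/161 should now answer only from the two permitted addresses, 53/udp and 123/udp should show as filtered rather than open, and `show ip access-lists WAN_IN` on the router shows the hit count on the final deny climbing while the scan runs. LAN clients keep resolving names through 192.168.0.1 because the router's forwarded queries to 8.8.8.8 are tracked by the `udp router-traffic` inspection rather than relying on an open port 53.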
01-10-2014 12:10 AM
Just wondered if anyone had any thoughts on this? Thank you.
01-10-2014 01:58 AM
Hi,
How did you check open ports and what were they from inside and outside ? Nmap internally and externally ?
Regards
Alain
Don't forget to rate helpful posts.
01-10-2014 02:34 AM
Hi,
Thank you for your reply.
From a completely separate Internet connection and IP I tested over the internet to the WAN IP of the box.
So the test was external - much like I could run from my home for example.
01-11-2014 02:35 AM
I have opened another thread as it probably warrants its own thread.