05-02-2011 03:59 AM - edited 03-04-2019 12:14 PM
Hi
I have a Cisco 1921 router and 3 Cisco 3560G switches.
I want to configure the Cisco router so that networks 192.168.4.0/26, 192.168.3.0/26 and 192.168.2.0/26 can all access the internet.
R1921(config)# ip nat inside source list 102 int G0/0 overload
R1921(config)# access-list 102 permit ip ?
Am I right to do this below?
R1921(config)# ip route 192.168.4.0/26 10.10.10.2
R1921(config)# ip route 192.168.3.0/26 10.10.10.2
R1921(config)# ip route 192.168.2.0/26 10.10.10.2
Kindly assist on the access-list and ip route?
Thanks all
Jo
05-03-2011 02:08 AM
Hi Joseph,
I don't know if it supports SSH?
You need a crypto image to support SSH, but you can also verify by doing this command: ip ssh ver in global config. If you want to know if a feature is supported by your IOS/architecture, just go to the Cisco Feature Navigator site: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
If your router supports ssh, in order to use it you must:
1) give a hostname to your router with the global config hostname command
2) configure a domain name with the global config ip domain-name command
3) configure a local user with the global config username xxx privilege xx secret xxx command
How to insert a username and password for SSH on the router?
The 3rd action answers this question
4) generate a rsa key with the global config crypto key generate rsa modulus 1024 command
5) optionally enable SSH version 2 with the global config ip ssh version 2 command
6) on line vty: login local
How to disable telnet?
7) on line vty: transport input ssh
What is this please: transport input telnet ssh? You mean the telnet service will be overwritten by SSH?
This means you can telnet to your vty line and also SSH to it; with the command in 7) you can only SSH to it.
Concerning your ACL, the deny any any at the end is useless unless you want to log, but then you have to add the log keyword at the end.
Why these 2 lines?
access-list 26 permit 192.168.2.0 0.0.0.63
access-list 26 permit 192.168.3.0 0.0.0.63
For me they are useless, as they will never get hit: an ACL is parsed from top to bottom and once a match is made the parsing stops, so the first 2 lines will get matched before them.
Where will logs be stored and how to check those logs?
What do you want to log? The access with SSH to your router? All access or only failed ones?
The config given below your question is for the archive feature not for authentication logging.
You can log in many places, but the best is a syslog server (a free one is tftpd32 for Windows) and the command is simple:
logging x.x.x.x where x.x.x.x is the IP address or hostname (if you can resolve it to an IP) of your syslog server
But first verify logging is enabled with the show log command, and if not, enable it with the global config logging on command.
Then you can use the logging feature on your final explicit deny with the log keyword, or if you have got a security IOS you can use this global command: security authentication failure rate xx log, which will block for 15 sec after xx attempts and log the attempts.
Regards.
Alain.
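As an added example (not from the thread or from Cisco), a small Python audit of an IOS running-config for steps 1-3 and 5-7 above: the global prerequisites, login local, and an SSH-only transport input on every vty range. The config text is constructed; step 4 (the RSA key pair) is not visible in running-config and must be checked separately.

```python
import re

# Constructed sample running-config: globals present, one vty range still
# accepts telnet, another still uses the line password instead of login local.
SAMPLE_CONFIG = """\
hostname R1921
ip domain-name lab.example
username admin privilege 15 secret 5 $1$PLACEHOLDER$hashgoeshere
ip ssh version 2
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login
 transport input ssh
"""
# Steps 1, 2, 3 and 5. Step 4 is checked with 'show crypto key mypubkey rsa', not here.
REQUIRED_GLOBAL = {
    "hostname": r"^hostname \S+",
    "ip domain-name": r"^ip domain-name \S+",
    "local username with secret": r"^username \S+ .*secret ",
    "ip ssh version 2": r"^ip ssh version 2$",
}

def parse_vty_lines(config):
    """Return {'0 4': {'login': ..., 'transport': [...]}, ...} per 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            current = raw[len("line vty "):].strip()
            blocks[current] = {"login": None, "transport": []}
        elif not raw.startswith(" "):
            current = None  # any other top-level command ends the vty block
        elif current is not None:
            cmd = raw.strip()
            if cmd.startswith("login"):
                blocks[current]["login"] = cmd
            elif cmd.startswith("transport input"):
                blocks[current]["transport"] = cmd.split()[2:]
    return blocks

def audit_ssh(config):
    """Return a list of findings; an empty list means steps 1-3 and 5-7 all pass."""
    findings = []
    for name, pattern in REQUIRED_GLOBAL.items():
        if not re.search(pattern, config, re.MULTILINE):
            findings.append(f"missing: {name}")
    for rng, vty in parse_vty_lines(config).items():
        if vty["login"] != "login local":  # step 6
            findings.append(f"line vty {rng}: want 'login local', got {vty['login']!r}")
        if vty["transport"] != ["ssh"]:  # step 7: telnet must not remain an input transport
            findings.append(f"line vty {rng}: transport input {' '.join(vty['transport']) or '<default>'} (want ssh only)")
    return findings
```

Feed it the output of show running-config; every finding maps back to one numbered step in the post.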
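The first-match behaviour Alain describes can be checked mechanically. This is an added example, not code from the thread: it parses a standard ACL, reports entries shadowed by an earlier entry, and flags a trailing deny any that lacks the log keyword. The wider first entry is hypothetical, since the thread does not show the real first two lines of access-list 26.

```python
import ipaddress
import re

MASK = 0xFFFFFFFF
ENTRY = re.compile(r"^access-list (\d+) (permit|deny) (.+?)(?: (log))?$")

# Constructed ACL: a hypothetical wider first entry, then the two entries quoted
# in the thread, a host entry, and an explicit final deny without 'log'.
SAMPLE_ACL = """\
access-list 26 permit 192.168.0.0 0.0.3.255
access-list 26 permit 192.168.2.0 0.0.0.63
access-list 26 permit 192.168.3.0 0.0.0.63
access-list 26 permit host 10.10.10.2
access-list 26 deny any
"""

def parse_source(src):
    """Return (network_bits, wildcard) for 'any', 'host A', 'A' or 'A W'."""
    parts = src.split()
    if parts == ["any"]:
        return 0, MASK
    if parts[0] == "host":
        parts = parts[1:]
    addr = int(ipaddress.IPv4Address(parts[0]))
    wild = int(ipaddress.IPv4Address(parts[1])) if len(parts) > 1 else 0
    return addr & (MASK ^ wild), wild

def covers(a, b):
    """True if every address matched by entry b is also matched by entry a."""
    (addr_a, wild_a), (addr_b, wild_b) = a, b
    fixed_a = MASK ^ wild_a  # the bits entry a actually compares
    return (wild_b & fixed_a) == 0 and ((addr_a ^ addr_b) & fixed_a) == 0

def analyze(acl_text):
    """Return [(line_no, reason)] for entries that can never be hit or are redundant."""
    seen, findings, last = [], [], None
    for n, line in enumerate(acl_text.strip().splitlines(), 1):
        m = ENTRY.match(line.strip())
        if not m:
            continue
        _, action, src, log = m.groups()
        rule = parse_source(src)
        for earlier_n, earlier_rule in seen:
            if covers(earlier_rule, rule):  # first match wins, so this line is dead
                findings.append((n, f"never hit: shadowed by line {earlier_n}"))
                break
        seen.append((n, rule))
        last = (n, action, src, log)
    # A standard ACL ends with an implicit deny; an explicit one only adds value with 'log'.
    if last and last[1] == "deny" and last[2] == "any" and not last[3]:
        findings.append((last[0], "redundant: explicit 'deny any' without 'log'"))
    return findings
```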
05-03-2011 05:53 AM
Thanks Alain.
How to make that syslog server?
Is it Windows based or a Linux one?
Kindly help with how to link those logs to the syslog server.
thanks
Much appreciated
Joseph
05-03-2011 06:07 AM
Hi Joseph,
Now my concern is logs in the buffer of a router; I am afraid it will consume a lot of memory and cause other problems, isn't it?
Yes, I too agree with you... but if nothing else is available then the only source is the router buffer to analyze the logs for any critical situations.
Are CiscoWorks and KiwiCat hardware or software? If software, how to configure it on a Windows machine or Linux?
I have CiscoWorks and I can teach you each and everything about it, but it is license based and costly; you need to buy it from CiscoWorks, and until you have a large network, say 300-400 devices to manage, you don't need this.
I would suggest you use KiwiCat tools, which is low cost and you can get a trial version for 30 days.
See the below details for KiwiCat....
You can download this free tool and pay with this. You can just install it on any Windows machine.
http://kiwisyslog.com/kiwi-cattools-overview/
Please click on the correct answer if this answered your question.
Regards,
Naidu.
05-03-2011 06:35 AM
Joseph,
tftpd32 is a windows program.
As I said above, to send logs to this server just issue logging x.x.x.x where x.x.x.x is the IP address of the machine hosting the syslog service.
I haven't tried on a linux box yet.
Regards.
Alain.
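Once logging x.x.x.x is configured, what arrives at the syslog host is plain text in the IOS format <PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text. As an added example (not from the thread or from tftpd32), this Python parser reads such lines, whether from a UDP listener or from the file the syslog program writes, and pulls out the two events the thread cares about: ACL denies produced by the log keyword and failed vty logins. The sample lines are constructed.

```python
import re
from collections import Counter

# Constructed IOS-style syslog lines; PRI = facility*8 + severity (local7 = 23).
SAMPLE_LINES = [
    "<190>47: *May  3 10:15:02.123: %SEC-6-IPACCESSLOGP: list 102 denied tcp 172.16.1.9(4021) -> 192.168.2.10(23), 1 packet",
    "<188>48: *May  3 10:15:40.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.16.1.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:40 UTC Tue May 3 2011",
    "<188>49: *May  3 10:15:44.310: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.16.1.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:44 UTC Tue May 3 2011",
    "<189>50: *May  3 10:16:10.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.4.5)",
]

# Sequence number and timestamp are optional (they depend on 'service sequence-numbers'
# and 'service timestamps'), so both groups are optional in the pattern.
LINE = re.compile(r"^<(\d+)>(?:\d+: )?(?:[^%]*?: )?%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$")
FIELD = re.compile(r"\[(\w+): ([^\]]+)\]")  # the [key: value] pairs in SEC_LOGIN messages

def parse(line):
    """Split one IOS syslog line into facility, severity, mnemonic, text and bracketed fields."""
    m = LINE.match(line)
    if not m:
        return None
    pri, fac, sev, mnem, text = m.groups()
    return {
        "facility": int(pri) // 8,
        "severity": int(sev),
        "mnemonic": f"{fac}-{sev}-{mnem}",
        "text": text,
        "fields": dict(FIELD.findall(text)),
    }

def classify(lines):
    """Return (list of ACL deny texts, Counter of failed logins per source address)."""
    denies, failed = [], Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not an IOS message; tftpd32 may interleave its own status lines
        if ev["mnemonic"] == "SEC-6-IPACCESSLOGP" and " denied " in ev["text"]:
            denies.append(ev["text"])
        elif ev["mnemonic"] == "SEC_LOGIN-4-LOGIN_FAILED":
            failed[ev["fields"].get("Source", "?")] += 1
    return denies, failed
```

Repeated LOGIN_FAILED entries from one source are the pattern the security authentication failure rate command is meant to throttle, so the per-source count is the number worth watching.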
05-04-2011 04:10 AM
thanks Alain,
OK, how to make tftpd32 work on Windows XP? I mean, how to install/configure it please, and where are logs stored on that Windows XP PC, and how to check those logs?
Joseph
05-04-2011 04:23 AM
Hi Joseph,
Following the below link will help you.
http://www.hak5.org/forums/index.php?showtopic=13229
Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.