access list issue and ip route

malai.joseph
Level 1

Hi

I have a Cisco 1921 router and 3 Cisco 3560G switches.

I want to configure the Cisco router so that the networks 192.168.4.0/26, 192.168.3.0/26 and 192.168.2.0/26 can all access the internet.

R1921(config)# ip nat inside source list 102 int G0/0 overload
R1921(config)# access-list 102 permit ip ?

Am I right to do this below?

R1921(config)# ip route 192.168.4.0/26 10.10.10.2
R1921(config)# ip route 192.168.3.0/26 10.10.10.2
R1921(config)# ip route 192.168.2.0/26 10.10.10.2

Kindly assist on the access-list and ip route?

Thanks all

Jo

20 Replies

Hi Joseph,

I don't know if it supports ssh?

You need a crypto image to support ssh, but you can also verify by issuing the command ip ssh ver in global config, and if you want to know whether a feature is supported by your IOS/architecture just go to the Cisco Feature Navigator site: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

If your router supports ssh, in order to use it you must:

1) give a hostname to your router with the global config hostname command

2) configure a domain name with the global config ip domain-name command

3) configure a local user with the global config username xxx privilege xx secret xxx command

how to insert username and password for ssh on router?

The 3rd action answers this question.

4) generate an rsa key with the global config crypto key generate rsa modulus 1024 command

5) optionally enable ssh version 2 with the global config ip ssh version 2 command

6) on line vty: login local

how to disable telnet?

7) on line vty: transport input ssh

What is this please, transport input telnet ssh? You mean the telnet service will be overwritten by ssh?

This means you can telnet to your vty line and also ssh to it; with the command in 7) you can only ssh to it.

Concerning your ACL, the deny any any at the end is useless unless you want to log, but then you have to add the log keyword at the end.

Why these 2 lines?

access-list 26 permit 192.168.2.0 0.0.0.63
access-list 26 permit 192.168.3.0 0.0.0.63

For me they are useless as they will never get hit, because an ACL is parsed from top to bottom and once a match is made the parsing stops; the first 2 lines will get matched before.

Where will logs be stored and how to check those logs?

What do you want to log? The access with ssh to your router? All access or only failed ones?

The config given below your question is for the archive feature not for authentication logging.

You can log in many places, but the best is a syslog server (a free one is tftpd32 for Windows) and the command is simple:

logging x.x.x.x where x.x.x.x is the IP address or hostname (if you can resolve it to an IP) of your syslog server

But first verify logging is enabled with the show log command, and if not then enable it with the global config logging on command.

Then you can use the logging feature on your final explicit deny with the log keyword, or if you have got a security IOS you can use this global command: security authentication failure rate xx log, which will block for 15 sec after xx attempts and log the attempts.

Regards.

Alain.

Don't forget to rate helpful posts.
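The first-match behaviour Alain describes, as an added example (not from the thread, and in Python rather than IOS syntax): a small evaluator for standard ACL entries with wildcard masks, plus a check that flags entries an earlier entry already covers. The thread does not show the first two lines of access-list 26, so the ones below are an assumption.

```python
import ipaddress
from typing import List, Optional, Tuple
# Added example, not from the thread: Cisco standard ACL entries (network +
# wildcard mask) evaluated first-match, plus a check for entries that can never be hit.

def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for an IPv4 prefix length, e.g. /26 -> 0.0.0.63."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def parse_entry(line: str) -> Tuple[str, int, int]:
    """'access-list N permit|deny NET [WILDCARD]' or '... any' -> (action, net, wc)."""
    parts = line.split()
    action, target = parts[2], parts[3]
    wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # bare host entry
    if target == "any":
        target, wildcard = "0.0.0.0", "255.255.255.255"
    return action, int(ipaddress.IPv4Address(target)), int(ipaddress.IPv4Address(wildcard))

def matches(addr: str, net: int, wc: int) -> bool:
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    return (int(ipaddress.IPv4Address(addr)) & ~wc) == (net & ~wc)

def first_match(acl: List[str], addr: str) -> Optional[str]:
    """Action of the first matching entry; None means the implicit deny."""
    for line in acl:
        action, net, wc = parse_entry(line)
        if matches(addr, net, wc):
            return action  # parsing stops here; later entries are never looked at
    return None

def shadowed_entries(acl: List[str]) -> List[int]:
    """Indexes of entries an earlier entry j fully covers (so they are never hit):
    j tests only bits that i also tests (wc_i & ~wc_j == 0) and agrees on them."""
    parsed = [parse_entry(line) for line in acl]
    shadowed = []
    for i, (_, net_i, wc_i) in enumerate(parsed):
        for _, net_j, wc_j in parsed[:i]:
            if (wc_i & ~wc_j) == 0 and (net_i & ~wc_j) == (net_j & ~wc_j):
                shadowed.append(i)
                break
    return shadowed

# Constructed ACL (not from the thread; its first two entries are an assumption),
# entries 3 and 4 are the two /26 lines Alain called useless.
ACL_26 = [
    "access-list 26 permit 192.168.2.0 0.0.0.255",
    "access-list 26 permit 192.168.3.0 0.0.0.255",
    "access-list 26 permit 192.168.2.0 0.0.0.63",
    "access-list 26 permit 192.168.3.0 0.0.0.63",
    "access-list 26 deny any",
]
```

For the three /26 networks in the question the wildcard is 0.0.0.63; shadowed_entries(ACL_26) returns [2, 3], the two lines that are never reached because entries 0 and 1 match first.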

Thanks Alain.

How to make that syslog server?

Is it Windows based or a Linux one?

Kindly help how to link those logs to the syslog server.

Thanks

Much appreciated

Joseph

Hi Joseph,

Now my concern is logs in the buffer of a router; I'm afraid it will consume a lot of memory and cause other problems, isn't it?
Yes, I too agree with you... but if nothing is available then the only source is the router buffer to analyze the logs for any critical situations.

Are CiscoWorks and KiwiCat hardware or software? If software, how to configure it on a Windows machine or Linux?
I have CiscoWorks and I can teach you each and everything about it, but it is license based and costly; you need to buy it from CiscoWorks, and until you have a large network, say 300-400 devices to manage, you don't need this.
I would suggest you use KiwiCat tools, which is low cost and you can get a trial version for 30 days.

See the details below for KiwiCat....

You can download this free tool and pay with this. You can just install it on any Windows machine.
http://kiwisyslog.com/kiwi-cattools-overview/

Please click on the correct answer if this answered your question.
Regards,
Naidu.

Joseph,

tftpd32 is a Windows program.

As I said above, to send logs to this server just issue logging x.x.x.x where x.x.x.x is the IP address of the machine hosting the syslog service.

I haven't tried on a linux box yet.

Regards.

Alain.

Don't forget to rate helpful posts.
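As an added example (not from the thread, and not tftpd32's code), a Python parser for the lines the router sends once logging x.x.x.x is configured, picking out the two events this thread is about: ACL hits logged with the log keyword and failed logins. The sample lines are constructed to follow the usual IOS message shape (%SEC-6-IPACCESSLOGS / IPACCESSLOGP for ACL log hits, %SEC_LOGIN-4-LOGIN_FAILED for failed logins); that shape is an assumption here, not something the thread shows.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Added example, not from the thread: parse what an IOS router sends to the
# syslog server after "logging x.x.x.x" and pull out the two events the thread
# talks about: ACL hits logged with the "log" keyword and failed logins.
MSG_RE = re.compile(r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<text>.*)$")
# Standard ACLs (IPACCESSLOGS) log only the source; extended ones (IPACCESSLOGP)
# log protocol, source and destination with ports.
ACL_RE = re.compile(r"list (?P<list>\S+) (?P<action>permitted|denied) "
                    r"(?:(?P<proto>\w+) )?(?P<src>\d+\.\d+\.\d+\.\d+)")
LOGIN_RE = re.compile(r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a dict describing the event, or None for lines this example ignores."""
    m = MSG_RE.search(line)
    if not m:
        return None
    event = {"severity": m["sev"], "mnemonic": m["mnem"]}
    if m["mnem"].startswith("IPACCESSLOG") and (a := ACL_RE.search(m["text"])):
        event.update(kind="acl", acl=a["list"], action=a["action"], src=a["src"])
        return event
    if m["mnem"] == "LOGIN_FAILED" and (lg := LOGIN_RE.search(m["text"])):
        event.update(kind="login_failed", user=lg["user"], src=lg["src"])
        return event
    return None

def noisy_sources(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` failed logins across the whole log, the
    kind of pattern a central syslog server shows that a router buffer alone hides."""
    events = [e for e in map(parse_line, lines) if e and e["kind"] == "login_failed"]
    counts = Counter(e["src"] for e in events)
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample, shaped like IOS syslog output (PRI, sequence, timestamp,
# message); not captured from a real router.
SAMPLE = [
    "<190>12: *Mar  1 10:05:11.001: %SEC-6-IPACCESSLOGS: list 26 denied 10.10.10.77 1 packet",
    "<190>13: *Mar  1 10:05:12.002: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.10.10.77(40512) -> 192.168.2.10(23), 1 packet",
    "<188>14: *Mar  1 10:05:20.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.10.77] [localport: 22] [Reason: Login Authentication Failed] at 10:05:20 UTC Fri Mar 1 2013",
    "<188>15: *Mar  1 10:05:24.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.10.10.77] [localport: 22] [Reason: Login Authentication Failed] at 10:05:24 UTC Fri Mar 1 2013",
    "<188>16: *Mar  1 10:05:29.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.10.10.77] [localport: 22] [Reason: Login Authentication Failed] at 10:05:29 UTC Fri Mar 1 2013",
    "<189>17: *Mar  1 10:06:00.000: %SYS-5-CONFIG_I: Configured from console by jo on vty0 (192.168.2.10)",
]
```

noisy_sources(SAMPLE) returns {"10.10.10.77": 3}, which is the kind of repeated-failure pattern the security authentication failure rate command is meant to throttle on the router itself.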

Thanks Alain,

OK, how to make tftpd32 on Windows XP? I mean how to install/configure it please, and where are logs stored on that Windows XP PC, and how to check those logs?

Joseph

Hi Joseph,

Following the link below will help you.
http://www.hak5.org/forums/index.php?showtopic=13229

Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.
