01-10-2020 04:03 AM - edited 01-10-2020 04:06 AM
Hi All,
I have a handful of C887VA routers which are all connected to ADSL and being VPN tunnelled back to our ASA back at HQ.
If ever the VPN tunnel fails, I need to be able to SSH to the router's public IP address as a backup way in, so I want to be able to SSH from my internal network (10.11.0.0/16) and my HQ public IP address but deny all other SSH traffic so it's nice and secure.
I have one router which will allow me to SSH from my internal network and my HQ public IP, however this also lets SSH sessions from any other public IP address to connect also, which I don't want.
This is the config from that router, on which I also need to allow all traffic going to Google and BT straight out to the internet instead of being sent back to the ASA at HQ.
Current configuration : 7997 bytes
!
! Last configuration change at 11:40:53 gmt Fri Jan 10 2020 by administrator
!
version 15.7
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rtr-test1
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5 $1$Tf3T$0YlkIobS6O5pqJ6jisTZl1
!
aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
crypto pki trustpoint TP-self-signed-10632463
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-10632463
 revocation-check none
 rsakeypair TP-self-signed-10632463
!
crypto pki certificate chain TP-self-signed-1063246338
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31303633 32343633 3338301E 170D3139 31323139 31303535
  31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30363332
  34363333 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AC42 21506E9D 3915B615 8564F971 72405090 BC57FC2F 26F7A962 42DBB115
  2963CA90 E44285BC 15B2C2A7 13F85348 A3388D72 42FF30BE 4A5EE9F5 C21BD6E0
  FA613792 812378EF 06254D40 B4E6E978 188703BD 296B48FE 0535BFAD E84E3EAD
  F79F1D2F FE7EE109 A1072427 8E32564F 4748E466 F42B8D9E 07209CBF FDFF5505
  91BD0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 143929A7 496DE5B6 6CD7A3CB 6FEE9657 F2278CC9 8F301D06
  03551D0E 04160414 3929A749 6DE5B66C D7A3CB6F EE9657F2 278CC98F 300D0609
  2A864886 F70D0101 05050003 81810076 71CB9686 7AFCB286
  quit
!
ip domain name mydomain.local
ip name-server 10.11.210.3
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn FCZ2344C21G
!
object-group network BT-RANGES
 62.7.201.160 255.255.255.224
 62.7.201.128 255.255.255.224
 213.120.60.128 255.255.255.224
 213.120.60.192 255.255.255.224
 213.120.76.0 255.255.255.224
 213.120.76.32 255.255.255.224
 213.120.76.64 255.255.255.224
 147.152.35.96 255.255.255.248
 147.152.35.104 255.255.255.248
 213.120.60.160 255.255.255.224
 213.120.60.224 255.255.255.224
 host 193.113.10.33
 host 193.113.11.35
 host 193.113.10.34
 host 193.113.11.36
 host 193.113.10.10
 host 193.113.11.10
 host 193.113.10.27
 host 193.113.11.27
 host 193.113.10.11
 host 193.113.11.11
 host 193.113.10.7
 host 193.113.11.7
 host 193.113.10.8
 host 193.113.11.8
 host 193.113.10.12
 host 193.113.11.12
 host 193.113.10.13
 host 193.113.11.13
 host 193.113.10.32
 host 193.113.11.34
!
object-group service BT-SERVICES
 tcp range 5060 5075
 udp range 5060 5075
 tcp eq 8933
 udp eq 8933
 udp range 32766 65535
 tcp eq 123
 udp eq ntp
 tcp eq 443
 tcp eq 5222
 tcp eq 1081
 tcp eq 5281
 tcp eq 5269
 tcp eq 8443
 tcp eq 2209
!
object-group network GOOGLERANGES
 host 8.8.8.8
 64.18.0.0 255.255.240.0
 64.233.160.0 255.255.224.0
 173.194.0.0 255.255.0.0
 207.126.144.0 255.255.240.0
 209.85.128.0 255.255.128.0
 216.58.32.0 255.255.224.0
 216.58.192.0 255.255.224.0
 216.58.208.0 255.255.240.0
 66.102.0.0 255.255.240.0
 66.249.80.0 255.255.240.0
 72.14.192.0 255.255.192.0
 74.125.0.0 255.255.0.0
!
object-group service GOOGLESERVICES
 tcp eq www
 tcp eq 443
 tcp eq 5222
 tcp range 19305 19309
 udp range 19305 19309
 tcp range 5228 5230
 icmp
 udp eq 443
 tcp eq 993
 tcp eq 465
 tcp eq smtp
 udp eq 80
!
object-group network MYDOMAIN-IPs
 host X.X.X.X
 host X.X.X.X
!
username administrator privilege 15 secret 5 $1$T7
redundancy
!
controller VDSL 0
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key mykey address X.X.X.X
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TS
 match address VPN-TRAFFIC
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 switchport access vlan 111
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 switchport access vlan 111
 no ip address
!
interface FastEthernet2
 switchport access vlan 111
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan111
 description branch VLAN
 ip address 10.11.111.254 255.255.255.0
 ip helper-address 10.11.202.1
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description Dialer interface for VDSL
 ip address negotiated
 ip access-group LOCKDOWN-IN in
 ip access-group LOCKDOWN-OUT out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname MYNAME@hg70.btclick.com
 ppp chap password 7 06361D71461D0A0D17
 ppp ipcp address accept
 no cdp enable
 crypto map VPN-TO-HQ
!
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NATINSIDE interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended LOCKDOWN-IN
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit gre object-group MYDOMAIN-IPs any
 permit esp object-group MYDOMAIN-IPs any
 permit ahp object-group MYDOMAIN-IPs any
 permit ip object-group MYDOMAIN-IPs any
 permit object-group BT-SERVICES object-group BT-RANGES any
 permit ip object-group GOOGLERANGES any
ip access-list extended LOCKDOWN-OUT
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ahp any object-group MYDOMAIN-IPs
 permit esp any object-group MYDOMAIN-IPs
 permit gre any object-group MYDOMAIN-IPs
 permit ip any object-group MYDOMAIN-IPs
 permit object-group GOOGLESERVICES any object-group GOOGLERANGES
 permit object-group BT-SERVICES any object-group BT-RANGES
ip access-list extended NATINSIDE
 permit ip 10.11.111.0 0.0.0.255 object-group GOOGLERANGES
 permit ip 10.11.111.0 0.0.0.255 object-group BT-RANGES
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.111.0 0.0.0.255 any
!
ipv6 ioam timestamp
!
snmp-server community MYRO-ro RO
snmp-server location MYBRANCH
snmp-server contact MYCOMPANY
snmp-server chassis-id rtr-Test1
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
vstack
privilege exec level 2 show startup-config
privilege exec level 2 show
!
line con 0
 exec-timeout 1440 0
 privilege level 15
 no modem enable
line aux 0
line vty 0 4
 transport input all
!
no scheduler allocate
!
end
So the other router I have has no NATINSIDE rules on the VLAN and no LOCKDOWN rules on the Dialer, but it allows access to SSH from my internal network, my HQ public IP and all other public IPs.
Current configuration : 3700 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rtr-test2
!
boot-start-marker
boot-end-marker
!
no logging console
!
aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 0 0
clock summer-time gmt recurring
crypto pki token default removal timeout 0
!
no ip source-route
!
ip cef
ip domain name MYDOMAIN.local
ip name-server 10.11.1.217
no ipv6 cef
!
license udi pid CISCO887VA-K9 sn FCZ153290P4
!
object-group network MYDOMAIN-IPs
 host X.X.X.X
 host X.X.X.X
!
username administrator privilege 15 secret 5 $1$h4yC$.cGbr4Rn68MRPD
!
controller VDSL 0
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key mykey address X.X.X.X
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TS
 match address VPN-TRAFFIC
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet0.101
 encapsulation dot1Q 101
 shutdown
 pppoe-client dial-pool-number 1
!
interface ATM0
 description BT Infinity
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 switchport access vlan 103
!
interface FastEthernet1
 switchport access vlan 103
!
interface FastEthernet2
 switchport access vlan 103
!
interface FastEthernet3
 description Site printer
 switchport access vlan 103
 duplex full
 speed 100
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan103
 description Site data network
 ip address 10.11.103.254 255.255.255.0
 ip helper-address 10.11.202.1
 no ip proxy-arp
!
interface Dialer1
 description Dialer interface for VDSL
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 encapsulation ppp
 ip tcp adjust-mss 1300
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname MYNAME@hg70.btclick.com
 ppp chap password 7 06310A2D4F41041C5
 ppp pap sent-username MYNAME@hg70.btclick.com password 7 06310A2D4F41041C5
 ppp ipcp address accept
 no cdp enable
 crypto map VPN-TO-HQ
!
ip default-gateway 10.11.103.254
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended LOCKDOWN-IN
 permit udp any any eq bootps
 permit gre object-group MYDOMAIN-IPs any
 permit esp object-group MYDOMAIN-IPs any
 permit ahp object-group MYDOMAIN-IPs any
 permit udp any any eq bootpc
 permit ip object-group MYDOMAIN-IPs any
ip access-list extended LOCKDOWN-OUT
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit udp any object-group MYDOMAIN-IPs
 permit ahp any object-group MYDOMAIN-IPs
 permit esp any object-group MYDOMAIN-IPs
 permit gre any object-group MYDOMAIN-IPs
 permit ip any object-group MYDOMAIN-IPs
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.103.0 0.0.0.255 any
!
logging esm config
!
snmp-server community MYRO-ro RO
snmp-server location MYSITE
snmp-server contact MYCOMPANY
snmp-server chassis-id ms-test2
!
control-plane
!
line con 0
 privilege level 15
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 1440 0
 privilege level 15
 transport input ssh
!
end
So one clearly works but it's totally open to the public to connect to, and the other one is too locked down.
Can anyone make any suggestions?
Thanks in advance!
01-11-2020 06:28 PM
Re: not allowing the whole world to SSH
Well, the first one, the one you have set up to receive SSH, is set for local username "administrator" with a very short password. If you're going to be having access via the Internet that needs to change: "administrator" is one of the first usernames a bad actor will try, and a short password is breakable.
Is there anything set up to do central user authentication such as RADIUS or TACACS+? If so, you can set up SSH authentication via that method; then bad actors need to know both the username and a password, and it's easier to remember to change that password regularly than trying to remember "which device uses the new password and which device uses the old password?"
If you know you'll be attempting to connect from a specific IP or a possible range of IPs, you can also set an ACL to permit connections from them and block others. (If you do that, don't forget to apply it to the external interface so you don't block internal traffic.) However, if you're potentially connecting from your home, most home addresses are assigned by DHCP from your ISP and subject to change.
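A worked vty lockdown for the routers above, as an added example that is not from this thread. It assumes 203.0.113.10 as a placeholder for the HQ public address the poster shows as X.X.X.X; an access-class on the vty lines is checked whichever interface the session arrives on, so it covers both the tunnelled 10.11.0.0/16 path and the direct Internet path from HQ without touching the LOCKDOWN ACLs on Dialer1.

```cisco
! Added example (not from the thread). Placeholder: 203.0.113.10 stands in
! for the HQ public address shown as X.X.X.X in the posted configs.
!
! 1. Name the only sources allowed to open a session to the vty lines.
!    10.11.0.0/16 arrives through the IPsec tunnel, HQ arrives via Dialer1;
!    access-class is evaluated for both, so LOCKDOWN-IN needs no change.
ip access-list standard SSH-MGMT
 permit 10.11.0.0 0.0.255.255
 permit host 203.0.113.10
 deny   any log
!
! 2. Bind it to the vty lines and accept SSH only. rtr-test1 currently has
!    "transport input all", which also exposes Telnet on the public address.
line vty 0 4
 access-class SSH-MGMT in
 transport input ssh
 exec-timeout 10 0
!
! 3. SSHv2 only, a 2048-bit host key, a retry limit and login event logging.
ip ssh version 2
ip ssh authentication-retries 3
ip ssh logging events
crypto key generate rsa modulus 2048
!
! 4. Replace the predictable local account. Create the new one first and
!    confirm it can log in before removing "administrator", because
!    "aaa authentication login default local" is what the vty lines use.
username branch-mgmt privilege 15 secret <long-passphrase>
no username administrator
!
! 5. Verify: the deny line collects hit counts (and syslog entries) when a
!    non-listed source tries to connect; show line confirms the access-class.
show ip access-lists SSH-MGMT
show line vty 0 4
show ip ssh
```

The same block applies unchanged to rtr-test2, which already has "transport input ssh" but no access-class, so today any source that reaches Dialer1 gets to the login prompt.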
Re: allow all traffic going to Google and BT to Internet not VPN via ASA
You probably want split tunnelling instead of router on a stick.