
filtering ip from accessing router 2911 for remote management

Hi

I have a 2911 router.

Public IP: 121.97.65.61-74

interface gigabitethernet 0/1
 ip address 121.97.65.61 255.255.255.240
 no ip proxy-arp
 no ip redirects
 ip virtual-reassembly
 duplex full
 speed 1000

____________

Firewall IP:

ip: 121.97.65.62
sm: 255.255.255.240
d-gateway or static ip route: 121.97.65.61

____________

I need to remote into my router, intended only on this IP range:

121.97.65.61 - .74/28

and other IPs will be dropped/kicked/disconnected automatically.

How do I implement this in an access list?

Can anyone solve this and be part of my network setup?

Your help is highly appreciated.


Kai Onken
Level 1

Hello,

If I've understood you correctly, you want only remote access to the router for the IP range 121.97.65.61 to 121.97.65.74, right?

So try this:

ip access-list standard VTY
  remark "Remote access"
  101 permit 121.97.65.61
  102 permit 121.97.65.62
  103 permit 121.97.65.63
  104 permit 121.97.65.64
  105 permit 121.97.65.65
  106 permit 121.97.65.66
  107 permit 121.97.65.67
  108 permit 121.97.65.68
  109 permit 121.97.65.69
  110 permit 121.97.65.70
  111 permit 121.97.65.71
  112 permit 121.97.65.72
  113 permit 121.97.65.73
  114 permit 121.97.65.74
exit

line vty 0 15
  access-class VTY in
exit

The problem is that .61/28 is not a default IP network, and because of this you have to use single IP addresses.

Kind regards

Kai
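
The 14 permit lines above can also be written as five wildcard-mask entries, since a standard ACL matches on address plus wildcard rather than on subnet boundaries. The sketch below is an added example, not part of Kai's reply: it derives those entries for 121.97.65.61 to .74 and evaluates them top-down with the implicit deny; the function names and the outside test address 198.51.100.7 are assumptions made for illustration.

```python
import ipaddress


def range_to_acl(name, first, last):
    """Return IOS named standard ACL lines that cover first..last exactly."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    lines = [f"ip access-list standard {name}"]
    for seq, net in enumerate(nets, start=1):
        if net.prefixlen == 32:
            entry = f"permit host {net.network_address}"
        else:
            # IOS wildcard mask is the inverse of the netmask (hostmask)
            entry = f"permit {net.network_address} {net.hostmask}"
        lines.append(f" {seq * 10} {entry}")
    return lines


def acl_permits(lines, source):
    """Evaluate the generated ACL top-down; no match means implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for line in lines[1:]:
        fields = line.split()  # [seq, 'permit', 'host'|base, addr|wildcard]
        if fields[2] == "host":
            base, wildcard = fields[3], "0.0.0.0"
        else:
            base, wildcard = fields[2], fields[3]
        # Bits set in the wildcard are ignored; all other bits must match
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (src & care) == (int(ipaddress.IPv4Address(base)) & care):
            return True
    return False


if __name__ == "__main__":
    acl = range_to_acl("VTY", "121.97.65.61", "121.97.65.74")
    print("\n".join(acl))
    # Constructed test sources: two inside the range, two outside it
    for src in ("121.97.65.61", "121.97.65.74", "121.97.65.75", "198.51.100.7"):
        print(src, "permit" if acl_permits(acl, src) else "deny (implicit)")
```

Any source that matches no entry, which includes every address outside the range, falls through to the implicit deny, so a remote site is refused until its own address is added.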

Hi Kai

Your config is doing fine, however another problem occurs:

inside the network I can access it remotely,

but

outside the office, at home, internet cafe/shop, my friend's house, I can't access my router. Why?

By the way,

here's the IP range the ISP gave:

wan ip: 125.212.12.252
isp side: 125.212.12.253
client side: 125.212.12.254
sub mask: 255.255.255.252
public ip: 121.97.65.61 - .74 / 28

On my router:

all offices access with the ip route overload: 125.212.12.253

all servers access with the ip route overload statement above: ip nat inside source list SERVERS interface gigabitethernet 0/1 overload

with the ip route like this:

ip route 0.0.0.0 0.0.0.0 125.212.12.253
ip nat inside source list SERVERS interface gigabitethernet 0/1 overload
ip nat inside source list OFFICES interface gigabitethernet 0/0 overload

_________

router:

interface gigabitethernet 0/0
 ip address 125.212.12.254 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly
 no cdp enable
 duplex full
 speed auto


Hello,

The configuration I posted does anything you requested. If you want to access the router via the WAN interface, I have to know several things and I also have to ask some questions.

1. Is the IP address which you receive a static one or dynamic?

   If yes, you'll have a quite simple way.

   If no, you have to configure something like DynDNS, so that you can reach the WAN interface from everywhere.

2. Do your places outside the office, e.g. home, internet cafe/shop, my friend's house, have static IP addresses?

   If yes, you can add them to the access list.

   If no, you have a problem, because then you always have to replace the 'old' IP address with the 'new' one.

   A possible solution could be the setup of a VPN server at your router. But then you would have another problem:

      1. You need a static IP address or e.g. a DynDNS entry.

      2. Then you only have to add the VPN network to your access list.

      3. You would be able to install a VPN client on your home computer and your friend's computer, but I think you wouldn't be allowed to install a VPN client on an internet shop's computer.

Kind regards

Kai

1. Is the IP address which you receive a static one or dynamic?

-> Yes, static; written above, the ISP gave that.

2. Do your places outside the office, e.g. home, internet cafe/shop, my friend's house, have static IP addresses?

-> Yes, static: 124.45.65.201/24

A possible solution could be the setup of a VPN server at your router. But then you would have another problem:

1. I have static if you want a VPN setup on a router, but for me know how?

2. How to add? I don't even know how to create one.

3. Installing a VPN client is not a problem; I have it on my own gear and I bring this wherever I am.

And if you give me one shot at creating a VPN server on my router 2911, and some other config,

Hello,

Pasting a VPN configuration could be a little bit difficult, because I don't know which IOS, VPN client, client platform, etc. you use.

Once I wrote a VPN setup for Apple iPhone and iPad usage; maybe this will help you a little.

https://supportforums.cisco.com/message/3835229#3835229

Kind regards

Kai

Hi Kai,

very helpful link from you

Thanks
