10-23-2017 01:58 PM - edited 03-12-2019 04:39 AM
Hello,
I have a Cisco 2851 router
- Configured SSH for an alternate port but it does not work inbound from the "world"
- I can connect SSH internally using SecureCRT from inside my network
- I also have other services that I cannot get to from the outside
- And if I can throw this in I am trying to BLOCK....SNMP and NTP inbound
- When I scan the Router external IP it shows SNMP...and NTP as "open"
I did a lot of research before posting here, but I just cannot figure it out.
Here is my entire config file (attached)
I am no Cisco expert but I have learned a lot......
Please feel free to make any suggestions or changes to my config file you may have
I would be very grateful...thank you
10-23-2017 02:33 PM - edited 10-23-2017 02:43 PM
David,
Presumably, based on the contents of the DenyStdSSH ACL, you want to access your router via SSH on port 8500. If you will access this port from the outside interface, the first thing that I notice is that your standard ACL 101 does not permit it. Assuming you will be using the outside IP address, then nothing else is needed.
You should also think about using a loopback address on your router for management. With your NAT configuration, you will also need a static port mapping to make that work from the outside.
Edit: I think your ACL 101 needs a complete rework, actually. For example, you have this line:
access-list 101 permit tcp any eq www any log
I presume that you intend to allow users within your network access to the Internet, but this line actually lets the Internet access a web server within your network (except that the NAT configuration doesn't allow it). Are you hosting a web site?
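To make the point about that ACL line concrete, here is a small added example (my own code, not from the thread or from Cisco): a toy evaluator for Cisco-style extended ACL entries, run over two constructed inbound packets against the line as posted and against a version narrowed to the router's own outside address. The router address 203.0.113.1 and the packet addresses are constructed documentation values, not David's real IPs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Ace:
    """One extended ACL entry; 'eq' port matches are a single port or None (any port)."""
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", ...
    src: str                 # "any", "host A.B.C.D" or "A.B.C.D/prefix"
    src_port: Optional[int]  # source 'eq' port, None if unrestricted
    dst: str
    dst_port: Optional[int]

def match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec.split()[1])
    return ip_address(addr) in ip_network(spec, strict=False)

def ace_matches(ace: Ace, pkt: dict) -> bool:
    return (ace.proto == pkt["proto"]
            and match_addr(ace.src, pkt["src"])
            and (ace.src_port is None or ace.src_port == pkt["sport"])
            and match_addr(ace.dst, pkt["dst"])
            and (ace.dst_port is None or ace.dst_port == pkt["dport"]))

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

ROUTER_OUTSIDE = "203.0.113.1"   # constructed stand-in for the router's WAN address
# As posted: access-list 101 permit tcp any eq www any
AS_POSTED = [Ace("permit", "tcp", "any", 80, "any", None)]
# Narrowed to the router itself: access-list 101 permit tcp any eq www host 203.0.113.1
NARROWED = [Ace("permit", "tcp", "any", 80, f"host {ROUTER_OUTSIDE}", None)]

# Constructed sample packets arriving inbound on the outside interface.
DYNDNS_REPLY = {"proto": "tcp", "src": "198.51.100.7", "sport": 80, "dst": ROUTER_OUTSIDE, "dport": 51234}
TO_INSIDE_HOST = {"proto": "tcp", "src": "198.51.100.9", "sport": 80, "dst": "192.168.1.10", "dport": 22}

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("narrowed", NARROWED)):
        print(name, evaluate(acl, DYNDNS_REPLY), evaluate(acl, TO_INSIDE_HOST))
```

The DynDNS reply (source port 80 to the router) is permitted by both lists, but only the narrowed entry denies a source-port-80 packet aimed at an inside host; on a real IOS ACL the `established` keyword would further restrict the entry to return traffic of router-initiated sessions.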
10-23-2017 02:57 PM - edited 10-23-2017 03:44 PM
Thanks for the reply
I have added this ACL
access-list 101 remark --- SSH 8500 ---
access-list 101 permit tcp any any eq 8500 log
I do not know anything about a loopback address for management
10-23-2017 04:00 PM
Thanks for the reply.
The only reason I have:
access-list 101 permit tcp any eq www any log
Because my ROUTER needs to have WWW so my DynDNS will register ...only the ROUTER
I just am not sure how to restrict it to the ROUTER only
I also only need DNS to answer on the ROUTER only, for the ip name-server.
(I am not sure how to restrict it to the ROUTER only.)
I don't need DNS on the INTERNAL network because I use DNSCrypt which uses port 443
I know my config file is kind of messy; I am still learning... if you have any suggestions...
10-23-2017 02:38 PM
Hello @DAVID RICHWALSKI
- Configured SSH for an alternate port but it does not work inbound from the "world"
I saw you have an access-class DenyStdSSH on your VTY line, but I didn't see any ACL with this name.
You should have this command on VTY:
ip ssh port "portnum" rotary "group"
- I can connect SSH internally using SecureCRT from inside my network
OK
- I also have other services that I cannot get to from the outside
Which one?
- And if I can throw this in I am trying to BLOCK....SNMP and NTP inbound
Use Context-Based Access Control (CBAC), normal ACL probably will fail.
- When I scan the Router external IP it shows SNMP...and NTP as "open"
If you are not using it, disable it. If you are using SNMP and NTP, you can use a highly complex SNMP community for security, and NTP allows you to specify whom to speak to. You can specify the source for NTP to sync.
-If I helped you somehow, please, rate it as useful.-
10-23-2017 03:52 PM
Thanks for the reply.
I have the following on my outside interface:
ntp disable
and I have SNMP configured with a very strong string
I would like to set it so only my computer can access it
10-24-2017 09:16 PM
I want to thank you all for your help I did manage to get my SSH working on the alternate port
I also "trimmed" some things out of my config file, but I am sure a lot more could be done to make it better..I will continue to take your suggestions and do a lot more reading
Plus some trial & error
If anyone can suggest any material that may help me out, I would be grateful.