11-16-2009 01:21 PM
After much dabbling, I have my Cisco 871W working perfectly with ezvpn to a central ASA5505. Wireless is all good and the tunnel to the main office is reliable. Sorted!!
I have one last thing that I can't figure out. I want to manage the router from the main site through SSH or HTTPS and have tried all sorts on the firewall to get this sorted. The subnet that I will manage from will be 10.1.10.0/23 if that helps...
I've attached the config for reference.
Any pointers would be much appreciated so I can draw a line under the config and ship it out to the customer.
Thanks in advance...
Campbell Thompson
11-16-2009 01:49 PM
I would begin with:
interface FastEthernet4
 no zone-member security out-zone
interface Vlan1
 no ip tcp adjust-mss 1452
interface BVI1
 no zone-member security in-zone
 no ip tcp adjust-mss 1412
no ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
You could remove more commands, I've indicated what jumps to the eye.
11-16-2009 02:04 PM
Okay, that works, but ideally, I'd like to make use of the zone based firewall. Which zone would I need to change and how?
11-16-2009 02:10 PM
Not sure, I've seen ZBFW only cause problems but never do any good.
You have NAT, nobody can attack you from outside. At least that is my experience in 12 years on installing routers with NAT.
Please remember to rate useful posts with the scrollbox below.
11-16-2009 04:16 PM
I really appreciate the help. I agree that I'm more than secure, especially as the 871 is sitting in the client's own firewalled network, so there's limited risk.
I know that Cisco claim that the ZBF is supposed to make things more logical and simpler! I'm not sure that I agree!!!
Thanks again for the help...
Campbell Thompson
11-17-2009 05:30 AM
No problem, thank you for the nice rating and good luck!
12-09-2009 06:12 AM
Hi Campbell,
To manage your router through SSH or HTTPS, you have to define a class-map for these two protocols and attach it to the policy-map "ccp-permit". Copy the lines below into your config:
!
class-map type inspect match-any ssh-https-class
 match protocol ssh
 match protocol https
class-map type inspect management-class
 match class-map ssh-https-class
 match access-group 10
!
! wildcard 0.0.1.255 covers the whole 10.1.10.0/23 management subnet named above
access-list 10 permit 10.1.10.0 0.0.1.255
!
policy-map type inspect ccp-permit
 class type inspect management-class
  inspect
!
Now you should have access to your remote router through SSH or HTTPS.
Best Regards,
Tihomir Yosifov
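The snippet above only admits management traffic from whatever the standard ACL actually permits, and a wildcard written for a /24 silently excludes half of a /23. The following checker is an added example, not code from the thread or from Cisco: it parses the class-map, access-list and policy-map lines, resolves the nested class-map, converts the IOS wildcard to a prefix and reports whether the policy admits SSH and HTTPS from the whole management subnet the original poster named. The two embedded config samples are constructed copies of the posted snippet, one with a /24 wildcard and one with a /23 wildcard; the router's real attached config is not reproduced.

```python
import ipaddress

# Constructed sample (not the thread's attached config): the class-map and
# policy-map lines proposed in the thread, with the /23 the poster named.
MANAGEMENT_SUBNET = "10.1.10.0/23"

SNIPPET_AS_POSTED = """\
class-map type inspect match-any ssh-https-class
 match protocol ssh
 match protocol https
class-map type inspect management-class
 match class-map ssh-https-class
 match access-group 10
!
access-list 10 permit 10.1.10.0 0.0.0.255
!
policy-map type inspect ccp-permit
 class type inspect management-class
  inspect
"""

# Same snippet with a wildcard that covers the whole /23 (constructed).
SNIPPET_FIXED = SNIPPET_AS_POSTED.replace("0.0.0.255", "0.0.1.255")


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> IPv4Network (set wildcard bits are don't-care)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # only contiguous low bits map to a single prefix
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    prefixlen = 33 - (w + 1).bit_length()  # 0.0.0.255 -> /24, 0.0.1.255 -> /23
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_standard_acls(config):
    """Map numbered standard ACL -> list of permitted networks."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        if tok[3] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif tok[3] == "host":
            net = ipaddress.IPv4Network(tok[4] + "/32")
        else:  # "A W" or bare "A" (host implied)
            net = wildcard_to_network(tok[3], tok[4] if len(tok) > 4 else "0.0.0.0")
        acls.setdefault(int(tok[1]), []).append(net)
    return acls


def parse_class_maps(config):
    """Map inspect class-map name -> its protocol / access-group / class-map matches."""
    classes, cur = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["class-map", "type", "inspect"]:
            cur = {"protocol": set(), "access-group": set(), "class-map": set()}
            classes[tok[-1]] = cur
        elif tok[:1] == ["match"] and cur is not None and tok[1] in cur:
            cur[tok[1]].add(tok[2])
        elif tok and not line.startswith(" "):
            cur = None  # left the class-map stanza
    return classes


def resolve(name, classes, seen=None):
    """Flatten nested class-maps into (protocols, access-groups)."""
    seen = seen or set()
    if name in seen or name not in classes:
        return set(), set()
    seen.add(name)
    protos, groups = set(classes[name]["protocol"]), set(classes[name]["access-group"])
    for nested in classes[name]["class-map"]:
        p, g = resolve(nested, classes, seen)
        protos, groups = protos | p, groups | g
    return protos, groups


def policy_classes(config, policy):
    """Class-maps referenced under 'policy-map type inspect <policy>'."""
    names, inside = [], False
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["policy-map", "type", "inspect"]:
            inside = tok[3] == policy
        elif inside and tok[:3] == ["class", "type", "inspect"]:
            names.append(tok[3])
        elif tok and not line.startswith(" "):
            inside = False
    return names


def check_management_access(config, policy="ccp-permit", subnet=MANAGEMENT_SUBNET,
                            protocols=("ssh", "https")):
    """Return findings; an empty list means the policy admits every required
    protocol from the whole management subnet."""
    wanted, mgmt = set(protocols), ipaddress.IPv4Network(subnet)
    classes, acls, findings, matched = parse_class_maps(config), parse_standard_acls(config), [], False
    for name in policy_classes(config, policy):
        protos, groups = resolve(name, classes)
        if not wanted <= protos:
            findings.append("class %s lacks protocols %s" % (name, sorted(wanted - protos)))
            continue
        matched = True
        for acl in groups:
            nets = acls.get(int(acl), [])
            if not nets:
                findings.append("access-list %s is referenced but not defined" % acl)
            elif not any(mgmt.subnet_of(n) for n in nets):
                findings.append("access-list %s permits %s; %s is not fully covered"
                                % (acl, ", ".join(map(str, nets)), mgmt))
    if not matched:
        findings.append("no class in policy-map %s carries all of %s" % (policy, sorted(wanted)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SNIPPET_AS_POSTED), ("fixed", SNIPPET_FIXED)):
        print(label, "->", check_management_access(cfg) or "ok")
```

Running it on the /24 variant reports that access-list 10 permits 10.1.10.0/24 while 10.1.10.0/23 is not fully covered; the /23 variant passes. The same check can be re-run with a different `protocols` tuple to confirm that nothing beyond SSH and HTTPS is admitted to the self zone from the management subnet.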