
Router Access from Outside via Telnet

Status
Not open for further replies.

Barnacle

MIS
Jan 15, 2003
70
US
I have a router that I can telnet into from inside the network. I need to make it so the ISP can telnet into it from the outside world. They actually need to get into 3 routers on our network.

I tried to apply an extended access-list to the external interface, but when I did the internet connection went down!

IOS 12.0
Internet is on s0.1
Internet Router address is 192.168.10.1
External ip is 209.240.82.199

Thank you!
 
You are better off using access-class on the vty line:

access-list 10 permit host x.x.x.x
access-list 10 permit host y.y.y.y
access-list 10 permit 192.168.10.0 0.0.0.255
line vty 0 15
access-class 10 in

This will allow only hosts x.x.x.x and y.y.y.y plus the local network (192.168.10.0/24) to telnet to your router. This does not filter any inbound traffic.

You really should consider putting an internet acl in place, your installation is not secure without it (especially now that you have advertised your external IP address to the world).

HTH,
Michael.
 
I'm doing this remotely through a Terminal Services session. Will I get disconnected if I enter it as you specified?

The router has telnet setup for internal access as vty 0 4. Would it mess it up to add vty 0 15?

I used a "fake" ip. I'm a newbie, but not that new of a newbie... :>
 
Just wanted to make sure you knew about the potential of being hacked when putting the real IP Address on a board like this ;) You never know who might be watching...

Some versions of the IOS support 15 concurrent VTY (telnet) connections. If your config currently has line vty 0 4 then it is best to use that rather than the one that I suggested.

As long as the IP Address of the device that you are connecting from is allowed in the access-list then you should not be disconnected. It is important that all of the addresses that you will connect from are in the list otherwise you will not be able to telnet to the router. The last line of the acl that I suggested will allow all hosts that start with 192.168.10. You might want to restrict this more or add more networks/hosts.

HTH,
Michael.

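The access-class behaviour Michael describes (first matching entry wins, an implicit deny at the end, and the need to have every address you manage from in the list before applying it) can be worked through with a small evaluator. This is an added example, not code from the thread; the config it parses is constructed from Michael's suggestion, with the RFC 5737 addresses 203.0.113.5 and 198.51.100.7 standing in for x.x.x.x and y.y.y.y and the poster's existing `vty 0 4` range.

```python
import ipaddress

# Added example (not from the thread): evaluate a Cisco standard ACL the way
# "access-class N in" applies it to incoming vty sessions, and check before
# applying it that the address you manage from is permitted, so the change
# cannot cut off the session you are typing into.


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(config_text, number):
    """Return [(action, addr, wildcard)] for 'access-list <number>' lines.
    Handles 'host A', 'any', 'A' (bare host) and 'A W' (address + wildcard)."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number) or t[2] == "remark":
            continue
        if t[3] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif t[3] == "host":
            addr, wild = _ip(t[4]), 0
        else:
            addr = _ip(t[3])
            wild = _ip(t[4]) if len(t) > 4 else 0   # bare address means a single host
        entries.append((t[2], addr, wild))
    return entries


def acl_permits(entries, src_ip):
    """First match wins. A 1 bit in the wildcard means 'don't care';
    falling off the end of the list is the implicit 'deny any'."""
    ip = _ip(src_ip)
    for action, addr, wild in entries:
        if ((ip ^ addr) & (wild ^ 0xFFFFFFFF)) == 0:
            return action == "permit"
    return False


def vty_access_class(config_text):
    """ACL number applied with 'access-class N in' under the 'line vty'
    stanza, or None if the vty lines carry no inbound access-class."""
    in_vty = False
    for line in config_text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "line":
            in_vty = (t[1] == "vty")
        elif in_vty and t[0] == "access-class" and t[-1] == "in":
            return int(t[1])
    return None


def lockout_check(config_text, management_hosts):
    """Return the management hosts the vty access-class would reject.
    An empty list means applying the config is safe from all of them."""
    acl = vty_access_class(config_text)
    if acl is None:
        return []
    entries = parse_standard_acl(config_text, acl)
    return [h for h in management_hosts if not acl_permits(entries, h)]


# Constructed sample: Michael's suggestion with RFC 5737 addresses in place
# of x.x.x.x / y.y.y.y, applied to the poster's existing vty 0 4 range.
SAMPLE_CONFIG = """\
access-list 10 permit host 203.0.113.5
access-list 10 permit host 198.51.100.7
access-list 10 permit 192.168.10.0 0.0.0.255
line vty 0 4
 access-class 10 in
"""

if __name__ == "__main__":
    # 192.0.2.9 is a constructed "forgotten" admin address; it is the one reported.
    print(lockout_check(SAMPLE_CONFIG, ["203.0.113.5", "192.168.10.20", "192.0.2.9"]))
```

Run `lockout_check` with every address an administrator connects from (the Terminal Services host on the inside LAN included) before pasting the `access-class` line; any address it returns would lose vty access once the list is in place.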
 
It worked great and I didn't even get disconnected!

Thank you Michael!!!
 
I am having the same problem

here is the config

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname RUSSO
!
logging buffered 51200 warnings
enable secret 5 onlyIknow
enable password onlyIknow
!
username onlyIknow privilege 15 password 0 onlyIknow
no aaa new-model
ip subnet-zero
no ip source-route
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key onlyIknow address 68.45.187.152
!
!
crypto ipsec transform-set bailiwickTranSet esp-3des esp-md5-hmac
!
crypto map bailiwickIPSEC 1 ipsec-isakmp
description Bailiwick IPSEC
set peer 68.45.187.152
set security-association lifetime kilobytes 8000
set transform-set bailiwickTranSet
set pfs group1
match address 102
crypto map bailiwickIPSEC 859 ipsec-isakmp
description Bailiwick IPSEC
set peer 68.45.187.152
set security-association lifetime kilobytes 8000
set transform-set bailiwickTranSet
set pfs group1
match address 102
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.1.2 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip rip send version 2
ip rip receive version 2
ip route-cache flow
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Ethernet1
description $ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip rip send version 2
ip rip receive version 2
ip inspect DEFAULT100 out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username password 0
crypto map bailiwickIPSEC
!
router rip
version 2
network 141.0.0.0
network 151.0.0.0
network 192.168.1.0
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 10 permit 0.0.0.0
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp any eq telnet any eq telnet
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 68.45.187.152 any eq non500-isakmp
access-list 101 permit udp host 68.45.187.152 any eq isakmp
access-list 101 permit esp host 68.45.187.152 any
access-list 101 permit ahp host 68.45.187.152 any
access-list 101 permit tcp any eq telnet any eq telnet
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 0.0.0.0 0.255.255.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
line con 0
login local
no modem enable
transport preferred all
transport output telnet
line aux 0
login local
transport preferred all
transport output telnet
line vty 0 4
access-class 10 in
privilege level 15
password onlyIknow
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end

Anyone have any hints?


Board4aLiving [cannon]
 
board4aliving

That is one heck of a config?
VPN I see and that is typically the problem child of the config because of all the little tiny details.

I guess I missed the question because of being sucked in by the config?

I have not seen one this detailed in a long time!
I hope that I can help?
 