Several SDM questions...

Unanswered Question
Feb 3rd, 2007

I tried updating SDM to the latest release, but failed doing so:

On the router's SDM Express interface I downloaded the update from cisco.com's website to my notebook (Win XP). Then I started the installer.

After the first failure, it advised me to follow some steps (activate the router's http/https server, add a user with level 15, configure ssh/telnet for level 15).

I did so and the installation seemed to work until the installer reached "Copy files to router". Then the installation stopped with an error ("file transfer to router not possible" or similar).

Now when I call my router's WAN IP, I don't get the SDM Express frontend any longer, but some kind of "HTML terminal". Anyway, the router still seems to work fine.

So my questions are as follows:

1. How can I get back SDM Express without destroying the router's configuration?

2. When done, how do I properly update the SDM version?

This is what my configuration looks like (show running-conf):

Building configuration...

Current configuration : 2321 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname adsl-gw

!

boot-start-marker

boot-end-marker

!

logging buffered 10000 debugging

enable secret 5 ####################

!

clock timezone PCTime 1

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

ip subnet-zero

!

!

!

!

ip cef

ip ips po max-events 100

vpdn enable

!

vpdn-group 1

request-dialin

protocol pppoe

!

no ftp-server write-enable

!

isdn switch-type basic-net3

!

!

username ##### privilege 15 password 7 #######

!

!

no crypto isakmp ccm

!

!

!

interface BRI0

no ip address

shutdown

isdn switch-type basic-net3

!

interface FastEthernet0

description zum DSL modem

no ip address

speed auto

half-duplex

pppoe enable

pppoe-client dial-pool-number 1

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface Vlan1

description LAN

ip address 194.x.100.x 255.255.255.248

!

interface Dialer1

description T-DSL dialer

ip address negotiated

ip access-group 102 in

ip mtu 1492

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer-group 1

ppp chap refuse

ppp pap sent-username ###### password 7 #######

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

ip http access-class 9

ip http authentication local

ip http secure-server

!

!

!

access-list 9 permit 194.77.100.88 0.0.0.7

access-list 101 permit ip any any

access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 3283

access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq 3283

access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 5900

access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq 5900

access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq 22

access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 22

access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 23

access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq telnet

access-list 102 permit ip any any

dialer-list 1 protocol ip list 101

!

!

control-plane

!

!

line con 0

password 7 ###########

login

line aux 0

line vty 0 4

privilege level 15

password 7 ############

login local

transport input telnet

!

end

(User names and passwords have been replaced with #####)

I really look forward to your kind assistance :-)

stephen.stack Sun, 02/04/2007 - 01:07

Hi,

There are a number of ways you could do this. I will give you two.

Firstly, and the simpler of the two: when running the SDM setup, install SDM on your hard drive only, i.e. select the first option 'this computer'. This will allow you to run SDM without having to take up space on your router's flash.

The alternative is to log into your router, delete all the SDM files on flash and reinstall the new SDM files.

1. Log into router exec mode.

2. 'show flash' to display files

3. delete all sdm files (do not delete system image) i.e.

SDM file home.html

SDM file SDM.tar

SDM file IPS.tar

IOS image c1841-advipservicesk9-mz.124-6.T.bin

4. Use 'delete flash:sdm.tar' to delete files individually. When asked "do you want to delete all files on flash", say NO. Answer the question slowly.

5. Upload the new files to flash using the SDM installer.

Everything should work just fine now. :)

Cheers

Stephen

tobiaseichner Sun, 02/04/2007 - 05:04

Hello, thank you for assisting :-)

> Firstly and the more simple of the two. When running the

> sdm setup. Install SDM on your hard drive only i.e. select

> the first option 'this computer'. This will allow you to run

> SDM without having to take up space on your routers flash.

I did so, but when I start the software, it asks me for the IP of the router (I use the WAN IP, since the router isn't in my LAN) and then nothing happens. A message appears that SDM will open in another window, but even after five minutes... silence. I disabled the pop-up blocker and even the firewall of my local PC.

However, there is a firewall in my local LAN router... maybe this blocks the ports necessary for SDM to communicate... do you know which ports I must open?

Anyway, since I usually work from a Mac and there is no OS X SDM version, I would like to have it on the router (as it was before, not sure what my error was).

Regarding your suggested alternative way... I'm quite new to this router, so let's ask some dummy questions:

> 1. login into router exec mode.

Log in via telnet, and how do I get into exec mode? Or am I already in (the prompt says "adsl-gw#"; what does this mean?).

2. 'show flash' to display files

This works directly after logging in and shows:

System flash directory:

File Length Name/status

1 13291556 c1700-k9o3sy7-mz.123-11.T8.bin

2 2118 sdmconfig-1711-1712.cfg [deleted]

3 812032 es.tar [deleted]

4 1007616 common.tar [deleted]

5 1038 home.shtml [deleted]

6 113152 home.tar [deleted]

7 234040 attack-drop.sdf

[15462004 bytes used, 17830280 available, 33292284 total]

32768K bytes of processor board System flash (Read/Write)

See the [deleted] notes... anything serious?

3. delete all sdm files (do not delete system image) i.e.

SDM file home.html

SDM file SDM.tar

SDM file IPS.tar

IOS image c1841-advipservicesk9-mz.124-6.T.bin

I can't see these files... which of the files I have should I delete?

> 4. use 'delete flash:sdm.tar' to delete files individually.

Okay, one point I understood :-)

5. upload new files to flash using SDM installer.

From the PC again? Since this failed the first time, do you have an idea what went wrong?

Again, I really appreciate your help :-)

stephen.stack Sun, 02/04/2007 - 05:49

Hi,

This is all very positive. Just a little learning curve for you. :)

Lets take the points inline.

1. Using SDM over the internet would not be the wisest option. Security etc... you need to answer some questions to enable this to work if you want to do it this way.

1. Your own (local) firewall will not interfere with the use of SDM across the internet.

2. What does 194.77.100.88 belong to?

3. What is the public IP address of this router?

4. What is the public IP address range of the router on your own site?

The reason I should have the IPs is that you should (for security's sake) configure the router to only accept incoming SDM traffic from your public IP address. This will stop any unwanted attacks from the internet. You may mail them to me offline if you wish. [email protected]

Given your Mac OS X point... the following applies to getting it on the router only. You may disregard the above comments based on the setup below if you wish. :)

1. The prompt adsl-gw# is exec mode. (spot on)

2. The [deleted] after filenames in flash means that they are marked for deletion. You need to carry out one more command before flash memory is released. This is 'squeeze flash'. This may take a few minutes.

Disregard point 3.

> 3. delete all sdm files (do not delete system image) i.e.

> SDM file home.html

> SDM file SDM.tar

> SDM file IPS.tar

> IOS image c1841-advipservicesk9-mz.124-6.T.bin

The correct files will be deleted once flash is squeezed.

Ideally you need to transfer the SDM files using TFTP. I'm not sure how the SDM installer will deal with uploading files to the router over the internet, unless you have access to the router as described above.

Bear with me on this and we will get it working for you. This is a great way to learn the nuances of working with Cisco equipment.

Regards

Stephen

HTH... Please rate posts

tobiaseichner Sun, 02/04/2007 - 06:15

Hi.

> 1. your own (local) firewall will not interfere with the use of

> SDM across the internet.

At least I was able to work with SDM before my update attempt; therefore there may be no problems (except the update, which ended at the stage of copying files to the router).

2. What does 194.77.100.88 belong to?

As I got told from our ISP, this IP is the net IP... whatever this means.

> 3. what is the Public IP address of this router?

194.*.100.89

> 4. What is the public IP address range of the router on

> your own site?

From 194.*.100.88 to 194.*.100.95

First IP is the net IP, the last is the broadcast IP. As told by our ISP.

> The reason I should have the IP's is that you should (for

> security's sake) configure the router to only accept ...

> You may mail them to me offline if you wish.

I already posted the config here, so it doesn't matter... anyway, I keep my password and username a secret :-)

> 2. the [deleted] after filenames in flash means that they

> are marked for deletion. You need to carry out one

> more command before flash memory is released. This is

> 'squeeze flash'. this may take a few minutes.

> Ideally you need to transfer the SDM files using TFTP. I'm

> not sure how the SDM installer will deal with uploading

> files to the router over the internet. Unless you have

> access to the router as described above.

TFTP... okay, may need to look for a client for my Windows.

If the installer tries TFTP, maybe this is blocked by my firewall... so I will give it a try with a forwarded port 69 for TFTP.

> Bear with me on this and we will get it working for you.

> This is a great way to learn the nuances of working with

> Cisco equipment.

Thank you :-) Anyway, I must confess that I'm not happy with this router. It was a forced purchase by our ISP (no Cisco, no contract); I wish I had one that I could manage more easily... but with your assistance hopefully everything will finally work :-)

By the way, according to my understanding I can use SDM Express for managing the router entirely and get rid of the terminal command line? Have I understood this correctly so far?

> HTH... Please rate posts

Done :-)

tobiaseichner Mon, 02/05/2007 - 13:10

Hi,

Okay, after "squeezing" the flash memory, I was able to install SDM 2.2 from my install CD... after doing so, I tried to update SDM to the latest version 2.3.4 via the SDM interface.

The installer loaded, started, connected to the router, checked memory and then stopped with the error "Uploading failed".

After clearing flash again, installing SDM 2.2 was successful. Not sure what the reason is why newer versions fail.

So unless it is necessary for security reasons, I won't make further update attempts. My software status is: IOS 12.3(11)T8 and SDM 2.2. Do you know of any security problems? Anyway, I don't know how to update the IOS operating system, but I can imagine that this is a quite complex task that has to succeed at the first try.

May I ask you some further questions?

(1)

My flash memory currently contains these files:

System flash directory:

File Length Name/status

1 13291556 c1700-k9o3sy7-mz.123-11.T8.bin

2 1038 home.shtml

3 2118 sdmconfig-1711-1712.cfg

4 113152 home.tar

5 234040 attack-drop.sdf

6 1007616 common.tar

7 4052480 sdm.tar

8 812032 es.tar

[19514548 bytes used, 13777736 available, 33292284 total]

32768K bytes of processor board System flash (Read/Write)

What does attack-drop.sdf refer to? While I can assign all other files to SDM or IOS, I'm unsure about this one.

(2)

I performed a "Security Audit" over SDM and followed all recommendations (luckily the router still works ;-) except enabling the firewall.

So I'm simply unsure about what the firewall wizard asks regarding outside and inside interfaces. I have two: "dialer1 (FastEthernet0)" and "vlan1". According to my understanding I would simply say that "vlan1" is the inside interface and the other the outside.

However, the wizard also warns not to choose the interface that is used for connecting to SDM as "outside". And since I access SDM over the WAN IP, I guess that the firewall is not an option for me, is it?

What additional functionality would the firewall provide to me?

(3.1.)

Currently I have an ACL like this:

"access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 23"

Is it possible to write this also as

"access-list 102 deny udp any any eq 23"?

According to my understanding it would be the same: blocking udp traffic from any outside source to any inside (behind the router) address. Or am I wrong?

(3.2.)

There is one ACL

"access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq telnet"

but shouldn't this be written as

"access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq 23"?

By the way, this is another one blocking telnet connections from the Internet within my LAN: "access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 23" (this just for information).

...More follows...

tobiaseichner Mon, 02/05/2007 - 13:12

(4)

It seems that I cannot control all aspects of the router via SDM... for example, I miss the ability to alter the username and password of my ISP account.

While I see the interface "FastEthernet0" and can access it, there is no way to alter these settings. And there is no interface "Dialer1" available in the interface list.

interface Dialer1

description T-DSL dialer$FW_OUTSIDE$

ip address negotiated

ip access-group 102 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1492

ip ips sdm_ips_rule in

ip ips sdm_ips_rule out

ip virtual-reassembly

encapsulation ppp

ip route-cache flow

ip tcp adjust-mss 1452

dialer pool 1

dialer-group 1

ppp chap refuse

ppp pap sent-username ### password 7 ###

!

Do you have some advice on how to make this editable in SDM? I have attached two screenshots that show the interfaces I have on the router (should not be anything security sensitive, I hope).

Which other aspects of the router cannot be handled by the SDM interface?

(5)

And finally something fundamental that still appears to be some "magic" to me and that I want to understand:

How does our ISP assign us the range of static IP addresses? When I first spoke with them, they urged me to buy the Cisco router because only this can manage the way they assign IPs (not sure, something like a non-ISO standard).

However, now that I have some more time to dive into this topic, I see nothing special about this router and its configuration. So it seems that the ISP itself assigns the IPs to us (in which way?).

Since we are not really satisfied with our ISP I would very likely take "our" IPs to another ISP... but I know that the IPs are only "owned" by us as long as we have a contract with this ISP. Not sure which possibilities we have to take these IPs with us, if any at all.

Anyway, this may be something to work out more closely later, but for now it would be a great help for me to know how the ISP directs traffic for our IPs to us (to our DSL line).

Okay, that was the last issue for now...

Thank you for letting me ask you all these stupid questions :-)

Attachment: 
stephen.stack Thu, 02/15/2007 - 00:25

Hi

I'm sorry, I was not ignoring you :)

My RSS reader was hitting this website too many times and Cisco's firewalls decided enough was enough and blocked my public IP. Anyway, I'm back now :)

I can't read your posts at this minute, but I will read them this evening and answer.

Thanks

Stephen

tobiaseichner Thu, 02/15/2007 - 06:05

Thank you; I'll look at the doc file shortly.

May I "abuse" your assistance a bit and ask you to also give me some advice here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Small%20and%20Medium%20Business&topic=Technologies%20for%20Small%20and%20Medium%20Businesses&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1ddd9046

For some reason, I can't get into "enable" mode any longer.

tobiaseichner Fri, 02/16/2007 - 15:31

Thank you for answering all my questions :-) I simply need to ask them, since I can't find any documentation for this router, neither on cisco.com nor on other websites (the package only included a basic setup guide that was of no help).

Maybe Cisco assumes that everybody buying one of their products has the knowledge already or is willing to spend an additional amount on a training course.

(attack-drop.sdf)

Okay. In the meantime I enabled IPS and used the rules/definitions stored in this file.

I guess that the updates of the sdf files are not free of charge (I read that an account is necessary and, according to my experience with the cisco.com site, this means no access unless paid)?

On the "Home" view of SDM, there is the total number of active signatures stated. Currently 81. "Currently" because I could swear that there were originally 132.

Does the number of active signatures change from time to time? I can't imagine that there is something like an automatic update. Anyway, I'll keep a closer look at this.

(Enabling firewall)

See screen01.tiff - would these settings work (allow all IPs of ours, 194.77.100.88 to 194.77.100.95)?

When I try to save them, I get a warning message that states that there is a firewall applied to the selected management interface.

Sorry for double-checking everything, but it would be the worst case if I locked myself out of the router...

(ACL)

Okay, now this is the most interesting topic to me.

Let me state what I want to manage with these ACLs:

* Ports 3283 and 5900 are used by Apple Remote Desktop, which I work with to manage the servers. To add a bit more security, I want to allow traffic on these ports only from/to our own IP address range.

* Prevent people from accessing our servers via SSH, sftp, tftp or telnet services. Access should be allowed only from within our IP address range (e.g. to allow me to use SSH to our servers).

sftp and tftp are already disabled in each of our servers' firewalls; anyway, if possible, I want them to be caught directly at the router level.

The ACLs have been created with the assistance of our ISP... this was one of my first tasks months ago, so I can't remember exactly how they explained the ACLs to me.

So you would recommend removing the ACL "dest:23/UDP" (screen02.tiff, marked line) since it does nothing useful? However, I checked this against my server's firewall and there telnet is at port 23 TCP _and_ UDP.

Anyway, when keeping it, I guess it does not hurt to block both protocols for a port? Or can there be other conflicts at a later time?

I have created two additional ACLs that are intended to block tftp and sftp access. According to my information, tftp is at port 69/UDP and sftp is at port 115/TCP. See screen03.tiff (I have marked the two added ACLs). Have I done so correctly?

...I split this message into two parts because of the message length limitation...

Attachment: 
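The access-list questions in this post and in (3.1)/(3.2) above come down to how IOS matches an extended ACL entry: first match wins, the list ends in an implicit deny, a wildcard mask's 1 bits are "don't care" bits, and `telnet` is simply the keyword form of port 23. The evaluator below is an added example written for this page, not Cisco software and not anything the posters ran; it implements that matching for the subset of syntax used in the posted access-list 102 and runs constructed packets through it. The addresses 203.0.113.9 and 198.51.100.7 are constructed documentation addresses; the access-list text is the one from the running configuration above.

```python
"""Added example: a small evaluator for the subset of Cisco IOS extended
access-list syntax used in access-list 102 above (first-match semantics,
implicit deny, wildcard masks, the 'telnet' port keyword). Illustrative
code written for this page, not Cisco software."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A few IOS port keywords; 'telnet' is the one that appears in the posted ACL.
PORT_NAMES = {"telnet": 23, "ssh": 22, "tftp": 69, "ftp": 21, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AddrMatch:
    base: int      # address the packet address is compared against
    wildcard: int  # IOS wildcard mask: bits set to 1 are ignored

    def matches(self, ip: str) -> bool:
        return ((int(ipaddress.IPv4Address(ip)) ^ self.base) & ~self.wildcard) == 0


ANY = AddrMatch(0, 0xFFFFFFFF)   # 'any' = every bit is a don't-care bit


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]


def matches_wildcard(ip: str, base: str, wildcard: str) -> bool:
    """True if ip falls inside base/wildcard, e.g. '194.77.100.88 0.0.0.7'."""
    return AddrMatch(int(ipaddress.IPv4Address(base)),
                     int(ipaddress.IPv4Address(wildcard))).matches(ip)


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(t: List[str], i: int) -> Tuple[AddrMatch, int]:
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return AddrMatch(int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return AddrMatch(int(ipaddress.IPv4Address(t[i])),
                     int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny proto src [wc] dst [wc] [eq port]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Entry(action, proto, src, dst, dport)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """The first matching entry decides; an ACL ends with an implicit deny."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (e.src.matches(pkt.src) and e.dst.matches(pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# access-list 102 exactly as posted in the running configuration above.
ACL_102 = [parse_entry(l) for l in """
access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 3283
access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq 3283
access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 5900
access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq 5900
access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq 22
access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 22
access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 23
access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq telnet
access-list 102 permit ip any any
""".strip().splitlines()]


def wildcard_narrows_destination() -> Tuple[str, str, str, str]:
    """Question 3.1: a '194.77.100.88 0.0.0.7' destination and 'any' differ.
    203.0.113.9 / 198.51.100.7 are constructed test addresses."""
    narrow = [parse_entry("access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 23"),
              parse_entry("access-list 102 permit ip any any")]
    wide = [parse_entry("access-list 102 deny udp any any eq 23"),
            parse_entry("access-list 102 permit ip any any")]
    to_lan = Packet("udp", "203.0.113.9", "194.77.100.90", 23)
    to_other = Packet("udp", "203.0.113.9", "198.51.100.7", 23)
    return (evaluate(narrow, to_lan), evaluate(narrow, to_other),
            evaluate(wide, to_lan), evaluate(wide, to_other))


def telnet_keyword_equals_23() -> bool:
    """Question 3.2: 'eq telnet' is just the named form of 'eq 23'."""
    return (parse_entry("access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq telnet")
            == parse_entry("access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq 23"))


def source_is_not_restricted() -> Tuple[str, str]:
    """The posted entries use 'any' as source, so port 5900 is denied whether
    the packet comes from outside or carries an address from the /29 itself."""
    from_outside = Packet("tcp", "203.0.113.9", "194.77.100.90", 5900)
    from_own_range = Packet("tcp", "194.77.100.91", "194.77.100.90", 5900)
    return evaluate(ACL_102, from_outside), evaluate(ACL_102, from_own_range)


if __name__ == "__main__":
    print(wildcard_narrows_destination())   # ('deny', 'permit', 'deny', 'deny')
    print(telnet_keyword_equals_23())       # True
    print(source_is_not_restricted())       # ('deny', 'deny')
```

The first result shows why the two spellings in (3.1) are not equivalent: with `any` as destination the entry also matches traffic to addresses outside the /29, whereas `194.77.100.88 0.0.0.7` limits it to the eight addresses 194.77.100.88 to 194.77.100.95. The last result shows that the list as posted does not distinguish sources at all; whether that matches the goal stated above (ARD and SSH only from the own range) depends on where the list is applied, and the evaluator only models the entries themselves, not the interface or direction.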
tobiaseichner Fri, 02/16/2007 - 15:31

(IP addresses)

Here I got different information... as far as I know it _was_ formerly possible to own IP addresses. But I am also aware that this has changed.

See http://www.ripe.net/ripe/docs/ipv4-policies.html#assignment-type (status "ASSIGNED PI").

While it would be understandable that the ISP does not want to give away its IP addresses, is there a way to "buy" IPs, like registering domains, from an official source?

So far I have been told that only RIPE assigns address space, but only in relatively large blocks of at least 2048 addresses ("The RIPE NCC's minimum allocation size is /21."). Definitely too much ;-)

Thank you for explaining how IPs are assigned technically. But I'm not sure if I understood it:

* IP addresses are registered at RIPE (or ARIN, AfriNIC, etc.) for a specific organization (e.g. our ISP).

* The ISP has assigned internally (on their own routers) these IPs to specific customers, like us.

Is this correct?

Regarding the Cisco router, I guess that Interoute (our ISP) just wanted to earn some extra money. However, when first talking with them, they stated that this router is "technically required". Not sure if this was done out of their own ignorance or if it was just a lie to urge us to buy it.

Anyway, we own it, and the more I understand this dark-grey box, the more I like it. Even if we will probably never use all the features it provides...

(SDM installation)

Could it be that the SDM 2.x update is simply too large for the flash memory? Total flash capacity is 32 MB, with 13 MB available.

turnerbond Fri, 06/08/2007 - 19:23

Hey tobiaseichner: I enjoyed reading your trials and tribulations here. I've got an SB 101 router, got locked out as well, on the first try. There's definitely something wrong with the SDM software and the documentation just isn't sufficient. If I worked with routers for a living, I'd probably love this little box. I could untangle all the knots of a big box and use the service contract at work. Kind of a tough road for a small business or home user though.

Good luck!

tobiaseichner Sat, 06/09/2007 - 07:02

Now everything works... luckily ;-) Hopefully...

I agree with you, the Cisco documentation is poor and for everything else, Cisco wants to get paid. This appeared to me like buying a cheap car and having to pay a nice amount again just for getting the keys.
