1721 Config Update, Pinholes and Help

Answered Question
Jul 12th, 2009

Hi,


I recently updated my Cisco 1721 to use IOS 12.4 so I could ssh to the router. It all seems to be running just dandy and I'm happy with that. You can view the config here:


http://www.objectevolution.com/temp/config.txt


Now, I've got a couple questions for you all:


1. I'd like to create a pinhole so to speak so I can ssh directly to a server on the internal network. I've done some research, Googling, etc. and it seems like this is the way to go:


http://www.joe-ma.co.za/page.php?15


So in my case I want to do ssh:


ip nat inside source static tcp MY_INTERNAL_SERVER 22 interface Dialer1 22


Right?


2. I haven't touched my config in some time and am wondering if you have suggestions for me, things to update, etc. I've got that Hardening Cisco Routers book I'm going to go through this evening. Anything else?


Heckles, suggestions always welcome ;-)


Thanks!


Jon

Correct Answer
Lucien Avramov Sun, 07/12/2009 - 15:44

For 1., you are correct.


I suggest you also look at DDNS; you can have your router register with the DDNS server when the IP on the dialer interface changes. That will allow you to always be able to resolve your server if you don't have a static IP and DNS service.



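The pieces discussed in this thread (the SSH pinhole on a non-standard outside port, restricting who can reach it, hardening the router's own SSH service, and DDNS on the dialer) as one worked IOS configuration fragment. This is an added example, not the poster's config and not Lucien's; every value in it is an assumption constructed for illustration: an inside server at 192.168.1.60 on FastEthernet0, a PPPoE WAN on Dialer1 with a dynamic address, a trusted admin source of 203.0.113.10 (RFC 5737 documentation range), and a DynDNS-style update URL.

```cisco
! Added example, not the poster's config. Assumed values (constructed):
!   inside server   192.168.1.60 on FastEthernet0
!   WAN             PPPoE on Dialer1 (dynamic address)
!   admin source    203.0.113.10 (RFC 5737 documentation range)
!
! 1. Harden the router's own SSH service
hostname r1721
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username admin privilege 15 secret REPLACE_ME
service password-encryption
no ip http server
!
line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0
 access-class 10 in
!
! Trusted management source, used by the vty access-class above
access-list 10 permit 203.0.113.10
!
! 2. Pinhole: outside TCP/33333 on the dialer address -> 192.168.1.60:22
interface FastEthernet0
 ip nat inside
!
interface Dialer1
 ip nat outside
 ip access-group 101 in
!
ip nat inside source static tcp 192.168.1.60 22 interface Dialer1 33333
!
! 3. Inbound WAN filter. An inbound ACL on the outside interface is checked
!    before NAT, so match the outside port 33333, not 22. Destination is
!    'any' because the dialer address changes.
access-list 101 permit tcp host 203.0.113.10 any eq 33333
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any log
!
! 4. DDNS so a hostname follows the dialer address (the update URL format
!    is provider-specific; this DynDNS-style URL is an assumption)
ip ddns update method dyndns
 HTTP
  add http://USER:PASS@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 0 0 10 0
!
interface Dialer1
 ip ddns update hostname host.example.dyndns.org
 ip ddns update dyndns
```

Two caveats when typing this in: the `?` in the DDNS URL must be entered with Ctrl-V first or the CLI treats it as a help request, and `access-class 10 in` on the vty lines means the router itself can only be managed over SSH from the listed source, so keep console access available while testing. Access-list 101 is a stateless filter; `permit ... established` only passes TCP segments with ACK/RST set, so if you already run CBAC (`ip inspect`) on the dialer, let it open the return paths and drop the `established` and DNS lines.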
jwynacht Mon, 07/13/2009 - 06:02

Nipper is awesome! Thanks for the recommendation!

pompeychimes Mon, 07/13/2009 - 06:11

Thank Stretch. He's the one with the awesome web site.

jwynacht Tue, 07/14/2009 - 19:02

One more question...seems I can't do something like this:


ip nat inside source static tcp 192.168.1.60 22 interface Dialer1 33333


How come?

jwynacht Tue, 07/14/2009 - 19:19

Also (!!!) if I have a static ip (1 or more) I can do this too, right:


ip nat inside source static tcp 192.168.1.60 22 MY_STATIC_IP 22


??

jwynacht Tue, 07/14/2009 - 21:27

So, I'm thinking I'd use a PAM entry like this:


access-list 10 permit INTERNAL_SERVER_ID

ip port-map ssh port 33333 list 10


to accomplish my mapping:


outside port 33333 | inside port 22


Yeah?

jwynacht Wed, 07/15/2009 - 22:02

And that's exactly what I needed to do ;-)
