871W External Management

Nov 16th, 2009

After much dabbling, I have my Cisco 871W working perfectly with ezvpn to a central ASA5505. Wireless is all good and the tunnel to the main office is reliable. Sorted!!


I have one last thing that I can't figure out. I want to manage the router from the main site through SSH or HTTPS and have tried all sorts on the firewall to get this sorted. The subnet that I will manage from will be 10.1.10.0/23 if that helps...


I've attached the config for reference.


Any pointers would be much appreciated so I can draw a line under the config and ship it out to the customer.


Thanks in advance...


Campbell Thompson



paolo bevilacqua Mon, 11/16/2009 - 13:49
User Badges: Super Gold, 25000 points or more; Hall of Fame, Founding Member

I would begin with:


! take the WAN interface out of the firewall out-zone
interface FastEthernet4
 no zone-member security out-zone
!
interface Vlan1
 no ip tcp adjust-mss 1452
!
! take the bridged LAN/wireless interface out of the in-zone
interface BVI1
 no zone-member security in-zone
 no ip tcp adjust-mss 1412
!
no ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp



You could remove more commands, I've indicated what jumps to the eye.

campbell.thomps... Mon, 11/16/2009 - 14:04

Okay, that works, but ideally, I'd like to make use of the zone based firewall. Which zone would I need to change and how?

Correct Answer
paolo bevilacqua Mon, 11/16/2009 - 14:10

Not sure, I've seen ZBFW only cause problems but never do any good.


You have NAT, nobody can attack you from outside. At least that is my experience in 12 years on installing routers with NAT.


Please remember to rate useful posts with the scrollbox below.

campbell.thomps... Mon, 11/16/2009 - 16:16

I really appreciate the help. I agree that I'm more than secure, especially as the 871 is sitting in the client's own firewalled network, so there's limited risk.


I know that Cisco claim that the ZBF is supposed to make things more logical and simpler! I'm not sure that I agree!!!


Thanks again for the help...


Campbell Thompson

http://www.etonbridge.com/

paolo bevilacqua Tue, 11/17/2009 - 05:30

No problem, thank you for the nice rating and good luck!

Petar Milanov Wed, 12/09/2009 - 06:12

Hi Campbell,


To manage your router through SSH or HTTPS, you have to define a class-map for these two protocols and attach it to the policy-map "ccp-permit". Copy the lines below into your config:


!
class-map type inspect match-any ssh-https-class
 match protocol ssh
 match protocol https
!
! No match-any/match-all keyword defaults to match-all: a flow must be SSH or
! HTTPS AND come from a source permitted by access-list 10.
class-map type inspect match-all management-class
 match class-map ssh-https-class
 match access-group 10
!
! The management subnet is 10.1.10.0/23 (see the question), so the wildcard
! mask is 0.0.1.255; 0.0.0.255 would only cover 10.1.10.0/24.
access-list 10 permit 10.1.10.0 0.0.1.255
!
! ccp-permit is the policy CCP attaches to the out-zone -> self zone-pair;
! this class has to sit before "class class-default" (drop) in that policy.
policy-map type inspect ccp-permit
 class type inspect management-class
  inspect
!


Now you should have access to your remote router through SSH or HTTPS.


Best Regards,

Tihomir Yosifov
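
The class-map and policy-map logic in the post above, as an added example that is not part of the original thread and is not Cisco code: a small Python model of how a "policy-map type inspect" evaluates a flow (match-any versus match-all class-maps, standard-ACL wildcard masks, first matching class wins, class-default for the rest), run over a few constructed flows from the 10.1.10.0/23 management subnet. It assumes the CCP-generated ccp-permit policy ends in "class class-default" with "drop"; the sample flows and both access-list 10 variants are constructed for the example. It shows why the wildcard mask matters: with 0.0.0.255 a host such as 10.1.11.5, which is inside the /23, falls through to class-default and is dropped, while 0.0.1.255 lets it through.

```python
import ipaddress

# Constructed example: an offline model of IOS ZBFW class-map / policy-map
# matching, used to check an access-list before pushing it to the router.


def acl_permits(acl, src_ip):
    """Standard IOS ACL: entries are (action, network, wildcard); first match
    wins, implicit deny at the end. A wildcard bit of 1 means 'don't care'."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, network, wildcard in acl:
        net = int(ipaddress.IPv4Address(network))
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        if (src & care) == (net & care):
            return action == "permit"
    return False


def class_matches(name, flow, class_maps, acls):
    """Evaluate a 'class-map type inspect'. match-any needs one criterion to
    hit, match-all (the default when no keyword is given) needs every one."""
    cmap = class_maps[name]
    results = []
    for kind, value in cmap["match"]:
        if kind == "protocol":
            results.append(flow["protocol"] == value)
        elif kind == "access-group":
            results.append(acl_permits(acls[value], flow["src"]))
        elif kind == "class-map":
            results.append(class_matches(value, flow, class_maps, acls))
        else:
            raise ValueError(f"unsupported match type {kind}")
    return any(results) if cmap["mode"] == "match-any" else all(results)


def policy_action(policy, flow, class_maps, acls):
    """'policy-map type inspect': first matching class wins; class-default
    decides everything else (drop in the CCP-generated ccp-permit policy)."""
    for class_name, action in policy["classes"]:
        if class_matches(class_name, flow, class_maps, acls):
            return action
    return policy["class-default"]


# The class-maps and policy-map from the post above, transcribed.
CLASS_MAPS = {
    "ssh-https-class": {"mode": "match-any",
                        "match": [("protocol", "ssh"), ("protocol", "https")]},
    "management-class": {"mode": "match-all",  # no keyword given -> match-all
                         "match": [("class-map", "ssh-https-class"),
                                   ("access-group", 10)]},
}
# Assumed: CCP's ccp-permit ends with "class class-default" / "drop".
CCP_PERMIT = {"classes": [("management-class", "inspect")],
              "class-default": "drop"}

# access-list 10 as posted (/24 wildcard) and as the question needs (/23).
ACL_AS_POSTED = {10: [("permit", "10.1.10.0", "0.0.0.255")]}
ACL_FOR_SLASH23 = {10: [("permit", "10.1.10.0", "0.0.1.255")]}

# Constructed sample flows from the management subnet 10.1.10.0/23 and just
# outside it, as seen by the out-zone -> self zone-pair.
SAMPLE_FLOWS = [
    {"src": "10.1.10.5", "protocol": "ssh"},
    {"src": "10.1.11.5", "protocol": "https"},   # inside /23, outside /24
    {"src": "10.1.12.5", "protocol": "ssh"},     # outside /23
    {"src": "10.1.10.5", "protocol": "telnet"},  # right subnet, wrong protocol
]


def evaluate(acls):
    """Map each sample flow (src, protocol) to the action ccp-permit takes."""
    return {(f["src"], f["protocol"]): policy_action(CCP_PERMIT, f, CLASS_MAPS, acls)
            for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, acls in (("access-list 10 as posted", ACL_AS_POSTED),
                        ("access-list 10 with /23 wildcard", ACL_FOR_SLASH23)):
        print(label)
        for (src, proto), action in evaluate(acls).items():
            print(f"  {src:<12} {proto:<7} -> {action}")
```

Run it with python3; the first table shows 10.1.11.5 dropped under the posted 0.0.0.255 mask, the second shows it inspected under 0.0.1.255, with 10.1.12.5 and the telnet flow dropped in both cases. The same model can be extended with extra entries in ACL 10 (a deny before a permit, for instance) to confirm first-match-wins ordering before touching the live router.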
