cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1070
Views
0
Helpful
6
Replies

871W External Management

After much dabbling, I have my Cisco 871W working perfectly with ezvpn to a central ASA5505. Wireless is all good and the tunnel to the main office is reliable. Sorted!!

I have one last thing that I can't figure out. I want to manage the router from the main site through SSH or HTTPS and have tried all sorts on the firewall to get this sorted. The subnet that I will manage from will be 10.1.10.0/23 if that helps...

I've attached the config for reference.

Any pointers would be much appreciated so I can draw a line under the config and ship it out to the customer.

Thanks in advance...

Campbell Thompson

1 Accepted Solution

Accepted Solutions

Not sure, I've seen ZBFW only cause problems but never do any good.

You have NAT, nobody can attack you from outside. At least that is my experience in 12 years on installing routers with NAT.

Please remember to rate useful posts with the scrollbox below.

View solution in original post

6 Replies 6

paolo bevilacqua
Hall of Fame
Hall of Fame

I would begin with:

interface FastEthernet4

no zone-member security out-zone

interface Vlan1

no ip tcp adjust-mss 1452

interface BVI1

no zone-member security in-zone

no ip tcp adjust-mss 1412

no ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp

You could remove more commands, I've indicated what jumps to the eye.

Okay, that works, but ideally, I'd like to make use of the zone based firewall. Which zone would I need to change and how?

Not sure, I've seen ZBFW only cause problems but never do any good.

You have NAT, nobody can attack you from outside. At least that is my experience in 12 years on installing routers with NAT.

Please remember to rate useful posts with the scrollbox below.

I really appreciate he help. I agree that I'm more than secure, especially as the 871 is sitting in the client's own firewalled network, so there's limited risk.

I know that Cisco claim that the ZBF is supposed to make things more logical an simpler! I'm not sure that I agree!!!

Thanks again for the help...

Campbell Thompson

http://www.etonbridge.com/

No problem, thank you for the nice rating and good luck!

Petar Milanov
Level 1
Level 1

Hi  Campbell,

To manage your router through SSH or HTTPS, you have to define class-map for this to protocols and to attach it to  policy-map "ccp-permit".  Copy that lines below to your config:

!

class-map type inspect match-any ssh-https-class

match protocol ssh

match protocol https

class-map type inspect management-class

match class-map ssh-https-class

match access-group 10

!

access-list 10 permit 10.1.10.0 0.0.0.255

!

policy-map type inspect ccp-permit
class type inspect management-class

  inspect

!

Now you should have access to your remote router through ssh ot https

Best Regards,

Tihomir Yosifov

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: