Router Remote Management Access

examples20001
Level 1

Hi,

I have an 1841 router with IOS 12.4(3a). This router is at the remote end and I want to access it with SSH (22/tcp). I have enabled an ACL for it and logged it.

The log shows the connection permitted from my H.O global IP to the B.O (1841) global IP (22/tcp). But I get an error saying "Network Error: Connection refused".

I am using the PuTTY application for SSH.

Log details from the router:

%SEC-6-IPACCESSLOGP: list 101 permitted tcp A.B.C.53(1925) -> X.Y.Z.45(22), 1 packet

The HTTP secure server is enabled and an RSA key is set in the router.

Can somebody help with it please?

5 Replies

spremkumar
Level 9

Hi,

Have you configured transport input ssh under line vty mode?

That's required to allow SSH connections; by default only telnet is permitted on the line vty.

Regards

Thank you very much for the reply.

Yes, it is configured.

interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address x.y.z.45 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit tcp any host x.y.z.45 eq 22 log
:
:
access-list 102 permit ip 172.29.96.0 0.0.0.31 any
access-list 102 deny ip any any
!
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport preferred all
 transport input telnet ssh
 transport output all
!

Hi,

Remote access with SSH is OK now after changing ACL 102. But the log for ACL 102 shows access from H.O (A.B.C.53) to IP address 0.0.0.0(22).

Why is that? Is this a security flaw?

!
access-list 102 permit tcp any any eq 22 log
access-list 102 permit ip 172.29.96.0 0.0.0.31 any
access-list 102 deny ip any any
!
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport preferred all
 transport input telnet ssh
 transport output all
!

%SEC-6-IPACCESSLOGP: list 101 permitted tcp A.B.C.53(1625) -> X.Y.Z.45(22), 1 packet

%SEC-6-IPACCESSLOGP: list 102 permitted tcp A.B.C.53(1758) -> 0.0.0.0(22), 1 packet

It is really not a security flaw. It is a consequence of the kind of access list you used. The normal usage of an access list for access-class on a vty is a standard access list. A standard access list identifies a single address (or address range) that is permitted to have remote access. An extended access list makes the logic much more complex, because it identifies two address ranges, which we usually interpret as source address and destination address.

One of the advantages of access-class is that the logic that applies it realizes that any address on the router might be the destination address. If you attempted to control remote access via access-group applied to interfaces, you would have to put in a line for every interface on the router that has an IP address. The logic in access-class consolidates them into a single check that covers an access attempt to any interface on the router, and so it represents the destination as 0.0.0.0. It is a feature, not a flaw.

HTH

Rick
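The two points made in this thread, spremkumar's "transport input ssh" and Rick's "use a standard access list with access-class", put together as an added configuration example. This is not configuration from the original posts. It keeps the OP's interface ACL 101 and vty AAA lines as posted, replaces the extended ACL 102 (whose `permit tcp any any eq 22` entry lets any source reach the vty SSH service) with a standard, source-only ACL, and limits the vty lines to SSH. The ACL name VTY-MGMT is an assumption; A.B.C.53 is the head-office address placeholder used in the thread and 172.29.96.0/27 is the internal range the OP's own ACL 102 already permitted.

```cisco
! Added example, not the original poster's configuration.
! A standard ACL matches on source address only, so the access-class check
! has no destination field to report, which is why the 0.0.0.0(22) entries
! seen with the extended ACL 102 do not appear with this form.
ip access-list standard VTY-MGMT
 permit host A.B.C.53
 permit 172.29.96.0 0.0.0.31
 deny   any log
!
! Interface ACL from the OP's post: SSH may reach the WAN address at all.
! The access-class below is the second gate and applies to every router
! address, not just x.y.z.45, so it does not need an entry per interface.
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address x.y.z.45 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit tcp any host x.y.z.45 eq 22 log
!
line vty 0 4
 access-class VTY-MGMT in
 authorization exec local_author
 login authentication local_authen
 transport preferred all
 transport input ssh
 transport output all
!
```

`transport input ssh` without `telnet` means a cleartext login is no longer possible on these lines; confirm the RSA key and SSH login work from A.B.C.53 before removing telnet on a router you can only reach remotely. After applying it, `show access-lists VTY-MGMT` shows the hit counters per entry, and a rejected source is logged by the standard-ACL logger (`%SEC-6-IPACCESSLOGS`) with the source address alone rather than a source/destination pair.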

Thank you very much for the explanation.
