Hi all. I have an 891W that I initially configured using CCP Express (2.5). So it has a WAN IP set, and through CCP Express I had enabled via the checkboxes the various default settings for security. This includes zone-based firewall. I then added a number of NAT entries in the setup wizard.
What never occured to me at the time was that I should have added entries that allow for remote access. So it seems I've locked myself out of accessing the router via the WAN interface even though I know it's IP. I'm sure it's just a matter of adding port exceptions for SSH and/or whatever port(s) CCP uses.
So I"m wondering what the proces woudl be. In the IOS while showing the running config., I see pages and pages of class-map stuff which at present I don't know enough about to risk editing anything directly. But maybe I don't have to? What would be the best way to, for example, enable SSH access through the firewall? I already have transport input ssh set on the interface itself so I believe it's ready to allow the connection, just that I can't get to it via WAN int. so I assume it's the firewall.
If more info is needed please let me know, and thanks!
Sorry I also meant to ask - righ tnow the WAN IP is just an IP on my internal network so I can test connection, but before deploying to the customer site I will need to change it to their WAN IP. With whatever needs doing on the firewall being done, if I change the WAN IP, will that affect the firewall or other NAT-related config?
I surely will affect things like NAT and ACL depending how it is configured.
I don't understand the my WAN IP is an IP in my internal network? so you try from inside to access the router with an outside address? that's called hairpinning and it's not possible on Cisco enterprise router models.
Could you try accessing it from inside with the inside address, is it working?
if so to test it put the outside address in a different subnet as inside and from a PC on outside interface try to access it and verify your ACL and NAT are correct then you can modify them when changing the WAN ip.
My internal subnet for my lab is 192.168.75.0/24 so I set the WAN IP for the router to 75.251/24 and plugged into into the same switch the rest of my stuff is connected to. I figure it's just another IP on my subnet so no reason I can't connect to it, plus I wouldn't have to change my PC IP settings. But that didn't work, so I had tried a direct UTP cable from PC to FE8 (WAN) on the router, no difference though.
I am able to get to 192.168.0.1 (LAN) no problem, when my PC is set to an IP in that subnet. Also, when my PC is in that 192.168.0.0/24 network, I am able to SSH (putty.exe) to 192.168.75.251 so I guess the router takes my connection in on 192.168.0.1, passes it internally to 192.168.75.251 (the "inside facing" side of the inteface?) and all is well. So it is only when I try to SSH to the WAN port on the outside that I don't get through.
Oh and the reason I had this set up with 192.168.75.251 on the wan port is just so that I can configure everything here, up to the point where I'm ready to bring it to the customer site but before powering the unit off I would just change the WAN IP to match their real one.
About NAT and ACL. I don't thin kI even have any ACL set up, unless CCP made one on it's own somehow during the initial config wizard. For NAT, the wizard did have options to set some translations which I did but those were all set for real-world for my client, like port 25 being directed to their internal mail server for example. But I never put any router mgmt ports in there thinking that they're not being redirected to another host. That's why I'm guessing I need to just add port22 (SSH) to the firewall or something but now I'm wondeing if there's more to it
Question We run asr9001 with XR 6.1.3, and we have a very long delay to
login w/ SSH 1 or 2 to the device compare to IOS device. After
investigation, the there is 1s delay between the client KEXDH_INIT and
the server (XR) KEXDH_REPLY. After debug ssh serv...
Introduction The purpose of this document is to demonstrate the Open
Shortest Path First (OSPF) behavior when the V-bit (Virtual-link bit) is
present in a non-backbone area. The V-bit is signaled in Type-1 LSA only
if the router is the endpoint of one or ...
Hi, I am seeing quite a few issues with patch install and wanted to
share my experience and workaround to this. Login to admin via CLI, then
access root with the “shell” command Issue “df –h” and you’ll probably
see the following directory full or nearly ...