Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

891W: Changing WAN IP, opening remote mgmt ports

Hi all.  I have an 891W that I initially configured using CCP Express (2.5).  So it has a WAN IP set, and through CCP Express I had enabled via the checkboxes the various default settings for security.  This includes zone-based firewall.  I then added a number of NAT entries in the setup wizard. 

What never occured to me at the time was that I should have added entries that allow for remote access.  So it seems I've locked myself out of accessing the router via the WAN interface even though I know it's IP.  I'm sure it's just a matter of adding port exceptions for SSH and/or whatever port(s) CCP uses. 

So I"m wondering what the proces woudl be.  In the IOS while showing the running config., I see pages and pages of class-map stuff which at present I don't know enough about to risk editing anything directly.  But maybe I don't have to?  What would be the best way to, for example, enable SSH access through the firewall?  I already have transport input ssh set on the interface itself so I believe it's ready to allow the connection, just that I can't get to it via WAN int. so I assume it's the firewall. 

If more info is needed please let me know, and thanks! 

4 REPLIES
New Member

891W: Changing WAN IP, opening remote mgmt ports

Sorry I also meant to ask - righ tnow the WAN IP is just an IP on my internal network so I can test connection, but before deploying to the customer site I will need to change it to their WAN IP.  With whatever needs doing on the firewall being done, if I change the WAN IP, will that affect the firewall or other NAT-related config? 

Purple

891W: Changing WAN IP, opening remote mgmt ports

Hi,

I surely will affect things like NAT and ACL depending how it is configured.

I don't understand the  my WAN IP is an IP in my internal network? so you try from inside to access the router with an outside address? that's called hairpinning and it's not possible on Cisco enterprise router models.

Could you try accessing it from inside with the inside address, is it working?

if so to test it put the outside address in a different subnet as inside and from a PC on outside interface try to access it and verify your ACL  and NAT are correct then you can modify them when changing the WAN ip.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

891W: Changing WAN IP, opening remote mgmt ports

Hi Alain,

Yeah my info here was not well presented. 

My internal subnet for my lab is 192.168.75.0/24 so I set the WAN IP for the router to 75.251/24 and plugged into into the same switch the rest of my stuff is connected to.  I figure it's just another IP on my subnet so no reason I can't connect to it, plus I wouldn't have to change my PC IP settings.  But that didn't work, so I had tried a direct UTP cable from PC to FE8 (WAN) on the router, no difference though. 

I am able to get to 192.168.0.1 (LAN) no problem, when my PC is set to an IP in that subnet.  Also, when my PC is in that 192.168.0.0/24 network, I am able to SSH (putty.exe) to 192.168.75.251 so I guess the router takes my connection in on 192.168.0.1, passes it internally to 192.168.75.251 (the "inside facing" side of the inteface?) and all is well.  So it is only when I try to SSH to the WAN port on the outside that I don't get through. 

Oh and the reason I had this set up with 192.168.75.251 on the wan port is just so that I can configure everything here, up to the point where I'm ready to bring it to the customer site but before powering the unit off I would just change the WAN IP to match their real one. 

About NAT and ACL.  I don't thin kI even have any ACL set up, unless CCP made one on it's own somehow during the initial config wizard.  For NAT, the wizard did have options to set some translations which I did but those were all set for real-world for my client, like port 25 being directed to their internal mail server for example.  But I never put any router mgmt ports in there thinking that they're not being redirected to another host.  That's why I'm guessing I need to just add port22 (SSH) to the firewall or something but now I'm wondeing if there's more to it

Purple

891W: Changing WAN IP, opening remote mgmt ports

Hi,

It's really hard to follow what you did but I think the config will tell us more as well as a diagram( please not in visio format).

Regards.

Alain

Don't forget to rate helpful posts.
786
Views
0
Helpful
4
Replies
CreatePlease login to create content