Re: unable to SSH from the outside with an alternate port
Presumably, based on the contents of the DenyStdSSH ACL, you want to access your router via SSH on port 8500. If you will access this port from the outside interface, the first thing that I notice is that your standard ACL 101 does not permit it. Assuming you will be using the outside IP address, then nothing else is needed.
You should also think about using a loopback address on your router for management. With your NAT configuration, you will also need a static port mapping to make that work from the outside.
Edit: I think your ACL 101 needs a complete rework, actually. For example, you have this line:
access-list 101 permit tcp any eq www any log
I presume that you intend to allow users within your network access to the Internet, but this line actually lets the Internet access a web server within your network (except that the NAT configuration doesn't allow it). Are you hosting a web site?
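The point above about ACL 101 not permitting the alternate SSH port can be checked offline. This is an added example, not code from the thread: it evaluates a small subset of IOS extended-ACL syntax with first-match semantics and the implicit deny. It assumes ACL 101 is applied inbound on the outside interface; the addresses (documentation ranges) and the extra permit line are constructed for illustration.

```python
# Added example: first-match evaluation of a small subset of IOS extended-ACL
# syntax ("any" / "host A.B.C.D" addresses, "eq" port operator only).
PORTS = {"www": 80, "ntp": 123, "snmp": 161}  # IOS port keywords

def _addr(tok):
    """Consume an address spec; None means 'any'."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError(f"unsupported address form: {tok[0]}")

def _port(tok):
    """Consume an optional 'eq <port>'; None means any port."""
    if tok and tok[0] == "eq":
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse(line):
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, rest = _addr(tok[4:])
    sport, rest = _port(rest)   # "eq" right after the source = source port
    dst, rest = _addr(rest)
    dport, _ = _port(rest)      # "eq" after the destination = destination port
    return action, proto, (src, sport, dst, dport)

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, matching line); falls through to the implicit deny."""
    for line in acl:
        action, p, want = parse(line)
        if p in (proto, "ip") and all(
            w is None or w == g for w, g in zip(want, (src, sport, dst, dport))
        ):
            return action, line
    return "deny", "implicit deny"

# Constructed sample: the one ACL 101 line quoted in the thread, then the same
# list with a hypothetical permit for SSH on 8500 to a documentation address.
ACL_101 = ["access-list 101 permit tcp any eq www any log"]
FIXED = ["access-list 101 permit tcp any host 203.0.113.1 eq 8500"] + ACL_101

if __name__ == "__main__":
    flow = ("tcp", "198.51.100.7", 51000, "203.0.113.1", 8500)
    print(evaluate(ACL_101, *flow))
    print(evaluate(FIXED, *flow))
```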
- Configured SSH for an alternate port but it does not work inbound from the "world"
I saw you have an access-class DenyStdSSH on your VTY line but I didn't see any ACL with this name.
You should have this command on VTY:
ip ssh port "portnum" rotary "group"
- I can connect SSH internally using SecureCRT from inside my network
- I also have other services that I cannot get to from the outside
- And if I can throw this in I am trying to BLOCK....SNMP and NTP inbound
Use Context-Based Access Control (CBAC); a normal ACL will probably fail.
- When I scan the Router external IP it shows SNMP...and NTP as "open"
If you are not using it, disable it. If you are using SNMP and NTP, you can use a highly complex SNMP community string for security, and NTP allows you to specify whom to speak to. You can specify the source for NTP to sync with.
-If I helped you somehow, please, rate it as useful.-