Cisco 1712: Remote management software issue

tobiaseichner
Level 1

I deal with the following issue and hope for assistance:

We use a symmetric DSL line that is connected with a Cisco 1712 router that manages traffic for our Unix servers.

The remote management software we want to use requires access to ports 3283 and 5900. Since the server's firewall is correctly configured but we still can't get access using this software, I feel that the ports of the router are blocked by default.

But how can I check this? (I have no experience managing the router over the terminal, and the webpanel of the router shows that the firewall can't be managed this way because ACLs have been used.)

Can someone provide me with tips or hints where to look?

37 Replies

Richard Burts
Hall of Fame

Tobias

Your description does sound like an access list is blocking those ports. If you will post the config of the router (masking out passwords and sensitive information) we can advise you how to modify the access list to permit those ports.

HTH

Rick


Thank you for trying to assist me :-)

Okay, here is the configuration (telnet session opened, command "enable", command "show conf"). If you need anything else, please let me know.

Using 2124 out of 29688 bytes
!
! Last configuration change at 12:08:32 PCTime Tue Sep 19 2006
! NVRAM config last updated at 12:08:44 PCTime Tue Sep 19 2006
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname adsl-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret 5 *************************************
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
 protocol pppoe
!
no ftp-server write-enable
!
isdn switch-type basic-net3
!
!
!
!
no crypto isakmp ccm
!
!
!
interface BRI0
 no ip address
 shutdown
 isdn switch-type basic-net3
!
interface FastEthernet0
 description zum DSL modem
 no ip address
 speed auto
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
 description LAN
 ip address 194.77.x.x.255.255.248
!
interface Dialer1
 description T-DSL dialer
 ip address negotiated
 ip access-group 103 in
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap refuse
 ppp pap sent-username ******** password 7 **********
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 9
no ip http secure-server
!
!
!
access-list 9 permit 194.77.100.88 0.0.0.7
access-list 101 permit ip any any
access-list 102 permit ip 195.143.235.176 0.0.0.7 any
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 23
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq telnet
access-list 103 permit ip any any
dialer-list 1 protocol ip list 101
!
!
control-plane
!
!
line con 0
 password 7 *************************************
 login
line aux 0
line vty 0 4
 password 7 *************************************
 login
!
end

I hope I have removed all passwords; I think so (they are replaced by * chars).

Tobias

I have looked at the config that you posted and I do not see anything in it that would prevent traffic on the ports that you mention. Is there perhaps some other part of the network that the traffic passes through that could impact it?

Also: the command that you used to get the configuration was show conf. For troubleshooting it is better to use the command show running-config. show conf gets the configuration file that is stored in NVRAM (and is the config that the router would use if it suddenly rebooted). show running-config gets the configuration file that is actually active on the router. It is possible that some configuration changes could have been made but not yet saved to NVRAM. show running-config would see these changes but show conf would not.

HTH

Rick


Our network topology is as follows:

sDSL ---> Cisco 1712 ---> Switch ---> WLAN (Apple AirPort Extreme)
                                  |---> Servers

So when we access our servers we cannot go through the LAN, but use an Internet connection to access them.

The only point I can imagine that interferes is the AirPort station (WLAN router/gateway). But I don't see a configurable firewall there. Just an option to enable SNMP for it, but guess that is not related to this topic.

By the way, here is the output from show running-config:

adsl-gw#show running-config
Building configuration...

Current configuration : 2083 bytes
!
! Last configuration change at 01:16:32 PCTime Sun Nov 5 2006 by adsl07027@viadsl.de
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname adsl-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret 5 *****
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
 protocol pppoe
!
no ftp-server write-enable
!
isdn switch-type basic-net3
!
!
!
!
no crypto isakmp ccm
!
!
!
interface BRI0
 no ip address
 shutdown
 isdn switch-type basic-net3
!
interface FastEthernet0
 description zum DSL modem
 no ip address
 speed auto
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
 description LAN
 ip address 194.77.100.89 255.255.255.248
!
interface Dialer1
 description T-DSL dialer
 ip address negotiated
 ip access-group 103 in
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap refuse
 ppp pap sent-username ******** password 7 ******
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 9
no ip http secure-server
!
!
!
access-list 9 permit 194.77.100.88 0.0.0.7
access-list 101 permit ip any any
access-list 102 permit ip 195.143.235.176 0.0.0.7 any
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 23
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq telnet
access-list 103 permit ip any any
dialer-list 1 protocol ip list 101
!
!
control-plane
!
!
line con 0
 password 7 **********
 login
line aux 0
line vty 0 4
 password 7 ************
 login
!
end

And an off-topic question: is it possible to configure the router to take the date/time from an NTP server? I noticed that the date stamp is totally wrong and I only have the ability to synchronize with my local computer when having the webpanel open, which is a bit inconvenient.

I also should mention that a port scan done with a network utility results in just showing nothing. After five minutes, I interrupted the process. Maybe it has something to do with it, but I don't think so.

Hi,

Configure the following command so that your router will synchronize with the NTP server.

router(config)# ntp server .

Hope it helps you.

Thanks,

satish

Unfortunately I only have the domain address, not the IP of the server; I guess this was the reason why I failed.

Is it possible to do it also with just the URL?

I found the problem finally. It was in the WLAN access station we connected. There I had to enable port forwarding for the specific ports this software uses to the LAN-IP of my computer.

Just one issue left: how safe is it to enable port forwarding? Of course, I ensured that no one can use this remote mgt. software to control my computer, but personally I find it not safe to have open ports. Is there anything I should take care of?

Unfortunately I can't disable them and open only upon request, because I work daily with this software and so it becomes too inconvenient.

Anyway, thank you for your support by checking my router configuration :-)

Tobias

I am glad that you found the problem and fixed it. And I am glad that our discussion was helpful in eliminating potential causes such as the router config. It is frequently an important part of troubleshooting to identify likely sources of the problem, investigate them, realize that they are not really the source of the problem and go on to identify other possible sources of the problem until you get to the actual source of the problem.

And thanks for posting back to the forum indicating that the problem was resolved and what resolved it. It makes the forum more useful when people can read about a problem and can then read about what really solved the problem.

HTH

Rick


May I ask you another question: Since I now have to enable port forwarding for two ports I feel that this could be a potential security risk.

Due to how our network is built, the wireless LAN base station has an own WAN-IP assigned (it is connected to the switch that is connected to the Cisco Router).

Is it possible to create an ACL (as I did for ports 22 and 23) that allows access to these ports only from given IP addresses (the ones of our two servers)?

I think that this would make it more secure, because the router would block any accesses to these ports from outside our IP range, wouldn't it?

If so, can you assist me in creating an ACL for this purpose? I would need step-by-step advice for creating an ACL via the terminal and saving it to the router configuration.

Hi,

You can create an extended access-list to allow only specific IP addresses to access these ports.

ex: access-list 102 permit tcp source source-wildcard destination destination-wildcard eq port

Create access-lists like that for tcp and udp and apply them on the dialer.

Thanks,

satish


Tobias

satish has provided an outline of what you need in the access list. If that is enough to get you going it is fine. If you need more detailed help then I need a little clarification from you. Your post mentioned that you need to have access on ports 3283 and 5900 but is not clear whether they are TCP ports or UDP ports. Can you clarify that? Also am I correct in assuming that 194.77.100.88 0.0.0.7 are the destination addresses you wish to access on those ports? If not what are the destination addresses? Also we need to know what source addresses you wish to have access on these ports. If you can tell us these details then I can give you specific details of how to do this and get it into the router.

In general the approach will be to use the existing access list 103 which is applied to the dialer. We will add statements to permit your specified source addresses to your specified destination addresses on the specified ports. Then we will add statements to deny any source addresses to the specified destination addresses on the specified ports. We will need to make sure that these statements come before the general permit in the access list.

HTH

Rick


Thank you. Unfortunately I would need instructions for dummies, because I really have no experience with this router configuration.

I answer your questions from your last post in the following; let me know if you need to know anything else.

The ports 3283 and 5900 require both TCP and UDP access.

194.77.100.89 is the IP of the router, 194.77.100.90 of our WLAN gateway (which assigns locally used IPs according to the 10.0.x.x scheme). The two servers are 194.77.100.91 and 194.77.100.92.

So generally all these IPs should be able to share these ports with each other, but do not allow accessing them from "outside" ranges.

Using the existing list 103 is fine, just to note that the existing rules should not get overwritten.

Basically the list 103 already contains a sample (we have blocked ports 21 and 22 being used only by our IP range and so I want to do this also with the new ports). Hope this makes sense to you.

Tobias

I will be able to give you detailed instructions when we have all the questions answered. You have clarified that the ports need both TCP and UDP and we will include both. You have clarified that the destination addresses are subnet 194.77.100.88. However I am still not clear what source addresses should be permitted. Where will you be (on what addresses) when you use this remote management software? The examples you give in access list 103 deny any remote access via telnet or SSH to the destination address. Do you want to deny all remote access on these ports or are there some addresses that should be permitted?

HTH

Rick

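As an added example that is not part of this thread: Rick's outline (permit the chosen sources on the two ports, then deny everyone else on those ports, both ahead of the final permit ip any any) written out for ACL 103 with the addresses Tobias gave, plus a small first-match model of the numbered-ACL syntax used on this page so the entry order can be checked offline. The choice of permitted sources (the 194.77.100.88/29 addresses) is an assumption, since Rick's question about where the software is used from is still open.

```python
import ipaddress
# Added example, not from the thread: ACL 103 extended along Rick's outline,
# with a first-match model of the IOS syntax used on this page so the entry
# order can be checked offline. ASSUMPTION (still open in the thread): the
# permitted sources are the 194.77.100.88/29 addresses Tobias listed.
ACL_103 = """
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 23
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq telnet
access-list 103 permit tcp 194.77.100.88 0.0.0.7 194.77.100.88 0.0.0.7 eq 3283
access-list 103 permit udp 194.77.100.88 0.0.0.7 194.77.100.88 0.0.0.7 eq 3283
access-list 103 permit tcp 194.77.100.88 0.0.0.7 194.77.100.88 0.0.0.7 eq 5900
access-list 103 permit udp 194.77.100.88 0.0.0.7 194.77.100.88 0.0.0.7 eq 5900
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 3283
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 3283
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 5900
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 5900
access-list 103 permit ip any any
"""
PORT_NAMES = {"telnet": 23}  # IOS port keyword that appears in the page's ACL
def _addr(tok):
    """Consume 'any', 'host A' or 'A wildcard'; return (rest, network)."""
    if tok[0] == "any":
        return tok[1:], ipaddress.ip_network("0.0.0.0/0")
    if tok[0] == "host":
        return tok[2:], ipaddress.ip_network(tok[1] + "/32")
    # Wildcard = inverted netmask (0.0.0.7 -> /29); non-contiguous ones raise.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[1])))
    return tok[2:], ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False)

def parse_acl(text):
    """Return (action, proto, src, dst, dport) tuples; dport None = any port."""
    rules = []
    for tok in (line.split() for line in text.splitlines()):
        if not tok or tok[0] != "access-list":
            continue
        rest, src = _addr(tok[4:])
        rest, dst = _addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest else None
        rules.append((tok[2], tok[3], src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, dport):
            return action
    return "deny"
```

The model only covers the forms that appear on this page (any, host, address plus wildcard, a destination-port eq), and the new entries must go in before the existing permit ip any any, exactly as Rick says, or that line matches first and the denies never fire.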