New Member

Cisco 1712: Remote management software issue

I am dealing with the following issue and hope for assistance:

We use a symmetric DSL line that is connected to a Cisco 1712 router, which manages traffic for our Unix servers.

The remote management software we want to use requires access to ports 3283 and 5900. Since the server's firewall is correctly configured but I still can't get access using this software, I suspect that the router blocks these ports by default.

But how can I check this? (I have no experience managing the router over the terminal, and the web panel of the router shows that the firewall can't be managed that way because ACLs have been used.)

Can someone provide me with tips or hints on where to look?

37 REPLIES
Hall of Fame Super Silver

Re: Cisco 1712: Remote management software issue

Tobias

Your description does sound like an access list is blocking those ports. If you will post the config of the router (masking out passwords and sensitive information) we can advise you how to modify the access list to permit those ports.

HTH

Rick

New Member

Re: Cisco 1712: Remote management software issue

Thank you for trying to assist me :-)

Okay, here is the configuration (telnet session opened, command "enable", command "show conf"). If you need anything else, please let me know.

Using 2124 out of 29688 bytes
!
! Last configuration change at 12:08:32 PCTime Tue Sep 19 2006
! NVRAM config last updated at 12:08:44 PCTime Tue Sep 19 2006
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname adsl-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret 5 *************************************
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
isdn switch-type basic-net3
!
!
!
!
no crypto isakmp ccm
!
!
!
interface BRI0
 no ip address
 shutdown
 isdn switch-type basic-net3
!
interface FastEthernet0
 description zum DSL modem
 no ip address
 speed auto
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
 description LAN
 ip address 194.77.x.x.255.255.248
!
interface Dialer1
 description T-DSL dialer
 ip address negotiated
 ip access-group 103 in
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap refuse
 ppp pap sent-username ******** password 7 **********
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 9
no ip http secure-server
!
!
!
access-list 9 permit 194.77.100.88 0.0.0.7
access-list 101 permit ip any any
access-list 102 permit ip 195.143.235.176 0.0.0.7 any
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 23
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq telnet
access-list 103 permit ip any any
dialer-list 1 protocol ip list 101
!
!
control-plane
!
!
line con 0
 password 7 *************************************
 login
line aux 0
line vty 0 4
 password 7 *************************************
 login
!
end

I hope I have removed all passwords; I think so (they are replaced by * characters).

Hall of Fame Super Silver

Re: Cisco 1712: Remote management software issue

Tobias

I have looked at the config that you posted and I do not see anything in it that would prevent traffic on the ports that you mention. Is there perhaps some other part of the network that the traffic passes through that could impact it?

Also: the command that you used to get the configuration was show conf. For troubleshooting it is better to use the command show running-config. show conf gets the configuration file that is stored in NVRAM (and is the config that the router would use if it suddenly rebooted). show running-config gets the configuration file that is actually active on the router. It is possible that some configuration changes could have been made but not yet saved to NVRAM. show running-config would see these changes but show conf would not.

HTH

Rick

New Member

Re: Cisco 1712: Remote management software issue

Our network topology is as follows:

sDSL ---> Cisco 1712 ---> Switch ---> WLAN (Apple AirPort Extreme)
                               |---> Servers

So when we access our servers we cannot go through the LAN, but use an Internet connection to access them.

The only point I can imagine that interferes is the AirPort station (WLAN router/gateway). But I don't see a configurable firewall there, just an option to enable SNMP for it, and I guess that is not related to this topic.

By the way, here is the output from show running-config:

adsl-gw#show running-config
Building configuration...

Current configuration : 2083 bytes
!
! Last configuration change at 01:16:32 PCTime Sun Nov 5 2006 by adsl07027@viadsl.de
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname adsl-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret 5 *****
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
isdn switch-type basic-net3
!
!
!
!
no crypto isakmp ccm
!
!
!
interface BRI0
 no ip address
 shutdown
 isdn switch-type basic-net3
!
interface FastEthernet0
 description zum DSL modem
 no ip address
 speed auto
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
 description LAN
 ip address 194.77.100.89 255.255.255.248
!
interface Dialer1
 description T-DSL dialer
 ip address negotiated
 ip access-group 103 in
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap refuse
 ppp pap sent-username ******** password 7 ******
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 9
no ip http secure-server
!
!
!
access-list 9 permit 194.77.100.88 0.0.0.7
access-list 101 permit ip any any
access-list 102 permit ip 195.143.235.176 0.0.0.7 any
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 23
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq telnet
access-list 103 permit ip any any
dialer-list 1 protocol ip list 101
!
!
control-plane
!
!
line con 0
 password 7 **********
 login
line aux 0
line vty 0 4
 password 7 ************
 login
!
end

And an off-topic question: Is it possible to configure the router to take the date/time from an NTP server? I noticed that the date stamp is totally wrong, and I only have the ability to synchronize with my local computer while I have the web panel open, which is a bit inconvenient.

New Member

Re: Cisco 1712: Remote management software issue

I should also mention that a port scan done with a network utility shows nothing at all. After five minutes I interrupted the process. Maybe it has something to do with the problem, but I don't think so.

Silver

Re: Cisco 1712: Remote management software issue

Hi,

Configure the following command so that your router will synchronize with an NTP server.

router(config)# ntp server .

Hope it helps you.

Thanks,

satish

New Member

Re: Cisco 1712: Remote management software issue

Unfortunately I only have the domain name, not the IP of the server; I guess this was the reason why I failed.

Is it possible to do it with just the URL?

New Member

Re: Cisco 1712: Remote management software issue

I finally found the problem. It was in the WLAN base station we connected. There I had to enable port forwarding for the specific ports this software uses to the LAN IP of my computer.

Just one issue left: How safe is it to enable port forwarding? Of course, I made sure that no one can use this remote management software to control my computer, but personally I don't find it safe to have open ports. Is there anything I should take care of?

Unfortunately I can't disable them and open them only on request, because I work with this software daily and so it would become too inconvenient.

Anyway, thank you for your support by checking my router configuration :-)

Hall of Fame Super Silver

Re: Cisco 1712: Remote management software issue

Tobias

I am glad that you found the problem and fixed it. And I am glad that our discussion was helpful in eliminating potential causes such as the router config. It is frequently an important part of troubleshooting to identify likely sources of the problem, investigate them, realize that they are not really the source of the problem and go on to identify other possible sources of the problem until you get to the actual source of the problem.

And thanks for posting back to the forum indicating that the problem was resolved and what resolved it. It makes the forum more useful when people can read about a problem and can then read about what really solved the problem.

HTH

Rick

New Member

Re: Cisco 1712: Remote management software issue

May I ask you another question: Since I now have to enable port forwarding for two ports, I feel that this could be a potential security risk.

Due to how our network is built, the wireless LAN base station has its own WAN IP assigned (it is connected to the switch that is connected to the Cisco router).

Is it possible to create an ACL (as was done for ports 22 and 23) that allows access to these ports only from given IP addresses (the ones of our two servers)?

I think that this would make it more secure, because the router would block any access to these ports from outside our IP range, wouldn't it?

If so, can you assist me in creating an ACL for this purpose? I would need step-by-step advice for creating an ACL via the terminal and saving it to the router configuration.

Silver

Re: Cisco 1712: Remote management software issue

Hi,

You can create an extended access-list to allow only specific IP addresses to access these ports.

Example: access-list 102 permit tcp source source-wildcard destination destination-wildcard eq port

Like that, create access-list entries for TCP and UDP and apply the list on the dialer.

Thanks,

satish

Hall of Fame Super Silver

Re: Cisco 1712: Remote management software issue

Tobias

satish has provided an outline of what you need in the access list. If that is enough to get you going, fine. If you need more detailed help then I need a little clarification from you. Your post mentioned that you need to have access on ports 3283 and 5900 but is not clear whether they are TCP ports or UDP ports. Can you clarify that? Also, am I correct in assuming that 194.77.100.88 0.0.0.7 are the destination addresses you wish to access on those ports? If not, what are the destination addresses? Also we need to know what source addresses you wish to have access on these ports. If you can tell us these details then I can give you specific details of how to do this and get it into the router.

In general the approach will be to use the existing access list 103 which is applied to the dialer. We will add statements to permit your specified source addresses to your specified destination addresses on the specified ports. Then we will add statements to deny any source addresses to the specified destination addresses on the specified ports. We will need to make sure that these statements come before the general permit in the access list.

HTH

Rick

New Member

Re: Cisco 1712: Remote management software issue

Thank you. Unfortunately I would need instructions for dummies, because I really have no experience with this router configuration.

I answer the questions from your last post in the following; let me know if you need to know anything else.

The ports 3283 and 5900 require both TCP and UDP access.

194.77.100.89 is the IP of the router, 194.77.100.90 that of our WLAN gateway (which assigns locally used IPs according to the 10.0.x.x scheme). The two servers are 194.77.100.91 and 194.77.100.92.

So generally all these IPs should be able to share these ports with each other, but access from "outside" ranges should not be allowed.

Using the existing list 103 is fine; just note that the existing rules should not get overwritten.

Basically, list 103 already contains a sample (we have blocked ports 21 and 22 so that they are used only by our IP range, and I want to do the same with the new ports). Hope this makes sense to you.

Hall of Fame Super Silver

Re: Cisco 1712: Remote management software issue

Tobias

I will be able to give you detailed instructions when we have all the questions answered. You have clarified that the ports need both TCP and UDP and we will include both. You have clarified that the destination addresses are subnet 194.77.100.88. However I am still not clear what source addresses should be permitted. Where will you be (on what addresses) when you use this remote management software? The examples you give in access list 103 deny any remote access via telnet or SSH to the destination address. Do you want to deny all remote access on these ports or are there some addresses that should be permitted?

HTH

Rick

New Member

Re: Cisco 1712: Remote management software issue

> However I am still not clear what source addresses should be permitted. Where will you be (on what addresses) when you use this remote management software? The examples you give in access list 103 deny any remote access via telnet or SSH to the destination address. Do you want to deny all remote access on these ports or are there some addresses that should be permitted?

No, all remote access should be denied. Only access that originates from our IP range should be allowed.

I manage the servers from within our local WLAN network only, not from outside IPs.

Please let me know if you need more details.

Silver

Re: Cisco 1712: Remote management software issue

Hi,

In your previous post, you configured the following access-lists:

access-list 9 permit 194.77.100.88 0.0.0.7

access-list 102 permit ip 195.143.235.176 0.0.0.7 any

Can I assume the 194.77.100.88 block belongs to the servers?

Then what is the purpose of this 195.143.235.176 block?

To create an extended access-list for accessing the ports of the servers we need to know the source IP addresses and the destination IP addresses. In your case the 194.77.100.88 block belongs to the destinations.

Which IP addresses are you using as source addresses to access those servers? That is, from which IPs are you accessing the servers?

Thanks,

satish

New Member

Re: Cisco 1712: Remote management software issue

> Can i assume 194.77.100.88 block belongs to servers ?

> Then what is the purpose of 195.143.235.176 this block ?

I confess, I have no idea. The access lists were originally created by our ISP, which did a one-time configuration of the router (which was free at the time).

If I understand this access list correctly, this IP address also has access to everything?

I'll clarify this tomorrow with our ISP (local time is 23 o'clock). If it is unused I would like to remove (or at least disable) this access list.

I'm ashamed to ask, but can you show me how I would enable/disable ACLs?

> To create an extended access-list for accessing the ports of the servers we need to know the source IP addresses and the destination IP addresses. In your case the 194.77.100.88 block belongs to the destinations.

You may check my other replies, but here it is summarized:

Allowed source and destination IPs are our own IP range only (currently 194.77.100.89 to 194.77.100.95).

Ports are 3283 and 5900 (TCP and UDP).

Basically it should be the same as ACL 103 (which blocks 22 and 23, SSH and telnet, from outside).

Silver

Re: Cisco 1712: Remote management software issue

Hi,

Can I assume 194.77.100.91 and 194.77.100.92 are the destination IPs (i.e. server IPs)

and 194.77.100.88, 89, 90, 93 and 94 are the source IPs (PCs or LAN IPs from which you are accessing the servers)?

Can you clarify one thing? Which IP addresses are used by users to access the servers?

> I'm ashamed to ask, but can you show me how I would enable/disable ACLs?

You can create an access-list:

router#config

router(config)#access-list 10 permit host x.x.x.x

If you want to delete an access-list, follow the steps below:

router#config

router(config)#no access-list 10 permit host x.x.x.x

The main differences between a standard access-list and an extended access-list are:

standard access-list: 1. you can use 1-99 when specifying the access-list; 2. it contains only the source address.

extended access-list: 1. you can use 100-199 when specifying the access-list; 2. you can specify ranges for both source and destination addresses, along with ports.

please rate this....

Thanks,

satish

New Member

Re: Cisco 1712: Remote management software issue

Thank you for your post. When I follow your steps, are the access lists then permanently stored on the router (in the NVRAM), or do I have to save them in some way?

The IP addresses used by the servers are 194.77.100.91 and 194.77.100.92.

All other IPs can be considered source IPs, but 194.77.100.88 seems to be something required for technical reasons (we cannot use this IP; our Cisco router starts at ...89).

Silver

Re: Cisco 1712: Remote management software issue

Hi,

I agree with you, the router IP address is 194.77.100.88.

Let me explain this clearly. Take access-list 103 as a reference, i.e.

access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 22

Here the destination has 7 IP addresses, starting from 194.77.100.88 to 194.77.100.94.

Out of these, two IPs, i.e. 194.77.100.91 and 194.77.100.92, are used for the servers and 194.77.100.89 is used for the router.

According to you, the remaining 4 IPs, i.e. 194.77.100.88, 90, 93 and 94, belong to the PCs (source) from which you are accessing the servers.

Am I correct? If this is correct then we will create an extended access-list for accessing the servers on those ports.

Thanks,

satish

New Member

Re: Cisco 1712: Remote management software issue

We have also been assigned 194.77.100.95, but I remember that it is not available to us for some technical reason.

Yes, you are correct with the IPs.

However, if possible I want to use the same scheme as access list 103 does (allow all traffic from our IP range, disallow outside traffic); there is no need to set up a per-IP configuration.

I look forward to your explanation of how to set up an access list (please also include the commands for saving the ACLs, so that they do not get lost in case of a power outage).

New Member

Re: Cisco 1712: Remote management software issue

Okay, I felt it was my lucky day today, and so I tried the router configuration with the information I had and that rburts and smothuku provided. It seemed to work; when doing "show conf" ("show running-config" displays the same) I get the following access list information:

access-list 9 permit 194.77.100.88 0.0.0.7
access-list 101 permit ip any any
access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 3283
access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq 3283
access-list 102 deny udp any 194.77.100.88 0.0.0.7 eq 5900
access-list 102 deny tcp any 194.77.100.88 0.0.0.7 eq 5900
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 23
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq telnet
access-list 103 permit ip any any
dialer-list 1 protocol ip list 101

So... is everything correct?

In my understanding it works as follows:

ACL 102 denies traffic for ports 3283 & 5900 (TCP and UDP) from "any" outside IP to all IPs within our range.

Silver

Re: Cisco 1712: Remote management software issue

Hi,

After configuring the above access-lists, did you check access to your servers from your LAN PCs?

Are you able to access the servers from your LAN IPs?

Thanks,

satish

New Member

Re: Cisco 1712: Remote management software issue

Yes, I'm able to use these ports internally.

Everything else is correct (reaching the ports from outside our IP range should not work), isn't it? Can you check this?

Hall of Fame Super Silver

Re: Cisco 1712: Remote management software issue

Tobias has created a new access list 102. It is not clear whether he has configured access-group to assign the access list to an interface. Without the access-group assignment even though the access list exists it will do no work.

I wonder about the reasons to create a different access list. If my understanding of the functionality is correct it seems to me to make more sense to add the statements for these ports to the existing access list 103 rather than creating a new access list.

Also there is a logic problem with access list 102. The syntax is correct to deny TCP and UDP ports 3283 and 5900 from any source address to any destination address in their subnet. But the access list has only deny statements and has no permit statements. If this access list is assigned to an interface no traffic will be permitted. The access list explicit deny statements will deny some traffic and the implicit deny at the end of the access list will deny everything else. It is a basic principle of access lists that every access list must permit something. So if access list 102 will be kept it should end with this:

access-list 102 permit ip any any

HTH

Rick

Silver

Re: Cisco 1712: Remote management software issue

Hi Rick,

You are correct; access-list 102 should end with a permit statement.

I think Tobias might not have applied the access-list to the dialer interface using ip access-group 102 in.

*** good suggestion from Rick.

Tobias, check this out.

Thanks,

satish

New Member

Re: Cisco 1712: Remote management software issue

Thank you for your notes.

But please also let me know how I can fix that.

I can add "access-list 102 permit ip any any" - would this solve the problem? Or is this just considered "good style"?

My idea of how this works is that a packet is checked for each access list. If it "goes through" each access list and is still permitted, it will be sent. As soon as it is declined by a list, other checks are cancelled and packet is not sent.

So please let me know which additional steps I need to perform to make it work.

Hall of Fame Super Silver

Re: Cisco 1712: Remote management software issue

Tobias

The permit ip any any is more than just "good style". As I explained an access list that does not have at least one permit statement will effectively deny all traffic. That is more basic functionality than good style.

I am not sure that you understood my point about assigning the access list so let me go into that a bit more deeply. Using access lists is really a two step process: you must create the access list and then you must assign the access list. Until you assign the access list it does not really do anything and no traffic is checked against an access list that is not assigned. The config that you posted assigned access list 103 as operating inbound. I am not clear that you assigned access list 102 after you created it. If you did not assign it then it is not being used to control traffic. And an interface can have only one access list (in each direction - one in and one out). So you can not use both 102 and 103 in conjunction (which seems to be how you are thinking of them).

So here is my suggestion of how to fix the access list. You need to add new statements into access list 103. And to add new statements you need to delete the access list and then to rebuild the access list. This is what I suggest that you do:

config term
interface dialer1
 no ip access-group 103 in
 exit
no access-list 103
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 3283
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 3283
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 5900
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 5900
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 23
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq telnet
access-list 103 permit ip any any
interface dialer1
 ip access-group 103 in
end
copy running-config startup-config

This will create an access list with the right statements in the right order and correctly assigned to the interface. Try this and let us know how it works.

HTH

Rick
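Editor's added example (not code from this thread, from Cisco, or from either poster): a small Python simulator of the first-match semantics Rick describes in his two posts above. It parses numbered-ACL lines in the form used in this thread, walks one list top-down, and reports which entry matched or that the implicit deny at the end applied. It is run over Tobias's deny-only list 102, over Rick's rebuilt list 103, and over a hypothetical list 103 in which the four new denies were simply typed into the existing list, where IOS appends them after the existing "permit ip any any". It models only the lookup inside one list (an interface applies one list per direction); it does not model which interface a packet enters, so LAN-to-LAN traffic that never crosses Dialer1 inbound is out of scope. The outside source address 203.0.113.5 and the test ports are constructed.

```python
# Added example, not code from this thread or from Cisco: a minimal simulator
# for the first-match semantics of an IOS numbered access list. It models only
# the lookup inside one list, not which interface a packet enters.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port keywords that appear in the ACLs above; IOS knows many more.
PORT_NAMES = {"telnet": 23, "ssh": 22}


@dataclass(frozen=True)
class Ace:
    """One entry: action, protocol, (address, wildcard) pairs, optional destination port."""
    action: str
    proto: str
    src: Tuple[int, int]
    dst: Tuple[int, int]
    dst_port: Optional[int]


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return ((addr, wildcard), next_i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def parse_acls(text):
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines into {N: [Ace, ...]}, in order."""
    acls = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list":
            continue  # blank lines, '!' comments and other config lines
        number, action, proto = int(tokens[1]), tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        port = None
        if i < len(tokens) and tokens[i] == "eq":
            port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        acls.setdefault(number, []).append(Ace(action, proto, src, dst, port))
    return acls


def _addr_matches(addr, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == net & care


def covered_range(addr, wildcard):
    """First and last address matched by a pair such as '194.77.100.88 0.0.0.7'."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    first = a & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """Walk the list top-down; return (action, index) of the first matching entry,
    or ('deny', None) when nothing matched and the implicit deny at the end applied."""
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_matches(src, ace.src) and _addr_matches(dst, ace.dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, idx
    return "deny", None


# Constructed from the thread: the four new denies, and the old list 103 as posted.
NEW_DENIES = """
access-list {n} deny udp any 194.77.100.88 0.0.0.7 eq 3283
access-list {n} deny tcp any 194.77.100.88 0.0.0.7 eq 3283
access-list {n} deny udp any 194.77.100.88 0.0.0.7 eq 5900
access-list {n} deny tcp any 194.77.100.88 0.0.0.7 eq 5900
"""
OLD_103 = """
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 23
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq telnet
access-list 103 permit ip any any
"""
ACL_102_DENY_ONLY = parse_acls(NEW_DENIES.format(n=102))[102]   # Tobias's list 102
ACL_103_REBUILT = parse_acls(NEW_DENIES.format(n=103) + OLD_103)[103]  # Rick's rebuilt 103
ACL_103_APPENDED = parse_acls(OLD_103 + NEW_DENIES.format(n=103))[103]  # hypothetical: typed into old 103


def outcome(acl, proto, dst_port=None, src_ip="203.0.113.5", dst_ip="194.77.100.91"):
    """Evaluate one constructed inbound packet (203.0.113.5 is a made-up outside host)."""
    return evaluate(acl, proto, src_ip, dst_ip, dst_port)


if __name__ == "__main__":
    print("0.0.0.7 block covers", covered_range("194.77.100.88", "0.0.0.7"))
    for name, acl in [("102 deny-only", ACL_102_DENY_ONLY), ("103 rebuilt", ACL_103_REBUILT),
                      ("103 appended", ACL_103_APPENDED)]:
        print(name, "tcp/5900:", outcome(acl, "tcp", 5900), " tcp/443:", outcome(acl, "tcp", 443))
```

Running it shows the three points of the discussion in one place: list 102 denies port 5900 by an explicit entry but denies a web request by the implicit deny, so applied on its own it would cut off everything; the rebuilt list 103 denies the four new ports and still permits other traffic through the final entry; and in the appended variant a TCP/5900 packet hits "permit ip any any" at index 4 before ever reaching the new denies, which is why the list is deleted and rebuilt in order rather than extended in place. The helper covered_range confirms what a 0.0.0.7 wildcard actually spans.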

Silver

Re: Cisco 1712: Remote management software issue

Hi,

Rick is correct, and check access to the servers after configuring the access-lists.

Rick: I have a small doubt. Any access-list not applied to an interface using ip access-group in or out is useless; I think I am correct.

Let's take one example. I have created an extended access-list 150 (inbound or outbound, whichever it may be) and applied it to some interface using ip access-group.

Afterwards I have created a few more entries in extended access-list 150.

My question is: is it necessary to remove ip access-group from the interface before configuring access-list 150?

Suppose I create extended access-list entries without removing ip access-group from the interface; will they work or not?

Hope you got my question...

Thanks,

satish
