Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
922
Views
0
Helpful
2
Replies

Problems allowing SFTP in from internet

DJCanuck1_2
Level 1
Level 1

‎11-27-2010 09:46 PM - edited ‎03-04-2019 10:35 AM

I'm setting up a 871 router

and my final config is not allowing client SFTP connections from the Internet. I think it has something to do with the way CBAC is configured. Don't totally understand how CBAC works, but wondering If I should ditch CBAC all together as I'm not sure if you can use it to inspect for connections coming into the network via the Internet...

Here's the config...I know I still need to clean up the management connections....

Current configuration : 5057 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXX
!
boot-start-marker
boot system flash:c870-advsecurityk9-mz.124-24.T4.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret XXXXXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone UTC -8
!
crypto pki trustpoint TP-self-signed-2736937482
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2736937482
revocation-check none
rsakeypair TP-self-signed-2736937482
!
!
crypto pki certificate chain TP-self-signed-2736937482
certificate self-signed 01
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32373336 39333734 3832301E 170D3032 30333331 30323438
  34345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37333639
  33373438 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100920A 0FCE1707 3D8B3633 2E41A2F8 5C4C96AF 23A5AEC0 B0640659 F3AA845A
  6487015C 95538518 5C0F52F5 7D4889D9 ACD449DA EDDC4503 D4F76A71 C2BA2C3D
  BCF12AF9 7932A0AF 795299BC 154EDCAC C34A91B1 DA08CF93 018CC847 03F8924D
  7298EA7E CD683EBB CE53AFA3 8B88F1C7 979226B6 39B35A45 862C5E69 BEC67548
  F2A70203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
  551D1104 16301482 12496365 6C616E64 2E48616D 6D61722E 636F6D30 1F060355
  1D230418 30168014 BDCA25FD EB1B03D0 084BF15C 4BCA9D15 429E6A03 301D0603
  551D0E04 160414BD CA25FDEB 1B03D008 4BF15C4B CA9D1542 9E6A0330 0D06092A
  864886F7 0D010104 05000381 810077DF 511A537F 23856EE2 F0AD93DE 0C369010
  A51C8D16 45421549 4D61CFAC 6C9B57B2 F79E2B39 F5B3EA26 6160ED30 DE5334D9
  706C53C3 BB389DE8 9265166F D603C820 DF4BA265 606C5D98 D6C9B04B 76B8D8DE
  437E8BF4 2F38BBAF 3406C07E 9518CBE4 7AB24222 C33176B5 2490F824 C44F8252
  B4A65137 EF64781E DFF35164 3DA8
        quit
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool vlan1pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 216.146.35.35
!
!
ip cef
ip inspect name CBAC-IN-OUT tcp
ip inspect name CBAC-IN-OUT ftp
ip inspect name CBAC-IN-OUT ftps
ip inspect name CBAC-IN-OUT h323
ip inspect name CBAC-IN-OUT rcmd
ip inspect name CBAC-IN-OUT http
ip inspect name CBAC-IN-OUT netshow
ip inspect name CBAC-IN-OUT realaudio
ip inspect name CBAC-IN-OUT rtsp
ip inspect name CBAC-IN-OUT sqlnet
ip inspect name CBAC-IN-OUT streamworks
ip inspect name CBAC-IN-OUT tftp
ip inspect name CBAC-IN-OUT udp
ip inspect name CBAC-OUT-IN ftps
no ip bootp server
no ip domain lookup
ip domain name Hammar.com
ip name-server 4.2.2.2
ip name-server 4.2.2.1
!
!
!
!
!
!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address dhcp
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip inspect CBAC-OUT-IN in
ip inspect CBAC-IN-OUT out
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
no ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip http server
ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 22 interface FastEthernet4 22
!

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any host 192.168.1.10 eq 22 log
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end

Labels:
0 Helpful
2 Replies 2

paolo bevilacqua
Hall of Fame
Hall of Fame

‎11-27-2010 10:36 PM

"ip inspect" is known to break what normally works without a problem.

You should remove it altogether, as it doen't really add any security whatsoever.

0 Helpful

DJCanuck1_2
Level 1
Level 1
In response to paolo bevilacqua

‎11-28-2010 10:25 PM

Well I've been reading different Cisco docs and came up with the following config, but

it still doesn't work....can anyone help?

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot system flash:c870-advsecurityk9-mz.124-24.T4.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$NzDd$1KifMMFZLFDsYaA8qUm8V1
!
no aaa new-model
clock timezone UTC -8
!
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool vlan1pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 216.146.35.35
!
!
ip cef
ip inspect name CBAC-IN-OUT tcp
ip inspect name CBAC-IN-OUT ftp
ip inspect name CBAC-IN-OUT ftps
ip inspect name CBAC-IN-OUT h323
ip inspect name CBAC-IN-OUT rcmd
ip inspect name CBAC-IN-OUT http
ip inspect name CBAC-IN-OUT netshow
ip inspect name CBAC-IN-OUT realaudio
ip inspect name CBAC-IN-OUT rtsp
ip inspect name CBAC-IN-OUT sqlnet
ip inspect name CBAC-IN-OUT streamworks
ip inspect name CBAC-IN-OUT tftp
ip inspect name CBAC-IN-OUT udp
ip inspect name CBAC-IN-OUT ssh
ip inspect name CBAC-OUT-IN ssh
no ip bootp server
no ip domain lookup
ip domain name Hammar.com
ip name-server 4.2.2.2
ip name-server 4.2.2.1
!
!
!
!
!
!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address dhcp
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip inspect CBAC-OUT-IN in
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip inspect CBAC-IN-OUT in
ip nat inside
no ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 22 interface FastEthernet4 22
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_3##
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any host 192.168.1.10 eq 22 log
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
no login
!
scheduler max-task-time 5000
end

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card