Configuring WAN SSH access to a Cisco 857

Configurations for ADSL and ISDN connectivity and switches for home users and small networks

Moderator: Federico.Lagni

mavelot
Cisco fan
Posts: 34
Joined: Tue 08 Aug 2006, 11:30 am

Hi everyone,

if possible I'd like some help modifying a configuration that I built 80% with SDM for an Alice res. line.
I have a minimum of knowledge of IOS commands, but honestly I hadn't thought about configuring firewall rules to allow SSH/telnet access from the Internet to the router itself, and I haven't understood what to change.
Another thing I'd like to do is make Dialer0 pingable, for diagnostic purposes, from the router itself and/or from the Internet.

This is the current config, stripped only of passwords and the certificate, which took up far too much space:


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname Cisco857
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console informational
!
no aaa new-model
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-1084598882
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1084598882
 revocation-check none
 rsakeypair TP-self-signed-1084598882
!
!
crypto pki certificate chain TP-self-signed-1084598882
 certificate self-signed 01

---- omissis -----

        quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.63
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   domain-name miodominio
   dns-server 151.99.125.1 212.216.112.112
   lease 0 2
!
!
ip cef
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp router-traffic
ip inspect name SDM_HIGH udp
no ip bootp server
ip domain name miodominio.dnsalias.com
ip name-server 151.99.125.1
ip name-server 212.216.112.112
ip ddns update method sdm_ddns1
 HTTP
  add http://login:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://login:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
!
appfw policy-name SDM_HIGH
  application http
    strict-http action reset
!
!
!
username root privilege 15 password 7 XXXXX
username admin privilege 15 secret 5 XXXXX
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface ATM0
 mtu 1500
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl bitswap both
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip ddns update hostname miodominio.dnsalias.com
 ip ddns update sdm_ddns1
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip inspect SDM_HIGH out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname cisco
 ppp chap password 7 121A0C041104
 ppp pap sent-username cisco password 7 094F471A1A0A
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.2 4662 interface Dialer0 4662
ip nat inside source static udp 10.10.10.2 4672 interface Dialer0 4672
ip nat inside source static tcp 10.10.10.2 5881 interface Dialer0 5881
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark Auto generated by SDM for NTP (123) 193.204.114.232
access-list 100 permit udp host 193.204.114.232 eq ntp host 10.10.10.1 eq ntp
access-list 100 remark Auto generated by SDM for NTP (123) 193.204.114.233
access-list 100 permit udp host 193.204.114.233 eq ntp host 10.10.10.1 eq ntp
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark uTorrent
access-list 101 permit tcp any any eq 5881
access-list 101 remark eMule UDP
access-list 101 permit udp any any eq 4672
access-list 101 remark eMule TCP
access-list 101 permit tcp any any eq 4662
access-list 101 permit udp host 212.216.112.112 eq domain any
access-list 101 permit udp host 151.99.125.1 eq domain any
access-list 101 remark Auto generated by SDM for NTP (123) 193.204.114.232
access-list 101 permit udp host 193.204.114.232 eq ntp any eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 193.204.114.233
access-list 101 permit udp host 193.204.114.233 eq ntp any eq ntp
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner exec ^CCC
% Password expiration warning.

---- omissis ----

^C
banner login ^CCC

---- omissis ----

^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 timeout login response 60
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 193.204.114.232
sntp server 193.204.114.233
end
The IOS version is 12.4(15)T11
Other suggestions to improve performance and/or security are also welcome :D

Thanks everyone
Mav
CiscoBGP
Cisco power user
Posts: 90
Joined: Fri 26 Dec 2008, 3:02 pm
Location: Reggio Emilia

Hi

Well, I have to say that SDM always gives its worst when you want to configure a router!

I never use it anyway, but I can give you some tips.

Keep in mind that you have to reach the router's name over SSH via DDNS, otherwise with a dynamic IP you can't do it.


1) You need to create the SSH keys:

Router(config)#crypto key generate rsa

I always use a 1024-bit key

2) Enter the customer's domain and the router's name

Router(config)# ip domain-name pippo.it
Router(config)#hostname Routercliente

3) You need to specify which SSH version to use and set the SSH access parameters

Router(config)#ip ssh version 2
Router(config)#ip ssh authentication-retries 2
Router(config)#ip ssh time-out 60


4) remove access-list 23, which only allows local access from the 10.10.10.0/248 network


5) on ACL 101 insert the command:

Router(config-acl)#permit tcp any any eq 22



Obviously customize it according to your needs.
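Added example by the editor, not from either poster: a hardened version of steps 3 to 5 above that keeps access-list 23 as a management filter instead of removing it, and inserts the ACL 101 entry before the list's final deny so it is actually matched. The 203.0.113.0/24 prefix is a placeholder for the trusted source network; 12.4(15)T behaviour, as posted in the thread, is assumed.

```ios
! Added example (editor's, not from the thread). Assumes IOS 12.4(15)T as
! posted; 203.0.113.0/24 is a placeholder for the trusted management prefix.
!
! 1. SSH server settings (RSA keys and domain name already exist, per the asker).
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! 2. Keep access-list 23 (used by "access-class 23 in" and "ip http access-class 23")
!    and widen it instead of deleting it: deleting it would expose the vty
!    lines to every Internet source once the WAN ACL is opened. A standard
!    numbered ACL has no explicit deny, so appending is safe here.
access-list 23 remark management sources: LAN + trusted external prefix
access-list 23 permit 203.0.113.0 0.0.0.255
!
! 3. Open the WAN ACL. ACL 101 ends with "deny ip any any log"; a plain
!    "access-list 101 permit ..." appends AFTER that deny and never matches,
!    so insert with a low sequence number in named-ACL editing mode.
!    The echo entry covers the asker's request to ping Dialer0 from outside.
ip access-list extended 101
 5 permit tcp 203.0.113.0 0.0.0.255 any eq 22
 6 permit icmp 203.0.113.0 0.0.0.255 any echo
 exit
!
! 4. SSH only on the vty lines (the posted config still accepts telnet).
line vty 0 4
 access-class 23 in
 transport input ssh
 exec-timeout 10 0
 exit
!
! 5. "username root ... password 7" is reversible; IOS refuses a secret on a
!    user that still has a password, so remove and recreate it (do this from
!    the console or while logged in as the other admin user).
no username root
username root privilege 15 secret REPLACE_ME
!
! Verify from config mode: expect "SSH Enabled - version 2.0", the new
! entries at sequence 5 and 6, and "transport input ssh" on the vty lines.
do show ip ssh
do show access-lists 101
do show running-config | begin line vty
```

If access from arbitrary source addresses is really required, replace the 203.0.113.0/24 entries with "any" in ACL 101 only and keep access-list 23 as the last line of defence.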
mavelot
Cisco fan
Posts: 34
Joined: Tue 08 Aug 2006, 11:30 am

Thanks a lot... as soon as I get home I'll configure it...

Actually, I was thinking the problem was ACL 23...

Anyway, my configuration already has SSH enabled and the certificates generated. I cut them from the post to save space.

So I just need to change the ACL, right?
CiscoBGP
Cisco power user
Posts: 90
Joined: Fri 26 Dec 2008, 3:02 pm
Location: Reggio Emilia

If you've done the rest, yes 8)