Allow telnet, SSH, or HTTPS remote management on a Cisco 800 series using a Zone Based Firewall

I have recently installed some Cisco 877 routers at some of our branch offices, and wanted to allow remote management of these devices from the LAN at our central location over the VPN. With the Zone based firewall enabled there is no access allowed to the ‘Self’ zone from remote locations by default, as you would expect. This process is pretty straightforward when you are using Cisco PIX or ASA firewalls as you can use the management-access inside command, and then easily define which subnets you want to be able to access which remote management tools. There is no equivalent command when using an IOS router, so you need to configure the appropriate access list, class map, and policy map

In this example the site to site VPN is already configured as is the zone based firewall which was configured by SDM. The following subnets are defined for the LANs at each location:

192.168.1.0/24 – This is the head office LAN subnet which I want to allow access to the remote router over the VPN tunnel

192.168.2.0/24 – This is the branch office LAN subnet which is attached to the Cisco 877

The ip address of the 877 router at the branch office is:

192.168.2.254

Firstly, create an access list to define which services you want to allow access to, from the head office subnet:

router(config)# ip access-list extended remote-manage

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq 22

This allows SSH access from the 192.168.1.0/24 subnet to the router

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq telnet

This allows telnet access from the 192.168.1.0/24 subnet to the router

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq 443

This allows HTTPS access from the 192.168.1.0/24 subnet to the router

Next, create the following class maps:

router(config)# class-map type inspect match-any remote-manage

router(config-cmap)# match access-group name remote-manage

router(config)# class-map type inspect match-any router-access

router(config-cmap)# match class-map remote-manage

Finally, add this policy map

router(config)# policy-map type inspect sdm-permit

router(config-pmap)#class type inspect router-access

router(config-pmap-c)# inspect

You should now be able to telnet, SSH and use SDM to access the router from the head office subnet. If you need to allow any other subnets or hosts to access the router remotely simply add them to the access-list you created earlier. It could be that you want to allow SSH access to the external Internet facing IP of the router which you could do by adding the following (where X.X.X.X is the external IP of the router):

router(config)# ip access-list extended remote-manage

router(config-ext-nacl)# permit tcp any host X.X.X.X eq 22

This would allow any Internet host to access the external IP of the router using SSH, although it would be preferable to lock this down to specific IP addresses or subnets that you already own.

Quick basic configuration of a Cisco ASA firewall for custom IP address and ASDM access

Here are a few quick commands to wipe a Cisco ASA series firewall, resetting it to factory defaults, and then enabling the device for an IP address on your own subnet rather than the default 192.168.1.0/24, as well as setting up ASDM and telnet and ssh access. This gives you a very basic configuration from which you can access the device. First connect to the device via the console port and run the following commands to wipe the device:

ciscoasa> enable

ciscoasa# conf t

ciscoasa(config)# configure factory-default

Once the device has loaded the default configuration, disable DHCP on the inside interface to prevent the device dishing out IP addresses. This may not be relevant in your environment but in ours DHCP is provided elsewhere:

ciscoasa(config)# no dhcpd enable inside

ciscoasa(config)# no dhcpd address 192.168.1.5-192.168.1.254 inside

Set the ip address for the inside LAN on interface vlan1 if this is the vlan you are using for the inside network:

ciscoasa(config)# int vlan1

ciscoasa(config-if)# ip address 10.0.0.1 255.255.255.0

ciscoasa(config-if)# exit

Enable the http server, and allow access from the inside subnet

ciscoasa(config)# http server enable

ciscoasa(config)# http 10.0.0.0 255.255.255.0 inside

Configure the local AAA authentication database and create a new user account to log in to ASDM with:

ciscoasa(config)# aaa authentication http console LOCAL

ciscoasa(config)# username oasysadmin password Pa55word

Enable telnet and/or ssh on the inside interface if required:

ciscoasa(config)# telnet 10.0.0.0 255.255.255.0 inside

ciscoasa(config)# ssh 10.0.0.0 255.255.255.0 inside

ciscoasa(config)# aaa authentication ssh console LOCAL

Set the enable password

ciscoasa(config)# enable password Pa55word

Save the configuration and reload

ciscoasa(config)# write mem

ciscoasa(config)# exit

ciscoasa# reload