SSH extern

[sebastian.f 10]

Hallo,

 

habe hier einen 876w mit einem advip image. WLAN und ATM sind deaktiviert.

Hat eigentlich nur 2 VLANs auf Interface FE0 und FE4.

 

FE0 ist im VLAN 1 192.168.80.0/24

FE3 ist im VLAN 3 192.168.1.0/24

 

NAT zwischen den Netzen wobei VLAN3 das Outside IF ist.

 

Vom VLAN 1 kann ich per SSH auf den Router zugreifen von VLAN 3 nicht warum? Sehe glaub vor lauter Bäumen den Wald nicht mehr...

 

Konfig:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
aaa new-model
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2132275648
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2132275648
revocation-check none
rsakeypair TP-self-signed-2132275648
!
!
crypto pki certificate chain TP-self-signed-2132275648
certificate self-signed 01

 	quit
! 
!
!
dot11 ssid
  authentication open 
  authentication key-management wpa
  guest-mode
  wpa-psk ascii 
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.80.1 192.168.80.99
ip dhcp excluded-address 192.168.80.151 192.168.80.254
!
ip dhcp pool Pool1
  network 192.168.80.0 255.255.255.0
  domain-name
  dns-server 217.237.151.97 217.237.151.161 
  default-router 192.168.80.1 
!
!
no ip domain lookup
ip domain name 
!
multilink bundle-name authenticated
!
!
username admin privilege 15 password 7 
archive
log config
 hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
bridge irb
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
no atm ilmi-keepalive
dsl operating-mode auto 
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
no cdp enable
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
switchport access vlan 3
!
interface Dot11Radio0
no ip address
shutdown
!
encryption mode ciphers aes-ccm 
!
ssid 
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
!
interface Vlan2
no ip address
!
interface Vlan3
description Extern
ip address 192.168.1.243 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface BVI1
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip default-gateway 192.168.1.10
ip route 0.0.0.0 0.0.0.0 192.168.1.10
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface Vlan3 overload
!
access-list 101 permit ip any any
no cdp run
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
password 7 
no modem enable
line aux 0
line vty 0 4
access-class 101 in
password 7 
transport input ssh
!
scheduler max-task-time 5000

!
webvpn cef
end

[Wordo 11]

Nimm aus der VTY die ACL raus und mach beim der Source von ACL101 das interne Netz.

[sebastian.f 10]

Müsste ja dann so aussehen oder:

ip nat inside source list 101 interface Vlan1 overload

 

Das klappt aber nicht...

 

Access-Class vom vty hab ich entfernt.

[Wordo 11]

Falsch, VLAN3 bleibt, aber die ACL:

 

access-list 101 permit ip 192.168.80.0 0.0.0.255 any

[sebastian.f 10]

Oops falschrum gedacht das wars Thx!