TOPIC: Nice little pitfall

Nice little pitfall 4 years 10 months ago #37575

TheBishop (Moderator)
I've been translating the config of a series of routers running IOS version 12.x to brand new ones running version 15.
Out of the cardboard box, the brand new routers seem to come with a sort of a default config which, among other things, contains the following.
First, the most generic interface on the unit (in my case Gi0/0) gets a helpful IP address so you can do a remote initial setup:
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.10.10.1 255.255.255.248
 duplex auto
 speed auto
Then, trying even harder to be helpful, Cisco include an access-list to restrict access to the http server to the subnet they assigned to your interface:
access-list 23 permit 10.10.10.0 0.0.0.7
.....
ip http access-class 23
And finally, because they love being secure, they apply that access list to your virtual terminal lines as well:
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
So what, you may say. But if you're in a hurry to set your router up so you blast in the new IP address for Gi0/0, slap in the rest of your config, box it up and send it to Timbuktu because the courier will be here in fifteen minutes then you will come undone. When it gets there you'll find you can't access it remotely because that access list 23, which was so helpfully applied to both your http server and VTY lines remember, now bears no resemblance to any of the IP networks configured on your router...
You have been warned!
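The pitfall described above, as an added example that is not part of the original post or of any Cisco tool: a small Python audit that parses an IOS-style running-config and reports every `ip http access-class` and VTY `access-class ... in` whose ACL permits no address inside any configured interface subnet, which is exactly the state the router ends up in after Gi0/0 is re-addressed but access-list 23 is left alone. The sample config is constructed (the post's default ACL and VTY lines, with Gi0/0 moved to the hypothetical 192.0.2.0/24), and the function names are my own.

```python
"""Flag http/VTY access-classes whose ACL no longer matches any configured subnet."""
import ipaddress
import re

# Constructed sample: the factory-default ACL and VTY config from the post,
# after Gi0/0 has been re-addressed to a hypothetical management network.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.0.2.1 255.255.255.0
 duplex auto
 speed auto
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
ip http server
ip http access-class 23
!
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
"""


def wildcard_to_prefix(wildcard):
    """Convert an IOS wildcard mask (0.0.0.7 -> 29). Contiguous wildcards only."""
    bits = int(ipaddress.IPv4Address(wildcard))
    host_bits = bits.bit_length()
    if bits != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return 32 - host_bits


def parse_acl_entry(tokens):
    """Turn the words after permit/deny in a standard ACL into an IPv4Network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32")
    if len(tokens) >= 2 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[1]):
        return ipaddress.ip_network(f"{tokens[0]}/{wildcard_to_prefix(tokens[1])}", strict=False)
    return ipaddress.ip_network(f"{tokens[0]}/32")  # bare address = implicit host


def parse_config(text):
    """Return (interfaces, acls, guarded): subnets per interface, entries per ACL,
    and the ACL id applied to 'ip http' and to each 'line vty' range."""
    interfaces, acls, guarded = {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command starts a new section
            section = None
            if m := re.match(r"interface (\S+)$", line):
                section = ("interface", m.group(1))
            elif m := re.match(r"line vty (\d+ \d+)$", line):
                section = ("vty", f"line vty {m.group(1)}")
            elif m := re.match(r"access-list (\S+) (permit|deny) (.+)$", line):
                acls.setdefault(m.group(1), []).append((m.group(2), parse_acl_entry(m.group(3).split())))
            elif m := re.match(r"ip http access-class (\S+)$", line):
                guarded["ip http"] = m.group(1)
            continue
        if section and section[0] == "interface":
            if m := re.match(r"\s+ip address (\S+) (\S+)$", line):
                interfaces[section[1]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif section and section[0] == "vty":
            if m := re.match(r"\s+access-class (\S+) in$", line):
                guarded[section[1]] = m.group(1)
    return interfaces, acls, guarded


def audit(text):
    """Map each guarded service to a reason string when its ACL permits nothing
    inside any configured interface subnet (the post's lock-out scenario)."""
    interfaces, acls, guarded = parse_config(text)
    subnets = [iface.network for iface in interfaces.values()]
    findings = {}
    for target, acl_id in guarded.items():
        permits = [net for action, net in acls.get(acl_id, []) if action == "permit"]
        if not permits:
            findings[target] = f"access-list {acl_id} has no permit entries: all remote access denied"
        elif not any(net.overlaps(sub) for net in permits for sub in subnets):
            findings[target] = (f"access-list {acl_id} permits {[str(n) for n in permits]} "
                                f"but configured subnets are {[str(s) for s in subnets]}")
    return findings


if __name__ == "__main__":
    for target, reason in audit(SAMPLE_CONFIG).items():
        print(f"LOCK-OUT RISK on '{target}': {reason}")
```

The check is deliberately narrow: it only catches the case the post describes, an ACL that references none of the router's own networks. A management station on a remote network that you have permitted on purpose does not trigger it, because that ACL does contain a subnet that is reachable by design; what it cannot tell you is whether that remote subnet is the right one, so read the report rather than trusting a clean run.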

Re: Nice little pitfall 4 years 10 months ago #37576

Chris (Administrator)
Oh yes ... thank you Cisco - don't you love it how 'secure' their routers are straight out of the 'box' ? :)

Pretty silly if you ask me - don't know why they do this, but definitely worth mentioning Alan!
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx