Hi. I have a Netvanta 1335, and I've got it configured to provide bridging between the big internet and my local network. I have a /26 allocated, and I wish to provide unfiltered access (that is, no firewall, with users behind the Netvanta having public IP addresses), ideally NOT by NATing from (for example) 67.1.2.3 > 10.10.10.40, but rather letting user Joe actually assign a static IPv4 address of 67.1.2.3.
I have therefore *disabled* the firewall feature in the Netvanta 1335. However, now the router's IP address and the GUI are both accessible at a public IP address. I would ideally like to be able to telnet and access the GUI ONLY from devices that are attached on the "inside" (my private LAN, connected to Switchport ETH 0/2 or something like that).
I don't have any ACLs or ALGs set up. I do understand there are probably several ways to do this, but I'm not really sure how to evaluate the different methods (e.g., one way would be to firewall everything off, but specifically open bi-directional access to 67.1.2.3, 67.1.2.4, etc.). That is in fact how I've done this on the "little" Adtran 2054 I have on my home LAN, but the 1335 seems quite different.
I know just enough about AOS to be dangerous to myself and my client (that is, I am a geek but I know nothing about how to do this!)
Can anybody help? Thanks in advance!
Here's how I would do it - syntax may vary slightly depending on whether your AOS supports IPv6.
ip access-list standard admin-access
  permit 67.1.2.0 0.0.0.63
http ip access-class admin-access in
http ip secure-access-class admin-access in
line telnet 0 4
  ip access-class admin-access in
line ssh 0 4
  ip access-class admin-access in
snmp-server community itsasecret ro ip access-class admin-access
Best to do this from the console in case you lock yourself out with a typo.
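Since a typo in the ACL is exactly what locks you out, it helps to check the wildcard-mask entry against a few source addresses before pasting it into the console. The following is an added example (not from the original post or from Adtran) that evaluates a standard-ACL entry the way the router does, first match wins with an implicit deny at the end, and also converts a CIDR prefix such as the /26 above into the "network wildcard" form the ACL expects. Sample source addresses are constructed for illustration.

```python
import ipaddress

# Standard ACL entries as (action, network, wildcard); this is the
# admin-access list from the reply above, covering 67.1.2.0/26.
ADMIN_ACCESS_ACL = [
    ("permit", "67.1.2.0", "0.0.0.63"),
]

# Constructed test sources: inside the /26, the next /26 up, and far away.
SAMPLE_SOURCES = ["67.1.2.10", "67.1.2.63", "67.1.2.64", "8.8.8.8"]


def entry_matches(source: str, network: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; bits set to 0 must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    src = int(ipaddress.IPv4Address(source))
    net = int(ipaddress.IPv4Address(network))
    return (src & care) == (net & care)


def acl_decision(acl, source: str) -> str:
    """Walk the ACL top to bottom; first match wins, then implicit deny."""
    for action, network, wildcard in acl:
        if entry_matches(source, network, wildcard):
            return action
    return "deny"  # nothing matched: the implicit deny at the end of every ACL


def prefix_to_wildcard(prefix: str) -> str:
    """Turn a CIDR prefix into the 'network wildcard' pair a standard ACL uses."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return f"{net.network_address} {net.hostmask}"


def audit(acl, sources) -> dict:
    """Return {source: decision} so the ACL's scope can be eyeballed before use."""
    return {src: acl_decision(acl, src) for src in sources}


if __name__ == "__main__":
    print("ACL form of 67.1.2.0/26:", prefix_to_wildcard("67.1.2.0/26"))
    for src, verdict in audit(ADMIN_ACCESS_ACL, SAMPLE_SOURCES).items():
        print(f"{src:>12} -> {verdict}")
```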
Wow, thanks for the reply!
Quick question (I will post on the board too, but I have to log in to do that.)
What do these commands in your script do? What does "0 4" refer to?
line telnet 0 4
ip access-class admin-access in
line ssh 0 4
ip access-class admin-access in
Thanks!
/Larry Honig
Quoting jayh <adtran@adtran.hosted.jivesoftware.com>:
"How can I restrict access to GUI to local users only?"
To view the discussion, visit:
https://supportforums.adtran.com/message/9098#9098
mr.duck wrote:
What do these commands in your script do? What does "0 4" refer to?
line telnet 0 4
ip access-class admin-access in
line ssh 0 4
ip access-class admin-access in
Telnet and SSH are standard and encrypted means to log in to the unit via command-line, respectively. Each method supports up to five simultaneous login sessions numbered 0 through 4. (Real hackers start counting with 0.) These commands limit the access to the command line interface to the addresses in the ACL.
Heh. I do know about 0-based indices, ssh and telnet. I did not know about the 5 session limit, nor that you could control individual sessions per protocol. Thank you!
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor