Cisco 887VA Cannot SSH From WAN And DNS Problem

Yair — Tue, 05 Jul 2022 19:58:31 GMT

Hello,

I have 887va that's connected and working but for some reason, i cannot ssh to cisco from wan

I have access-class match in on vty 0 4

the access-list allowing ssh to cisco from lan subnet and remote static ip

but i when i try to ssh i have timeout

also if i set up cisco as DNS server

ip dns-server

ip name-server 8.8.8.8

ip name-server 8.8.4.4

under dhcp pool

ip dns-server 172.20.30.1

then i don't have any dns translation from cisco its self or clients on lan any advice?

for now, i removed from dhcp pool ip dns-server 172.20.30.1

and added ip dns-server 8.8.8.8 8.8.4.4

posting my config

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 9 SOME PASSWORD
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 3 0
!
!
!
!
!
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 172.20.30.2 172.20.30.99
ip dhcp excluded-address 172.20.30.1
ip dhcp excluded-address 172.20.30.100
ip dhcp excluded-address 172.20.30.101
!
ip dhcp pool HOME-LAN
import all
network 172.20.30.0 255.255.255.0
default-router 172.20.30.1
dns-server 8.8.8.8 8.8.4.4
lease 0 0 5
update arp
!
!
!
no ip bootp server
ip domain name cisco.local
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VW-GNE-K9 sn xxxxxxxxxxxxxx
license accept end user agreement
license boot module c880-data level advsecurity
!
!
username SOMEUSER privilege 15 secret 9 SOME PASSWORD
!
!
!
!
!
controller VDSL 0
no cdp run
!
ip tcp synwait-time 10
!
class-map type inspect match-all firewall-invalid-src
match access-group 100
class-map type inspect match-any firewall-cls-insp-traffic
match protocol tcp
match protocol udp
match protocol icmp
match protocol dns
match protocol http
match protocol https
class-map type inspect match-any firewall-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
match protocol dns
match protocol http
match protocol https
class-map type inspect match-any firewall-skinny-inspect
match protocol skinny
class-map type inspect match-all firewall-icmp-access
match class-map firewall-cls-icmp-access
class-map type inspect match-all firewall-insp-traffic
match class-map firewall-cls-insp-traffic
!
policy-map type inspect firewall-permit
class class-default
drop
policy-map type inspect firewall-permit-icmpreply
class type inspect firewall-icmp-access
inspect
class class-default
pass
policy-map type inspect firewall-inspect
class type inspect firewall-invalid-src
drop log
class type inspect firewall-insp-traffic
inspect
class type inspect firewall-skinny-inspect
inspect
class class-default
drop
policy-map rate_3Mbps
class class-default
police cir 3000000
conform-action transmit
exceed-action drop
policy-map rate_30Mbps
class class-default
police cir 30000000
conform-action transmit
exceed-action drop
!
zone security in-zone
zone security out-zone
zone-pair security firewall-zp-self-out source self destination out-zone
zone-pair security firewall-zp-in-out source in-zone destination out-zone
service-policy type inspect firewall-inspect
zone-pair security firewall-zp-out-self source out-zone destination self
service-policy type inspect firewall-permit
!
interface Null0
no ip unreachables
!
interface Ethernet0
description WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no shutdown
ip flow ingress
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
switchport access vlan 20
no ip address
!
interface FastEthernet1
switchport access vlan 20
no ip address
!
interface FastEthernet2
switchport access vlan 20
no ip address
!
interface FastEthernet3
switchport access vlan 20
no ip address
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 10.1.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Vlan20
description FW_INSIDE
ip address 172.20.30.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description FW_OUTSIDE
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username USER@ISP password 7 ISP-PASSWORD
ppp ipcp address accept
service-policy input rate_30Mbps
service-policy output rate_3Mbps
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no ip nat service sip udp port 5060
ip nat inside source list NAT_TRAFFIC interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended MANAGEMENT
permit ip 172.20.30.0 0.0.0.255 any
permit ip host X.X.X.X any
ip access-list extended NAT_TRAFFIC
permit ip 172.20.30.0 0.0.0.255 any
!
logging trap debugging
!
!
!
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class MANAGEMENT in
privilege level 15
authorization exec local_author
login authentication local_authen
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp master
ntp update-calendar
ntp server 192.114.62.250 prefer source Dialer0
!
end

Re: Cisco 887VA Cannot SSH From WAN And DNS Problem

balaji.bandi — Tue, 05 Jul 2022 20:07:41 GMT

we are not sure why you like to ssh to cisco? any specific reason?

1. if you try from the router, what IP or what command are you using to ssh? what is the error?

2. same work for PC connected to the LAN?

3. what DNS error ?

from the PC connected LAN, everything working?

Re: Cisco 887VA Cannot SSH From WAN And DNS Problem

Yair — Tue, 05 Jul 2022 20:36:33 GMT

Thanks for the replay

from lan i can connect to ssh no problem here

from wan i cannot connect to ssh whit an error timeout on putty or any other ssh client

as for DNS, there is no error that I can see it's just not working

I can ping from cisco to 8.8.8.8

but cannot ping to google.com

Re: Cisco 887VA Cannot SSH From WAN And DNS Problem

Rob Ingram — Tue, 05 Jul 2022 21:14:57 GMT

@Yair you need to permit the communication in your outside to self zone pair firewall-zp-out-self.

Re: Cisco 887VA Cannot SSH From WAN And DNS Problem

Yair — Tue, 05 Jul 2022 21:19:00 GMT

ok what syntax? im new to ZBFW

its for ssh from remote or for dns serve to work?

topic Re: Cisco 887VA Cannot SSH From WAN And DNS Problem in Network Security

Cisco 887VA Cannot SSH From WAN And DNS Problem

Re: Cisco 887VA Cannot SSH From WAN And DNS Problem

Re: Cisco 887VA Cannot SSH From WAN And DNS Problem

Re: Cisco 887VA Cannot SSH From WAN And DNS Problem

Re: Cisco 887VA Cannot SSH From WAN And DNS Problem