CISCO 881 K9 - UNABLE TO SSH FROM OUTSIDE WORLD. ANYWAY LOCAL SSH FROM CONSOLE WORKS FINE

AMBARISHSINGH
Level 1

Dear Team,

 

I am facing a very peculiar issue while configuring one of the CISCO 881 K9 ROUTER at a Site.

 

We have configured the ROUTER with basic configuration as mentioned below.

 

Please check what is wrong with the script below. After applying this configuration on the fresh ROUTER, we can locally connect a laptop using the CONSOLE and get SSH on both the LAN and WAN ports. However, when we attempt to reach the WAN IP and port through the ISP from the outside world, we do not get SSH. When we TELNET from the outside world we just get a black pop-up screen with the message "SSH-2.0-Cisco-1.25" and we do not get the LOGIN PROMPT. Further, SSH does not work from the outside world at all.

We have been struggling with this for many days and have not had any breakthrough.

----------------------------------------------------------

service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no service dhcp
scheduler allocate 30000 1000
no service config
no boot host
no boot network
no logging console

hostname XXXX_NET_FW1

crypto key generate rsa general-keys label XXXX exportable modulus 2048

aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
aaa session-id common
aaa local authentication attempts max-fail 5

resource policy

no ip ssh version
ip ssh authentication-retries 3

username ADMIN privilege 15 secret 0 XXXXX

 

interface Fas4
ip address X.X.X.185 X.X.X.X
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no shut

interface Vlan1
ip address X.X.X.2 X.X.X.X
ip access-group Vlan1_inside_ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1360

ip route 0.0.0.0 0.0.0.0 X.X.X.X

line con 0
session-timeout 3
! no modem enable
transport preferred ssh
transport output all
exec-timeout 10 10

line vty 0 15
session-timeout 10
exec-timeout 10 10
transport preferred none
transport input ssh
transport output ssh
!

end
wr mem

------------------------------------------------------------

I have masked the IP addresses as it is secret.

 

Thanks & Regards

 

AS.....
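The post above reports that a telnet to the WAN address shows "SSH-2.0-Cisco-1.25" and nothing more. That string is the server's SSH identification line (RFC 4253 section 4.2), which the server sends to any TCP client before the protocol continues, so seeing it proves only that TCP port 22 is reachable and that the SSH server answered; telnet is not an SSH client and will never get a login prompt there. The probe below is an added example, not code from the original thread. It goes one step further than telnet: it sends a client identification line and checks whether the server's first binary packet is KEXINIT, which separates "unreachable", "banner only" and "key exchange started". The fake server, its port and its banner are constructed for offline demonstration; against a real router you would call probe_ssh with the WAN address from a host beyond the ISP link.

```python
"""Minimal SSH probe: open TCP, read the server's identification string,
send ours, then read the header of the first binary packet to see whether
the server proceeds to key exchange (RFC 4253 sections 4.2, 6, 7.1).
Added example, not code from the thread; the fake server at the bottom is
a constructed stand-in for the router so the probe runs offline."""
import socket
import struct
import threading

SSH_MSG_KEXINIT = 20
MAX_PRE_IDENT_LINES = 20   # servers may send text lines before the "SSH-" line


def parse_ssh_ident(line):
    """Split 'SSH-protoversion-softwareversion SP comments CR LF' into parts."""
    text = line.rstrip(b"\r\n").decode("ascii", "replace")
    if not text.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {text!r}")
    ident, _, comments = text.partition(" ")
    _, protoversion, softwareversion = ident.split("-", 2)
    return {"protoversion": protoversion, "softwareversion": softwareversion,
            "comments": comments}


def _exact(f, n):
    data = f.read(n)
    if len(data) != n:
        raise ConnectionError("peer closed before sending %d bytes" % n)
    return data


def probe_ssh(host, port=22, timeout=5.0, client_ident=b"SSH-2.0-probe_0.1"):
    """Record what the server did: TCP accepted? banner seen? first message type?"""
    result = {"tcp": False, "ident": None, "first_msg": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["tcp"] = True
            f = s.makefile("rb")
            for _ in range(MAX_PRE_IDENT_LINES):
                line = f.readline(255)
                if not line:
                    raise ConnectionError("peer closed before identifying")
                if line.startswith(b"SSH-"):
                    break
            else:
                raise ValueError("no identification string within line budget")
            result["ident"] = parse_ssh_ident(line)
            s.sendall(client_ident + b"\r\n")
            # Binary packet header: uint32 packet_length, byte padding_length
            packet_length, padding_length = struct.unpack("!IB", _exact(f, 5))
            if packet_length > 35000 or packet_length < padding_length + 2:
                raise ValueError("malformed packet header")
            result["first_msg"] = _exact(f, 1)[0]   # first payload byte = message type
    except (OSError, ValueError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def classify(result):
    """Collapse a probe result into the states worth telling apart."""
    if not result["tcp"]:
        return "unreachable"    # filtered upstream, or nothing listening on the port
    if result["ident"] is None:
        return "no-banner"      # TCP open but the SSH server never identified itself
    if result["first_msg"] != SSH_MSG_KEXINIT:
        return "banner-only"    # banner arrived, key exchange never started
    return "kex-started"        # transport works; algorithms/auth are the next layer


def start_fake_server(banner=b"SSH-2.0-Cisco-1.25\r\n", send_kexinit=True):
    """Constructed stand-in for a router on 127.0.0.1; returns the port.
    send_kexinit=False mimics the symptom in the thread: banner, then nothing."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(banner)
            conn.makefile("rb").readline(255)     # consume the client's identification
            if send_kexinit:
                payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16   # type + cookie only
                padding = b"\x00" * 10            # 4 + 1 + 17 + 10 = 32, a multiple of 8
                header = struct.pack("!IB", 1 + len(payload) + len(padding), len(padding))
                conn.sendall(header + payload + padding)

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]
```

A result of "banner-only" against the real WAN address means the transport reaches the router but the handshake stalls right after the identification exchange; that is the point at which `debug ip ssh` on the router and `ssh -vvv` on the outside client show the same exchange from each side.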

9 Replies

balaji.bandi
Hall of Fame

Some information is missing here in the config, especially the NAT configuration and the ACL referenced by "ip access-group Vlan1_inside_ACL in".

Here is an example for reference:

 

https://community.cisco.com/t5/vpn/ssh-remote-access/td-p/2388055

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

Thank you for prompt help.

Please suggest what you feel is "some information missing here in the config", especially the NAT configuration and the ACL Vlan1_inside_ACL applied inbound.

Please find below the actual script used to configure the ROUTER:

---------------------------------------------------------------------

service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no service dhcp
scheduler allocate 30000 1000
no service config
no boot host
no boot network
no logging console

hostname XXXX_FW1

crypto key generate rsa general-keys label XXXXX exportable modulus 2048

aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
aaa session-id common
aaa local authentication attempts max-fail 5

resource policy

ip ssh version 2
ip ssh authentication-retries 3

username ADMIN privilege 15 secret 0 XXX

interface fas4
ip address X.X.X.X X.X.X.X
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no shut

interface Vlan1
ip address X.X.X.X X.X.X.X
ip access-group Vlan1_inside_ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1360

ip route 0.0.0.0 0.0.0.0 X.X.X.X

line con 0
session-timeout 3
! no modem enable
transport preferred ssh
transport output all
exec-timeout 10 10

line vty 0 15
session-timeout 10
exec-timeout 10 10
transport preferred none
transport input ssh
transport output ssh
!

end
wr mem

-------------------------------------------------------------

Thanks & Regards

 

Ambarish Singh

 

Still, your configuration does not cover NAT (do you have NAT configured?).

Also, I see you have configured "ip access-group Vlan1_inside_ACL in" but you have not posted the relevant config for it.

If you would like to allow incoming SSH to the router and your environment uses NAT (it seems to, since you have inside and outside configured), here is an example to allow it:

 

ip nat inside source static tcp x.x.x.x 22 interface x/x  22

 

BB


Hi Balaji,

 

Thank you once again for your prompt reply.

 

I shall try this on-site tomorrow with my team and get back to you with our feedback.

We hope this works.

 

Thanks & Regards

 

Ambarish Singh

Ambarish Singh

 

Thank you for the updated copy of the config. There are several possible issues with the config as already identified:

- you have ip nat inside and ip nat outside configured on interfaces but no commands to perform the nat.

- you are applying an access list to the vlan interface but the access list is not in the configuration posted.

 

Both of these should be addressed but I do not see that either of them would cause the issue with SSH. And I do not see any other obvious issues in the config that would impact SSH. We need to go a step at a time in investigating that issue. After review of the configuration I believe that the next step is to post the output of show ip ssh. Once we have that output we can determine what is the next step.

HTH

Rick

Dear Richard,

 

Thank you for your valuable response. It means a lot.

 

We would do as directed and share you the results and our observations.

 

The strange point which I would like to share here is that we have successfully installed the same model and make of ROUTER at multiple locations without any issues, but only at this place are we observing this particular issue. Further, the customer has proved that the ISP link is fine, as the customer tested the same ISP with another model of CISCO ROUTER and, surprisingly, SSH worked fine on it from the outside world. This is a peculiar issue observed while working with this model of CISCO 881 K9 ROUTER at one site.

 

Thanks & Regards

Ambarish Singh

Ambarish Singh

 

Thank you for the update. It is interesting that SSH works from the ISP when using a different router. So there is some issue about this router. It will be interesting when we are able to compare the script used for the router with the content of running config of the router and perhaps see where the script did not achieve the desired result.

 

As I said we need to take this a step at a time. The output of show ip ssh will be helpful. Also it might be helpful to see the output of show version from the router.

HTH

Rick

Richard Burts
Hall of Fame

I wonder about this command "no ip ssh version". Would you post the output of the command show ip ssh 

HTH

Rick

Hi Richard,

Thank you for your prompt reply and guidance.

Sorry for sharing the incorrect script. Please find the actual script below:

---------------------------------------------------------------------

service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no service dhcp
scheduler allocate 30000 1000
no service config
no boot host
no boot network
no logging console

hostname XXXX_FW1

crypto key generate rsa general-keys label XXXXX exportable modulus 2048

aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
aaa session-id common
aaa local authentication attempts max-fail 5

resource policy

ip ssh version 2
ip ssh authentication-retries 3

username ADMIN privilege 15 secret 0 XXX

interface fas4
ip address X.X.X.X X.X.X.X
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no shut

interface Vlan1
ip address X.X.X.X X.X.X.X
ip access-group Vlan1_inside_ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1360

ip route 0.0.0.0 0.0.0.0 X.X.X.X

line con 0
session-timeout 3
! no modem enable
transport preferred ssh
transport output all
exec-timeout 10 10

line vty 0 15
session-timeout 10
exec-timeout 10 10
transport preferred none
transport input ssh
transport output ssh
!

end
wr mem

-------------------------------------------------------------

As suggested, once we are at the site we will share with you the output of the command 

"show ip ssh"

 

Thanks again for your help.

 

Thanks & Regards

 

Ambarish Singh
