04-16-2008 08:04 PM
Hi everyone,
We have a Cisco router with SSH configured. If I am physically inside the LAN, I can SSH to it via the private IP 192.168.1.1, or alternatively via its WAN IP (provided by the DHCP of our ISP).
However, I can't connect remotely using that WAN IP at all if I am not in the office LAN.
Why does it do that? Someone says it is a NAT problem, but I can't relate it.
All suggestions are welcome, thank you.
Triet
04-16-2008 08:11 PM
What error do you get? Is it a timeout error after a long connection waiting period, or is it a quick connection refused error? Do you have any access-lists or firewall that would be blocking the external WAN IP? It would be helpful to see the configuration from the router.
04-16-2008 08:21 PM
Thank you for your reply. It takes a long time and then displays the error. I can't replicate the fault now (will try later) but I think it is a timeout error.
There is a firewall and an ACL on the WAN interface.
Oh, SSH from remote used to work. It stopped working since (I think) we put in VPDN. I may be wrong.
Here is the config.
04-16-2008 08:56 PM
Is the PPP interface always up, or will it go down if there is not interesting traffic? It looks like you have a client VPN configuration on this router. Can you create a VPN tunnel to it? If so, can you SSH to the router after establishing the VPN?
04-16-2008 08:59 PM
Thank you jclarke,
- Yes the PPP interface is always up
- Yes I can create a VPN tunnel to the router
- Yes I can SSH to the router when I am in the VPN tunnel
Best regards,
Triet
04-17-2008 06:29 AM
It sounds like the SSH traffic may be filtered before it reaches this router. You might try creating another access-list that matches on your external source address. For example:
access-list 115 permit ip host x.x.x.x any
Where x.x.x.x is the IP address of the source which cannot connect to this router. Then run debug ip packet detail for this list:
debug ip packet detail 115
See if the SSH SYN is making it to the router at all.
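As an added illustration of the check described above (not code from the thread), this Python snippet reads pasted "debug ip packet detail" output, pairs each IP line with its TCP line, and reports whether a SYN to port 22 from the external source ever arrived and on which interface. The sample output is constructed, and the documentation addresses 203.0.113.5 and 198.51.100.7 stand in for x.x.x.x and the router's WAN IP.

```python
import re

# Constructed sample of "debug ip packet detail 115" output, not taken from the thread.
SAMPLE_DEBUG = """\
*Apr 17 10:02:11.101: IP: s=203.0.113.5 (Dialer1), d=198.51.100.7 (Dialer1), len 60, rcvd 3
*Apr 17 10:02:11.101:     TCP src=51234, dst=22, seq=1000, ack=0, win=65535 SYN
*Apr 17 10:02:11.230: IP: s=203.0.113.5 (Dialer1), d=198.51.100.7 (Dialer1), len 52, rcvd 3
*Apr 17 10:02:11.230:     TCP src=51235, dst=443, seq=2000, ack=0, win=65535 SYN
"""

# IP line: source, ingress interface, destination.
IP_RE = re.compile(r"IP: s=(?P<src>[\d.]+) \((?P<in_if>[^)]*)\), d=(?P<dst>[\d.]+)")
# TCP line: ports followed by the flag words at the end of the line.
TCP_RE = re.compile(r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+).*?(?P<flags>(?:\s[A-Z]{3})+)\s*$")


def find_ssh_syns(debug_text, source_ip, ssh_port=22):
    """Return (src, sport, ingress_if) for every initial SYN from source_ip to ssh_port."""
    hits = []
    current = None  # the most recent IP line, waiting for its TCP detail line
    for line in debug_text.splitlines():
        m = IP_RE.search(line)
        if m:
            current = m.groupdict()
            continue
        t = TCP_RE.search(line)
        if t and current and current["src"] == source_ip:
            flags = t.group("flags").split()
            # Only the first packet of the handshake counts: SYN without ACK.
            if int(t.group("dport")) == ssh_port and "SYN" in flags and "ACK" not in flags:
                hits.append((current["src"], int(t.group("sport")), current["in_if"]))
            current = None
    return hits


def diagnose(debug_text, source_ip):
    """Map the debug result onto the two cases the post distinguishes."""
    hits = find_ssh_syns(debug_text, source_ip)
    if not hits:
        return f"no SSH SYN from {source_ip} seen: traffic is dropped before it reaches the router"
    ifs = ", ".join(sorted({h[2] for h in hits}))
    return f"SSH SYN from {source_ip} reached the router on {ifs}: check the inbound ACL, NAT and the vty/SSH config"


if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG, "203.0.113.5"))
```

Because access-list 115 limits the debug to the one source host, the output stays small enough to paste into the parser.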
04-18-2008 07:52 AM
To rule out NAT as the cause of this, can you reconfigure your ACL like this and test?
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 deny tcp any any eq ssh
access-list 100 permit ip any any
HTH
Sundar