09-03-2020 01:10 AM
Hi all,
Please help me check my configuration on a Cisco router. I tried to set up an SSH connection from the outside link (interface Gi0/0), but the connection fails with a network ERROR.
Maybe the issue comes from NAT, but I do not know how to fix it yet.
My configuration is below:
HAN-1921-R1(config)#do show run
Building configuration...
Current configuration : 2756 bytes
!
! Last configuration change at 07:43:43 UTC Thu Sep 3 2020 by admin
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HAN-1921-R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$Axjp$O.cvFO3PdtmiFhaM1PzPB1
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip domain name R1.XXX.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn
license accept end user agreement
!
!
username admin privilege 15 secret 5 $1$uxvr$s1.pczVU2KX4n7PuaKa4f1
username abc password 7 070C285F4D06
!
redundancy
!
!
!
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description connect to WAN
no ip address
ip nat outside
no ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0.1
!
interface GigabitEthernet0/1
description LAN
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description WIFI
encapsulation dot1Q 2
ip address 172.16.0.1 255.255.254.0
ip access-group 120 in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.2
description IP-phone
encapsulation dot1Q 3
ip address 172.16.2.1 255.255.255.0
ip access-group 120 in
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1440
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXXXXXXX password 7 03535F5B1459251E47
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 120 interface Dialer1 overload
ip nat inside source static tcp 172.16.0.11 4370 xxx.xxx.xxx.xxx 4370 extendable
ip nat inside source static tcp 172.16.0.10 8000 xxx.xxx.xxx.xxx 8000 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
access-list 100 permit ip 172.16.0.0 0.0.1.255 any
access-list 101 permit ip 172.16.2.0 0.0.0.255 any
access-list 120 permit ip any any
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
no exec
transport input ssh
transport output none
!
scheduler allocate 20000 1000
!
end
09-03-2020 02:02 AM
- What is the particular error you are getting? Also review this document and check that all configuration settings related to SSH are in place:
https://www.mustbegeek.com/enable-ssh-in-cisco-ios-router/#.X1Cw_Xkzbct
M.
09-03-2020 02:41 AM
I am using mRemoteNG with SSH version 2 to connect to the router from outside. It showed: Network error. Connection refused
I tried re-configuring the router, but I have the same issue.
HAN-1921-R1#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 5
09-03-2020 04:18 AM
A couple of steps:
Generate an RSA key:
(config)# crypto key generate rsa
line vty 0 4
login local
If it is still not working, post the output of the following:
show version
show ip ssh
show run | in crypto
09-03-2020 05:01 AM
Hi balaji.bandi,
After entering login local and generating the crypto key, the issue is still the same.
HNO-R1#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.3(3)M4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 24-Sep-14 06:25 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
HN-VNPT-R1 uptime is 6 hours, 48 minutes
System returned to ROM by reload at 05:04:29 UTC Thu Sep 3 2020
System image file is "usbflash0:c1900-universalk9-mz.SPA.153-3.M4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
HNO-R1#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 5
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdQRQh9wIXRm3HlBM3OpMcTDkcUDhNdilpTxWyZ+8e
8P59TMSqNPJJpHAGbT9THSWw/SzBw9e2nrn53/Evwa936BbZOok7lvMzfFyGYJljaCPQaocTF/lA0P6d
0nHvNRMrSkP+Jj91JVXVLdPKENdiUS8FZf37z8aUw6Mb+pryODiC0rS7GLrw8I3y3q4pO1ckMwifGLnU
t4jnN5zGRJx/8ty8dqIHTZ0SlP+d5Ax4GykZR/DwuRXJ+/V+L/1kzNuLJ3jBScmDrmQ/MJw3vNqY4eJe
xIRxfl1M+TN8nGYq6dF2ry4YFS5KNw9EzssDPk2NtOhIB02y+KSpBC5NzGel
HNO-R1#show running-config | in crypto
HNO-R1#
- no information --
09-03-2020 10:03 AM
Thanks for the output that shows very clearly that ssh is correctly enabled. I believe that your issue is related to the way that you have configured nat. I do not understand why you have 3 dynamic nat statements
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 120 interface Dialer1 overload
each of which has its own acl
access-list 100 permit ip 172.16.0.0 0.0.1.255 any
access-list 101 permit ip 172.16.2.0 0.0.0.255 any
access-list 120 permit ip any any
My first suggestion is to decide which one of these you want to use and to delete the other two (and I absolutely recommend that you not keep the one that uses acl 120).
After you decide which one you will keep I suggest that you change its acl. You are using an extended access list and I see no reason for needing an extended acl. A simple standard acl would work just as well (since you are not testing for any different destination address or testing for any protocol or port values).
I have seen problems with remote access which were caused by address translation which had a permit any for the destination address. I believe that this is your problem. Please reduce the configuration to a single dynamic address translation and change it to a standard acl and let us know if the behavior changes.
09-03-2020 07:18 PM
Dear Richard Burts,
Actually, I used ACL 120 for testing why I cannot access the router via SSH. Before that I set up ACL 100 for network 172.16.0.0/23 and ACL 101 for network 172.16.2.0/24.
09-04-2020 12:46 AM
Dear all,
I found the exact problem that prevented me from SSHing into the router. The problem comes from IOS, as described in the link below:
"
On IOS upgrade SSH/Telnet to router stops working if NAT is configured
Symptom:
On IOS upgrade to 153-3.M2.bin & onwards, we cannot telnet/ssh to the router where NAT is configured.
Conditions:
This problem only exists if we have a NAT entry configured using an IP which also exists on an interface, i.e.
ip nat inside source static tcp
Workaround:
Change the above statement to use the interface instead of the IP address, i.e.
ip nat inside source static tcp interface
Further Problem Description:
As we can see in the output of 'show ip aliases', there is a dynamic alias for the Inside Global address. Until version 152-4.M6, as you mentioned, you did not see the issue. This is because until that version the dynamic alias created by the NAT rule 'ip nat inside source static tcp ' was removed when the interface matching the Inside Global address came up.
From version 15.3 we see that the dynamic alias for the Inside Global address is not removed even when the interface matching that address comes up. As a result, there is both an interface and a dynamic alias for the address.
"
Reference link:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCup75103/?rfs=iqvred
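Two checks come out of this thread: the bug condition in the accepted solution (a static NAT rule whose inside-global address is also configured on an interface, which from IOS 15.3 leaves a stale dynamic alias and breaks SSH/Telnet to the router), and Richard Burts' point that a PAT rule driven by a `permit ip any any` ACL should be replaced by a standard ACL listing only the inside subnets. The script below is an added example, not code from the thread or from Cisco: it parses a running-config in the form posted above and reports both conditions, printing the interface-based rewrite the bug workaround calls for. The sample config is constructed; interface names and inside ranges follow the thread, while 203.0.113.10 is a documentation-range placeholder for the poster's masked public address. Because the poster's Dialer1 uses `ip address negotiated`, the address is not in the text config; to audit that case, substitute the address learned at runtime (from `show ip interface brief` or `show ip aliases`) before running the check.

```python
import re

# Constructed sample running-config for this example. Interface names and the
# 172.16.x.x inside ranges follow the thread's configuration; 203.0.113.10 is a
# documentation-range placeholder standing in for the poster's masked public address.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.1
 description WIFI
 ip address 172.16.0.1 255.255.254.0
 ip nat inside
!
interface Dialer1
 ip address 203.0.113.10 255.255.255.255
 ip nat outside
!
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source list 120 interface Dialer1 overload
ip nat inside source static tcp 172.16.0.11 4370 203.0.113.10 4370 extendable
ip nat inside source static tcp 172.16.0.10 8000 interface Dialer1 8000
access-list 100 permit ip 172.16.0.0 0.0.1.255 any
access-list 120 permit ip any any
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IFACE_RE = re.compile(r"^interface (\S+)$")
ADDR_RE = re.compile(rf"^ip address ({IPV4}) {IPV4}$")
STATIC_IF_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
STATIC_IP_RE = re.compile(rf"^ip nat inside source static (tcp|udp) (\S+) (\d+) ({IPV4}) (\d+)")
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\d+) interface (\S+) overload$")
ACL_ANY_RE = re.compile(r"^access-list (\d+) permit ip any any$")


def parse_config(text):
    """Pull out interface addresses, static/dynamic NAT rules and wide-open ACLs.

    Lines are stripped first, so both an indented 'show run' and a copy that lost
    its indentation (as in the thread) parse the same way.
    """
    iface_addrs = {}     # interface name -> configured IPv4 address
    static_rules = []    # (proto, local_ip, local_port, global, global_port, via_interface)
    overload_rules = []  # (acl number, outside interface)
    open_acls = set()    # ACL numbers containing 'permit ip any any'
    current = None       # interface whose sub-commands are being read
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
            continue
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            iface_addrs[current] = m.group(1)  # 'ip address negotiated' never matches here
        elif m := STATIC_IF_RE.match(line):
            static_rules.append((*m.groups(), True))
        elif m := STATIC_IP_RE.match(line):
            static_rules.append((*m.groups(), False))
        elif m := OVERLOAD_RE.match(line):
            overload_rules.append(m.groups())
        elif m := ACL_ANY_RE.match(line):
            open_acls.add(m.group(1))
    return iface_addrs, static_rules, overload_rules, open_acls


def audit(text):
    """Return a list of findings, each with the offending rule and a suggested fix."""
    iface_addrs, static_rules, overload_rules, open_acls = parse_config(text)
    addr_to_iface = {addr: name for name, addr in iface_addrs.items()}
    findings = []
    for proto, lip, lport, glob, gport, via_interface in static_rules:
        # CSCup75103 condition: the inside-global address is also an interface address.
        if not via_interface and glob in addr_to_iface:
            findings.append({
                "kind": "static-nat-global-is-interface-address",
                "rule": f"ip nat inside source static {proto} {lip} {lport} {glob} {gport}",
                "fix": f"ip nat inside source static {proto} {lip} {lport} "
                       f"interface {addr_to_iface[glob]} {gport}",
            })
    for acl, iface in overload_rules:
        # A PAT rule whose ACL permits any source translates traffic it should not.
        if acl in open_acls:
            findings.append({
                "kind": "overload-acl-permits-any-source",
                "rule": f"ip nat inside source list {acl} interface {iface} overload",
                "fix": f"replace access-list {acl} with a standard ACL that lists only the inside subnets",
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f['kind']}] {f['rule']}\n    fix: {f['fix']}")
```

Run against the sample, the script flags the 4370 forwarding rule and prints the interface form of the same rule (`... 172.16.0.11 4370 interface Dialer1 4370`), and flags the overload rule tied to ACL 120; the rule using ACL 100, which permits only 172.16.0.0/23, passes. The interface form is the workaround quoted from the bug report; the script only rewrites the rule text, it does not push anything to a device.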