03-15-2019 02:29 PM
Hello experts,
I am trying to set up an SSH connection from the outside link (interface Gi0/0/0), but for some reason I am getting an SSH timeout message.
Troubleshooting done so far:
I can ping the ISR's public IP (X.X.X.39.166)
ISR can ping the SSH initiator's IP
debug ip ssh does not show any connection attempts
My configuration is below
hostname ISR4431
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
aaa local authentication attempts max-fail 5
aaa local authentication default authorization default
!
aaa authentication attempts login 5
aaa authentication banner ^C
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
All activities performed on this device are logged and monitor
^C
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
no ip bootp server
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-2936396334
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2936396334
 revocation-check none
 rsakeypair TP-self-signed-2936396334
!
crypto pki certificate chain TP-self-signed-2936396334
 certificate self-signed 01
  [self-signed certificate hex omitted]
  quit
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXX
!
redundancy
 mode none
!
interface GigabitEthernet0/0/0
 ip address X.X.X.39.166 X.X.X.255.252
 ip nat outside
 ip access-group BLOCK_PING_ALLOW_ANY in
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address X.X.X.235.170 X.X.X.255.252
 speed 1000
 no negotiation auto
!
interface GigabitEthernet0/0/2
 description ASA-5516-Gi1/1
 ip address X.X.X.76.254 X.X.X.255.252
 ip nat inside
 ip policy route-map MERAKI
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
ip nat inside source list NAT_PERMIT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 X.X.X.39.165
ip route X.X.X.82.0 X.X.X.255.0 X.X.X.76.253
ip route X.X.X.25.0 X.X.X.255.0 X.X.X.76.253
ip route X.X.X.255.0 X.X.X.255.0 X.X.X.76.253
!
ip ssh authentication-retries 5
ip ssh version 2
!
ip access-list standard ALLOW_SSH
 permit X.X.X.77.111
 permit X.X.X.77.48
 permit X.X.X.76.2
 permit X.X.X.76.1
 permit X.X.X.0.18
 permit X.X.X.39.162
ip access-list standard MERAKI_MGMT_GUEST
 permit X.X.X.25.0 0.0.0.255
 permit X.X.X.255.0 0.0.0.255
!
ip access-list extended BLOCK_PING_ALLOW_ANY
 permit icmp host X.X.X.39.162 any echo
 permit icmp host X.X.X.0.18 any echo
 permit icmp host X.X.X.76.1 any echo
 permit icmp host X.X.X.76.2 any echo
 permit icmp host X.X.X.77.48 any echo
 permit icmp host X.X.X.77.111 any echo
 deny icmp any any echo
 permit ip any any
ip access-list extended NAT_PERMIT
 permit ip X.X.X.82.0 0.0.0.255 any
 permit ip X.X.X.83.0 0.0.0.255 any
 permit ip X.X.X.76.252 0.0.0.3 any
 permit ip X.X.X.255.0 0.0.0.255 any
 permit ip X.X.X.25.0 0.0.0.255 any
 permit ip any any
!
route-map MERAKI permit 10
 match ip address MERAKI_MGMT_GUEST
 set ip next-hop X.X.X.39.165
!
route-map MERAKI permit 20
!
control-plane
!
line con 0
 exec-timeout 5 0
 logging synchronous
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 transport input ssh
line vty 5 97
 exec-timeout 5 0
 transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end
The strange thing is that I can SSH to the router from the local subnet.
Please, any help is greatly appreciated!!
03-15-2019 02:52 PM
ip access-list extended NAT_PERMIT
 permit ip X.X.X.82.0 0.0.0.255 any
 permit ip X.X.X.83.0 0.0.0.255 any
 permit ip X.X.X.76.252 0.0.0.3 any
 permit ip X.X.X.255.0 0.0.0.255 any
 permit ip X.X.X.25.0 0.0.0.255 any
 permit ip any any   <---- This could be the culprit --- try removing this and test?
Or you can try a simple standard access list that matches only the internal IPs to NAT, rather than a universal ip any any, for testing.
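As an added illustration of the change suggested in this reply (not the reply author's or the original poster's own commands), the IOS steps below remove the catch-all entry in place, show the standard-ACL variant the reply mentions, and list the show commands to confirm the result. Addresses are the anonymised X.X.X. values from the posted config, NAT_INSIDE is an assumed name, and the vty access-class at the end is an extra hardening note the thread itself does not raise.

```cisco
! Option 1: remove only the catch-all entry from the existing NAT source list.
! Named-ACL mode accepts "no" on a single entry, so the inside-subnet
! permits stay as they are.
configure terminal
 ip access-list extended NAT_PERMIT
  no permit ip any any
 exit
 ! Translations built under the old list are not re-evaluated; clearing
 ! them drops active NAT sessions, so do it in a maintenance window.
 do clear ip nat translation *
end

! Option 2: the standard-ACL variant the reply mentions, matching only the
! inside source networks; anything else falls to the implicit deny.
configure terminal
 ip access-list standard NAT_INSIDE
  permit X.X.X.82.0 0.0.0.255
  permit X.X.X.83.0 0.0.0.255
  permit X.X.X.76.252 0.0.0.3
  permit X.X.X.255.0 0.0.0.255
  permit X.X.X.25.0 0.0.0.255
 exit
 ! IOS will not replace a dynamic mapping while its translations are in
 ! use, so clear them before swapping the list.
 do clear ip nat translation *
 no ip nat inside source list NAT_PERMIT interface GigabitEthernet0/0/0 overload
 ip nat inside source list NAT_INSIDE interface GigabitEthernet0/0/0 overload
end

! Verification after retrying SSH from the outside host:
! - match counts should appear only on the inside-subnet entries
show ip access-lists NAT_INSIDE
! - no translation should exist for the SSH peer on port 22
show ip nat translations
! - the inbound session should occupy a vty line
show users
! - SSH v2 with 5 authentication retries, as in the posted config
show ip ssh

! Extra hardening not raised in the thread: ALLOW_SSH is defined in the
! posted config but never applied. Attaching it to the vty lines limits
! SSH to the listed management hosts.
configure terminal
 line vty 0 97
  access-class ALLOW_SSH in
end
```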
03-15-2019 03:11 PM
You are a genius!
Thank you very much!!!!
03-15-2019 03:53 PM
Hello @balaji.bandi,
Could you, if possible, explain to me why this caused his problem?
ip access-list extended NAT_PERMIT
 permit ip X.X.X.82.0 0.0.0.255 any
 permit ip X.X.X.83.0 0.0.0.255 any
 permit ip X.X.X.76.252 0.0.0.3 any
 permit ip X.X.X.255.0 0.0.0.255 any
 permit ip X.X.X.25.0 0.0.0.255 any
 permit ip any any   <---- This could be the culprit --- try removing this and test?
I really, really need to know ^^
Thanks in advance.
03-15-2019 03:21 PM
Hi @armartirosyan,
I have noticed two things to review:
- On your outside interface you have applied this ACL, which only allows ICMP messages:
interface GigabitEthernet0/0/0
 ip address X.X.X.39.166 X.X.X.255.252
 ip nat outside
 ip access-group BLOCK_PING_ALLOW_ANY in
 negotiation auto
ip access-list extended BLOCK_PING_ALLOW_ANY
 permit icmp host X.X.X.39.162 any echo
 permit icmp host X.X.X.0.18 any echo
 permit icmp host X.X.X.76.1 any echo
 permit icmp host X.X.X.76.2 any echo
 permit icmp host X.X.X.77.48 any echo
 permit icmp host X.X.X.77.111 any echo
 deny icmp any any echo
 permit ip any any
- In your VTY lines I think you need this command:
login authentication default
Check that and let us know if it was useful.
Remember to mark the correct answers as solved, because that helps other users with similar doubts.
Regards