Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1847
Views
0
Helpful
4
Replies

Unable to SSH from Outside

Go to solution
armartirosyan
Beginner
Beginner

‎03-15-2019 02:29 PM

Hello experts,

 

I am trying to setup ssh connection from outside link (interface Gi-0/0/0), but for some reason I am getting a SSH timeout message.

 

Troubleshooting done so far:

I can ping the ISR's public IP (X.X.X.39.166)

ISR can ping the SSH initiator's IP 

debug ip ssh does not show any connection attempts 

 

My configuration is below

 

hostname ISR4431
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
aaa new-model
aaa local authentication attempts max-fail 5
aaa local authentication default authorization default
!
!
aaa authentication attempts login 5
aaa authentication banner ^C
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities performed on this device are logged and monitor
^C
aaa authentication login default local
aaa authorization exec default local 
!
!
!
!
!
!
aaa session-id common
!
no ip bootp server
!
!
!
!
!
!
!
!
!
!
subscriber templating
! 
!         
! 
! 
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2936396334
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2936396334
 revocation-check none
 rsakeypair TP-self-signed-2936396334
!
!
crypto pki certificate chain TP-self-signed-2936396334
 certificate self-signed 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 32393336 33393633 3334301E 170D3139 30333133 31383533 
  34305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39333633 
  39363333 34308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201 
  0A028201 0100C362 0A3444C0 DFCAAC4D ABBABC6D BD65E3C3 4E208297 885BB69B 
  B5ABCF2F C11E6370 C75FE449 076B7E34 6DB0167D FF61B25F FA37DA18 DAB55528 
  D4ED1A48 E0418B3C 59D80400 21F54894 7F3F4B16 75790043 CB0024B0 DB2F4365 
  91631E81 9BB84A6E 31730B6E 0CAE407A 159BE1D6 22385F52 77FBFDAD B16764B6 
  C542C887 7B2CF2E4 677C32E4 2C80FBC8 1824456C E66FD1E2 048B0D12 115AACFF 
  4C487076 0C97CBFB C93EC3C4 F990F712 A5F7FD0B 530EDD21 1A32D09E 6384B3B7 
  8BB44E1E C2CF54D7 4D2A320E 5BC34E8B D4CE7644 19E15400 19F3B8A3 3A86AB60 
  18D08534 D4AB23D8 D1201C02 277B78A6 7495F0B7 9DAC13F4 9CFC9283 9556E5C8 
  50607CE4 8E470203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 
  301F0603 551D2304 18301680 1446A008 B56F13C2 2FADADDF 0F99368B 04E0BDBC 
  FD301D06 03551D0E 04160414 46A008B5 6F13C22F ADADDF0F 99368B04 E0BDBCFD 
  300D0609 2A864886 F70D0101 05050003 82010100 4C0CC7FB 8B51CF28 650046C2 
  42CD326B FB4E8286 A4E92FB4 CBE6A5B4 64F6373B C4EBE919 730C025C 99E06F96 
  E3B824CD 89DD0C34 31B7FB39 E9853231 6625C600 A9A04AD7 40BBE631 E9919C48 
  ED07B440 B77D66EF D9456D9D 7B8573EF FE390CCF B971D286 BBC659FA EB2B6F92 
  9D453B07 987AE07E BBC9790A 15EB9498 1A3D855B 72F7A161 36264AC6 4CDEE563 
  EC84E8F6 5598020A 68EAC439 A820721F D65409A4 29466FFE DFEE6471 AE40B7B5 
  6345C260 5D44BF72 2FD8C778 4491716F CDEA57BB 420192FA 6D2F7F2C 2A82A13E 
  7BB672E6 8B4143E3 1D1B17FE 70733278 8EC1B3EC 20419339 7768DAD9 1616B39F 
  842A7EED 1E66CE07 535898F3 018020FE B909AC89
  	quit
!
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXX
!
redundancy
 mode none
!
!
!
!         
!
!
! 
!
!
!
!
!
!
!
!
!
!
!
!
! 
! 
!
!
interface GigabitEthernet0/0/0
 ip address X.X.X.39.166 X.X.X.255.252
 ip nat outside
 ip access-group BLOCK_PING_ALLOW_ANY in
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address X.X.X.235.170 X.X.X.255.252
 speed 1000
 no negotiation auto
!
interface GigabitEthernet0/0/2
 description ASA-5516-Gi1/1
 ip address X.X.X.76.254 X.X.X.255.252
 ip nat inside
 ip policy route-map MERAKI
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
ip nat inside source list NAT_PERMIT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 X.X.X.39.165
ip route X.X.X.82.0 X.X.X.255.0 X.X.X.76.253
ip route X.X.X.25.0 X.X.X.255.0 X.X.X.76.253
ip route X.X.X.255.0 X.X.X.255.0 X.X.X.76.253
!         
ip ssh authentication-retries 5
ip ssh version 2
!
!
ip access-list standard ALLOW_SSH
 permit X.X.X.77.111
 permit X.X.X.77.48
 permit X.X.X.76.2
 permit X.X.X.76.1
 permit X.X.X.0.18
 permit X.X.X.39.162
ip access-list standard MERAKI_MGMT_GUEST
 permit X.X.X.25.0 0.0.0.255
 permit X.X.X.255.0 0.0.0.255
!
ip access-list extended BLOCK_PING_ALLOW_ANY
 permit icmp host X.X.X.39.162 any echo
 permit icmp host X.X.X.0.18 any echo
 permit icmp host X.X.X.76.1 any echo
 permit icmp host X.X.X.76.2 any echo
 permit icmp host X.X.X.77.48 any echo
 permit icmp host X.X.X.77.111 any echo
 deny   icmp any any echo
 permit ip any any
ip access-list extended NAT_PERMIT
 permit ip X.X.X.82.0 0.0.0.255 any
 permit ip X.X.X.83.0 0.0.0.255 any
 permit ip X.X.X.76.252 0.0.0.3 any
 permit ip X.X.X.255.0 0.0.0.255 any
 permit ip X.X.X.25.0 0.0.0.255 any
 permit ip any any
!
!
route-map MERAKI permit 10 
 match ip address MERAKI_MGMT_GUEST
 set ip next-hop X.X.X.39.165
!
route-map MERAKI permit 20 
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 logging synchronous
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 transport input ssh
line vty 5 97
 exec-timeout 5 0
 transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

The strange thing I can ssh to router from local subnet. 

 

Please any help is greatly appreciated!!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
VIP
VIP

‎03-15-2019 02:52 PM 

ip access-list extended NAT_PERMIT
 permit ip X.X.X.82.0 0.0.0.255 any
 permit ip X.X.X.83.0 0.0.0.255 any
 permit ip X.X.X.76.252 0.0.0.3 any
 permit ip X.X.X.255.0 0.0.0.255 any
 permit ip X.X.X.25.0 0.0.0.255 any
 permit ip any any    <---- This could be a culprit --- try remove this and test ?

 

Or you can try simple standard access list match only Internal IP to NAT rather univarsal ip any any for testing.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful
4 Replies 4

Go to solution
balaji.bandi
VIP
VIP

‎03-15-2019 02:52 PM 

ip access-list extended NAT_PERMIT
 permit ip X.X.X.82.0 0.0.0.255 any
 permit ip X.X.X.83.0 0.0.0.255 any
 permit ip X.X.X.76.252 0.0.0.3 any
 permit ip X.X.X.255.0 0.0.0.255 any
 permit ip X.X.X.25.0 0.0.0.255 any
 permit ip any any    <---- This could be a culprit --- try remove this and test ?

 

Or you can try simple standard access list match only Internal IP to NAT rather univarsal ip any any for testing.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
armartirosyan
Beginner
Beginner
In response to balaji.bandi

‎03-15-2019 03:11 PM

You are a genious! 

 

Thank you very much!!!!

0 Helpful

Go to solution
Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to balaji.bandi

‎03-15-2019 03:53 PM

Hello @balaji.bandi ,

 

Could you, if possible, explain for me, why this cause his problem?

 

ip access-list extended NAT_PERMIT
 permit ip X.X.X.82.0 0.0.0.255 any
 permit ip X.X.X.83.0 0.0.0.255 any
 permit ip X.X.X.76.252 0.0.0.3 any
 permit ip X.X.X.255.0 0.0.0.255 any
 permit ip X.X.X.25.0 0.0.0.255 any
 permit ip any any    <---- This could be a culprit --- try remove this and test ?

 

I really really need know ^^ 

 

Thanks in advance.

Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

Go to solution
luis_cordova
VIP
VIP

‎03-15-2019 03:21 PM

Hi @armartirosyan ,

 

I have noticed two things to review:

 

-In your interface outside you have applied this ACL, which only allows ICMP messages

interface GigabitEthernet0/0/0
 ip address X.X.X.39.166 X.X.X.255.252
 ip nat outside
 ip access-group BLOCK_PING_ALLOW_ANY in
 negotiation auto

 

ip access-list extended BLOCK_PING_ALLOW_ANY
 permit icmp host X.X.X.39.162 any echo
 permit icmp host X.X.X.0.18 any echo
 permit icmp host X.X.X.76.1 any echo
 permit icmp host X.X.X.76.2 any echo
 permit icmp host X.X.X.77.48 any echo
 permit icmp host X.X.X.77.111 any echo
 deny   icmp any any echo
 permit ip any any

--In your VTY lines I think you need this command:

login authentication default

 

Check that and let us know if it was useful.

 

Remember to mark the correct answers as solved, because that helps other users with similar doubts.

 

Regards

 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents