734 Views, 10 Helpful, 18 Replies

Can't SSH into Cisco 891 from outside

ermitgilsukaru
Level 1

Hi.

I haven't touched Cisco IOS devices in a few years, so maybe I'm just rusty. Anyway, a customer of ours has a Cisco 891 router on-site which I need to be able to manage remotely. I can SSH into it from the inside but not from the outside.

The WAN connection is a GPON fiber with PPPoE, so the logical outside interface is Dialer1, defined like this:

interface Dialer1
mtu 1492
ip address negotiated
ip access-group WAN-to-inside in
ip nat outside
ip inspect INS-OUT out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1260
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username xxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxx

Here are the NAT definitions:

ip nat inside source list Internet interface Dialer1 overload
ip nat inside source static tcp 192.168.192.47 3389 [router_public_ip] 3389 extendable
ip nat inside source static tcp 192.168.192.21 3389 [router_public_ip] 3390 extendable
ip nat inside source static tcp 192.168.192.43 3389 [router_public_ip] 3391 extendable
ip nat inside source static tcp 192.168.192.114 3389 [router_public_ip] 3392 extendable
ip nat inside source static tcp 192.168.192.50 3389 [router_public_ip] 3393 extendable

(I know that NATting RDP out onto the internet is a horrible idea, that is one of the reasons that I need to be able to remote manage it, so that I can set up a proper VPN instead of this huge security hole)

Here is the "Internet" access-list that NAT overload statement references:

ip access-list extended Internet
permit ip 192.168.192.0 0.0.0.255 any
deny ip any any

And here is the "WAN-to-inside" access-list that is applied to Dialer1:

ip access-list extended WAN-to-inside
permit tcp any any established
permit ip host [ip_address_1] any
permit ip host [ip_address_2] any
permit ip [ISP_management_subnet] 0.0.0.255 any
permit ip host [ip_address_3] any
permit ip host [ip_address_4] any
permit ip host [ip_address_5] any
permit ip host [ip_address_6] any
permit ip host [ip_address_7] any
permit ip host [ip_address_8] any
permit ip host [our_remote_mgmt_jumphost] any
permit ip host [my_home_ip_for_testing] any

And here are the vty definitions:

line vty 0 4
login local
transport input ssh
line vty 5 191
login local
transport input ssh

When I try to SSH into the public IP address of this router from our jumphost ("permit ip host [our_remote_mgmt_jumphost] any" in WAN-to-inside) I just get connection refused. However, I can establish connections to ports 3389-3393. Also, the hitcount on the line in WAN-to-inside for the jumphost increments each time I try to open an SSH connection, so the access-list rules are obviously working as intended. I can also SSH from inside, so the SSH configuration itself seems to be working.

Does anybody have any idea what could be going on?
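To reason about which line of an inbound access-list a packet hits before touching a production router, the following added example (not code from this thread or from Cisco) evaluates a small subset of IOS extended-ACL syntax the way IOS does: top-down, first match wins, implicit deny at the end, and "established" matching only TCP segments with ACK or RST set. The ACL and all addresses are constructed placeholders from documentation ranges standing in for the bracketed values in the post; the list supports only "permit/deny <proto> <src> <dst> [eq PORT] [established]" with "any", "host A" and "A WILDCARD" address forms. Note that an inbound ACL on Dialer1 is evaluated before inside-source NAT, so the destination it sees is the router's public IP even for the port-forwarded RDP flows.

```python
"""Offline evaluator for the subset of Cisco IOS extended-ACL syntax used in
the thread. Added example, not code from the thread; every address below is a
constructed placeholder (RFC 5737 documentation ranges), not a real site value."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ROUTER_PUBLIC_IP = "203.0.113.10"    # stands in for [router_public_ip]
JUMPHOST_IP = "198.51.100.5"         # stands in for [our_remote_mgmt_jumphost]
ISP_MGMT_SUBNET = "192.0.2.0"        # stands in for [ISP_management_subnet]
RANDOM_INTERNET_IP = "203.0.113.99"  # a host with no permit line at all

# Constructed ACL in the same shape as the thread's WAN-to-inside list.
WAN_TO_INSIDE = f"""
ip access-list extended WAN-to-inside
 permit tcp any any established
 permit ip {ISP_MGMT_SUBNET} 0.0.0.255 any
 permit ip host {JUMPHOST_IP} any
"""


@dataclass
class Flow:
    """One packet as the inbound ACL on Dialer1 sees it (pre-NAT destination)."""
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False   # TCP ACK or RST set, i.e. not a fresh SYN


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks; invert explicitly instead of letting
    # ipaddress guess netmask vs. hostmask (a 0.0.0.0 wildcard would be misread as /0).
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Return ACEs as tuples in configuration order (IOS evaluates top-down)."""
    aces = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue  # list header or comment line
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport, established = None, False
        while i < len(tokens):
            if tokens[i] == "eq":
                dport, i = int(tokens[i + 1]), i + 2
            elif tokens[i] == "established":
                established, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword {tokens[i]!r} in: {raw.strip()}")
        aces.append((raw.strip(), action, proto, src, dst, dport, established))
    return aces


def evaluate(aces, flow):
    """Return (action, matching ACE text); unmatched traffic hits the implicit deny."""
    for text, action, proto, src, dst, dport, established in aces:
        if proto != "ip" and proto != flow.proto:
            continue
        if ipaddress.ip_address(flow.src) not in src:
            continue
        if ipaddress.ip_address(flow.dst) not in dst:
            continue
        if dport is not None and dport != flow.dport:
            continue
        if established and not flow.established:
            continue
        return action, text
    return "deny", "(implicit deny at end of list)"


ACES = parse_acl(WAN_TO_INSIDE)


def report():
    """Evaluate the flows discussed in the thread against the constructed list."""
    cases = {
        "ssh-from-jumphost": Flow("tcp", JUMPHOST_IP, ROUTER_PUBLIC_IP, 22),
        "rdp-3391-from-jumphost": Flow("tcp", JUMPHOST_IP, ROUTER_PUBLIC_IP, 3391),
        "ssh-from-unlisted-host": Flow("tcp", RANDOM_INTERNET_IP, ROUTER_PUBLIC_IP, 22),
        "reply-to-inside-session": Flow("tcp", RANDOM_INTERNET_IP, ROUTER_PUBLIC_IP, 54321, established=True),
    }
    return {name: evaluate(ACES, flow) for name, flow in cases.items()}


if __name__ == "__main__":
    for name, (action, line) in report().items():
        print(f"{name:26s} {action:6s} <- {line}")
```

Run as-is, it shows that the jumphost's SSH SYN and its RDP SYNs are permitted by the same "permit ip host ..." line, which matches the poster's observation that the jumphost line's hit count climbs on every SSH attempt: the ACL is passing the packet, so a "connection refused" is coming from something after the ACL, not from the list itself. An SSH SYN from an unlisted host falls through to the implicit deny, while return traffic for a session the inside initiated is accepted by the "established" line. Non-contiguous wildcard masks and named ports ("eq ssh") are outside the subset handled here and raise a ValueError rather than being silently mis-evaluated.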

18 Replies

You are so welcome, friend.

ermitgilsukaru
Level 1

Thanks for the help MHM! I don't really like creating unnecessary loopback interfaces, so I'll see if I can get it working without the loopback interface later. I'm pretty sure that the line

permit tcp any any established

in WAN-to-inside isn't the problem because I added the line while I was investigating the SSH problem. I'll try disabling the access-list some evening soon; I don't want to make too drastic changes to the config during business hours.

I will make a small lab and update you.

So I checked again and made a small lab, and as I mentioned above, the dialer interface asks for an IP each time, so the IP changes. This makes SSH to the public IP not work some of the time.
So next time, without configuring the Loopback, check if you can SSH to the router.
If you cannot access it,
go to the router and do
show ip interface brief
and check whether the dialer interface gets an IP from the ISP or not.
