07-14-2022 05:06 AM - last edited on 07-14-2022 10:37 AM by Translator
Hi.
I haven't touched Cisco IOS devices in a few years, so maybe I'm just rusty. Anyway, a customer of ours has a Cisco 891 router on-site which I need to be able to manage remotely. I can SSH into it from the inside but not from the outside.
The WAN connection is a GPON fiber with PPPoE, so the logical outside interface is Dialer1, defined like this:
interface Dialer1
mtu 1492
ip address negotiated
ip access-group WAN-to-inside in
ip nat outside
ip inspect INS-OUT out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1260
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username xxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxx
Here are the NAT definitions:
ip nat inside source list Internet interface Dialer1 overload
ip nat inside source static tcp 192.168.192.47 3389 [router_public_ip] 3389 extendable
ip nat inside source static tcp 192.168.192.21 3389 [router_public_ip] 3390 extendable
ip nat inside source static tcp 192.168.192.43 3389 [router_public_ip] 3391 extendable
ip nat inside source static tcp 192.168.192.114 3389 [router_public_ip] 3392 extendable
ip nat inside source static tcp 192.168.192.50 3389 [router_public_ip] 3393 extendable
(I know that NATting RDP out onto the internet is a horrible idea; that is one of the reasons I need to be able to remotely manage it, so that I can set up a proper VPN instead of this huge security hole.)
Here is the "Internet" access-list that NAT overload statement references:
ip access-list extended Internet
permit ip 192.168.192.0 0.0.0.255 any
deny ip any any
And here is the "WAN-to-inside" access-list that is applied to Dialer1:
ip access-list extended WAN-to-inside
permit tcp any any established
permit ip host [ip_address_1] any
permit ip host [ip_address_2] any
permit ip [ISP_management_subnet] 0.0.0.255 any
permit ip host [ip_address_3] any
permit ip host [ip_address_4] any
permit ip host [ip_address_5] any
permit ip host [ip_address_6] any
permit ip host [ip_address_7] any
permit ip host [ip_address_8] any
permit ip host [our_remote_mgmt_jumphost] any
permit ip host [my_home_ip_for_testing] any
And here are the vty definitions:
line vty 0 4
login local
transport input ssh
line vty 5 191
login local
transport input ssh
When I try to SSH into the public IP address of this router from our jumphost ("permit ip host [our_remote_mgmt_jumphost] any" in WAN-to-inside) I just get connection refused. However, I can establish connections to ports 3389-3393. Also, the hit count on the line in WAN-to-inside for the jumphost increments each time I try to open an SSH connection, so the access-list rules are obviously working as intended. I can also SSH from inside, so the SSH configuration itself seems to be working.
Does anybody have any idea what could be going on?
07-14-2022 05:45 AM - last edited on 07-14-2022 10:16 AM by Translator
You configured a static route for the public IP, BUT here the dialer interface gets its IP from DHCP, and it may not be the same IP you entered in the static NAT.
07-14-2022 06:37 AM
Check whether the IP you got from the provider via DHCP and the one in the ACL match. Do you always get the same IP from the ISP if the router reboots?
07-14-2022 06:48 AM
Yes, the router always gets the same IP (we're lucky in my country to have an abundance of IPv4 addresses, so "dynamic" WAN addresses usually never change). I know that the public IP address has been consistent because employees at the customer company tell me they have been using the RDP NATs once in a while for a long while.
07-14-2022 06:53 AM - last edited on 07-14-2022 10:18 AM by Translator
Then run a debug and test incoming traffic. Do you see it on the router before it goes to the end device?
07-14-2022 06:55 AM - last edited on 07-14-2022 10:21 AM by Translator
Hmm.. I don't quite understand what you mean by end device here? I'm trying to SSH into the router itself.
07-14-2022 07:36 AM - last edited on 07-14-2022 10:22 AM by Translator
I mean the device that has the IP address you try to SSH to (in your case, the router).
07-14-2022 07:39 AM
Ok, thank you for the clarification. Although it's a moot point now since the issue is fixed now by using a loopback interface.
07-14-2022 06:54 AM - last edited on 07-14-2022 10:23 AM by Translator
Now, if you are sure the IP is the same, you need NAT for the SSH port, which is 22.
07-14-2022 06:59 AM - last edited on 07-14-2022 10:23 AM by Translator
If you do not use the well-known L4 port, then you need to add the port you use to the SSH command, and then test again.
07-14-2022 07:08 AM
Wait, really? I would have thought traffic that's supposed to terminate on the outside interface of the router itself wouldn't be NATted?
How should I configure this NAT rule? Like this?
ip nat inside source static tcp [router_public_IP] 22 [router_public_IP] 22 extendable
07-14-2022 07:13 AM - last edited on 07-14-2022 10:27 AM by Translator
Not the public IP; the IP you use for SSH. If you configure SSH to use a specific IP, like a Loopback of the router, then you need NAT.
07-14-2022 07:19 AM - last edited on 07-14-2022 10:28 AM by Translator
So I can't SSH directly into the public IP when the router is on DHCP? (Like I said, I haven't touched IOS in a few years, so I'm getting pretty rusty.)
07-14-2022 07:27 AM - last edited on 07-14-2022 10:32 AM by Translator
No, you can use the public IP via DHCP as far as I know (and to be sure I will make a small lab for you).
Another issue: the ACL line with the established keyword that you added to the TCP ACL. The issue is that this makes the router refuse the TCP SYN packet. I know you configured it for security reasons, but can you remove it and SSH to the router? If that succeeds, then this is the issue here; if not, then put it back, and as I mentioned I will do a lab and check DHCP and SSH.
""The established keyword is used to indicate an established connection for tcp. An established connection can be considered as the tcp traffic originating inside your network, not from an external network.
This means that the packets belong to an existing connection if the tcp segment has the Acknowledgment (ACK) or Reset (RST) bit set.""
07-14-2022 07:29 AM
I just created a loopback interface and NATted port 22 to that and it worked!
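As an added example that is not part of the original thread or the customer's configuration: the loopback-plus-static-NAT arrangement the thread ends on, written out in full, with a vty access-class so that the newly exposed port 22 only answers to the management hosts. The interface name Loopback0, the address 10.255.255.1, the ACL name SSH-MGMT, and the `interface Dialer1` form of the static NAT entry are my assumptions; the bracketed values are the placeholders used in the thread.

```cisco
! Added example, not the customer's config. Loopback0, 10.255.255.1 and
! the ACL name SSH-MGMT are assumed names; bracketed values are the
! thread's own placeholders.
!
! 1. A loopback that owns a private /32. It is marked "ip nat inside"
!    so the static entry below has an inside interface to pair with
!    Dialer1, which is already "ip nat outside".
interface Loopback0
 description SSH-MGMT target for inbound TCP/22
 ip address 10.255.255.1 255.255.255.255
 ip nat inside
!
! 2. Forward TCP/22 on whatever address Dialer1 negotiated to the
!    loopback. Referencing the interface instead of a literal public IP
!    keeps the entry valid even if the negotiated address changes.
ip nat inside source static tcp 10.255.255.1 22 interface Dialer1 22
!
! 3. Only the management hosts may open a session. access-class is
!    checked against the client's real source address (the static NAT
!    rewrote only the destination), so the jumphost entry matches.
!    The LAN is permitted so SSH from inside keeps working.
ip access-list standard SSH-MGMT
 permit host [our_remote_mgmt_jumphost]
 permit 192.168.192.0 0.0.0.255
 deny   any log
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 access-class SSH-MGMT in
 exec-timeout 10 0
 login local
 transport input ssh
line vty 5 191
 access-class SSH-MGMT in
 exec-timeout 10 0
 login local
 transport input ssh
```

The WAN-to-inside access-group on Dialer1 is still evaluated first, so the `permit ip host [our_remote_mgmt_jumphost] any` entry must stay; the access-class is a second, vty-specific gate that also covers any other source the WAN ACL lets through. After applying it, `show ip nat translations | include :22` should list the static entry, and `show access-lists SSH-MGMT` will show hits on the `deny any log` line for anyone else who reaches the port.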