740 Views, 10 Helpful, 18 Replies

Can't SSH into Cisco 891 from outside

ermitgilsukaru (Level 1)

Hi.

I haven't touched Cisco IOS devices in a few years, so maybe I'm just rusty. Anyway, a customer of ours has a Cisco 891 router on-site which I need to be able to manage remotely. I can SSH into it from the inside but not from the outside.

The WAN connection is a GPON fiber with PPPoE, so the logical outside interface is Dialer1, defined like this:

interface Dialer1
mtu 1492
ip address negotiated
ip access-group WAN-to-inside in
ip nat outside
ip inspect INS-OUT out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1260
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username xxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxx

Here are the NAT definitions:

ip nat inside source list Internet interface Dialer1 overload
ip nat inside source static tcp 192.168.192.47 3389 [router_public_ip] 3389 extendable
ip nat inside source static tcp 192.168.192.21 3389 [router_public_ip] 3390 extendable
ip nat inside source static tcp 192.168.192.43 3389 [router_public_ip] 3391 extendable
ip nat inside source static tcp 192.168.192.114 3389 [router_public_ip] 3392 extendable
ip nat inside source static tcp 192.168.192.50 3389 [router_public_ip] 3393 extendable

(I know that NATting RDP out onto the internet is a horrible idea, that is one of the reasons that I need to be able to remote manage it, so that I can set up a proper VPN instead of this huge security hole)

Here is the "Internet" access-list that NAT overload statement references:

ip access-list extended Internet
permit ip 192.168.192.0 0.0.0.255 any
deny ip any any

 And here is the "WAN-to-inside" access-list that is applied to Dialer1:

ip access-list extended WAN-to-inside
permit tcp any any established
permit ip host [ip_address_1] any
permit ip host [ip_address_2] any
permit ip [ISP_management_subnet] 0.0.0.255 any
permit ip host [ip_address_3] any
permit ip host [ip_address_4] any
permit ip host [ip_address_5] any
permit ip host [ip_address_6] any
permit ip host [ip_address_7] any
permit ip host [ip_address_8] any
permit ip host [our_remote_mgmt_jumphost] any
permit ip host [my_home_ip_for_testing] any

And here are the vty definitions:

line vty 0 4
login local
transport input ssh
line vty 5 191
login local
transport input ssh

When I try to SSH into the public IP address of this router from our jumphost ("permit ip host [our_remote_mgmt_jumphost] any" in WAN-to-inside) I just get connection refused. However, I can establish connections to ports 3389-3393. Also, the hitcount on the line in WAN-to-inside for the jumphost increments each time I try to open an SSH connection, so the access-list rules are obviously working as intended. I can also SSH from inside, so the SSH configuration itself seems to be working.

Does anybody have any idea what could be going on?

1 Accepted Solution

Not the public IP; the IP you use for SSH.

If you configure SSH to use a specific IP, like a loopback on the router, then you need NAT.

18 Replies

You configure a static route with the public IP, BUT here the dialer interface gets its IP from DHCP, and it may not be the same IP you entered in the static NAT.

balaji.bandi (Hall of Fame)

Check that the IP you got from the provider using DHCP matches the ACL.

Do you always get the same IP from the ISP if the router reboots?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ermitgilsukaru (Level 1)

Yes, the router always gets the same IP (we're lucky in my country to have an abundance of IPv4 addresses, so "dynamic" WAN addresses usually never change). I know that the public IP address has been consistent because employees at the customer company tell me they have been using the RDP NATs once in a while for a long while.

Then run the debug and test incoming traffic. Do you see it on the router before it goes to the end device?

 

BB


Hmm.. I don't quite understand what you mean by end device here? I'm trying to SSH into the router itself.

I mean the device having the IP address that you try to SSH to (in your case, the router).

BB


Ok, thank you for the clarification. Although it's a moot point now, since the issue is fixed by using a loopback interface.

Now, if you are sure the IP is the same, you need NAT for the SSH port, which is 22.

If you do not use the well-known L4 port, then you need to add the port you use to the SSH command, and then test again.

Wait, really? I would have thought traffic that's supposed to terminate on the outside interface of the router itself wouldn't be NATted?

How should I configure this NAT rule? Like this?

ip nat inside source static tcp [router_public_IP] 22 [router_public_IP] 22 extendable

 

Not the public IP; the IP you use for SSH.

If you configure SSH to use a specific IP, like a loopback on the router, then you need NAT.

So I can't SSH directly into the public IP when the router is on DHCP? (Like I said, I haven't touched IOS in a few years, so I'm getting pretty rusty.)

No, you can use the public IP via DHCP as far as I know (and to be sure I will make a small lab for you).

Another issue: the ACL line with the established keyword that you added to the TCP ACL. The issue is that this makes the router refuse the TCP SYN packet. I know you configured it for security reasons, but can you remove it, SSH to the router, and if it succeeds then this is the issue here; if not, then put it back. As I mentioned, I will do a lab and check DHCP and SSH.

"The established keyword is used to indicate an established connection for TCP. An established connection can be considered as the TCP traffic originating inside your network, not from an external network.

This means that the packets belong to an existing connection if the TCP segment has the Acknowledgment (ACK) or Reset (RST) bit set."

I just created a loopback interface and NATted port 22 to that and it worked!
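The loopback-plus-NAT arrangement that the accepted solution describes and the original poster confirms, written out as a complete IOS configuration fragment. This is an added example, not the poster's configuration: the loopback address 10.255.255.1, the ACL name MGMT-SSH and the use of the interface form of the static NAT entry are assumptions, and the bracketed names are the thread's own placeholders.

```cisco
! Added example (not from the original post). 10.255.255.1 and MGMT-SSH are assumed;
! the bracketed names are the thread's placeholders.
!
! Management loopback that SSH terminates on. Pick a /32 not used anywhere on the LAN
! and mark it as a NAT inside interface so translated packets are delivered to it.
interface Loopback0
 description SSH management target
 ip address 10.255.255.1 255.255.255.255
 ip nat inside
!
! Static PAT for TCP/22 to the loopback. Binding the entry to Dialer1 instead of a
! literal public IP means it follows the negotiated PPPoE address if the ISP changes it.
ip nat inside source static tcp 10.255.255.1 22 interface Dialer1 22
!
! Second gate behind the WAN-to-inside ACL: only the jumphost and the LAN may reach
! the vty lines, whichever address the session arrives on.
ip access-list standard MGMT-SSH
 permit host [our_remote_mgmt_jumphost]
 permit 192.168.192.0 0.0.0.255
!
ip ssh version 2
!
line vty 0 4
 access-class MGMT-SSH in
 login local
 transport input ssh
line vty 5 191
 access-class MGMT-SSH in
 login local
 transport input ssh
!
! Verify from the jumphost, then on the router:
!   show ip nat translations | include :22
!   show ip access-lists WAN-to-inside
```

The static entry exposes TCP/22 on the public address to every source the WAN-to-inside ACL lets in, including the ISP management subnet and the other permitted hosts, so the access-class on the vty lines is what keeps those sources away from the login prompt. The inbound ACL on Dialer1 is evaluated before the NAT translation, so the existing "permit ip host [our_remote_mgmt_jumphost] any" line already covers the SSH packets from the jumphost and needs no change for this to work.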
