
Cannot SSH into all public WAN facing interfaces.

chad patterson
Level 1

Hello all,

I have a Cisco 2801 with two DSL cards that are both routing to the internet, with NAT to the private LAN interface. I am using IP SLA and route maps to accomplish this load balancing. I have resolved most of the issues that come with this setup, but I still have a major issue: I cannot SSH into both of the WAN addresses, only one. I have included what I think is the most relevant config info.

#sh run

! ........some info omitted........!
!
!
ip sla 1
 icmp-echo W.A.N.x source-interface Dialer1
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo W.A.N.y source-interface Dialer2
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 2 life forever start-time now
!
!
key chain OER
 key 1
  key-string oerkey
!
!
oer master
 max-range-utilization percent 88
 !
 !
 border 1.1.1.1 key-chain OER
  interface ATM0/1/0 external
   max-xmit-utilization absolute 8000
  interface ATM0/3/0 external
   max-xmit-utilization absolute 8000
  interface FastEthernet0/0 internal
 !
 learn
  throughput
  periodic-interval 88
  aggregation-type prefix-length 32
 mode route control
 mode select-exit best
 resolve range priority 1
 resolve utilization priority 2 variance 1
!
oer border
 local Loopback0
 master 1.1.1.1 key-chain OER
!
!
track timer interface 5
!
track 100 interface Dialer1 ip routing
 delay down 15 up 10
!
track 200 interface Dialer2 ip routing
 delay down 15 up 10
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
!
interface FastEthernet0/0
 description $LAN-INTERFACE = GATEWAY $
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
!
interface ATM0/1/0
 no ip address
 ip virtual-reassembly
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/3/0
 no ip address
 ip virtual-reassembly
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface Dialer1
 ip address negotiated
 no ip proxy-arp
 ip mtu 1478
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXX
 ppp chap password 0 XXXXXXXX
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
!
interface Dialer2
 ip address negotiated
 no ip proxy-arp
 ip mtu 1478
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXX
 ppp chap password 0 XXXXXXXX
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 track 100
ip route 0.0.0.0 0.0.0.0 Dialer2 track 200
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 3600
ip nat inside source route-map dialer1 interface Dialer1 overload
ip nat inside source route-map dialer2 interface Dialer2 overload
ip nat inside source static tcp 192.168.0.254 222 W.A.N.x 222 extendable
ip nat inside source static tcp 192.168.0.254 222 W.A.N.y 222 extendable
!
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 123 permit tcp any any eq 22
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
route-map dialer2 permit 10
 match ip address 100
 match interface Dialer2
!
route-map dialer1 permit 10
 match ip address 100
 match interface Dialer1
!
!
line aux 0
line vty 0 4
 access-class 123 in
 privilege level 15
 login local
 transport input ssh
!


12 Replies

Hello.
I don't see ip ssh enabled in your config:

You need to specify:
Domain name = Ip domain name
Generate rsa key = Crypto key generate rsa
User name & password = username xxxxx password xxxxxx

Res
paul

Sent from Cisco Technical Support iPad App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

If you look at the very last line of my post, you will see the line vty 0 4:

transport input ssh

Also remember that I am able to SSH into one of the public addresses, as well as the private address.

Hello Chad.
That command doesn't mean that ip ssh is enabled; it's stating that ssh is required to connect to this router.

So in summary, if you want to connect to a router via ssh, then the config stated in my previous post is required on the router you want to connect to.


Res
Paul


But I CAN connect via SSH. I have stated this twice already. Am I missing something here?

Just to be clear:

#sh ip ssh

SSH Enabled - version 1.99

Authentication timeout: 120 secs; Authentication retries: 3

Hello,
Where are you trying to connect to? From this router, or to this router?
The router you are trying to connect to requires configuring for ssh!




Res
paul


OK, let me try to explain it a little better:

I have one router that I am trying to connect to. This router has multiple (two) DSL lines, each with a public IP address (each line has its own public IP address). I CAN access the router via SSH on one of those lines........I CANNOT access the router via SSH on the other line.

Hi Chad,

Let me guess; you CAN ssh from the outside to the Dialer1 interface IP, when the default route points to it, correct?  What happens when the default route is pointing to D2, can you then ssh to the D2 IP?

Nick Bonifacio
CCIE #38473


Add this also

ip route 0.0.0.0 0.0.0.0 Dialer1 track 100

ip route 0.0.0.0 0.0.0.0 Dialer2 track 200

How are you using two default routes? If you are using a route-map then you don't need a default route to route your traffic towards two different ISPs.

***Do Rate Helpful Posts***

Jawad



I am getting routed out of both interfaces, and I can verify this with traceroute and ping.

#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/579/760 ms

#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
  1 W.A.N.x msec *  80 msec
  2 75.160.237.121 44 msec *  *

#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
  1  *
     W.A.N.y 156 msec 124 msec
  2 75.160.237.121 556 msec *  *

#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
  1 W.A.N.x 48 msec
     W.A.N.y 508 msec
     W.A.N.x 36 msec
  2 75.160.237.121 52 msec *
     216.160.199.169 428 msec

Now here are the results when I run nmap against the two public addresses:

[chad@localhost ~]$ nmap X.X.X.X
Nmap scan report for X.X.X.X
Host is up (0.42s latency).
Not shown: 995 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
222/tcp filtered rsh-spx
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 37.03 seconds

[chad@localhost ~]$ nmap Y.Y.Y.Y
Nmap scan report for Y.Y.Y.Y
Host is up (0.46s latency).
Not shown: 994 closed ports
PORT      STATE    SERVICE
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
222/tcp   open     rsh-spx
445/tcp   filtered microsoft-ds
1556/tcp  filtered veritas_pbx
50636/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 34.24 seconds

Well nickbonifacio, I have two default routes, each pointing to a different dialer.

ip route 0.0.0.0 0.0.0.0 Dialer1 track 100

ip route 0.0.0.0 0.0.0.0 Dialer2 track 200

I am using IP Service Level Agreements to track the state of these interfaces, whether they are up or down, and to prevent routing through one that may be down.
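The two nmap reports in the post above are the most concrete evidence in the thread: port 22 answers only on X.X.X.X, while the port-222 static NAT mapping answers only on Y.Y.Y.Y. The script below is an added example (not the poster's or Cisco's code) that parses nmap's normal text output and lists every port whose state differs between two hosts, filling in unlisted ports from the "Not shown:" summary so the comparison covers the whole scanned range. It assumes the single-state form of that summary line shown in the post, and uses the poster's X.X.X.X / Y.Y.Y.Y placeholders as constructed sample input.

```python
import re

# Constructed sample input: the two nmap reports quoted in the post above,
# with the same X.X.X.X / Y.Y.Y.Y placeholders the poster used.
REPORT_X = """\
Nmap scan report for X.X.X.X
Host is up (0.42s latency).
Not shown: 995 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
222/tcp filtered rsh-spx
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 37.03 seconds
"""

REPORT_Y = """\
Nmap scan report for Y.Y.Y.Y
Host is up (0.46s latency).
Not shown: 994 closed ports
PORT      STATE    SERVICE
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
222/tcp   open     rsh-spx
445/tcp   filtered microsoft-ds
1556/tcp  filtered veritas_pbx
50636/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 34.24 seconds
"""

TARGET_RE = re.compile(r"^Nmap scan report for (\S+)")
# Assumes the single-state form of the summary ("Not shown: 995 closed ports").
NOT_SHOWN_RE = re.compile(r"^Not shown: \d+ (\S+) ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Parse one normal-output nmap report.

    Returns (target, default_state, ports): ports maps 'N/proto' to
    (state, service); default_state is the state nmap summarised in its
    'Not shown:' line and applies to every port without a row of its own.
    """
    target, default_state, ports = None, "closed", {}
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            default_state = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            ports[f"{m.group(1)}/{m.group(2)}"] = (m.group(3), m.group(4))
    return target, default_state, ports


def diff_reports(text_a, text_b):
    """Return [(port, state_a, state_b)] for every port whose state differs.

    A port absent from one report takes that report's 'Not shown' state, so
    a port listed as open on one host is compared against 'closed' (or
    'filtered') on the other rather than being skipped.
    """
    _, default_a, ports_a = parse_nmap(text_a)
    _, default_b, ports_b = parse_nmap(text_b)
    diffs = []
    for port in sorted(set(ports_a) | set(ports_b), key=lambda p: int(p.split("/")[0])):
        state_a = ports_a.get(port, (default_a, None))[0]
        state_b = ports_b.get(port, (default_b, None))[0]
        if state_a != state_b:
            diffs.append((port, state_a, state_b))
    return diffs


if __name__ == "__main__":
    name_a, _, _ = parse_nmap(REPORT_X)
    name_b, _, _ = parse_nmap(REPORT_Y)
    print(f"{'PORT':<10} {name_a:<10} {name_b:<10}")
    for port, state_a, state_b in diff_reports(REPORT_X, REPORT_Y):
        print(f"{port:<10} {state_a:<10} {state_b:<10}")
```

Run against the two reports it prints four differing rows: 22/tcp (open vs closed), 222/tcp (filtered vs open), and 1556/tcp and 50636/tcp (closed vs filtered). Re-running the same diff after a configuration change is a quick way to confirm that a management port is exposed on exactly the addresses intended and nowhere else.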

Remove the access-class command from line vty 0 4

and check if you are able to SSH without applying the ACL.

Jawad

Jawad Mukhtar, this access list

access-list 123 permit tcp any any eq 22

just means that anybody is allowed to connect to the terminal, as long as it is with the SSH protocol.
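The last two posts turn on what access-list 123 actually admits to the VTY lines. The following audit is an added example (not the poster's or Cisco's code) that reads an IOS running-config, resolves each `line vty` block's inbound access-class to its numbered ACL, and reports the permitted source addresses, flagging an ACL whose permit entry has a source of `any`, as 123 does, and any `transport input` that still allows telnet. It extracts only the source field of each ACE, covers both standard and extended numbered ACL ranges, and uses an excerpt of the posted config as constructed sample input; the contrast with ACL 23, which the poster applies to the HTTP server and which permits only 192.168.0.0/24, is shown in the usage below.

```python
import re

# Constructed sample input: the access-lists and vty block from the running
# config posted at the top of the thread (the rest of that config is omitted).
SAMPLE_CONFIG = """\
ip http access-class 23
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 123 permit tcp any any eq 22
!
line aux 0
line vty 0 4
 access-class 123 in
 privilege level 15
 login local
 transport input ssh
!
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def is_extended(num):
    """Numbered extended IP ACL ranges in IOS: 100-199 and 2000-2699."""
    return 100 <= num <= 199 or 2000 <= num <= 2699


def source_field(tokens):
    """Render the leading address spec of an ACE: 'any', 'host A.B.C.D',
    'A.B.C.D W.W.W.W' (address + wildcard), or a bare 'A.B.C.D', which a
    standard ACL treats as a single host."""
    if tokens[0] == "any":
        return "any"
    if tokens[0] == "host":
        return f"host {tokens[1]}"
    if len(tokens) > 1 and IPV4_RE.match(tokens[1]):
        return f"{tokens[0]} {tokens[1]}"
    return f"host {tokens[0]}"


def parse_acls(config):
    """Map ACL number (as a string) to a list of (action, source) entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        num, action, tokens = m.group(1), m.group(2), m.group(3).split()
        if is_extended(int(num)):
            tokens = tokens[1:]  # skip the protocol keyword (ip, tcp, udp, ...)
        acls.setdefault(num, []).append((action, source_field(tokens)))
    return acls


def vty_blocks(config):
    """Return [(header, [sub-commands])] for every 'line vty' block; IOS
    indents sub-commands by one space and the next unindented line ends it."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None
    return blocks


def audit_vty(config):
    """One finding string per observation about who may open a VTY session."""
    acls = parse_acls(config)
    findings = []
    for header, cmds in vty_blocks(config):
        access_class = next((c.split()[1] for c in cmds
                             if c.startswith("access-class ") and c.endswith(" in")), None)
        transports = next((c.split()[2:] for c in cmds
                           if c.startswith("transport input ")), [])
        if access_class is None:
            findings.append(f"{header}: no inbound access-class, so any reachable address may attempt a login")
        else:
            permitted = [src for action, src in acls.get(access_class, []) if action == "permit"]
            if "any" in permitted:
                findings.append(f"{header}: access-class {access_class} permits logins from any source address")
            else:
                allowed = ", ".join(permitted) if permitted else "nothing (implicit deny)"
                findings.append(f"{header}: access-class {access_class} restricts logins to {allowed}")
        if "telnet" in transports or "all" in transports:
            findings.append(f"{header}: transport input allows cleartext telnet")
    return findings


if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print(finding)
    # Same config with the LAN-only ACL 23 applied to the vty lines instead
    for finding in audit_vty(SAMPLE_CONFIG.replace("access-class 123 in", "access-class 23 in")):
        print(finding)
```

For the posted config the audit reports that access-class 123 permits logins from any source address; swapping in access-class 23 reports logins restricted to 192.168.0.0 0.0.0.255. Note that the access-class only decides which sources may reach the login prompt and is unrelated to the routing question the thread is about, which is why removing it, as suggested above, is a reasonable isolation test but not a fix.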
