03-13-2013 01:35 PM - edited 03-04-2019 07:16 PM
Hello all,
I have a Cisco 2801 with two DSL cards that are both routing to the internet, with NAT to the private LAN interface. I am using IP SLA and route maps to accomplish this load balancing. I have resolved most of the issues that come with this setup, but I still have a major issue: I cannot SSH into both of the WAN addresses, only one. I have included what I think is the most relevant config info.
#sh run
! ........some info omitted........!
!
!
ip sla 1
icmp-echo W.A.N.x source-interface Dialer1
timeout 1000
threshold 40
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo W.A.N.y source-interface Dialer2
timeout 1000
threshold 40
frequency 3
ip sla schedule 2 life forever start-time now
!
!
key chain OER
key 1
key-string oerkey
!
!
oer master
max-range-utilization percent 88
!
!
border 1.1.1.1 key-chain OER
interface ATM0/1/0 external
max-xmit-utilization absolute 8000
interface ATM0/3/0 external
max-xmit-utilization absolute 8000
interface FastEthernet0/0 internal
!
learn
throughput
periodic-interval 88
aggregation-type prefix-length 32
mode route control
mode select-exit best
resolve range priority 1
resolve utilization priority 2 variance 1
!
oer border
local Loopback0
master 1.1.1.1 key-chain OER
!
!
track timer interface 5
!
track 100 interface Dialer1 ip routing
delay down 15 up 10
!
track 200 interface Dialer2 ip routing
delay down 15 up 10
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
!
interface FastEthernet0/0
description $LAN-INTERFACE = GATEWAY $
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface ATM0/1/0
no ip address
ip virtual-reassembly
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/3/0
no ip address
ip virtual-reassembly
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/32
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Dialer1
ip address negotiated
no ip proxy-arp
ip mtu 1478
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname XXXXXXXX
ppp chap password 0 XXXXXXXX
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!
!
interface Dialer2
ip address negotiated
no ip proxy-arp
ip mtu 1478
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 2
no cdp enable
ppp authentication chap pap callin
ppp chap hostname XXXXXXXX
ppp chap password 0 XXXXXXXX
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 track 100
ip route 0.0.0.0 0.0.0.0 Dialer2 track 200
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 3600
ip nat inside source route-map dialer1 interface Dialer1 overload
ip nat inside source route-map dialer2 interface Dialer2 overload
ip nat inside source static tcp 192.168.0.254 222 W.A.N.x 222 extendable
ip nat inside source static tcp 192.168.0.254 222 W.A.N.y 222 extendable
!
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 123 permit tcp any any eq 22
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
route-map dialer2 permit 10
match ip address 100
match interface Dialer2
!
route-map dialer1 permit 10
match ip address 100
match interface Dialer1
!
!
line aux 0
line vty 0 4
access-class 123 in
privilege level 15
login local
transport input ssh
!
03-13-2013 02:15 PM
Hello.
I don't see in your config ip ssh enabled:
You need to specify:
Domain name = Ip domain name
Generate rsa key = Crypto key generate rsa
User name & password = username xxxxx password xxxxxx
Res
paul
Sent from Cisco Technical Support iPad App
03-13-2013 02:47 PM
If you look at the very last line of my post, you will see the line vty 0 4:
transport input ssh
Also remember that I am able to SSH into one of the public addresses, as well as the private address.
03-13-2013 03:25 PM
Hello Chad.
That command doesn't mean that ip ssh is enabled; it's stating that to connect to this router ip ssh is required.
So in summary, if you want to connect to a router via ssh, then the config stated in my previous post is required on the router you want to connect to.
Res
Paul
Sent from Cisco Technical Support iPad App
03-13-2013 03:41 PM
But I CAN connect via SSH. I have stated this twice already. Am I missing something here?
Just to be clear:
#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
03-13-2013 03:48 PM
Hello,
Where are you trying to connect to? From this or to this router?
The router you are trying to connect to requires configuring for ssh!
Res
paul
Sent from Cisco Technical Support iPad App
03-13-2013 03:55 PM
OK, let me try to explain it a little better:
I have one router that I am trying to connect to. This router has multiple (two) DSL lines, each with a public IP address (each line has its own public IP address). I CAN access the router via SSH on one of those lines... I CANNOT access the router via SSH on the other line.
03-13-2013 06:58 PM
Hi Chad,
Let me guess; you CAN ssh from the outside to the Dialer1 interface IP, when the default route points to it, correct? What happens when the default route is pointing to D2, can you then ssh to the D2 IP?
Nick Bonifacio
CCIE #38473
03-13-2013 11:19 PM
Add this also
ip route 0.0.0.0 0.0.0.0 Dialer1 track 100
ip route 0.0.0.0 0.0.0.0 Dialer2 track 200
How are you using two default routes? If you are using a route-map then you don't need a default route to route your traffic towards two different ISPs.
***Do Rate Helpful Posts***
03-14-2013 08:42 AM
I am getting routed out of both interfaces, and I can verify this with traceroute and ping.
#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/579/760 ms
#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
1 W.A.N.x msec * 80 msec
2 75.160.237.121 44 msec * *
#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
1 *
W.A.N.y 156 msec 124 msec
2 75.160.237.121 556 msec * *
#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
1 W.A.N.x 48 msec
W.A.N.y 508 msec
W.A.N.x 36 msec
2 75.160.237.121 52 msec *
216.160.199.169 428 msec
Now here are the results when I run nmap against the two public addresses:
[chad@localhost ~]$ nmap X.X.X.X
Nmap scan report for X.X.X.X
Host is up (0.42s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
222/tcp filtered rsh-spx
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 37.03 seconds
[chad@localhost ~]$ nmap Y.Y.Y.Y
Nmap scan report for Y.Y.Y.Y
Host is up (0.46s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
222/tcp open rsh-spx
445/tcp filtered microsoft-ds
1556/tcp filtered veritas_pbx
50636/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 34.24 seconds
03-14-2013 07:57 AM
Well nickbonifacio, I have two default routes, each pointing to a different dialer.
ip route 0.0.0.0 0.0.0.0 Dialer1 track 100
ip route 0.0.0.0 0.0.0.0 Dialer2 track 200
I am using Service Level Agreement to track the state of these interfaces, whether they are up or down, and preventing routing through one that may be down.
03-14-2013 02:37 PM
Remove the access-class command from line vty 0 4 and check if you are able to ssh without applying the acl.
03-15-2013 08:07 AM
Jawad Mukhtar, this access list
access-list 123 permit tcp any any eq 22
just means that anybody is allowed to connect to the terminal, as long as it is with the SSH protocol.
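Added example for this thread, not code from any of the posts: it parses a constructed excerpt modelled on Chad's config (standard ACL 23, extended ACL 123 and the `line vty 0 4` block) and emulates how `access-class ... in` decides whether a given SSH client source address is admitted, so the effect of swapping ACL 123 for ACL 23 can be checked before touching the router.

```python
import ipaddress
import re

# Constructed excerpt mirroring the relevant lines of the posted config.
CONFIG = """
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 123 permit tcp any any eq 22
line vty 0 4
 access-class 123 in
 transport input ssh
"""

def parse_acls(config):
    """Return {acl_number: [(action, source_network), ...]} in config order.
    Handles the two shapes on the page: standard 'permit A.B.C.D wildcard'
    and extended 'permit <proto> <src> <dst> eq <port>'. Only the source
    field is modelled, which is what access-class tests for an inbound vty.
    IOS wildcard masks are inverted netmasks, hence the XOR."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) (.*)", line.strip())
        if not m:
            continue
        num, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        if rest[0] in ("tcp", "udp", "ip", "icmp"):  # extended ACL: protocol first
            rest = rest[1:]
        if rest[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[0] == "host":
            net = ipaddress.ip_network(rest[1] + "/32")
        else:
            wild = int(ipaddress.IPv4Address(rest[1])) ^ 0xFFFFFFFF
            mask = ipaddress.IPv4Address(wild)
            net = ipaddress.ip_network(f"{rest[0]}/{mask}", strict=False)
        acls.setdefault(num, []).append((action, net))
    return acls

def vty_access_class(config):
    """ACL number applied inbound on the vty lines, or None if there is none."""
    m = re.search(r"^line vty.*\n(?:\s+.*\n)*?\s+access-class (\d+) in", config, re.M)
    return int(m.group(1)) if m else None

def ssh_source_allowed(config, client_ip):
    """First matching entry wins; implicit deny at the end of the ACL.
    No access-class at all means every source reaches the login prompt."""
    acl = vty_access_class(config)
    if acl is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    for action, net in parse_acls(config).get(acl, []):
        if ip in net:
            return action == "permit"
    return False
```

With ACL 123 applied, any internet source reaches the login prompt; re-pointing the access-class at ACL 23 limits it to the 192.168.0.0/24 LAN.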