
Can't Telnet or SSH onto Router over internet

grahamhyland
Level 1

Hi, please help.

I'm having difficulty logging onto my 1801 router over the internet.

I can ping the device and tracert to it, but I can't telnet or SSH.

Here is the config. Can you see why this would happen? It's on an ADSL link.

Kind Regards

Graham

Building configuration...

Current configuration : 6335 bytes
!
! Last configuration change at 16:31:49 IST Wed Apr 4 2012
! NVRAM config last updated at 16:31:51 IST Wed Apr 4 2012
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot system flash:c880data-universalk9-mz.124-22.YB2.bin
boot-end-marker
!
logging buffered 30000 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
no aaa new-model
!
resource policy
!
clock timezone GMT 0
clock summer-time IST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.22.106.1 172.22.106.20
ip dhcp excluded-address 172.22.106.31 172.22.106.255
!
ip dhcp pool INTERNAL_MACHINES
   network 172.22.106.0 255.255.255.0
   default-router 172.22.106.1
   dns-server 213.94.190.194 213.94.190.236
!
!
ip tcp path-mtu-discovery
ip domain name ballinteer.mopi.ie
ip name-server 213.94.190.194
ip name-server 213.94.190.236
ip ssh version 2
!
!
!
username sq_guest privilege 15 password 7 xxxxxxxxxxxxxxxx
archive
log config
  hidekeys
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
description ### EM&T DATA LOGGER ###
switchport access vlan 7
duplex half
speed 10
!

!
interface ATM0
description *** ATM Config PVC 8/35 ***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface Vlan1
no ip address
no ip redirects
shutdown
!
interface Vlan7
ip address 172.22.106.1 255.255.255.0
ip helper-address 172.22.106.1
ip nat inside
ip virtual-reassembly
!
interface Dialer0
no ip address
!
interface Dialer1
description $$WAN_INT$$
ip address xxxxxxxxx 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication chap callin
ppp chap hostname o2@o2.ie
ppp chap password 7 03064904070B234D400D48
!
ip forward-protocol spanning-tree
ip route profile
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip nat inside source list INTERNET_ACCESS interface Dialer1 overload

!

!
!

ip access-list extended INTERNET_ACCESS

permit ip host 172.22.106.26 any log

permit ip 172.22.106.0 0.0.0.255 any

permit ip xxxxxxxx 0.0.0.7 any

deny   ip any any log

ip access-list extended SSH_ACCESS

permit tcp host xxxxxxxxxxxx any eq 22 log

permit tcp host 172.22.106.10 any eq 22 log

deny   ip any any log
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line aux 0
exec-timeout 120 0
line vty 0 4
exec-timeout 15 0
login local
transport input all
!
scheduler max-task-time 5000
ntp clock-period 17180238
ntp server 149.157.192.251 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

ROUTER(config)#

Accepted Solutions

Configure

no ip access-list extended INTERNET_ACCESS

ip access-list extended INTERNET_ACCESS

permit ip 172.22.106.0 0.0.0.255 any

and let us know


Richard Burts
Hall of Fame

Graham

Can you tell us a bit more about this problem? You say that you cannot telnet or SSH over the internet. Do telnet and SSH work OK from the inside network?

When you attempt to telnet or SSH from the internet do you get a prompt or is the connection just refused?

I see an access list named SSH_ACCESS but do not see where it is used. It is quite restrictive in what it allows and would explain your symptoms if it had been applied.

I wonder if the behavior would be the same if you re-wrote the access list for address translation and made it a standard access list instead of an extended access list. It might look something like this:

ip access-list standard INTERNET_ACCESS

permit host 172.22.106.26 log

permit 172.22.106.0 0.0.0.255

permit xxxxxxxx 0.0.0.7

deny   any log

and as a test I would also like to see what happens if you remove the log parameter from the statements in this access list.

HTH

Rick


Hi

The SSH_ACCESS was dropped for testing. I hope to apply it when we get the access resolved.

I do not get a prompt - The connection just gets refused.

Graham

Jeff Van Houten
Level 5

Since it's ADSL I would call your provider and make sure inbound access to those services is allowed.

Sent from Cisco Technical Support iPad App

Hi ,

I have also called the provider, They are sending me out a basic dsl modem which I will connect and then they will do the port scan.

Configure

no ip access-list extended INTERNET_ACCESS

ip access-list extended INTERNET_ACCESS

permit ip 172.22.106.0 0.0.0.255 any

and let us know

Hi ,

Thank you this resolved the issue -

Please can you explain why?

Graham

Because the acl must permit internal addresses only, otherwise nat chaos is generated.

Thanks for the nice rating and good luck !
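
The accepted fix, expressed as a config check (an added example, not part of any reply in this thread): the script flags permit lines in the ACL referenced by `ip nat inside source list` whose source lies outside every `ip nat inside` subnet. The sample config is constructed from the one posted above, 203.0.113.0/29 stands in for the redacted WAN subnet, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's config. 203.0.113.0/29 is a
# documentation range standing in for the redacted WAN subnet.
SAMPLE = """\
interface Vlan7
 ip address 172.22.106.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
ip nat inside source list INTERNET_ACCESS interface Dialer1 overload
ip access-list extended INTERNET_ACCESS
 permit ip host 172.22.106.26 any log
 permit ip 172.22.106.0 0.0.0.255 any
 permit ip 203.0.113.0 0.0.0.7 any
 deny   ip any any log
"""

def inside_networks(cfg):
    """Subnets of interfaces carrying 'ip nat inside' (assumes indented sub-commands)."""
    nets, addr = [], None
    for line in cfg.splitlines():
        if not line.startswith(" "):          # top-level command starts a new block
            addr = None
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m:
            addr = ipaddress.ip_network("/".join(m.groups()), strict=False)
        elif line.strip() == "ip nat inside" and addr:
            nets.append(addr)
    return nets

def nat_acl_sources(cfg):
    """(line, source network) for each permit in the ACL that drives NAT overload."""
    name = re.search(r"(?m)^ip nat inside source list (\S+)", cfg).group(1)
    body = re.search(rf"(?m)^ip access-list extended {re.escape(name)}\n((?: .*\n?)*)", cfg).group(1)
    out = []
    for line in body.splitlines():
        tok = line.split()
        if not tok or tok[0] != "permit":
            continue
        src = {"host": tok[3] + "/32", "any": "0.0.0.0/0"}.get(tok[2], f"{tok[2]}/{tok[3]}")
        out.append((line.strip(), ipaddress.ip_network(src, strict=False)))  # wildcard mask is accepted
    return out

def audit(cfg):
    """Permit lines whose source is outside every 'ip nat inside' subnet."""
    inside = inside_networks(cfg)
    return [l for l, net in nat_acl_sources(cfg) if not any(net.subnet_of(i) for i in inside)]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the sample, only the WAN-subnet permit is reported; with that line removed, as in the accepted solution, the list is empty.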
