Cisco 1841 Can't ssh telnet on WAN Interface over internet

maani
Level 1

Hello Everyone, 

I'm having a problem SSHing to the WAN interface of a Cisco WAN Router 1841. This WAN router is already running as the edge WAN router for internet connectivity for LAN clients. I've configured SSH & generated RSA keys also. But it didn't work. The LAN interface is working fine for both Telnet & SSH, but WAN isn't working. Here's show run....

EdgeRouter#Show run
Building configuration...

Current configuration : 1287 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EdgeRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$18P8$zophbkZPasse7890xZID50
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!         
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool Local
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 
   dns-server 8.8.8.8 
!
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!         
!         
!
!
! 
no crypto isakmp ccm
!
!
!
!
interface FastEthernet0/0
 ip address 102.15.43.29 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 102.15.43.29
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
banner login ^Cine 
Your Activity is being Monitored ^C
!         
line con 0
 password xxxxxxxx
 login
line aux 0
line vty 0 4
username netadmin
 password xxxxxx
 login
!
end
Accepted Solution

balaji.bandi
Hall of Fame
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.2.0 0.0.0.255

Firstly, the ACL is not matching and needs to be corrected.

I would not advise Telnet; SSH is good from a security point of view. Create an access-list 100 like below for SSH:
access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq ssh
access-list 100 deny ip any any

Apply it to your outside interface:
int gi 0/0
ip access-group 100 in

line vty 0 4
 transport input ssh

Suggest always testing before applying to a live system.

BB


18 Replies

maani
Level 1

Keep in mind this router I've deployed to my client site and I don't have frequent access to it. The above show run is old; it is just missing the part with the RSA keys generated for SSH:
ip domain name xyz.com
access list 11 permit tcp any any eq 22

Hello maani,

First of all, you are in a public forum, so you should avoid exposing the public address of the WAN interface.

Please edit the first post accordingly if you can.

I suppose internet access and NAT are working from what you have written.

About remote access to the WAN interface:

a) You have no aaa new-model; in order to use a locally defined username/password for access you need:

line vty 0 4
 login local

b) For protecting the WAN interface, consider the extended ACL 100 suggested by the other colleague in the thread.

The ACL 11 you are suggesting would block all user return traffic because of the implicit deny any!!! So do not apply it.

Hope to help

Giuseppe

Thanks for your reply, you're right. ACL 100 is the correct one and I've tested it in Packet; everything seems good so far.


Thank you, I'll try these out. Just a simple question: how to test these commands? Because this router is running and all users are connected through it to the internet.

Thanks, you've been a great help. I've tested it and it's working really fine in Packet.

Hello

Just like to add: make sure SSH is allowed on the vty lines, and for additional security apply MPP for access.

conf t
ip ssh source-interface fa0/0

control-plane host
management-interface FastEthernet0/0 allow ssh

line vty  x x
transport input ssh

show management-interface


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Am I correct in understanding that SSH is working from inside addresses to the router? If so, that demonstrates that the RSA key generation and other aspects of SSH were correct and that there is something about the outside interface that is preventing SSH access from outside. Frequently when SSH from outside is not working it is because the vty lines have been configured with access-class. But that is not the case here.

I believe that it is an issue with the configured default route:

ip route 0.0.0.0 0.0.0.0 102.15.43.29

The problem is that the configured next hop is the router interface address and not the address of the ISP.

HTH

Rick

Thank you, Actually problem was with ACLs.

Hello

I'm having a problem SSHing to the WAN interface of a Cisco WAN Router 1841. This WAN router is already running as the edge WAN router for internet connectivity for LAN clients.

I've configured SSH & generated RSA keys also. But it didn't work.

The LAN interface is working fine for both Telnet & SSH, but WAN isn't working. Here's show run....

Keep in mind, the above show run is old.

Thank you, actually the problem was with ACLs.

Not sure I understand. You say it was the ACL that prevented WAN SSH access, but that would have ONLY prevented your LAN users from reaching the internet, not WAN SSH access to the router?

Kind Regards
Paul

The above commands are not found in the router IOS.

DmityMarkelov
Level 1

Hello all, 

I have almost the same but unsolved issue. Unfortunately this solution didn't help me. If you have a solution for my case I would be happy.

So what I have: I have a Cisco 1841 with the configuration presented below. The internet is available for all local network clients.

What doesn't work: I can't get SSH access to the router from outside (on the WAN interface).
And most importantly, I can't configure SSL WebVPN on the router. I did everything according to the instructions and manuals, but the connection via the Cisco AnyConnect VPN client still does not work.


Really need your help!

UC-router(config)#do sh run
Building configuration...

Current configuration : 1714 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname UC-xxx
!
boot-start-marker
boot system flash:/c1841-advipservicesk9-mz.124-9.T1.bin
boot-end-marker
!
enable secret 5 $1$c3Ts$RdCpFynnaSoENXaSpzwry1
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
resource policy
!
no ip cef
!
!
!
!
ip domain name xxx.local
ip ssh source-interface FastEthernet0/0
ip ssh logging events
ip ssh version 2
!
!
!
username UC-user privilege 15 secret 5 $1$Gshr$PqMrgioix1SJ9IRxy9lFs0
archive
log config
hidekeys
!
!
!
!
!
!
interface FastEthernet0/0
ip address 176.xxx.xxx.xxx 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
ip address 10.1.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 176.xxx.xxx.1
!
!
ip http server
ip http secure-server
ip nat pool INTERNET 176.xxx.xxx.xxx 176.xxx.xxx.xxx prefix-length 24
ip nat inside source list ACL_NAT interface FastEthernet0/0 overload
ip nat inside source route-map NAT pool INTERNET reversible
!
ip access-list standard ACL_NAT
permit 10.1.2.0 0.0.0.255
permit any
!
!
!
!
route-map NAT permit 10
match ip address 1
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
logging synchronous
transport input all
!
scheduler allocate 20000 1000
!
webvpn install svc flash:/webvpn/svc.pkg
end

I do not understand the logic of your ACL for NAT:

ip access-list standard ACL_NAT
permit 10.1.2.0 0.0.0.255
permit any

Why do you have permit any? I have seen issues similar to yours when the NAT ACL had permit any. I suggest that you remove the permit any and let us know if the behavior changes.

I also do not understand why you have a NAT that uses an ACL and a NAT that uses a route map. I suggest that you use one or the other but not both. And if you are going to keep the one that uses a route map then you need to address the fact that it references an ACL that is not present in the config:

route-map NAT permit 10
match ip address 1

HTH

Rick
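A small configuration audit, added here as an example and not code from any poster in this thread, that checks a running-config for the three problems raised above: an ACL that is referenced by NAT (or by a route-map match, as in the config just discussed) but never defined, a default route whose next hop is the router's own interface address, and vty lines not restricted to SSH. The sample config is constructed from the first post with 192.0.2.29 standing in for the real WAN address; 192.0.2.25 is an assumed ISP gateway, not a value from the thread.

```python
import re

# Constructed sample, reduced from the thread's first "show run"; the real WAN
# address is replaced by 192.0.2.29 from the documentation prefix.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.29 255.255.255.248
 ip nat outside
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 192.0.2.29
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 10 permit 192.168.2.0 0.0.0.255
line vty 0 4
 password xxxxxx
 login
"""

# The same config with the three fixes the thread arrived at; 192.0.2.25 is an
# assumed ISP gateway address, not one from the thread.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("source list 1 ", "source list 10 ")
                .replace("0.0.0.0 0.0.0.0 192.0.2.29", "0.0.0.0 0.0.0.0 192.0.2.25")
                + " transport input ssh\n")

def audit(config):
    """Return the findings (as strings) for the misconfigurations the thread raised."""
    findings = []
    own_ips = set(re.findall(r"^[ \t]*ip address (\S+) \S+$", config, re.M))
    defined = set(re.findall(r"^(?:access-list|ip access-list \S+) (\S+)", config, re.M))

    # 1. An ACL referenced by NAT (or by a route-map "match ip address", as in
    #    the second config posted in the thread) that the config never defines.
    for acl in re.findall(r"^(?:ip nat inside source list|[ \t]*match ip address) (\S+)", config, re.M):
        if acl not in defined:
            findings.append(f"ACL {acl} is referenced but never defined")

    # 2. A default route whose next hop is one of the router's own addresses.
    for nh in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        if nh in own_ips:
            findings.append(f"default route next hop {nh} is a local interface address")

    # 3. vty lines that still accept Telnet because transport is not limited to SSH.
    vty = re.search(r"^line vty.*?(?=^line |^end\b|\Z)", config, re.M | re.S)
    if vty and "transport input ssh" not in vty.group(0):
        findings.append("vty lines lack 'transport input ssh'")
    return findings
```

Run `audit()` over a saved `show run` before applying changes; an empty list means none of the three thread findings apply.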

Hi Richard,
Thank you for your feedback. Let me explain the situation. I was not familiar with Cisco routers and am only just diving into the topic of network settings and configuring Cisco routers. And the more I look and study, the more clearly I understand that I have entered dark waters.


About a month ago I got a router cisco ISR 1841 and I decided to use it to build a small local network.
The tasks were:
1. Organize the ability to access the Internet from a local LAN network
2. Ability to remotely manage the cisco router over SSH
3. Configure SSL VPN connections to the router for clients via cisco anyconnect


When I first set up the router, I was guided by this manual [https://deltaconfig.ru/cisco-router-internet-access/]. This is why the config has an ACL rule. It allowed computers on the local LAN network to access the internet. The first task was completed.

I couldn't manage the second and third tasks, so I decided to make a simple port forwarding to the necessary computers via Cisco. I discussed this point here, in the Cisco forum, and we found a solution (https://community.cisco.com/t5/switching/cisco-1841-port-forwarding-issue-and-router-unavailability-via/m-p/4126322#M490339). That is why this entry (route-map NAT match ip address 1) appeared in the configuration.

But.... there was trouble. Since I did port forwarding for an RDP connection, it didn't take a day for hackers to install an encryption virus on my computer, which forced me to reinstall the operating system on my computer and go back to the idea of configuring SSL VPN.

Can you tell us how to solve these problems comprehensively and professionally?
