04-09-2019 01:49 AM
Hello Everyone,
I'm having a problem SSHing to the WAN interface of a Cisco 1841 WAN router. This WAN router is already running as the edge WAN router for internet connectivity for LAN clients. I've configured SSH and generated RSA keys as well, but it didn't work. The LAN interface is working fine for both Telnet and SSH, but WAN isn't working. Here's the show run:
EdgeRouter#Show run
Building configuration...

Current configuration : 1287 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EdgeRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$18P8$zophbkZPasse7890xZID50
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool Local
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
no crypto isakmp ccm
!
interface FastEthernet0/0
 ip address 102.15.43.29 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 102.15.43.29
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.2.0 0.0.0.255
!
control-plane
!
banner login ^Cine Your Activity is being Monitored ^C
!
line con 0
 password xxxxxxxx
 login
line aux 0
line vty 0 4
 username netadmin password xxxxxx
 login
!
end
04-09-2019 03:04 AM - edited 04-09-2019 03:07 AM
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.2.0 0.0.0.255
Firstly, the ACL is not matching - it needs to be corrected.
I would not advise Telnet; SSH is good from a security point of view. Create an access-list 100 like below for SSH:
access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq ssh
access-list 100 deny ip any any
Apply it to your outside interface:
int gi 0/0
ip access-group 100 in
line vty 0 4
transport input ssh
I suggest always testing before applying to a live system.
04-09-2019 01:51 AM - edited 04-09-2019 01:52 AM
Keep in mind that I've deployed this router to my client site and I don't have frequent access to it. The above show run is old; it is just missing the part with the generated RSA keys for SSH:
ip domain name xyz.com
access-list 11 permit tcp any any eq 22
04-09-2019 04:42 AM
Hello Manai,
first of all, you are in a public forum, so you should avoid exposing the public address of the WAN interface.
Please edit the first post accordingly if you can.
I suppose internet access and NAT are working, from what you have written.
About remote access to WAN interface:
a) you have no aaa new-model; in order to use a locally defined username/password for access you need
line vty 0 4
login local
b)
For protecting the WAN interface, consider the extended ACL 100 suggested by the other colleague in the thread.
The ACL 11 you are suggesting would block all user return traffic because of the implicit deny any!!! So do not apply it.
Hope to help
Giuseppe
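To make the two ACL points in this thread concrete (the ACL 100 proposed above, and the implicit deny that Giuseppe warns about for ACL 11), here is an added example that is not from any of the posters: a small Python evaluator that applies IOS extended-ACL semantics (first match wins, `established` matches only TCP segments with ACK or RST set, unmatched traffic hits the implicit deny) to a few constructed packets arriving inbound on the WAN interface. The WAN address, the remote hosts and the packets are constructed stand-ins; the `access-list 101` line is an assumed rewrite of the poster's "access list 11" intent (permit only TCP/22) as a valid extended entry so it can be evaluated.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                       # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {'SYN'} or {'ACK'}


@dataclass
class Entry:
    text: str
    action: str
    proto: str
    src: str                         # 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else {'ssh': 22, 'telnet': 23, 'domain': 53}[tok]


def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    if tok[i] == 'any':
        return 'any', i + 1
    return ' '.join(tok[i:i + 2]), i + 2          # 'host A' or 'A WILDCARD'


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    entries = []
    for line in lines:
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _take_addr(tok, 4)
        sport = dport = None
        if i < len(tok) and tok[i] == 'eq':
            sport, i = _port(tok[i + 1]), i + 2
        dst, i = _take_addr(tok, i)
        if i < len(tok) and tok[i] == 'eq':
            dport, i = _port(tok[i + 1]), i + 2
        entries.append(Entry(line, action, proto, src, sport, dst, dport, 'established' in tok[i:]))
    return entries


def _addr_match(spec: str, addr: str) -> bool:
    if spec == 'any':
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == 'host':
        return a == int(ipaddress.IPv4Address(parts[1]))
    base, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    return (a | wild) == (base | wild)            # wildcard bits are "don't care"


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """IOS semantics: first match wins; anything unmatched hits the implicit deny."""
    for e in entries:
        if e.proto not in ('ip', pkt.proto):
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        # 'established' tests only the ACK/RST flags, not real connection state
        if e.established and not (pkt.proto == 'tcp' and pkt.flags & {'ACK', 'RST'}):
            continue
        return e.action, e.text
    return 'deny', 'implicit deny at end of list'


# ACL 100 exactly as proposed earlier in the thread
ACL_100 = parse_acl([
    'access-list 100 permit tcp any any established',
    'access-list 100 permit tcp any any eq ssh',
    'access-list 100 deny ip any any',
])
# The intent of the "access list 11 ... eq 22" line, rewritten as a valid
# extended entry (assumption) so the evaluator can process it
ACL_SSH_ONLY = parse_acl(['access-list 101 permit tcp any any eq 22'])

WAN = '203.0.113.29'    # constructed stand-in for the WAN interface address
# Constructed packets arriving inbound on the WAN interface
PACKETS = {
    'ssh_syn_in':    Packet('tcp', '198.51.100.7', WAN, 51000, 22, frozenset({'SYN'})),
    'https_reply':   Packet('tcp', '192.0.2.80', WAN, 443, 40000, frozenset({'ACK'})),
    'dns_reply':     Packet('udp', '192.0.2.53', WAN, 53, 55000),
    'telnet_syn_in': Packet('tcp', '198.51.100.7', WAN, 51001, 23, frozenset({'SYN'})),
}


def run(acl: List[Entry]) -> dict:
    """Map each sample packet name to the action the ACL takes on it."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in PACKETS.items()}
```

Calling `run(ACL_100)` permits the inbound SSH SYN and the TCP reply, and denies the Telnet SYN and the UDP DNS reply at the final `deny ip any any`; `run(ACL_SSH_ONLY)` permits only the SSH SYN and drops every reply at the implicit deny, which is the return-traffic breakage described in the post. Two checks worth keeping in mind when reviewing such a list: any non-TCP return traffic (DNS, ICMP) needs its own permit entry, and `established` only inspects flags, so it is not a substitute for stateful inspection.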
04-09-2019 03:24 AM
Thank you, I'll try these out. Just a simple question: how do I test these commands? Because this router is running and all users are connected through it to the internet.
04-09-2019 05:17 AM
Hello
Just like to add, make sure SSH is allowed on the vty lines and, for additional security, apply MPP for access.
conf t
ip ssh source-interface fa0/0
control-plane host
management-interface FastEthernet0/0 allow ssh
line vty x x
transport input ssh
show management-interface
04-09-2019 07:19 AM
Am I correct in understanding that SSH is working from inside addresses to the router? If so, that demonstrates that the RSA key generation and other aspects of SSH were correct and that there is something about the outside interface that is preventing SSH access from outside. Frequently when SSH from outside is not working it is because the vty lines have been configured with access-class. But that is not the case here.
I believe that it is an issue with the configured default route
ip route 0.0.0.0 0.0.0.0 102.15.43.29
The problem is that the configured next hop is the router interface address and not the address of the ISP.
HTH
Rick
04-09-2019 02:21 PM
Hello
I'm having a problem SSHing to the WAN interface of a Cisco 1841 WAN router. This WAN router is already running as the edge WAN router for internet connectivity for LAN clients.
I've configured SSH and generated RSA keys as well, but it didn't work.
The LAN interface is working fine for both Telnet and SSH, but WAN isn't working. Here's the show run...
Keep in mind the above show run is old.
Thank you, actually the problem was with the ACLs.
Not sure I understand. You say it was the ACL that prevented WAN SSH access, but that would have ONLY prevented your LAN users from reaching the internet, not WAN SSH access to the rtr?
08-08-2020 12:23 PM
Hello all,
I have almost the same but unsolved issue. Unfortunately this solution didn't help me. If you have a solution for my case I would be happy.
So what I have: I have a Cisco 1841 with the configuration presented below. The internet is available for all local network clients.
What doesn't work: I can't get SSH access to the router from outside (on the WAN interface).
And most importantly, I can't configure SSL WebVPN on the router. I did everything according to the instructions and manuals, but the connection via the Cisco AnyConnect VPN client still does not work.
Really need your help!
UC-router(config)#do sh run
Current configuration : 1714 bytes
08-08-2020 03:11 PM
I do not understand the logic of your ACL for NAT:
ip access-list standard ACL_NAT
permit 10.1.2.0 0.0.0.255
permit any
Why do you have permit any? I have seen issues similar to yours when the NAT ACL had permit any. I suggest that you remove the permit any and let us know if the behavior changes.
I also do not understand why you have a NAT that uses an ACL and a NAT that uses a route map. I suggest that you use one or the other but not both. And if you are going to keep the one that uses a route map, then you need to address the fact that it references an ACL that is not present in the config:
route-map NAT permit 10
match ip address 1
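Several replies in this thread are, at bottom, configuration-consistency findings: the NAT statement referencing ACL 1 while only ACL 10 exists ("the ACL not matching"), the route-map that matches an ACL not present in the config, the default route whose next hop is the router's own WAN address, and the vty line that uses `login` rather than `login local` with a local username and no `aaa new-model`. The following Python audit is an added example, not code from any poster or from Cisco: it parses a show-run excerpt line by line and reports those conditions, plus a vty line with no explicit `transport input ssh`. The two configs embedded below are constructed to merge the mistakes discussed in the thread and their corrected form; the addresses 203.0.113.x are documentation-range placeholders, not the posters' real addresses.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt merging the mistakes discussed in the thread (placeholder addresses).
SAMPLE_CONFIG = """\
no aaa new-model
interface FastEthernet0/0
 ip address 203.0.113.29 255.255.255.248
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 203.0.113.29
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source route-map NAT interface FastEthernet0/0 overload
access-list 10 permit 192.168.2.0 0.0.0.255
ip access-list standard ACL_NAT
 permit 10.1.2.0 0.0.0.255
 permit any
route-map NAT permit 10
 match ip address 1
username netadmin password xxxxxx
line vty 0 4
 login
"""

# The same excerpt with every finding addressed; 203.0.113.25 is a placeholder upstream gateway.
FIXED_CONFIG = """\
no aaa new-model
interface FastEthernet0/0
 ip address 203.0.113.29 255.255.255.248
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 203.0.113.25
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 192.168.2.0 0.0.0.255
username netadmin secret xxxxxx
line vty 0 4
 login local
 transport input ssh
"""


def audit_ios_config(text: str) -> List[str]:
    """Line-oriented pass over a show run; indented sub-commands are attributed
    to the unindented command that opened their section."""
    acl_defined: Set[str] = set()
    acl_refs: List[Tuple[str, str]] = []   # (acl name, referencing command)
    if_addrs: Dict[str, str] = {}          # interface address -> interface name
    routes: List[Tuple[str, ...]] = []     # (prefix, mask, next hop)
    usernames: List[str] = []
    vty_cmds: Dict[str, List[str]] = {}
    aaa_new_model = False
    section = ''
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith('!'):
            continue
        if not raw.startswith(' '):
            section = cmd
        if m := re.match(r'access-list (\S+) ', cmd):
            acl_defined.add(m.group(1))
        elif m := re.match(r'ip access-list (?:standard|extended) (\S+)', cmd):
            acl_defined.add(m.group(1))
        elif m := re.match(r'ip nat inside source list (\S+)', cmd):
            acl_refs.append((m.group(1), cmd))
        elif m := re.match(r'(?:match ip address|ip access-group|access-class) (\S+)', cmd):
            acl_refs.append((m.group(1), f'{section} / {cmd}'))
        elif (m := re.match(r'ip address (\S+) \S+$', cmd)) and section.startswith('interface '):
            if_addrs[m.group(1)] = section.split()[1]
        elif m := re.match(r'ip route (\S+) (\S+) (\S+)', cmd):
            routes.append(m.groups())
        elif m := re.match(r'username (\S+)', cmd):
            usernames.append(m.group(1))
        elif cmd == 'aaa new-model':
            aaa_new_model = True
        elif section.startswith('line vty') and cmd != section:
            vty_cmds.setdefault(section, []).append(cmd)

    findings = []
    defined = ', '.join(sorted(acl_defined)) or 'none'
    for name, where in acl_refs:
        if name not in acl_defined:
            findings.append(f'{where}: references ACL {name}, which is not defined (defined: {defined})')
    for prefix, mask, nh in routes:
        if nh in if_addrs:
            findings.append(f"ip route {prefix} {mask} {nh}: next hop is this router's own "
                            f"{if_addrs[nh]} address, not the upstream gateway")
    for vty, cmds in vty_cmds.items():
        if 'login' in cmds and usernames and not aaa_new_model:
            findings.append(f'{vty}: "login" without "local" and no aaa new-model, so the '
                            f'username(s) {", ".join(usernames)} are never consulted')
        if not any(c.startswith('transport input') for c in cmds):
            findings.append(f'{vty}: no explicit "transport input ssh"; the platform default transport applies')
    return findings


if __name__ == '__main__':
    for f in audit_ios_config(SAMPLE_CONFIG):
        print('-', f)
    print('fixed config findings:', audit_ios_config(FIXED_CONFIG))
```

Running it against `SAMPLE_CONFIG` yields five findings (two dangling ACL references, the self-pointing default route, the unused local username, and the missing `transport input ssh`) and none against `FIXED_CONFIG`. The point of an audit like this is that the mistakes are visible in the text of the configuration itself, before anything is pushed to a production router whose only management path is the interface being changed.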
08-08-2020 04:14 PM
Hi Richard,
Thank you for your feedback. Let me explain the situation. I was not familiar with Cisco routers and have only just started diving into the topic of network settings and configuring Cisco routers. And the more I look and study, the more clearly I understand that I have entered dark waters.
About a month ago I got a Cisco ISR 1841 router and I decided to use it to build a small local network.
The tasks were:
1. Organize the ability to access the Internet from a local LAN network
2. Ability to remotely manage the cisco router over SSH
3. Configure SSL VPN connections to the router for clients via cisco anyconnect
When I first set up the router, I was guided by this manual [https://deltaconfig.ru/cisco-router-internet-access/]. This is why the config has an ACL rule. It allowed computers on the local LAN to access the Internet. The first task was completed.
I couldn't manage the second and third tasks, so I decided to make a simple port forwarding to the necessary computers via Cisco. I discussed this point here, in the Cisco forum, and we found a solution (https://community.cisco.com/t5/switching/cisco-1841-port-forwarding-issue-and-router-unavailability-via/m-p/4126322#M490339). That is why this entry (route-map NAT match ip address 1) appeared in the configuration.
But.... there was trouble. Since I did a port forwarding for an RDP connection, it didn't take a day for hackers to install an encryption virus on my computer, which forced me to reinstall the operating system on my computer and go back to the idea of configuring SSL VPN.
Can you tell us how to solve these problems comprehensively and professionally?