Cisco 1841 Can't ssh telnet on WAN Interface over internet

maani
Level 1

Hello Everyone, 

I'm having a problem with SSH to the WAN interface of a Cisco 1841 WAN router. This WAN router is already running as the edge WAN router providing Internet connectivity for LAN clients. I've configured SSH and generated RSA keys as well, but it didn't work. The LAN interface is working fine for both Telnet and SSH, but WAN isn't working. Here's the show run.... 

EdgeRouter#Show run
Building configuration...

Current configuration : 1287 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EdgeRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$18P8$zophbkZPasse7890xZID50
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!         
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool Local
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 
   dns-server 8.8.8.8 
!
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!         
!         
!
!
! 
no crypto isakmp ccm
!
!
!
!
interface FastEthernet0/0
 ip address 102.15.43.29 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 102.15.43.29
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
banner login ^Cine 
Your Activity is being Monitored ^C
!         
line con 0
 password xxxxxxxx
 login
line aux 0
line vty 0 4
username netadmin
 password xxxxxx
 login
!
end
18 Replies

Thank you for the additional information. I sympathize with the issues that you have been having, especially the challenge in doing port forwarding for RDP. That is the major risk when you make an internal device reachable from the Internet. You do have access to the Internet from devices on your LAN and that is a significant achievement.

I suggest that we start with focus on the issue about SSH from outside. Am I correct in understanding that SSH from inside does work? It is not clear from your post and I would like to be sure that it is not some issue with enabling SSH. The output of show ip ssh might shed some light on this.

Can you tell me what happens when you attempt SSH from outside? Do you get any response? Or does it just hang? If you attempt SSH from outside and then look at the syslog messages (show log) are there any messages about SSH?

It might be helpful if you turn on debug for ssh, attempt ssh from outside, and then look for debug output.

I wonder if the issue with SSH might relate to issues with nat. You have 2 different nat methods configured and there are issues with each of them. I suggest that you remove one of them. I do not see anything that needs the route map approach, and since it is a bit more complicated I suggest that you remove the nat using the route map. And if you remove the route map approach you can also remove the nat pool that you configured in conjunction with the route map.

I suggest a change in the acl that you are using for nat. Remove the existing acl and configure it like this

ip access-list standard ACL_NAT
permit 10.1.2.0 0.0.0.255

You do not need the permit any and I have seen situations where having it caused issues. After you make this change test to verify that devices on your lan do still have access to Internet. And whether this change has any impact on SSH from outside.

As far as issues with AnyConnect are concerned I see only a single statement in the config that relates to AnyConnect (installing the pkg file). There are other config statements that are needed. But I suggest that we resolve the SSH issue before we dig into the AnyConnect issue.

HTH

Rick

Hi Richard,
Sorry for the delay with the answer. Despite working from home and seemingly less work because of the pandemic, I had a hot working week. =)


I followed your advice and deleted this "permit any" line from the standard acl_nat list. And..... SSH started working!!!!!
I first thought to call it a miracle, but then I looked at your rank in the chat (Hall of Fame Guru) and realized that this is not a miracle, but your accurate and professional advice.

As for AnyConnect, I'm still grappling with this issue. The Cisco ISR 1841 was not a fluffy beast. It all started with the fact that on Cisco IOS version 12.4, this device does not make self-signed certificates dated after January 01, 2020. After a little googling, I found a way to bring up the built-in certificate server and deployed IOS-CA, then successfully signed the trustpoint with a certificate valid until 2023.


But apparently I made a mistake somewhere and could not advance further. I believe you will find it in the configuration below.

UC-router#sh run
Building configuration...

Current configuration : 3919 bytes
!
! Last configuration change at 02:10:52 UTC Mon Aug 10 2020 by UC-user
! NVRAM config last updated at 02:11:35 UTC Mon Aug 10 2020 by UC-user
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname UC-router
!
boot-start-marker
boot system flash:/c1841-advipservicesk9-mz.124-9.T1.bin
boot-end-marker
!
enable secret 5 $1$c3Ts$RdCpFynnaSoENXaSpzwry1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login SSLVPN_AAA local
!
aaa session-id common
!
resource policy
!
no ip cef
!
!
!
!
ip domain name ххх.local
ip ssh source-interface FastEthernet0/0
ip ssh logging events
ip ssh version 2
!
!
crypto pki server IOS-CA
database level complete
grant auto
!
crypto pki trustpoint ssl_trustpoint
serial-number
ip-address 176.xxx.xxx.xxx
subject-name CN=xxx_certificate
revocation-check none
rsakeypair ssl_keypair
!
!
crypto pki certificate chain ssl_trustpoint
certificate ca 01
quit
username xxx privilege 15 secret 5 $1$Gshr$PqMrgioix1SJ9IRxy9lFs0
username xxx password 7 0518131F31435C1D
archive
log config
hidekeys
!
!
!
!
!
!
interface FastEthernet0/0
ip address 176.xxx.xxx.xxx 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
ip address 10.1.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SSLVPN_POOL 10.1.2.50 10.1.2.99
ip route 0.0.0.0 0.0.0.0 176.xxx.xxx.xxx
!
!
ip http server
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source list ACL_NAT interface FastEthernet0/0 overload
!
ip access-list standard ACL_NAT
permit 10.1.2.0 0.0.0.255
!
access-list 101 permit tcp any host 176.xxx.xxx.xxx eq 443
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway ssl_gateway
ip address 176.xxx.xxx.xxx port 443
ssl encryption rc4-md5
ssl trustpoint ssl_trustpoint
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context ssl_context
ssl authenticate verify all
!
!
policy group ssl_policy
functions svc-enabled
svc address-pool "SSLVPN_POOL"
svc keep-client-installed
svc rekey method new-tunnel
svc split include 10.1.2.0 255.255.255.0
default-group-policy ssl_policy
aaa authentication list SSLVPN_AAA
gateway ssl_gateway
inservice
!
end

Thanks for the additional information. Glad to know that removing the permit any did resolve the issue with SSH. Thank you for the kind words about my participation in the community. I have been doing this for a long time and am glad to share what I have learned. 

I am a bit surprised to see 2 nat statements in the config:

ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source list ACL_NAT interface FastEthernet0/0 overload

The one with ACL_NAT looks like traditional nat while the one with 101 looks perhaps a bit more like static nat. But if it is working as expected with both statements then I guess that it is fine.

The configuration for AnyConnect in this version of config looks much better than the original version. I do notice that the addresses that you use for the client address pool fall into the same subnet as your lan subnet, and therefore are in the same range as the acl used for address translation. I would suggest that either you use a different set of addresses for the client address pool, or that you change the address translation acl so that it exempts the vpn pool addresses.

HTH

Rick
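One way to check a config for the two points raised in the replies above (a 'permit any' inside the NAT ACL, and an AnyConnect address pool that overlaps the translated LAN subnet), as an added example that is not part of this thread: a small Python linter run over a constructed config fragment modelled on the second config. The function names and the sample are assumptions; only standard named ACLs referenced by `ip nat inside source list` and `ip local pool` ranges are examined.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's second config (not the poster's real output):
# the NAT ACL still carries 'permit any' and the AnyConnect pool sits inside the LAN subnet.
SAMPLE_CONFIG = """\
ip local pool SSLVPN_POOL 10.1.2.50 10.1.2.99
ip nat inside source list ACL_NAT interface FastEthernet0/0 overload
ip access-list standard ACL_NAT
permit 10.1.2.0 0.0.0.255
permit any
"""

def parse_config(text):
    # Collect NAT ACL names, the entries of standard named ACLs, and local address pools
    nat_acls, acl_entries, pools, current = set(), {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip nat inside source list (\S+)", line):
            nat_acls.add(m.group(1))
        elif m := re.match(r"ip access-list standard (\S+)", line):
            current, acl_entries[m.group(1)] = m.group(1), []
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
            pools[m.group(1)] = tuple(ipaddress.IPv4Address(a) for a in m.group(2, 3))
        elif current and line.startswith("permit"):
            parts = line.split()
            if parts[1] == "any":                               # every source address
                net = ipaddress.IPv4Network("0.0.0.0/0")
            elif parts[1] == "host" or len(parts) == 2:          # single host entry
                net = ipaddress.IPv4Network(parts[-1])
            else:                                               # network + IOS wildcard mask
                mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(parts[2])))
                net = ipaddress.IPv4Network((parts[1], str(mask)), strict=False)
            acl_entries[current].append(net)
        elif not line.startswith("deny"):                       # any other line ends the ACL block
            current = None
    return nat_acls, acl_entries, pools

def audit(text):
    # The two NAT/VPN problems pointed out in the thread, returned as finding strings
    nat_acls, acl_entries, pools = parse_config(text)
    findings = []
    for acl in sorted(nat_acls):
        nets = acl_entries.get(acl, [])
        if any(n.prefixlen == 0 for n in nets):
            findings.append(f"NAT ACL {acl} contains 'permit any'; restrict it to the LAN subnet")
        for name, (first, last) in pools.items():
            if any(first in n or last in n for n in nets if n.prefixlen):
                findings.append(f"VPN pool {name} overlaps NAT ACL {acl}; use a separate subnet or exempt it")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports both problems; a config with only `permit 10.1.2.0 0.0.0.255` and a pool on 10.1.3.0/24 reports nothing.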

Hi Richard,
thank you for your support. Unfortunately, I couldn't manage it again. Then I tried to configure the router today as described in the article https://www.networkstraining.com/configuring-anyconnect-webvpn-on-cisco-router/
The result is also unchanged. There are many tips on how to configure WebVPN SSL on the Internet, but the 20 I have already tried did not bring the desired result.
I attach a config of what happened last time.

I rely on your help.

UC-router#sh run
Building configuration...

Current configuration : 3926 bytes
!
! Last configuration change at 00:59:02 UTC Wed Aug 12 2020 by UC-user
! NVRAM config last updated at 02:11:35 UTC Mon Aug 10 2020 by UC-user
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname UC-router
!
boot-start-marker
boot system flash:/c1841-advipservicesk9-mz.124-9.T1.bin
boot-end-marker
!
enable secret 5 $1$c3Ts$RdCpFynnaSoENXaSpzwry1
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
resource policy
!
no ip cef
!
!
!
!
ip domain name unitechannel.local
ip ssh source-interface FastEthernet0/0
ip ssh logging events
ip ssh version 2
!
!
crypto pki server IOS-CA
database level complete
grant auto
!
crypto pki trustpoint ssl_trustpoint
serial-number
ip-address 176.xxx.xxx.xxx
subject-name CN=unitechannel_certificate
revocation-check none
rsakeypair ssl_keypair
!
!
crypto pki certificate chain ssl_trustpoint
certificate ca 01
quit
username UC-user privilege 15 secret 5 $1$Gshr$PqMrgioix1SJ9IRxy9lFs0
archive
log config
hidekeys
!
!
!
!
!
!
interface Loopback2
ip address 10.1.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 176.xxx.xxx.xxx 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
ip address 10.1.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool ssl_pool 10.1.3.10 10.1.3.30
ip route 0.0.0.0 0.0.0.0 176.xxx.xxx.1
!
!
ip http server
ip http secure-server
ip nat inside source list ACL_NAT interface FastEthernet0/0 overload
!
ip access-list standard ACL_NAT
permit 10.1.2.0 0.0.0.255
!
ip access-list extended ssl_acl
permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.6 eq 3389
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway ssl_gateway
ip address 176.xxx.xxx.xxx port 443
http-redirect port 80
ssl trustpoint ssl_trustpoint
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context ssl_context
ssl authenticate verify all
!
!
policy group ssl_policy
functions svc-enabled
filter tunnel "ssl_acl"
svc default-domain "https://www.xxx.media"
svc keep-client-installed
svc homepage "https://www.xxx.media"
svc rekey method new-tunnel
svc split include 10.1.2.0 255.255.255.0
default-group-policy ssl_policy
aaa authentication list default
gateway ssl_gateway
inservice
!
end
