04-09-2019 01:49 AM
Hello Everyone,
I'm having a problem SSHing to the WAN interface of a Cisco 1841 WAN router. This WAN router is already running as the edge WAN router providing Internet connectivity for LAN clients. I've configured SSH & generated RSA keys as well, but it didn't work. The LAN interface is working fine for both Telnet & SSH, but the WAN interface isn't working. Here's show run....

EdgeRouter#Show run
Building configuration...

Current configuration : 1287 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EdgeRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$18P8$zophbkZPasse7890xZID50
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool Local
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
no crypto isakmp ccm
!
interface FastEthernet0/0
 ip address 102.15.43.29 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 102.15.43.29
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.2.0 0.0.0.255
!
control-plane
!
banner login ^Cine Your Activity is being Monitored ^C
!
line con 0
 password xxxxxxxx
 login
line aux 0
line vty 0 4
 username netadmin password xxxxxx
 login
!
end
08-09-2020 08:47 AM
Thank you for the additional information. I sympathize with the issues that you have been having, especially the challenge in doing port forwarding for RDP. That is the major risk when you make an internal device reachable from the Internet. You do have access to Internet from devices on your lan and that is a significant achievement.
I suggest that we start with focus on the issue about SSH from outside. Am I correct in understanding that SSH from inside does work? It is not clear from your post and I would like to be sure that it is not some issue with enabling SSH. The output of show ip ssh might shed some light on this.
Can you tell me what happens when you attempt SSH from outside? Do you get any response? Or does it just hang? If you attempt SSH from outside and then look at the syslog messages (show log) are there any messages about SSH?
It might be helpful if you turn on debug for ssh, attempt ssh from outside, and then look for debug output.
I wonder if the issue with SSH might relate to issues with nat. You have 2 different nat methods configured and there are issues with each of them. I suggest that you remove one of them. I do not see anything that needs the route map approach, and since it is a bit more complicated I suggest that you remove the nat using the route map. And if you remove the route map approach you can also remove the nat pool that you configured in conjunction with the route map.
I suggest a change in the ACL that you are using for NAT. Remove the existing ACL and configure it like this:
ip access-list standard ACL_NAT
permit 10.1.2.0 0.0.0.255
You do not need the permit any and I have seen situations where having it caused issues. After you make this change test to verify that devices on your lan do still have access to Internet. And whether this change has any impact on SSH from outside.
As far as issues with AnyConnect are concerned, I see only a single statement in the config that relates to AnyConnect (installing the pkg file). There are other config statements that are needed. But I suggest that we resolve the SSH issue before we dig into the AnyConnect issue.
08-10-2020 09:36 AM
Hi Richard,
Sorry for the delay with the answer. Despite working from home and seemingly less work because of the pandemic, I had a hot working week. =)
I followed your advice and deleted the "permit any" line from the standard ACL_NAT list. And..... SSH started working!!!!!
I first thought to call it a miracle, but then I looked at your rank in the community (Hall of Fame Guru) and realized that this is not a miracle, but your accurate and professional advice.
As for AnyConnect, I'm still grappling with this issue. The Cisco ISR 1841 was not a fluffy beast. It all started with the fact that on Cisco IOS version 12.4, this device does not generate self-signed certificates dated after January 01, 2020. After a little googling, I found a way to bring up the built-in certificate server and deployed IOS-CA, then successfully signed the trustpoint with a certificate valid until 2023.
But apparently I made a mistake somewhere and could not advance further. I believe you will find it in the configuration below.
UC-router#sh run Current configuration : 3919 bytes |
08-11-2020 11:33 AM
Thanks for the additional information. Glad to know that removing the permit any did resolve the issue with SSH. Thank you for the kind words about my participation in the community. I have been doing this for a long time and am glad to share what I have learned.
I am a bit surprised to see 2 NAT statements in the config:
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source list ACL_NAT interface FastEthernet0/0 overload
The one with ACL_NAT looks like traditional nat while the one with 101 looks perhaps a bit more like static nat. But if it is working as expected with both statements then I guess that it is fine.
The configuration for AnyConnect in this version of config looks much better than the original version. I do notice that the addresses that you use for the client address pool fall into the same subnet as your lan subnet, and therefore are in the same range as the acl used for address translation. I would suggest that either you use a different set of addresses for the client address pool, or that you change the address translation acl so that it exempts the vpn pool addresses.
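Both of Richard's NAT recommendations in this thread (drop the "permit any" from the NAT ACL, and keep the AnyConnect pool out of the translated range) come down to which source addresses the NAT ACL matches. The following is an added example, not code from the thread: a small Python evaluator for Cisco standard-ACL syntax that compares a reconstructed "before" ACL, the tightened ACL quoted above, and a constructed variant that exempts an assumed VPN pool of 10.1.2.192/26.

```python
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]  # (action, address, wildcard) as integers

def parse_standard_acl(text: str) -> List[Entry]:
    """Parse Cisco standard-ACL lines: permit|deny (any | host A | A [WILDCARD])."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list standard NAME' header and blank lines
        action = parts[0]
        if parts[1] == "any":
            addr, wild = 0, 0xFFFFFFFF  # all wildcard bits set: matches every address
        elif parts[1] == "host":
            addr, wild = int(ipaddress.IPv4Address(parts[2])), 0
        else:
            addr = int(ipaddress.IPv4Address(parts[1]))
            wild = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
        entries.append((action, addr, wild))
    return entries

def nat_translates(entries: List[Entry], source: str) -> bool:
    """First-match evaluation; True means 'ip nat inside source list' would
    translate this source. Wildcard bits set to 1 are 'don't care', which also
    covers non-contiguous wildcards that a /prefix could not express."""
    ip = int(ipaddress.IPv4Address(source))
    for action, addr, wild in entries:
        if (ip & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF):
            return action == "permit"
    return False  # implicit deny at the end of every Cisco ACL

# Reconstructed from the thread (assumption): the ACL before the "permit any" was removed.
ORIGINAL_ACL = """ip access-list standard ACL_NAT
 permit 10.1.2.0 0.0.0.255
 permit any"""
# The tightened ACL Richard recommended.
TIGHTENED_ACL = """ip access-list standard ACL_NAT
 permit 10.1.2.0 0.0.0.255"""
# Constructed: same ACL with an assumed VPN pool 10.1.2.192-10.1.2.255 exempted first.
VPN_EXEMPT_ACL = """ip access-list standard ACL_NAT
 deny 10.1.2.192 0.0.0.63
 permit 10.1.2.0 0.0.0.255"""

def compare(source: str) -> Dict[str, bool]:
    """Report which ACL variant would translate the given source address."""
    variants = (("original", ORIGINAL_ACL), ("tightened", TIGHTENED_ACL),
                ("vpn_exempt", VPN_EXEMPT_ACL))
    return {name: nat_translates(parse_standard_acl(acl), source) for name, acl in variants}

if __name__ == "__main__":
    # Constructed sample sources: a LAN host, a VPN client from the pool, an outside host.
    for src in ("10.1.2.50", "10.1.2.200", "203.0.113.5"):
        print(src, compare(src))
```

Running it shows the original ACL translating the outside host as well, and the VPN client still being translated by the tightened ACL until the deny entry is added ahead of the LAN permit.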
08-11-2020 03:20 PM
Hi Richard,
Thank you for your support. Unfortunately, I couldn't manage it again. Then I tried to configure the router today as described in the article https://www.networkstraining.com/configuring-anyconnect-webvpn-on-cisco-router/
The result is also unchanged. There are many tips on how to configure WebVPN SSL on the Internet, but the 20 I have already tried did not bring the desired result.
I attach a config of what happened last time.
I rely on your help.
UC-router#sh run Current configuration : 3926 bytes |