Cisco 881 SSH not working to router from outside but works from inside, any suggestions looking at my config?

I am scratching my head over this one, but hopefully someone will see something I am missing.

 

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 itsasecret
!
aaa new-model
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
!
!
ip domain name mydomain.com
ip cef
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
!
!
!
license udi pid C881-K9 sn myserial
!
!
username notcisco privilege 15 password 0 notmypassword
!
!
!
ip ssh version 2
!
no crypto engine onboard 0
!
!
!
!
!
!
crypto ipsec client ezvpn ezname
 connect auto
 group mygroup key itsprivate
 mode network-extension
 peer x.x.x.3
 xauth userid mode interactive
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address x.x.x.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn ezname
!
interface Vlan1
 ip address x.x.x.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no autostate
 crypto ipsec client ezvpn ezname inside
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map NATTRANSLATE interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.4
!
!
route-map NATTRANSLATE permit 10
 match ip address 125
!
snmp-server group solarw v3 priv
access-list 100 deny   ip x.x.x.2 0.0.0.255 172.16.125.0 0.0.0.255
access-list 100 deny   ip x.x.x.2 0.0.0.255 172.16.150.0 0.0.0.255
access-list 100 deny   ip x.x.x.2 0.0.0.255 172.16.175.0 0.0.0.255
access-list 100 deny   ip x.x.x.2 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 deny   ip x.x.x.2 0.0.0.255 10.10.0.0 0.0.255.255
access-list 100 permit ip x.x.x.2 0.0.255.255 any
access-list 125 deny   ip x.x.x.2 0.0.0.255 10.10.20.0 0.0.0.255
access-list 125 deny   ip x.x.x.2 0.0.0.255 10.10.1.0 0.0.0.255
access-list 125 deny   ip x.x.x.2 0.0.0.255 172.16.125.0 0.0.0.255
access-list 125 deny   ip x.x.x.2 0.0.0.255 172.16.150.0 0.0.0.255
access-list 125 deny   tcp any eq telnet any
access-list 125 deny   tcp any eq 22 any
access-list 125 deny   ip any 10.0.0.0 0.0.0.255
access-list 125 deny   ip any 192.168.0.0 0.0.255.255
access-list 125 deny   ip any 172.16.0.0 0.15.255.255
access-list 125 permit ip any any
access-list 150 permit ip x.x.x.2 0.0.0.255 10.10.0.0 0.0.255.255
access-list 150 permit ip x.x.x.2 0.0.0.255 172.16.125.0 0.0.0.255
access-list 150 permit ip x.x.x.2 0.0.0.255 172.16.150.0 0.0.0.255
access-list 150 permit ip x.x.x.2 0.0.0.255 172.16.175.0 0.0.0.255
access-list 150 permit ip x.x.x.2 0.0.0.255 172.16.200.0 0.0.0.255
access-list 199 permit esp host x.x.x.5 host x.x.x.6
access-list 199 permit udp host x.x.x.5 host x.x.x.6
access-list 199 permit icmp any any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 password notforyou
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
end
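Independent of the reachability question, the management-plane settings visible in the posted configuration are worth a second look. The script below is an added example, not part of the original post: it runs a few static checks over a constructed excerpt of the configuration above (the same lines, passwords redacted as in the post) and lists what a reviewer would flag. The finding about aaa new-model relies on the IOS default that, when no authentication method list is configured, line logins fall back to the local user database, so the vty password line is dead configuration.

```python
"""Static checks on the management plane of a Cisco IOS running-config.

Added example, not from the original post: reads a constructed excerpt of the
posted configuration and lists the settings a reviewer would flag.
"""
import re
from typing import Dict, List

# Constructed excerpt of the post's running-config (passwords redacted as in
# the original); only the lines the checks look at are reproduced.
CONFIG = """
no service password-encryption
aaa new-model
aaa session-id common
username notcisco privilege 15 password 0 notmypassword
ip ssh version 2
no ip http server
no ip http secure-server
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 password notforyou
 transport input ssh
""".strip("\n")


def sections(config: str) -> Dict[str, List[str]]:
    """Return {"": top-level lines, "<parent>": its indented sub-commands}."""
    out: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            out[current].append(raw.strip())
        else:
            current = raw.strip()
            out.setdefault(current, [])
            out[""].append(current)
    return out


def audit(config: str) -> List[str]:
    """Each finding names the setting and why it matters."""
    s = sections(config)
    top = s[""]
    findings: List[str] = []
    if "no service password-encryption" in top:
        findings.append("no service password-encryption: line passwords are stored in clear text")
    for line in top:
        m = re.match(r"username (\S+) .*\bpassword\b", line)
        if m:
            findings.append(f"username {m.group(1)}: 'password' (type 0/7, reversible) instead of 'secret'")
    # IOS default assumed here: aaa new-model with no login method list -> local database
    if "aaa new-model" in top and not any(l.startswith("aaa authentication login") for l in top):
        findings.append("aaa new-model without 'aaa authentication login': logins use the local "
                        "user database and the vty 'password' is not consulted")
    if not any(l.startswith("login block-for") for l in top):
        findings.append("no 'login block-for': failed SSH logins are not throttled")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set: SSHv1 may be negotiated")
    for name, sub in s.items():
        if not name.startswith("line vty"):
            continue
        if not any(l.startswith("access-class") for l in sub):
            findings.append(f"{name}: no access-class, so any source that can reach an "
                            "interface may open an SSH session")
        if "exec-timeout 0 0" in sub:
            findings.append(f"{name}: exec-timeout 0 0, idle sessions never expire")
        if "transport input ssh" not in sub:
            findings.append(f"{name}: transport input not restricted to ssh")
    return findings


if __name__ == "__main__":
    for f in audit(CONFIG):
        print("-", f)
```

These checks only see what is in the text; whether an RSA host key exists and what the SSH server is actually doing with an inbound connection still have to be read from the box with "show ip ssh" and "debug ip ssh".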

 

4 Replies

get_rthym
Level 1

Hello

 

Just gave a glance and thought the below might be the cause.

!

Change to this and see if it works: "access-list 125 permit   tcp any eq 22 any"

-------

route-map NATTRANSLATE permit 10
 match ip address 125

access-list 125 deny   tcp any eq 22 any

-----

hth

I believe that sometimes there can be complications when NAT is done with extended access lists which do permit any any. I wonder what would happen if the original poster changes this line in the access list 

access-list 125 permit ip any any

and replaces the source "any" with the IP subnet(s) that should get translated?

 

HTH

 

Rick

 

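Both replies above reason about what access-list 125, the list the NAT route-map matches on, actually selects. In IOS extended ACL syntax a port qualifier binds to the address immediately before it, so "deny tcp any eq 22 any" matches TCP packets whose source port is 22 (an inside SSH server talking back out), not packets going to port 22. The script below is an added example, not from the original post or the replies: it parses a constructed copy of ACL 125 (the anonymised x.x.x.2 replaced with the RFC 5737 documentation address 198.51.100.2 so it parses), evaluates a few constructed flows first-match as IOS does, and shows what the suggested deny-to-permit change alters.

```python
"""Evaluate sample flows against a Cisco IOS numbered extended ACL (subset).

Added example: parses the post's access-list 125 and reports which entry a
given packet hits, to show what 'eq 22' after the source address selects.
Only 'ip'/'tcp'/'udp', 'any'/'host'/'addr wildcard' and 'eq' are handled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53, "ftp": 21, "smtp": 25}

# Constructed copy of access-list 125 from the post; x.x.x.2 -> 198.51.100.2.
ACL_125 = """
access-list 125 deny   ip 198.51.100.2 0.0.0.255 10.10.20.0 0.0.0.255
access-list 125 deny   ip 198.51.100.2 0.0.0.255 10.10.1.0 0.0.0.255
access-list 125 deny   ip 198.51.100.2 0.0.0.255 172.16.125.0 0.0.0.255
access-list 125 deny   ip 198.51.100.2 0.0.0.255 172.16.150.0 0.0.0.255
access-list 125 deny   tcp any eq telnet any
access-list 125 deny   tcp any eq 22 any
access-list 125 deny   ip any 10.0.0.0 0.0.0.255
access-list 125 deny   ip any 192.168.0.0 0.0.255.255
access-list 125 deny   ip any 172.16.0.0 0.15.255.255
access-list 125 permit ip any any
""".strip().splitlines()

# The change suggested in the first reply (deny -> permit on the 'eq 22' entry).
ACL_125_PATCHED = [l.replace("deny   tcp any eq 22 any", "permit tcp any eq 22 any") for l in ACL_125]


@dataclass
class Ace:
    action: str
    proto: str                # "ip", "tcp" or "udp"
    src: Tuple[int, int]      # (address, wildcard) as 32-bit ints
    sport: Optional[int]      # source port from 'eq', or None
    dst: Tuple[int, int]
    dport: Optional[int]
    text: str


def _take_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any' | 'host A' | 'A W' (address + wildcard) from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port>' qualifier bound to the preceding address."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_acl(lines: List[str], number: int) -> List[Ace]:
    """Parse the entries of one numbered ACL, in configured order."""
    aces = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, sport = _take_addr(rest), _take_port(rest)   # port binds to source
        dst, dport = _take_addr(rest), _take_port(rest)   # then to destination
        aces.append(Ace(action, proto, src, sport, dst, dport, " ".join(tokens)))
    return aces


def _match_addr(spec: Tuple[int, int], ip: str) -> bool:
    base, wild = spec                      # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)


def evaluate(aces: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation with the implicit deny; returns (action, entry)."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match_addr(ace.src, src) and _match_addr(ace.dst, dst)):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of list"


# Constructed sample flows: (description, proto, src, sport, dst, dport)
FLOWS = [
    ("inside host -> external SSH server", "tcp", "198.51.100.50", 51515, "203.0.113.10", 22),
    ("inside SSH server replying (source port 22)", "tcp", "198.51.100.60", 22, "203.0.113.10", 51515),
    ("inside host -> 172.16.125.0/24 (VPN side)", "tcp", "198.51.100.50", 44444, "172.16.125.9", 445),
    ("inside host -> external DNS", "udp", "198.51.100.50", 5000, "203.0.113.53", 53),
]


def report(lines: List[str]) -> List[Tuple[str, str]]:
    """Evaluate every sample flow against the given ACL text."""
    aces = parse_acl(lines, 125)
    return [(desc, evaluate(aces, *flow)[0]) for desc, *flow in FLOWS]


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_125), ("with 'eq 22' entry flipped to permit", ACL_125_PATCHED)):
        print(f"ACL 125 {label}:")
        for desc, action in report(acl):
            print(f"  {action:6s} {desc}")
```

The point of running it: the "eq 22" entry changes the result only for the flow whose source port is 22, and the route-map it feeds decides which inside-to-outside packets get a NAT translation. It says nothing about an SSH session addressed to the router's own outside interface, so this is a way to check what a candidate ACL change does, not a diagnosis of the problem in the thread.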

Thanks Richard but no go. I am running similar configs on many routers. This is almost identical to another one of the same model I have in use on the same service provider, the devil, er, I mean Comcast.

The only difference I can see is that one is a single IP and the Comcast router is in virtual bridge mode, and the other is 5 IPs and that one is just NATing things.

I may just have Comcast kill their virtual bridge and test it.

 

In this case it did not help, thank you though.