Help with setting up external access to console via SSH on 2811

Sbarajas · ‎06-12-2018

I need to help setting up external access via ssh to some 2811's we just recently took over. I can access the router via ssh locally fine.

Basically what i need to accomplish.

Ability to access console via SSH from 3 specific external ip address.

I tried the creating a Nat statement and access list entry's to allow this but its still not working. im probably doing something stupid.

ACCESSLIST

access-list 103 permit tcp host 192.168.67.1 host [redacted] eq 22
access-list 103 permit tcp host 192.168.67.1 host [redacted] eq 22
access-list 103 permit tcp host 192.168.67.1 host [redacted] eq 22

NAT

ip nat inside source static tcp 192.168.67.1 22 interface FastEthernet0/0 22

Georg Pauwen · ‎06-12-2018

Hello,

it looks like your access lists needs to be reversed. Where did you apply the access list ?

Try:

access-list 103 permit tcp host x.x.x.x host 192.168.67.1 eq 22

access-list 103 permit tcp host y.y.y.y host 192.168.67.1 eq 22

access-list 103 permit tcp host z.z.z.z host 192.168.67.1 eq 22

If that doesn't help, post the full config of your router...

Sbarajas · ‎06-12-2018

You may be right. Ill try this.

Georg Pauwen · ‎06-12-2018

Actually, remove the access list altogether from the interface, in order to find out if that is the problem...

Sbarajas · ‎06-12-2018

I removed the entry's with no luck. I have modified some of the ips for security but this should help.

Building configuration...

Current configuration : 3167 bytes
!
! Last configuration change at 19:57:22 UTC Tue Jun 12 2018 by admin
! NVRAM config last updated at 19:47:22 UTC Tue Jun 12 2018 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Marathon
!
boot-start-marker
boot-end-marker
!
no logging on
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
!
no ip domain lookup
ip domain name CarolinaTrace
ip inspect name MARATHON cuseeme
ip inspect name MARATHON ftp
ip inspect name MARATHON h323
ip inspect name MARATHON netshow
ip inspect name MARATHON rcmd
ip inspect name MARATHON realaudio
ip inspect name MARATHON rtsp
ip inspect name MARATHON sqlnet
ip inspect name MARATHON streamworks
ip inspect name MARATHON tftp
ip inspect name MARATHON tcp
ip inspect name MARATHON udp
ip inspect name MARATHON vdolive
ip inspect name MARATHON icmp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
!
!
interface Tunnel0
 ip address 10.0.1.5 255.255.255.252
 ip mtu 1500
 tunnel source FastEthernet0/0
 tunnel destination 24.216.11.11
!
interface FastEthernet0/0
 ip address 24.216.22.16 255.255.255.252
 ip access-group 103 in
 ip nat outside
 ip inspect MARATHON out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.67.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.216.22.15
ip route 192.168.4.0 255.255.255.0 10.0.1.6
ip route 192.168.5.0 255.255.255.0 10.0.1.6
ip route 192.168.65.0 255.255.255.0 10.0.1.6
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.67.5 5900 interface FastEthernet0/0 5910
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.67.1 22 interface FastEthernet0/0 22
!
access-list 101 permit ip 192.168.67.0 0.0.0.255 any
access-list 103 permit udp host 128.138.140.44 any eq ntp
access-list 103 permit tcp any any established
access-list 103 remark Clubhouse VPN
access-list 103 permit ahp host 24.216.11.11 host 24.216.22.16
access-list 103 permit esp host 24.216.11.11 host 24.216.22.16
access-list 103 permit udp host 24.216.11.11 host 24.216.22.16 eq isakmp
access-list 103 permit udp host 24.216.11.11 host 24.216.22.16 eq non500-isakmp
access-list 103 permit gre host 24.216.11.11 host 24.216.22.16
access-list 103 permit ip host 64.58.20.19 any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
!
route-map nonat permit 10
 match ip address 101
 set ip df 0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login local
!
scheduler allocate 20000 1000
ntp clock-period 17180175
ntp source FastEthernet0/0
ntp server 128.138.140.44
!
end

Georg Pauwen · ‎06-12-2018

Hello,

on your VTY lines configure:

line vty 0 4
login local

transport input telnet ssh

Sbarajas · ‎06-12-2018

Still unable to connect. However as i said before i can connect locally via ssh. any other ideas :)

Georg Pauwen · ‎06-12-2018

Hello,

try and change your static NAT entry to:

ip nat inside source static tcp 192.168.67.1 22 24.216.22.16 22 extendable

Also, post the output of 'show ip ssh'...

Sbarajas · ‎06-12-2018

SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Georg Pauwen · ‎06-12-2018

Hello,

is that the entire output ? Do you have a crypto key configured ?

2811(config)#crypto key generate rsa modulus 2048

Sbarajas · ‎06-13-2018

That was the entire output, and i have run that command again to be sure but that was the first thing i had done.

mohammed01701 · ‎06-13-2018

Hi!

I don't see any username, have you configured "username xxxx privilege 15 secret yyyyyy"?

HTH

/Mohammed