06-12-2018 11:37 AM - edited 03-05-2019 10:34 AM
I need help setting up external access via SSH to some 2811s we just recently took over. I can access the router via SSH locally fine.
Basically, what I need to accomplish:
Ability to access the console via SSH from 3 specific external IP addresses.
I tried creating a NAT statement and access list entries to allow this, but it's still not working. I'm probably doing something stupid.
ACCESS LIST
access-list 103 permit tcp host 192.168.67.1 host [redacted] eq 22
access-list 103 permit tcp host 192.168.67.1 host [redacted] eq 22
access-list 103 permit tcp host 192.168.67.1 host [redacted] eq 22
NAT
ip nat inside source static tcp 192.168.67.1 22 interface FastEthernet0/0 22
06-12-2018 12:02 PM
Hello,
It looks like your access lists need to be reversed. Where did you apply the access list?
Try:
access-list 103 permit tcp host x.x.x.x host 192.168.67.1 eq 22
access-list 103 permit tcp host y.y.y.y host 192.168.67.1 eq 22
access-list 103 permit tcp host z.z.z.z host 192.168.67.1 eq 22
If that doesn't help, post the full config of your router...
06-12-2018 12:07 PM
You may be right. I'll try this.
06-12-2018 12:30 PM
Actually, remove the access list altogether from the interface, in order to find out if that is the problem...
06-12-2018 01:30 PM
I removed the entries with no luck. I have modified some of the IPs for security, but this should help.
Building configuration...
Current configuration : 3167 bytes
!
! Last configuration change at 19:57:22 UTC Tue Jun 12 2018 by admin
! NVRAM config last updated at 19:47:22 UTC Tue Jun 12 2018 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Marathon
!
boot-start-marker
boot-end-marker
!
no logging on
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
!
no ip domain lookup
ip domain name CarolinaTrace
ip inspect name MARATHON cuseeme
ip inspect name MARATHON ftp
ip inspect name MARATHON h323
ip inspect name MARATHON netshow
ip inspect name MARATHON rcmd
ip inspect name MARATHON realaudio
ip inspect name MARATHON rtsp
ip inspect name MARATHON sqlnet
ip inspect name MARATHON streamworks
ip inspect name MARATHON tftp
ip inspect name MARATHON tcp
ip inspect name MARATHON udp
ip inspect name MARATHON vdolive
ip inspect name MARATHON icmp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
!
!
interface Tunnel0
 ip address 10.0.1.5 255.255.255.252
 ip mtu 1500
 tunnel source FastEthernet0/0
 tunnel destination 24.216.11.11
!
interface FastEthernet0/0
 ip address 24.216.22.16 255.255.255.252
 ip access-group 103 in
 ip nat outside
 ip inspect MARATHON out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.67.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.216.22.15
ip route 192.168.4.0 255.255.255.0 10.0.1.6
ip route 192.168.5.0 255.255.255.0 10.0.1.6
ip route 192.168.65.0 255.255.255.0 10.0.1.6
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.67.5 5900 interface FastEthernet0/0 5910
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.67.1 22 interface FastEthernet0/0 22
!
access-list 101 permit ip 192.168.67.0 0.0.0.255 any
access-list 103 permit udp host 128.138.140.44 any eq ntp
access-list 103 permit tcp any any established
access-list 103 remark Clubhouse VPN
access-list 103 permit ahp host 24.216.11.11 host 24.216.22.16
access-list 103 permit esp host 24.216.11.11 host 24.216.22.16
access-list 103 permit udp host 24.216.11.11 host 24.216.22.16 eq isakmp
access-list 103 permit udp host 24.216.11.11 host 24.216.22.16 eq non500-isakmp
access-list 103 permit gre host 24.216.11.11 host 24.216.22.16
access-list 103 permit ip host 64.58.20.19 any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
!
route-map nonat permit 10
 match ip address 101
 set ip df 0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login local
!
scheduler allocate 20000 1000
ntp clock-period 17180175
ntp source FastEthernet0/0
ntp server 128.138.140.44
!
end
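An added example, not part of this thread, that evaluates numbered-ACL entries the way IOS matches a new SSH connection arriving inbound on FastEthernet0/0: the entries as first posted never match because the external address sits in the source position, and the `permit tcp any any established` line already in ACL 103 cannot match a SYN. The destination used is the router's own Fa0/0 address 24.216.22.16 from the posted config, since an ACL applied inbound on the outside interface is checked before NAT rewrites the destination; 203.0.113.10 is a constructed stand-in for one of the redacted admin addresses, and the parser only covers the entry forms that appear in this config.

```python
import ipaddress
import re
# Subset of IOS numbered-ACL syntax handled here (constructed for the example):
#   access-list N {permit|deny} PROTO SRC DST [eq PORT] [established]   SRC/DST = any | host A | A WILDCARD
ENTRY = re.compile(r"access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>\S+) (?P<src>any|host \S+|\S+ \S+) "
                   r"(?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\S+))?(?P<est> established)?$")
PORT_NAMES = {"ssh": 22, "ntp": 123, "isakmp": 500, "non500-isakmp": 4500}

def parse_addr(tok):
    # 'any', 'host X' or 'X WILDCARD' (contiguous wildcards only) -> ip_network
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.ip_network(tok.split()[1] + "/32")
    addr, wildcard = tok.split()
    prefixlen = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network((addr, prefixlen), strict=False)

def parse_entry(line):
    m = ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL syntax: {line}")
    port = m["port"]
    dport = None if port is None else (int(port) if port.isdigit() else PORT_NAMES[port])
    return m["action"], m["proto"], parse_addr(m["src"]), parse_addr(m["dst"]), dport, m["est"] is not None

def evaluate(acl, proto, src, dst, dport, new_connection=True):
    """Action of the first matching entry; IOS ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        if " remark " in line:  # remarks are comments, not entries
            continue
        action, e_proto, e_src, e_dst, e_port, established = parse_entry(line)
        if e_proto not in (proto, "ip") or src not in e_src or dst not in e_dst or (e_port is not None and e_port != dport):
            continue
        if established and new_connection:  # a SYN carries no ACK/RST, so 'established' never matches it
            continue
        return action
    return "deny"

# Constructed data: 203.0.113.10 stands in for a redacted admin address; 24.216.22.16 is Fa0/0 in the posted config.
ADMIN_IP, ROUTER_WAN = "203.0.113.10", "24.216.22.16"
AS_POSTED = ["access-list 103 permit tcp host 192.168.67.1 host 203.0.113.10 eq 22"]
ESTABLISHED_ONLY = ["access-list 103 permit tcp any any established"]
CORRECTED = ["access-list 103 permit tcp host 203.0.113.10 host 24.216.22.16 eq 22"]

def inbound_ssh_result(acl):
    # Decision for a new SSH connection from the admin host as it arrives on the outside interface
    return evaluate(acl, "tcp", ADMIN_IP, ROUTER_WAN, 22)
```

Running `inbound_ssh_result` over the three lists gives deny, deny, permit, which is the difference between the first post's entries and a source/destination-corrected one.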
06-12-2018 01:55 PM
Hello,
On your VTY lines, configure:
line vty 0 4
login local
transport input telnet ssh
06-12-2018 02:27 PM
Still unable to connect. However, as I said before, I can connect locally via SSH. Any other ideas :)
06-12-2018 02:32 PM
Hello,
Try changing your static NAT entry to:
ip nat inside source static tcp 192.168.67.1 22 24.216.22.16 22 extendable
Also, post the output of 'show ip ssh'...
06-12-2018 02:40 PM
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
06-12-2018 03:05 PM
Hello,
Is that the entire output? Do you have a crypto key configured?
2811(config)#crypto key generate rsa modulus 2048
06-13-2018 05:36 AM
That was the entire output, and I have run that command again to be sure, but that was the first thing I had done.
06-13-2018 08:04 AM
Hi!
I don't see any username, have you configured "username xxxx privilege 15 secret yyyyyy"?
HTH
/Mohammed