Solved: Re: ISR C1111 SSH Problem

Network_Newbie · ‎10-17-2020

Hi All,

I am configuring my brand new ISR c1111 router functioning as network gateway. I use LTE as the WAN side connection. Upon activation and configuration of the LTE module with SIM inserted, I am able to access to Internet from the LAN side through LTE signal successfully. However, I can't ping that ip address of that sim card from the outside. Also, I fail to ssh to c1111 through LTE WAN. Please have a look at my current configuration. I have no idea where the problem is. Thanks in advance.

==================================

Router#show running-config
Building configuration...

Current configuration : 4675 bytes
!
! Last configuration change at 22:46:42 UTC Sat Oct 17 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$AXtY$q0fU6CgXNqsulSnuzF/OU1
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
!
!
!
!
ip nbar http-services
!
ip name-server 10.30.23.130 10.30.23.131
ip domain name shunhinggroup.com
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 192.168.1.0
ip dhcp excluded-address 192.168.1.255 255.255.255.255
!
ip dhcp pool WEBUIPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-4123553526
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4123553526
revocation-check none
rsakeypair TP-self-signed-4123553526
!
!
crypto pki certificate chain TP-self-signed-4123553526
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313233 35353335 3236301E 170D3230 31303136 31353030
33395A17 0D333030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31323335
35333532 36308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100E56D 21FA614D C75B7B6D A6F6FB24 D1A1F6FA 84C8AE94 F4E8942E
FC885904 2DC01E9B BA41E54E 2DADD89E 1B6A57B5 C1BF878E 6B9B71DA 19395A9F
5C1640AF D369685A 4A29E756 7F5E7BEA 13720F3E AB0DD250 F8A55974 713B1F14
B6FDE3AD 47FEA8C1 66129616 AEAC2C6B BDD789FE 70E5F6F3 8843CBD1 EA3E65A7
8881B387 D79E20D0 684B379A DAEDCD1D AA65195E F254F8E8 D570CEF2 7C3F3E87
6B4C3FE3 70060BB9 FE3B677E C0723801 1CF89ADB 7B6BFF2E 09D126C0 D64C8F4D
FC7A30E3 5818D7A8 D346AA33 2EF0367A 91D104C2 FEA90925 E61D3A57 5D7A9FAD
7DD0E88C A685B04C 27D02DE5 44EC6DAA 79C5F969 3C1DF1B7 3B01DB80 B828D2E6
20E77154 99F10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
301F0603 551D2304 18301680 149F23CC 59CFDFF8 D99BE786 CD37C3B8 78F40C6E
CB301D06 03551D0E 04160414 9F23CC59 CFDFF8D9 9BE786CD 37C3B878 F40C6ECB
300D0609 2A864886 F70D0101 05050003 82010100 7D1686DA 19683919 2D2E24EF
8B4CDD79 D0751272 86502E21 04827380 239847F3 608CCFC4 C871864E 52212A81
BE297015 5D314E5F 0A8060FC 9BF9276A D160E4A7 465DB330 842E146D 766C234A
50DA3AF1 764C570C 054E6B51 85CE2428 97395647 C7FC662B 7CF439DF F42131AD
D73492D6 2D465A3A 2EF7D776 7C0BBC5D 91D465CE 5277D8F5 49CE9B67 4D905476
CD639FCD 03373AD5 E70E47EB 16CAC2BD D74EE5E8 0D13E093 8C7D9ECB FE69CC97
AA209D8F 9D4BC1E0 413BFEB7 92E5DF64 1694D0C1 1A4C6C83 93682311 D05F60EB
E3229B27 2B69DCF1 577B7469 C74CA160 1EAC38DD 9378D0C3 946A6301 1DC54477
ECF6E985 BD0455A6 4F73B113 8AC936EE A03CCE67
quit
!
license udi pid C1111-4PLTELA sn FGL2437LB6P
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret 5 $1$EhLb$S/3MIB4Xc3wy3eByj29Z0/
!
redundancy
mode none
!
controller Cellular 0/2/0
lte sim data-profile 1 attach-profile 1 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
profile id 1 apn vpnfix authentication none pdn-type ipv4
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Cellular0/2/0
description Primary_
ip address negotiated
ip nbar protocol-discovery
ip nat outside
dialer in-band
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 197 interface Cellular0/2/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
!
!
ip access-list extended 197
permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
transport input ssh

Georg Pauwen · ‎10-18-2020

Hello,

that's what I was thinking, maybe the ISP (Smartone) is blocking it. Would be worth checking with them...

View solution in original post

MHM Cisco World · ‎10-17-2020

Vty

Login local <-- if the passowrd is local

Georg Pauwen · ‎10-17-2020

Hello,

try and change the access list:

--> ip nat inside source list 197 interface Cellular0/2/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
!
--> ip access-list extended 197
permit ip any any

to

--> ip nat inside source list 1 interface Cellular0/2/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255

Network_Newbie · ‎10-17-2020

Hello Georg,

Thank you for your help. I changed the access list configuration according to your suggestion. But the problem still exists. Everything is normal as I have access to the internet from the LAN side of c1111. To my understanding, at the very least, I am supposed to ping the public IP of that sim card from the outside. Do I need to add the specific access list for the inbound icmp traffic to c1111? Same case to the SSH access, does it require access list to allow inbound traffic to port 22? Thank you Sir.

Georg Pauwen · ‎10-18-2020

Hello,

in theory, you should be able to ping your LTE address by default. For SSH access, all you need is 'transport input ssh' on the VTY lines (and some sort of authentication).

I don't know where you are pinging from, but what is the result of a traceroute to your public IP address ?

Network_Newbie · ‎10-18-2020

Hello

I am using Smartone network. The traceroute result turns out that the IP where it stops tracking is from the network operator Smartone. Is it possible that mobile network operator does not allow icmp traffic (ping) and ssh connection? Thanks

Georg Pauwen · ‎10-18-2020

Hello,

that's what I was thinking, maybe the ISP (Smartone) is blocking it. Would be worth checking with them...

Network_Newbie · ‎10-19-2020

Hello Georg,

It turns out that ISP does block the icmp protocol for the security concern. That being said, I am able to ssh to that ISR router with the same set of configuration. The root cause might be due to unstable LTE signal. Anyway, thank you for your help and great suggestion. Thank you Sir

Georg Pauwen · ‎10-18-2020

Hello,

SmartOne is a Hong Kong provider, right ? Are you actually in Hong Kong ?

Richard Burts · ‎10-18-2020

@MHM Cisco World suggests adding login local to the vty. But since the configuration already has aaa new-model then the default authentication is already to use locally configured ID and password and login local is superfluous and would be ignored.

I have seen issues with trying to access outside interfaces where nat is configured with an extended access list which specifies any as the destination. I would support the suggestion to configure nat to use a standard access list which permits the local network.

Are we sure that SSH is correctly enabled on this device? Can we see the output of the command show ip ssh

HTH

Rick

Georg Pauwen · ‎10-18-2020

The reason I was asking about OP's location is because I have a feeling that this could be related to restrictions enforced by China's Great Firewall. They block all sorts of traffic (e.g. it was reported recently that China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI. The block was put in place at the end of July and is enforced via China’s Great Firewall.) And since SSH is encrypted traffic, that might be included.

Network_Newbie · ‎10-20-2020

Hello Richard,

Your input regarding "login local" with aaa new-model is pretty informative to me. And I am totally on the same page with you about the use of standard access list for the nat configuration. Thank you for your reply and suggestion. The problem has been solved.

paul driver · ‎10-18-2020

Hello

You don't require icmp echo/replys to obtain ssh connection

Try the following:
no ip access-list extended 197
ip access-list extended 197
permit ip 192.168.1.0 0.0.255 any

ip nat inside source static tcp 192.168.1.1 22 interface Cellular0/2/0 22

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Network_Newbie · ‎10-18-2020

Hello Paul,

Thank you for your reply. As I tried "ip nat inside source static tcp 192.168.1.1 22 interface Cellular0/2/0 22"

The following error messages are seen

%Port 22 is being used by system"

paul driver · ‎10-18-2020

Hello

Just try another port
ip nat inside source static tcp 192.168.1.1 22 interface Cellular0/2/0 2222

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul