ISR C1111 SSH Problem

Network_Newbie
Level 1

Hi All,

I am configuring my brand new ISR C1111 router to function as a network gateway. I use LTE as the WAN-side connection. After activating and configuring the LTE module with the SIM inserted, I am able to access the Internet from the LAN side through the LTE signal successfully. However, I can't ping the IP address of that SIM card from the outside. Also, I fail to SSH to the C1111 through the LTE WAN. Please have a look at my current configuration. I have no idea where the problem is. Thanks in advance.

==================================

Router#show running-config
Building configuration...


Current configuration : 4675 bytes
!
! Last configuration change at 22:46:42 UTC Sat Oct 17 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$AXtY$q0fU6CgXNqsulSnuzF/OU1
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
!
!
!
!
ip nbar http-services
!
ip name-server 10.30.23.130 10.30.23.131
ip domain name shunhinggroup.com
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 192.168.1.0
ip dhcp excluded-address 192.168.1.255 255.255.255.255
!
ip dhcp pool WEBUIPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-4123553526
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4123553526
revocation-check none
rsakeypair TP-self-signed-4123553526
!
!
crypto pki certificate chain TP-self-signed-4123553526
certificate self-signed 01
quit
!
license udi pid C1111-4PLTELA sn FGL2437LB6P
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret 5 $1$EhLb$S/3MIB4Xc3wy3eByj29Z0/
!
redundancy
mode none
!
controller Cellular 0/2/0
lte sim data-profile 1 attach-profile 1 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
profile id 1 apn vpnfix authentication none pdn-type ipv4
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Cellular0/2/0
description Primary_
ip address negotiated
ip nbar protocol-discovery
ip nat outside
dialer in-band
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 197 interface Cellular0/2/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
!
!
ip access-list extended 197
permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
transport input ssh

 

 


Hello Paul,

 

Thank you for your help. My ISP does block icmp protocol which causes the failure of ping of sim card IP. As for the ssh access, I am able to ssh to that ISR router successfully with my original configuration. Thank you Sir.

Hello

"I am able to ssh to that ISR router successfully with my original configuration"
Just like to highlight two things with that original configuration:
1) NAT/PAT doesn’t like access-lists it relates to with an "any any", as anomalies can occur in translation, so it's recommended to be as specific as possible with the access-list regarding when a host/network requires translation.
2) Going forward you may require other devices to be accessible via ssh/telnet etc., and as such it won’t work in its current state, as there is no definitive static entry for additional hosts to translate against, so it's best to add static entries for host-host PAT as I have shown you in my previous post.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

 

1) "NAT/PAT doesn’t like access-lists it relates to with an "any any", as anomalies can occur in translation, so it's recommended to be as specific as possible with the access-list regarding when a host/network requires translation."

 

Totally agreed with you. My running config is as below

!

access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!

 


2) "Going forward you may require other devices to be accessible via ssh/telnet etc., and as such it won’t work in its current state, as there is no definitive static entry for additional hosts to translate against, so it's best to add static entries for host-host PAT as I have shown you in my previous post."

 

To get access to the different devices residing on the LAN side with ssh, my solution is to ssh to that ISR router first and then ssh to the different LAN-side devices. I do configure PAT for the Web access of different devices in the LAN.

!

ip nat inside source static tcp 192.168.1.10 2810 interface Cellular0/2/0 2810
ip nat inside source static tcp 192.168.1.20 2820 interface Cellular0/2/0 2820

!
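An added example, not part of any post in this thread: a small Python check that reads an IOS configuration, resolves the ACL behind each `ip nat ... overload` rule and flags a `permit ip any any` / `permit any` match, then lists every static port forward published on the outside interface. The function names and the trimmed sample configurations are constructed for illustration from the lines quoted above.

```python
import re

# Constructed samples: only the NAT-related lines of the two configs in this thread.
ORIGINAL = """\
ip nat inside source list 197 interface Cellular0/2/0 overload
ip access-list extended 197
permit ip any any
dialer-list 1 protocol ip permit
"""
REVISED = """\
ip nat inside source list 1 interface Cellular0/2/0 overload
ip nat inside source static tcp 192.168.1.10 2810 interface Cellular0/2/0 2810
ip nat inside source static tcp 192.168.1.20 2820 interface Cellular0/2/0 2820
access-list 1 permit 192.168.1.0 0.0.0.255
"""

def acl_entries(config):
    """Return {acl_id: [entries]} for numbered and named ACLs (indentation optional)."""
    acls, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-list (\S+) ((?:permit|deny) .+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif current and re.match(r"(?:\d+ )?(?:permit|deny) ", line):
            acls[current].append(re.sub(r"^\d+ ", "", line))
        else:
            current = None  # any other line ends the named-ACL block
    return acls

def audit_nat(config):
    """List (kind, detail) findings for overload ACL breadth and static port forwards."""
    acls, findings = acl_entries(config), []
    for acl, iface in re.findall(
            r"^\s*ip nat (?:inside )?source list (\S+) interface (\S+) overload", config, re.M):
        if any(re.fullmatch(r"permit (?:ip any any|any)", e) for e in acls.get(acl, [])):
            findings.append(("broad-acl", f"list {acl} on {iface} matches any source"))
    for proto, host, lport, iface, gport in re.findall(
            r"^\s*ip nat (?:inside )?source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)",
            config, re.M):
        findings.append(("port-forward", f"{proto}/{gport} on {iface} -> {host}:{lport}"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, audit_nat(cfg))
```

The `port-forward` findings are the list of inside services reachable from the WAN, which is the inventory to review whenever a static PAT entry is added.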

   

Hello,

 

Try domainless NAT (lines marked in bold), not sure if that makes a difference.

 

Current configuration : 4675 bytes
!
! Last configuration change at 22:46:42 UTC Sat Oct 17 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$AXtY$q0fU6CgXNqsulSnuzF/OU1
!
aaa new-model
!
aaa session-id common
!
ip nbar http-services
!
ip name-server 10.30.23.130 10.30.23.131
ip domain name shunhinggroup.com
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 192.168.1.0
ip dhcp excluded-address 192.168.1.255 255.255.255.255
!
ip dhcp pool WEBUIPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-4123553526
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4123553526
revocation-check none
rsakeypair TP-self-signed-4123553526
!
crypto pki certificate chain TP-self-signed-4123553526
certificate self-signed 01
quit
!
license udi pid C1111-4PLTELA sn FGL2437LB6P
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$EhLb$S/3MIB4Xc3wy3eByj29Z0/
!
redundancy
mode none
!
controller Cellular 0/2/0
lte sim data-profile 1 attach-profile 1 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
profile id 1 apn vpnfix authentication none pdn-type ipv4
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Cellular0/2/0
description Primary_
ip address negotiated
ip nbar protocol-discovery
--> ip nat enable
dialer in-band
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
--> ip nat enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
--> ip nat source list 1 interface Cellular0/2/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
!
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
transport input ssh
