07-29-2018 09:44 PM
Hi,
I just configured SSH v2 on my Cisco 4331 router and changed the default SSH port. It is working successfully on the LAN, but I can't access the router using the WAN IP from a remote location.
What may be the problem?
07-29-2018 11:16 PM
hi,
have you applied any VTY ACL?
Kindly post a sanitized show run output.
07-29-2018 11:21 PM
Hi, please find my SSH configuration:
ip ssh time-out 30
ip ssh port 5064 rotary 1
!
!
ip access-list extended Secure-SSH
permit tcp any any eq 5064
line vty 0 4
access-class Secure-SSH in
exec-timeout 30 0
login local
rotary 1
transport input telnet ssh
transport output none
07-29-2018 11:32 PM
hi,
can you try:
line vty 0 4
no access-class Secure-SSH in
no ip access-list extended Secure-SSH
ip access-list extended Secure-SSH
deny tcp any any eq 22
permit tcp any any eq 5064
line vty 0 4
access-class Secure-SSH in
07-30-2018 12:28 AM
Hi,
Still not working! But it is working with the default port. If I apply the access list used to change the default port, SSH does not work :(
PuTTY shows a connection timeout!!
Error: "Network Error: Connection timed out!"
07-30-2018 12:36 AM
hi,
Could you check if the VTY lines are full?
Use show line or show user and free up SSH/VTY sessions using the clear line vty <NUMBER> command.
07-30-2018 01:54 AM
No problem there.
07-30-2018 08:45 AM - edited 07-30-2018 08:46 AM
Hello
Just for testing, can you remove the ACL and rotary and test the connection?
If that works, apply the rotary back and test via port 3001 - telnet/ssh xxxx 3001
res
paul
07-29-2018 11:33 PM
You might want to check your static NAT.
Maybe the static NAT still has the old port configured.
07-30-2018 12:30 AM
No there is no problem with NAT.
07-30-2018 03:46 AM
Would you mind sharing the whole config, or enabling the verbose option on SSH?
03-18-2021 07:35 PM
We had this exact issue & it was NAT. NAT was working, maybe a little too well.
TL;DR:
We had a 'permit ip any any' for our NAT outbound overload - this was the issue. We had to explicitly permit the inside networks in the NAT access-list & then have a 'deny ip any any' at the bottom. After we did this, we were able to SSH to the WAN interface (the interface configured with 'ip nat outside'). Note that we tried to exclude the incoming IP etc. from NAT, but that did not work. This was our working config in the end (make sure you apply a security policy to your router for security reasons):
ip access-list extended ACL-NAT
remark DO NOT ADD "log" TO ANY ACE IN THIS ACL, IT WILL CAUSE NAT FAILURE
permit ip host lo.lo.lo.lo any <<< Loopback interface
permit ip 10.1.1.0 0.0.0.255 any <<< LAN Data subnet
permit ip a.a.a.a m.m.m.m any <<< Other subnet that needs internet
deny ip any any <<< explicit DENY anything else
ip nat inside source list ACL-NAT interface Dialer1 overload
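Added example, not from any poster or from Cisco: a small first-match evaluator for the extended-ACL forms used in this thread (ip/tcp, any, host, wildcard mask, optional 'eq <port>'). It shows what the 2021 reply describes, that a catch-all 'permit ip any any' in the NAT inside-source list also selects traffic sourced from the router's own WAN address, while the explicit list of inside networks plus 'deny ip any any' leaves that traffic alone. The same evaluator checks the original post's Secure-SSH access-class against connections to port 5064 and to port 22. All addresses are constructed RFC 5737 documentation values, and the before/after NAT lists are stand-ins built from the post's description, not the poster's real config.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Flow:
    proto: str                       # "tcp", "udp", "icmp", ...
    src: str                         # source IPv4 address
    dst: str                         # destination IPv4 address
    sport: Optional[int] = None
    dport: Optional[int] = None


def _take_addr(toks, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at toks[i]; return (matcher, next index)."""
    if toks[i] == "any":
        return (lambda ip: True), i + 1
    if toks[i] == "host":
        target = ipaddress.ip_address(toks[i + 1])
        return (lambda ip: ipaddress.ip_address(ip) == target), i + 2
    net = int(ipaddress.ip_address(toks[i]))
    wildcard = int(ipaddress.ip_address(toks[i + 1]))
    keep = (~wildcard) & 0xFFFFFFFF  # wildcard bits that are set are "don't care"
    return (lambda ip: (int(ipaddress.ip_address(ip)) & keep) == (net & keep)), i + 2


def _take_port(toks, i):
    """Parse an optional 'eq PORT' at toks[i]; return (matcher, next index)."""
    if i < len(toks) and toks[i] == "eq":
        port = int(toks[i + 1])
        return (lambda p: p == port), i + 2
    return (lambda p: True), i


@dataclass
class Ace:
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Callable[[Optional[int]], bool]
    dst: Callable[[str], bool]
    dport: Callable[[Optional[int]], bool]

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        return self.src(f.src) and self.sport(f.sport) and self.dst(f.dst) and self.dport(f.dport)


def parse_acl(text: str) -> list:
    """Turn an 'ip access-list extended' block into ACEs in first-match order."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("ip access-list", "remark", "!")):
            continue
        toks = line.split("<<<")[0].split()   # drop trailing '<<<' annotations
        src, i = _take_addr(toks, 2)
        sport, i = _take_port(toks, i)
        dst, i = _take_addr(toks, i)
        dport, i = _take_port(toks, i)
        aces.append(Ace(toks[0], toks[1], src, sport, dst, dport))
    return aces


def evaluate(aces: list, flow: Flow) -> str:
    """First matching ACE decides; no match falls through to the implicit deny."""
    for ace in aces:
        if ace.matches(flow):
            return ace.action
    return "deny"


# Constructed sample addresses (documentation ranges, not the poster's network).
WAN_IP = "198.51.100.1"      # address of the 'ip nat outside' interface
LOOPBACK = "192.0.2.1"
REMOTE = "203.0.113.9"       # admin workstation out on the Internet

# Stand-in for the NAT list the post says caused the failure: one catch-all ACE.
NAT_ACL_BEFORE = "ip access-list extended ACL-NAT\n permit ip any any\n"

# Stand-in for the corrected list: explicit inside networks, then an explicit deny.
NAT_ACL_AFTER = f"""
ip access-list extended ACL-NAT
 remark DO NOT ADD "log" TO ANY ACE IN THIS ACL, IT WILL CAUSE NAT FAILURE
 permit ip host {LOOPBACK} any          <<< loopback
 permit ip 10.1.1.0 0.0.0.255 any        <<< LAN data subnet
 deny ip any any                         <<< explicit deny
"""

# The VTY access-class from the first post (custom SSH port 5064).
VTY_ACL = "ip access-list extended Secure-SSH\n permit tcp any any eq 5064\n"

LAN_TO_INTERNET = Flow("tcp", "10.1.1.50", REMOTE, sport=40000, dport=443)
ROUTER_SSH_REPLY = Flow("tcp", WAN_IP, REMOTE, sport=5064, dport=40001)  # router-sourced


def nat_decisions() -> dict:
    """Which flows each version of the NAT list selects for translation."""
    before, after = parse_acl(NAT_ACL_BEFORE), parse_acl(NAT_ACL_AFTER)
    return {
        "lan_before": evaluate(before, LAN_TO_INTERNET),
        "lan_after": evaluate(after, LAN_TO_INTERNET),
        "router_before": evaluate(before, ROUTER_SSH_REPLY),  # catch-all grabs it
        "router_after": evaluate(after, ROUTER_SSH_REPLY),    # explicit list does not
    }


def vty_decision(dport: int) -> str:
    """Whether the Secure-SSH access-class admits an inbound connection to dport."""
    return evaluate(parse_acl(VTY_ACL), Flow("tcp", REMOTE, WAN_IP, sport=50000, dport=dport))


if __name__ == "__main__":
    for name, verdict in nat_decisions().items():
        print(f"{name:14s} {verdict}")
    print("vty 5064:", vty_decision(5064), " vty 22:", vty_decision(22))
```

The evaluator only models ACL matching, not how IOS NAT or access-class then act on the verdict; its point is that the inside-source list should name the inside networks, so router-sourced traffic from the WAN address never matches it, and that the VTY list admits only the custom port.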