cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3247
Views
5
Helpful
11
Replies

SSH can not access from wan Cisco 4331 Router

akhil.s
Beginner
Beginner

Hi,

 

I just configure SSH v2 on my Cisco 4331 router. and I change my default SSH port. It is working successfully under LAN network. But I can't access the Router using WAN IP from a remote location.

What may be the Problem?

 

 

 

11 Replies 11

johnlloyd_13
Engager
Engager

hi,

have you applied any VTY ACL?

kindly post a sanitized show run output.

Hi Please find my SSH Configuration,

 

ip ssh time-out 30
ip ssh port 5064 rotary 1
!
!
ip access-list extended Secure-SSH
permit tcp any any eq 5064

 

line vty 0 4
access-class Secure-SSH in
exec-timeout 30 0
login local
rotary 1
transport input telnet ssh
transport output none

hi,

can you try:

 

line vty 0 4
 no access-class Secure-SSH in


no ip access-list extended Secure-SSH

ip access-list extended Secure-SSH
 deny tcp any any eq 22
 permit tcp any any eq 5064

line vty 0 4
 access-class Secure-SSH in

Hi,

Still not working! But it is working from default port. If I apply the access list which one used for change the default port, ssh not working :(

 

Connection timeout shows on putty !!

 

Error: "Network Error: Connection timed out!"

hi,

could you check if VTY lines are full?

use a show line or show user and free up SSH/VTY sessions using the clear line vty <NUMBER> command.

No problem there. 

Hello

just for testing can you remove the acl and rotary and test connection

 

if that works apply back the rotary and test via port 3001. -  telnet/ssh xxxx 3001

 

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Vince
Beginner
Beginner

You might want to check out your static nat.

Maybe the static nat still had the old port configured

No there is no problem with NAT.

would you mind sharing the whole config? or enable the verbose option on ssh?

We had this exact issue & it was NAT. NAT was working, maybe a little too well.

https://community.cisco.com/t5/routing/unable-to-ssh-to-wan-dialer-ip-of-isr4k-when-nat-is-enabled/m-p/4309510#M348617

TL;DR:

We had a 'permit ip any any' for our NAT outbound overload - this was the issue. We had to explicitly permit the inside networks in the NAT access-list & then have a 'deny ip any any' at the bottom. After we did this, we were able to SSH to the WAN interface (the 'ip nat outside' configured interface). Note that we tried to exclude the incoming IP etc. from NAT but that did not work. This was our working config in the end (make sure you apply security policy to your router for security reasons):

ip access-list extended ACL-NAT
 remark DO NOT ADD "log" TO ANY ACE IN THIS ACL, IT WILL CAUSE NAT FAILURE
 permit ip host lo.lo.lo.lo any      <<< Loopback interface
 permit ip 10.1.1.0 0.0.0.255 any    <<< LAN Data subnet
 permit ip a.a.a.a m.m.m.m any       <<< Other subnet that needs internet
 deny   ip any any                   <<< explicit DENY anything else

ip nat inside source list ACL-NAT interface Dialer1 overload

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers