SSH cannot be accessed from WAN on Cisco 4331 Router
07-29-2018 09:44 PM
Hi,
I just configured SSH v2 on my Cisco 4331 router and changed the default SSH port. It works successfully on the LAN, but I can't access the router using the WAN IP from a remote location.
What may be the Problem?
Labels: WAN
07-29-2018 11:16 PM
Hi,
Have you applied any VTY ACL?
Kindly post a sanitized show run output.
07-29-2018 11:21 PM
Hi, please find my SSH configuration:
ip ssh time-out 30
ip ssh port 5064 rotary 1
!
!
ip access-list extended Secure-SSH
permit tcp any any eq 5064
line vty 0 4
access-class Secure-SSH in
exec-timeout 30 0
login local
rotary 1
transport input telnet ssh
transport output none
07-29-2018 11:32 PM
Hi,
Can you try:
line vty 0 4
no access-class Secure-SSH in
no ip access-list extended Secure-SSH
ip access-list extended Secure-SSH
deny tcp any any eq 22
permit tcp any any eq 5064
line vty 0 4
access-class Secure-SSH in
07-30-2018 12:28 AM
Hi,
Still not working! But it works on the default port. If I apply the access list that is used to change the default port, SSH does not work :(
PuTTY shows a connection timeout!!
Error: "Network Error: Connection timed out!"
07-30-2018 12:36 AM
Hi,
Could you check whether the VTY lines are full?
Use show line or show users and free up SSH/VTY sessions using the clear line vty <NUMBER> command.
07-30-2018 01:54 AM
No problem there.
07-30-2018 08:45 AM - edited 07-30-2018 08:46 AM
Hello,
Just for testing, can you remove the ACL and rotary and test the connection?
If that works, apply the rotary back and test via port 3001: telnet/ssh xxxx 3001
Regards,
Paul
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul

07-29-2018 11:33 PM
You might want to check your static NAT.
Maybe the static NAT still has the old port configured.
07-30-2018 12:30 AM
No, there is no problem with NAT.

07-30-2018 03:46 AM
Would you mind sharing the whole config, or enabling the verbose option on SSH?
03-18-2021 07:35 PM
We had this exact issue and it was NAT. NAT was working, maybe a little too well.
TL;DR:
We had a 'permit ip any any' for our NAT outbound overload; this was the issue. We had to explicitly permit the inside networks in the NAT access-list and then have a 'deny ip any any' at the bottom. After we did this, we were able to SSH to the WAN interface (the interface configured with 'ip nat outside'). Note that we tried to exclude the incoming IP etc. from NAT, but that did not work. This was our working config in the end (make sure you apply a security policy to your router for security reasons):
ip access-list extended ACL-NAT
remark DO NOT ADD "log" TO ANY ACE IN THIS ACL, IT WILL CAUSE NAT FAILURE
permit ip host lo.lo.lo.lo any <<< Loopback interface
permit ip 10.1.1.0 0.0.0.255 any <<< LAN Data subnet
permit ip a.a.a.a m.m.m.m any <<< Other subnet that needs internet
deny ip any any <<< explicit DENY anything else
ip nat inside source list ACL-NAT interface Dialer1 overload
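The checks this thread converges on (does the VTY access-class actually permit the custom 'ip ssh port', does the rotary on the line match the one bound to that port, is telnet still in 'transport input', and does the NAT inside-source ACL use 'permit ip any any' or lack a trailing deny) can be run mechanically over a running-config before anyone opens PuTTY. The Python below is an added example written for this page, not code from the thread or from Cisco. SAMPLE_CONFIG is constructed from the posts above with their placeholders kept as written; the function names parse_ios, ace_fields and lint are the example's own; the parser understands only the small IOS subset these posts use (named extended ACLs, 'line vty', 'ip ssh port ... rotary', 'ip nat inside source list'); and it assumes, as the original poster observed on the LAN, that an access-class ACL with 'eq <port>' matches the custom SSH port. It does not by itself explain the WAN failure, which the 2021 post traced to the NAT ACL.

```python
"""Added example: lint a Cisco IOS config for the pitfalls raised in this thread (VTY
access-class vs custom 'ip ssh port', telnet, rotary, NAT ACL). SAMPLE_CONFIG below is
constructed from the posts above; placeholders such as lo.lo.lo.lo are kept as written."""
import re

ACE_RE = re.compile(r"^(?:permit|deny)\b")
VTY_CHILD = {"access-class", "transport", "rotary", "login", "exec-timeout", "password"}

SAMPLE_CONFIG = """\
ip ssh port 5064 rotary 1
ip access-list extended Secure-SSH
permit tcp any any eq 5064
line vty 0 4
access-class Secure-SSH in
rotary 1
transport input telnet ssh
ip access-list extended ACL-NAT
remark DO NOT ADD "log" TO ANY ACE IN THIS ACL, IT WILL CAUSE NAT FAILURE
permit ip host lo.lo.lo.lo any <<< Loopback interface
permit ip 10.1.1.0 0.0.0.255 any <<< LAN Data subnet
deny ip any any <<< explicit DENY anything else
ip nat inside source list ACL-NAT interface Dialer1 overload
"""

def parse_ios(text):  # accepts indented 'show run' or a flattened forum paste; drops '<<<' notes
    global_lines, acls, vtys, section = [], {}, [], None
    for raw in text.splitlines():
        line = re.sub(r"\s*<<<.*$", "", raw).strip()
        if not line.strip("!") or line.startswith("remark"):  # blank, '!' and remark lines
            continue
        m = re.match(r"^ip access-list (?:extended|standard) (\S+)$", line)
        if m:
            acls[m.group(1)], section = [], ("acl", m.group(1))
        elif line.startswith("line vty"):
            vtys.append({"name": line, "children": []})
            section = ("vty", vtys[-1])
        elif section and section[0] == "acl" and (raw[:1].isspace() or ACE_RE.match(line)):
            acls[section[1]].append(line)
        elif section and section[0] == "vty" and (raw[:1].isspace() or line.split()[0] in VTY_CHILD):
            section[1]["children"].append(line)
        else:
            section = None
            global_lines.append(line)
    return global_lines, acls, vtys

def _addr(tokens):  # consume one IOS address spec: any | host A | A WILDCARD
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def ace_fields(ace):  # 'permit tcp any any eq 5064' -> ('permit','tcp','any','any',['eq','5064'])
    t = ace.split()
    src, rest = _addr(t[2:])
    if rest and rest[0] in ("eq", "gt", "lt", "neq"):  # optional source-port qualifier
        rest = rest[2:]
    dst, rest = _addr(rest)
    return t[0], t[1], src, dst, rest

def lint(text):  # returns human-readable findings; an empty list means nothing was flagged
    global_lines, acls, vtys = parse_ios(text)
    findings, ssh_port, ssh_rotary, nat_lists = [], "22", None, []
    for g in global_lines:
        if m := re.match(r"^ip ssh port (\d+) rotary (\d+)$", g):
            ssh_port, ssh_rotary = m.group(1), m.group(2)
        if m := re.match(r"^ip nat inside source list (\S+) ", g):
            nat_lists.append(m.group(1))
    for vty in vtys:
        name, acl_name, rotary, covered = vty["name"], None, None, False
        for t in (c.split() for c in vty["children"]):
            if t[0] == "access-class" and t[-1] == "in":
                acl_name = t[1]
            elif t[0] == "rotary":
                rotary = t[1]
            elif t[:2] == ["transport", "input"] and "telnet" in t:
                findings.append(f"{name}: transport input allows telnet (cleartext logins)")
        if ssh_rotary is not None and rotary != ssh_rotary:
            findings.append(f"{name}: ip ssh port {ssh_port} uses rotary {ssh_rotary}, line has rotary {rotary}")
        for ace in acls.get(acl_name, []):
            action, proto, src, _dst, rest = ace_fields(ace)
            if action != "permit" or proto not in ("ip", "tcp"):
                continue
            if src == "any":
                findings.append(f"{acl_name}: '{ace}' permits any source; restrict to management hosts")
            covered |= not rest or rest[:2] == ["eq", ssh_port]  # no port qualifier, or the SSH port
        if not covered:
            findings.append(f"{name}: access-class {acl_name} has no permit covering tcp/{ssh_port}")
    for name in nat_lists:
        aces = acls.get(name, [])
        for ace in aces:
            action, _proto, src, _dst, _rest = ace_fields(ace)
            if action == "permit" and src == "any":
                findings.append(f"{name}: '{ace}' translates any source; list the inside subnets instead")
        last = ace_fields(aces[-1]) if aces else None
        if not (last and last[0] == "deny" and last[2] == last[3] == "any"):
            findings.append(f"{name}: end with an explicit 'deny ip any any'")
    return findings
```

Run lint(SAMPLE_CONFIG) and it flags exactly two things in the thread's own configs: telnet is still enabled on the VTY lines, and Secure-SSH permits any source (the port is covered and the rotary matches, and the fixed ACL-NAT passes). Feed it a NAT ACL that is just 'permit ip any any' and it reports both the any-source entry and the missing trailing deny.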
