SSH can not access from wan Cisco 4331 Router

akhil.s · ‎07-29-2018

Hi,

I just configure SSH v2 on my Cisco 4331 router. and I change my default SSH port. It is working successfully under LAN network. But I can't access the Router using WAN IP from a remote location.

What may be the Problem?

johnlloyd_13 · ‎07-29-2018

hi,

have you applied any VTY ACL?

kindly post a sanitized show run output.

akhil.s · ‎07-29-2018

Hi Please find my SSH Configuration,

ip ssh time-out 30
ip ssh port 5064 rotary 1
!
!
ip access-list extended Secure-SSH
permit tcp any any eq 5064

line vty 0 4
access-class Secure-SSH in
exec-timeout 30 0
login local
rotary 1
transport input telnet ssh
transport output none

johnlloyd_13 · ‎07-29-2018

hi,

can you try:

line vty 0 4
no access-class Secure-SSH in

no ip access-list extended Secure-SSH

ip access-list extended Secure-SSH
deny tcp any any eq 22
permit tcp any any eq 5064

line vty 0 4
access-class Secure-SSH in

akhil.s · ‎07-30-2018

Hi,

Still not working! But it is working from default port. If I apply the access list which one used for change the default port, ssh not working :(

Connection timeout shows on putty !!

Error: "Network Error: Connection timed out!"

johnlloyd_13 · ‎07-30-2018

hi,

could you check if VTY lines are full?

use a show line or show user and free up SSH/VTY sessions using the clear line vty <NUMBER> command.

akhil.s · ‎07-30-2018

No problem there.

paul driver · ‎07-30-2018

Hello

just for testing can you remove the acl and rotary and test connection

if that works apply back the rotary and test via port 3001. - telnet/ssh xxxx 3001

res

paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Vince · ‎07-29-2018

You might want to check out your static nat.

Maybe the static nat still had the old port configured

akhil.s · ‎07-30-2018

No there is no problem with NAT.

Vince · ‎07-30-2018

would you mind sharing the whole config? or enable the verbose option on ssh?

crazycatman · ‎03-18-2021

We had this exact issue & it was NAT. NAT was working, maybe a little too well.

https://community.cisco.com/t5/routing/unable-to-ssh-to-wan-dialer-ip-of-isr4k-when-nat-is-enabled/m-p/4309510#M348617

TL;DR:

We had a 'permit ip any any' for our NAT outbound overload - this was the issue. We had to explicitly permit the inside networks in the NAT access-list & then have a 'deny ip any any' at the bottom. After we did this, we were able to SSH to the WAN interface (the 'ip nat outside' configured interface). Note that we tried to exclude the incoming IP etc. from NAT but that did not work. This was our working config in the end (make sure you apply security policy to your router for security reasons):

ip access-list extended ACL-NAT
 remark DO NOT ADD "log" TO ANY ACE IN THIS ACL, IT WILL CAUSE NAT FAILURE
 permit ip host lo.lo.lo.lo any      <<< Loopback interface
 permit ip 10.1.1.0 0.0.0.255 any    <<< LAN Data subnet
 permit ip a.a.a.a m.m.m.m any       <<< Other subnet that needs internet
 deny   ip any any                   <<< explicit DENY anything else

ip nat inside source list ACL-NAT interface Dialer1 overload