SSH Connection to a server behind nat cisco

dogiiibih
Level 1

Hello guys...

I really need some help with the following.

I have a newly installed CentOS server and I need to be able to access the server from an outside PUBLIC IP address like (for example) 212.16.0.1, yet I cannot seem to get it working. I tried a lot of configurations but it still does not work, so I reverted back to the first config I did for the server. I also used port 9922 instead of 22 FOR LISTENING, for security reasons.

Any help would be appreciated...thanks a bunch!


!
interface GigabitEthernet0/0
description Internet_ISP1_Main
ip address aa.bb.cc.dd 255.255.255.252
no ip proxy-arp
ip nat outside
ip virtual-reassembly in max-fragments 16 max-reassemblies 64 timeout 5
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
description Internet_ISP2_Back-up
ip address aa.bb.cc.ee 255.255.255.248
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/2
ip address 192.168.104.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFIL
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
!
ip local pool SDM_POOL_1 192.168.179.10 192.168.179.25
ip local pool VPN-POOL 192.168.104.100 192.168.104.105
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip flow-export source GigabitEthernet0/0
ip flow-export version 9
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 1800000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_3 pool MAIL
ip nat inside source route-map SDM_RMAP_4 pool DC1-VISOKO
ip nat inside source static tcp 10.10.200.14 2014 aa.bb.cc.dd 2014 extendable
ip nat inside source static udp 10.10.200.14 5060 aa.bb.cc.dd 5060 extendable
ip nat inside source static tcp 10.10.200.14 8015 aa.bb.cc.dd 8015 extendable
ip nat inside source static tcp 192.168.104.34 22 GigabitEthernet0/0 9922 extendable
ip route 0.0.0.0 0.0.0.0 aa.bb.cc.dd track 2
ip route 0.0.0.0 0.0.0.0 aa.bb.cc.ee
ip route 10.10.0.0 255.255.240.0 GigabitEthernet0/2
ip route 10.10.0.0 255.255.240.0 192.168.104.1
ip route 10.10.200.12 255.255.255.252 GigabitEthernet0/2
ip route 10.10.200.12 255.255.255.252 192.168.104.1
ip route 192.168.104.0 255.255.255.0 GigabitEthernet0/2
!
ip access-list extended EX-ACL-Na
remark CCP_ACL Category=2
permit tcp any any eq 22
deny ip 192.168.104.0 0.0.0.255 172.16.9.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 10.10.252.0 0.0.3.255
deny ip 10.10.0.0 0.0.15.255 10.10.252.0 0.0.3.255
deny ip host 192.168.104.22 any
deny ip 192.168.103.0 0.0.0.255 192.168.20.0 0.0.3.255
remark IPSec Rule
deny ip 192.168.104.0 0.0.0.255 192.168.20.0 0.0.3.255
deny ip 10.10.0.0 0.0.15.255 192.168.20.0 0.0.3.255
deny ip 192.168.103.0 0.0.0.255 192.168.115.0 0.0.0.255
remark IPSec Rule
deny ip 192.168.104.0 0.0.0.255 192.168.115.0 0.0.0.255
remark IPSec Rule
deny ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 10.202.0.0 0.0.255.255
deny ip 192.168.104.0 0.0.0.255 10.202.0.0 0.0.255.255
deny ip 192.168.103.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.101.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 10.10.16.0 0.0.15.255
deny ip 192.168.103.0 0.0.0.255 10.10.16.0 0.0.15.255
deny ip 10.10.0.0 0.0.15.255 10.10.16.0 0.0.15.255
deny ip 10.10.0.0 0.0.15.255 192.168.101.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 10.10.0.0 0.0.15.255 192.168.1.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.117.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.117.0 0.0.0.255
deny ip 10.10.0.0 0.0.15.255 192.168.117.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.109.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.109.0 0.0.0.255
deny ip 10.10.0.0 0.0.15.255 192.168.102.0 0.0.0.255
deny ip 10.10.0.0 0.0.15.255 192.168.115.0 0.0.0.255
deny ip 10.10.0.0 0.0.15.255 10.202.0.0 0.0.255.255
deny ip 192.168.103.0 0.0.0.255 10.10.96.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 10.10.96.0 0.0.0.255
deny ip 10.10.0.0 0.0.15.255 10.10.96.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 10.10.98.0 0.0.1.255
deny ip 192.168.104.0 0.0.0.255 10.10.98.0 0.0.1.255
deny ip 10.10.0.0 0.0.15.255 10.10.98.0 0.0.1.255
deny ip 192.168.104.0 0.0.0.255 host 172.16.9.10
deny ip 192.168.104.0 0.0.0.255 host 172.16.9.31
deny ip 192.168.104.0 0.0.0.255 172.16.9.32 0.0.0.7
permit ip 192.168.104.0 0.0.0.255 any
permit ip 192.168.103.0 0.0.0.255 any
permit ip 10.10.0.0 0.0.15.255 any
permit ip 192.168.99.0 0.0.0.255 any
permit ip 10.10.200.12 0.0.0.3 any
remark IPSec Rule
deny ip 192.168.104.0 0.0.0.255 10.0.0.0 0.0.255.255
deny ip 10.10.0.0 0.0.15.255 10.0.0.0 0.0.255.255
ip access-list extended MAILOUT
remark CCP_ACL Category=16
deny ip 10.10.0.0 0.0.15.255 192.168.102.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.102.0 0.0.0.255
remark IPSec Rule
deny ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 10.10.0.0 0.0.15.255 192.168.115.0 0.0.0.255
remark IPSec Rule
deny ip 192.168.104.0 0.0.0.255 192.168.115.0 0.0.0.255
deny ip 10.10.0.0 0.0.15.255 192.168.20.0 0.0.3.255
deny ip 192.168.103.0 0.0.0.255 192.168.20.0 0.0.3.255
remark IPSec Rule
deny ip 192.168.104.0 0.0.0.255 192.168.20.0 0.0.3.255
deny ip 10.10.0.0 0.0.15.255 10.202.0.0 0.0.255.255
deny ip 192.168.104.0 0.0.0.255 10.202.0.0 0.0.255.255
deny ip 192.168.103.0 0.0.0.255 10.202.0.0 0.0.255.255
deny ip 10.10.0.0 0.0.15.255 10.10.16.0 0.0.15.255
deny ip 192.168.104.0 0.0.0.255 10.10.16.0 0.0.15.255
deny ip 192.168.103.0 0.0.0.255 10.10.16.0 0.0.15.255
deny ip 10.10.0.0 0.0.15.255 192.168.101.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.101.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.109.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.109.0 0.0.0.255
deny ip 10.10.0.0 0.0.15.255 192.168.117.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.117.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.117.0 0.0.0.255
deny ip 10.10.0.0 0.0.15.255 192.168.1.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 10.10.0.0 0.0.15.255 10.10.96.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 10.10.96.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 10.10.96.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 172.16.9.0 0.0.0.255
deny ip host 192.168.104.22 192.168.102.0 0.0.0.255
deny ip host 192.168.104.22 192.168.115.0 0.0.0.255
deny ip host 192.168.104.22 192.168.101.0 0.0.0.255
deny ip host 192.168.104.22 10.202.0.0 0.0.255.255
deny ip host 192.168.104.22 192.168.1.0 0.0.0.255
deny ip host 192.168.104.22 192.168.117.0 0.0.0.255
deny ip host 192.168.104.22 10.10.16.0 0.0.15.255
permit ip host 192.168.104.22 any
ip access-list extended SPLIT-TUNNEL-ACL
permit ip 192.168.104.0 0.0.0.255 192.168.104.0 0.0.0.255
ip access-list extended dc1-visoko
deny ip host 192.168.104.27 192.168.101.0 0.0.0.255
deny ip host 192.168.104.27 192.168.102.0 0.0.0.255
deny ip host 192.168.104.27 192.168.115.0 0.0.0.255
deny ip host 192.168.104.27 10.202.0.0 0.0.255.255
deny ip host 192.168.104.27 192.168.1.0 0.0.0.255
deny ip host 192.168.104.27 192.168.117.0 0.0.0.255
deny ip host 192.168.104.27 10.10.96.0 0.0.0.255
deny ip host 192.168.104.27 10.10.16.0 0.0.15.255
permit ip host 192.168.104.27 any
ip access-list extended exchange
deny ip host 192.168.104.22 192.168.102.0 0.0.0.255
deny ip host 192.168.104.22 192.168.115.0 0.0.0.255
deny ip host 192.168.104.22 10.202.0.0 0.0.255.255
deny ip host 192.168.104.22 192.168.101.0 0.0.0.255
deny ip host 192.168.104.22 192.168.1.0 0.0.0.255
deny ip host 192.168.104.22 192.168.117.0 0.0.0.255
deny ip host 192.168.104.22 192.168.108.0 0.0.0.255
deny ip host 192.168.104.22 10.10.16.0 0.0.15.255
permit ip host 192.168.104.22 any
!
!
route-map exchange permit 10
match ip address exchange
!
route-map dc1-visoko permit 10
match ip address dc1-visoko
!
route-map SDM_RMAP_4 permit 1
match ip address dc1-visoko
!
route-map SDM_RMAP_1 permit 1
match ip address EX-ACL-Na
match interface GigabitEthernet0/0
!
route-map SDM_RMAP_2 permit 1
match ip address EX-ACL-Na
match interface GigabitEthernet0/1
!
route-map SDM_RMAP_3 permit 1
match ip address MAILOUT
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 permit ip 192.168.103.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.15.255 192.168.102.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.104.0 0.0.0.255 192.168.115.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.15.255 192.168.115.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.104.0 0.0.0.255 192.168.20.0 0.0.3.255
access-list 102 permit ip 192.168.103.0 0.0.0.255 192.168.20.0 0.0.3.255
access-list 102 permit ip 10.10.0.0 0.0.15.255 192.168.20.0 0.0.3.255
access-list 102 permit ip 192.168.104.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 102 permit ip 10.10.0.0 0.0.15.255 10.0.0.0 0.0.255.255
access-list 103 permit ip 192.168.103.0 0.0.0.255 10.202.0.0 0.0.255.255
access-list 103 permit ip 192.168.104.0 0.0.0.255 10.202.0.0 0.0.255.255
access-list 103 permit ip 10.10.0.0 0.0.15.255 10.202.0.0 0.0.255.255
access-list 104 permit ip 192.168.103.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 104 permit ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 104 permit ip 10.10.0.0 0.0.15.255 192.168.101.0 0.0.0.255
access-list 104 permit ip 192.168.103.0 0.0.0.255 10.10.16.0 0.0.15.255
access-list 104 permit ip 192.168.104.0 0.0.0.255 10.10.16.0 0.0.15.255
access-list 104 permit ip 10.10.0.0 0.0.15.255 10.10.16.0 0.0.15.255
access-list 105 remark CCP_ACL Category=4
access-list 105 permit ip 192.168.104.0 0.0.0.255 any
access-list 109 permit ip 192.168.103.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 109 permit ip 192.168.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 109 permit ip 10.10.0.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 109 permit ip 192.168.103.0 0.0.0.255 192.168.117.0 0.0.0.255
access-list 109 permit ip 192.168.104.0 0.0.0.255 192.168.117.0 0.0.0.255
access-list 109 permit ip 10.10.0.0 0.0.15.255 192.168.117.0 0.0.0.255
access-list 109 permit ip 192.168.103.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 109 permit ip 192.168.104.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 111 permit ip 192.168.104.0 0.0.0.255 172.16.9.0 0.0.0.255
access-list 112 permit ip 192.168.104.0 0.0.0.255 10.10.252.0 0.0.3.255
access-list 112 permit ip 10.10.0.0 0.0.15.255 10.10.252.0 0.0.3.255
access-list 196 permit ip 192.168.104.0 0.0.0.255 10.10.96.0 0.0.0.255
access-list 196 permit ip 192.168.103.0 0.0.0.255 10.10.96.0 0.0.0.255
access-list 196 permit ip 10.10.0.0 0.0.15.255 10.10.96.0 0.0.0.255
access-list 197 permit ip 192.168.104.0 0.0.0.255 10.10.97.0 0.0.0.255
access-list 197 permit ip 192.168.103.0 0.0.0.255 10.10.97.0 0.0.0.255
access-list 197 permit ip 10.10.0.0 0.0.15.255 10.10.97.0 0.0.0.255
access-list 198 permit ip 192.168.104.0 0.0.0.255 10.10.98.0 0.0.1.255
access-list 198 permit ip 192.168.103.0 0.0.0.255 10.10.98.0 0.0.1.255
access-list 198 permit ip 10.10.0.0 0.0.15.255 10.10.98.0 0.0.1.255

10 Replies

Hello,

Your configuration seems to be correct.

ip nat inside source static tcp 192.168.104.34 22 GigabitEthernet0/0 9922 extendable

Have you tried to use your public IP instead of GigabitEthernet0/0?

You should look at your CentOS configuration. Does it have a default gateway? Is its firewall off?

You have crypto map "SDM_CMAP_1" under your interfaces but you did not define it in your configuration.

Masoud

Hello Masoud,

Yes, I have SDM_CMAP_1 configured; I just cut it out of this part of the configuration...

I will check the firewall since everything else seems OK...

Since you had removed your IPsec configuration, I could not check its access-list. You also need to exclude the return SSH packet from IPSEC access-list.
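Masoud's point about excluding the SSH server's return traffic from the IPsec access-list can be checked rather than eyeballed across the long ACLs above. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the IOS numbered-ACL syntax used in this config (wildcard masks, `host`, `any`, `eq`), run against access-list 100 and 105 from the config and a hypothetical corrected 105. The client address 212.16.0.1 is from the question; the ephemeral port 51515 and the "105-fixed" name are assumptions, and whether 105 is actually bound to a crypto map is not visible in the pasted config.

```python
import ipaddress
# Constructed sample: ACL 105 as pasted (whole LAN to any), a hypothetical corrected 105 that
# excludes the SSH server's replies first, and "IPSec Rule" ACL 100 from the same config.
ACLS = {
    "105": "access-list 105 permit ip 192.168.104.0 0.0.0.255 any",
    "105-fixed": "access-list 105 deny tcp host 192.168.104.34 eq 22 any\n"
                 "access-list 105 permit ip 192.168.104.0 0.0.0.255 any",
    "100": "access-list 100 permit ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255",
}

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(t, i):
    """Consume one IOS address spec at t[i]: 'any', 'host A' or 'A WILDCARD' -> (net, wild)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _port(t, i):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)

def parse_acl(text):
    """Parse numbered-ACL lines into (action, proto, src, sport, dst, dport) tuples."""
    aces = []
    for t in (line.split() for line in text.splitlines()):
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue  # skip blanks and remarks
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        aces.append((t[2], t[3], src, sport, dst, _port(t, i)[0]))
    return aces

def acl_verdict(aces, proto, src, sport, dst, dport):
    """First match wins; wildcard bits set to 1 are ignored; no match is the implicit deny."""
    hit = lambda spec, a: (_ip(a) | spec[1]) == (spec[0] | spec[1])
    for action, p, s, sp, d, dp in aces:
        if p in ("ip", proto) and hit(s, src) and hit(d, dst) \
                and sp in (None, sport) and dp in (None, dport):
            return action
    return "implicit-deny"

# Server reply (192.168.104.34:22) to the client 212.16.0.1 from the thread; port 51515 is assumed.
SSH_REPLY = ("tcp", "192.168.104.34", 22, "212.16.0.1", 51515)

def ssh_reply_verdicts():
    """'permit' means that crypto ACL would claim the reply for IPsec instead of NAT."""
    return {n: acl_verdict(parse_acl(a), *SSH_REPLY) for n, a in ACLS.items()}
```

Any ACL that returns "permit" for the reply needs a deny for the server's traffic ahead of its broad permit, as in the corrected 105, or the reply is encrypted toward the tunnel instead of being translated back to port 9922.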

There are no more access-lists; these are all the ACLs in my configuration.

I can access the server through port 22 from my inside network; however, I cannot access it from a remote site... or host. I tried it from my home PC and it does not work; also, port 9922 seems to be closed when testing it.

Your default routes look a bit strange.

You have a default route pointing out of the backup connection but with no AD set so I would expect it to be in the routing table.

What does a "sh ip route" show for the default routing?

I am just wondering if your connection to the server is going in via the main link but then being sent back via the backup link which would obviously mean the server is translated to a different IP.

Jon

Hello Jon,

Still, the destination IP (home PC) is the same, unless the back-up ISP has a stateful firewall dropping the packets.

Meanwhile, OP has not confirmed whether the server has a default gateway pointing to 192.168.104.2 or not.

Regards,

Masoud

I think the problem might also be the DW not pointing to 104.2, as Masoud said. I will check that out. Thanks!

It was the firewall blocking the 9922 port I configured :D
I can't believe I forgot to set a rule on our firewall :)

Anyways, thanks a lot for helping me, guys.

Oh yeah, there is an AD set and that works fine; I just somehow missed it out while copy-pasting, I guess... I think the problem lies in the ACL, I just can't figure it out...