02-10-2022 06:29 AM
Hello, I have multiple routers which run multiple VRFs, which I thought were configured for external access from our public VPN NAT, but on losing access to a site that was still technically online we noticed we could not connect externally. It seems, indeed, I am only able to connect to the router via the Mgmt-intf VRF; my ACLs are permitting access from all RFC1918 addresses and a specific external IP (SSH and ICMP), but while ICMP works, SSH does not. Am I missing a configuration somewhere to permit SSH for back-door access via my provider-issued IP?
Extended IP access list ADMIN_ACCESS
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 22
    20 permit tcp 172.16.0.0 0.15.255.255 any eq 22 (72 matches)
    30 permit tcp 192.168.0.0 0.0.255.255 any eq 22
    40 permit tcp x.x.x.x 255.255.255.255 any eq 22

line vty 0 4
 access-class ADMIN_ACCESS in vrf-also
 exec-timeout 15 0
 logging synchronous
 transport preferred none
 transport input ssh
 transport output ssh
line vty 5 15
 access-class ADMIN_ACCESS in vrf-also
 exec-timeout 15 0
 logging synchronous
 transport preferred none
 transport input ssh
 transport output ssh

ip access-list extended INET_INBOUND
 permit icmp x.x.x.x 255.255.255.255 any
 permit ip x.x.x.x 255.255.255.255 any

interface GigabitEthernet0/1/4
 vrf forwarding INET
 ip address x.x.x.x 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip access-group INET_INBOUND in
I'm able to ping the public IP of that interface and have tunnels terminating on it (also covered in INET_INBOUND), but SSH doesn't work, leading me to believe there may be some sort of missing SSH permission on the router that I'm not aware of...
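As an added check (example code, not from the thread; the poster's masked public address is replaced by a placeholder from the 203.0.113.0/24 documentation range), here is a small evaluator of the ADMIN_ACCESS entries above under IOS wildcard-mask semantics, where a 1 bit in the mask means "don't care". It reports which entry a given SSH source hits and how many source addresses an entry covers, so a second field typed as a subnet mask such as 255.255.255.255 (matches every host) instead of the wildcard 0.0.0.0 (matches one host) is easy to spot when reviewing the ACL.

```python
import ipaddress

# Constructed sample: the ADMIN_ACCESS entries from the post, with the
# masked public address replaced by a documentation-range placeholder.
ADMIN_ACCESS = """
10 permit tcp 10.0.0.0 0.255.255.255 any eq 22
20 permit tcp 172.16.0.0 0.15.255.255 any eq 22
30 permit tcp 192.168.0.0 0.0.255.255 any eq 22
40 permit tcp 203.0.113.10 255.255.255.255 any eq 22
"""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


def hosts_matched(base: str, wildcard: str) -> int:
    """Number of source addresses an entry covers: 2 ** popcount(wildcard)."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def parse_acl(text: str):
    """Parse 'seq action proto base wildcard any [eq port]' lines."""
    entries = []
    for line in text.strip().splitlines():
        p = line.split()
        seq, action, proto, base, wc = int(p[0]), p[1], p[2], p[3], p[4]
        port = int(p[p.index("eq") + 1]) if "eq" in p else None
        entries.append((seq, action, proto, base, wc, port))
    return entries


def match_acl(text: str, src: str, dport: int):
    """First matching entry as (seq, action); (None, 'deny') is the implicit deny."""
    for seq, action, proto, base, wc, port in parse_acl(text):
        if proto not in ("tcp", "ip"):
            continue
        if port is not None and port != dport:
            continue
        if wildcard_match(src, base, wc):
            return seq, action
    return None, "deny"
```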
02-10-2022 09:45 AM
ADMIN_ACCESS
You have all RFC1918 addresses in that group, but when the SSH comes in from public, the IP address is a public IP, right?
Remove the access class and test it. Does that work? (I hope SSH works from the internal network, right?)
line vty 0 4 access-class ADMIN_ACCESS in vrf-also
02-10-2022 01:11 PM
Hello
@ryan.meskill wrote:
configured for external access from our public VPN NA
on losing access to a site that was still technically online,.
What was performed for you to lose access you already had?
You don't show any NAT-applied interfaces?