SSH'ing to VRF-enabled ASR1000 router on DIA (external) interfaces

ryan.meskill
Level 1

Hello, I have multiple routers which run multiple VRFs, which I thought were configured for external access from our public VPN NAT, but on losing access to a site that was still technically online, we noticed we could not connect externally. It seems, indeed, that I am only able to connect to the router via the Mgmt-intf VRF. My ACLs are permitting access from all RFC1918 addresses and a specific external IP (SSH and ICMP), but while ICMP works, SSH does not. Am I missing a configuration somewhere to permit SSH for back-door access via my provider-issued IP?


Extended IP access list ADMIN_ACCESS
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 22
    20 permit tcp 172.16.0.0 0.15.255.255 any eq 22 (72 matches)
    30 permit tcp 192.168.0.0 0.0.255.255 any eq 22
    40 permit tcp x.x.x.x 255.255.255.255 any eq 22

line vty 0 4
 access-class ADMIN_ACCESS in vrf-also
 exec-timeout 15 0
 logging synchronous
 transport preferred none
 transport input ssh
 transport output ssh
line vty 5 15
 access-class ADMIN_ACCESS in vrf-also
 exec-timeout 15 0
 logging synchronous
 transport preferred none
 transport input ssh
 transport output ssh

ip access-list extended INET_INBOUND
 permit icmp x.x.x.x 255.255.255.255 any
 permit ip x.x.x.x 255.255.255.255 any

interface GigabitEthernet0/1/4
 vrf forwarding INET
 ip address x.x.x.x 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip access-group INET_INBOUND in

I'm able to ping the public IP of that interface and have tunnels terminating on it (also covered in INET_INBOUND), but SSH doesn't work, leading me to believe there may be some sort of missing SSH permission on the router that I'm not aware of...
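The wildcard-mask matching that `access-class` applies to the source address can be checked offline. This is an added example (Python, not from the thread or from Cisco): it parses ACL lines in the `show access-lists` form posted above and reports which entry a given source and destination port would hit, with 198.51.100.9 as a constructed stand-in for the redacted x.x.x.x. In IOS wildcard syntax 0 bits must match and 1 bits are ignored, so a single host is written with wildcard 0.0.0.0 (or the `host` keyword); the constructed `ANY_SOURCE_ENTRY` shows what a 255.255.255.255 wildcard matches instead.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class AclEntry(NamedTuple):
    seq: int
    action: str
    proto: str
    src: int             # source address as a 32-bit int
    src_wc: int          # IOS wildcard: 0 bits must match, 1 bits are ignored
    port: Optional[int]  # destination port from 'eq'; None when absent

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def parse_entry(line: str) -> AclEntry:
    """Parse one 'show access-lists' line, e.g. '10 permit tcp 10.0.0.0 0.255.255.255 any eq 22'."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    if tok[3] == "any":
        src, wc, rest = 0, 0xFFFFFFFF, tok[4:]
    elif tok[3] == "host":
        src, wc, rest = _ip(tok[4]), 0, tok[5:]
    else:
        src, wc, rest = _ip(tok[3]), _ip(tok[4]), tok[5:]
    port = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
    return AclEntry(seq, action, proto, src, wc, port)

def src_matches(entry: AclEntry, ip: str) -> bool:
    """True when ip equals entry.src on every bit the wildcard leaves as 'must match'."""
    care = ~entry.src_wc & 0xFFFFFFFF
    return (_ip(ip) & care) == (entry.src & care)

def first_match(acl: List[AclEntry], ip: str, port: int = 22) -> Optional[AclEntry]:
    """First entry a TCP connection from ip to port hits; None is the implicit deny at the end."""
    for e in acl:
        if src_matches(e, ip) and (e.port is None or e.port == port):
            return e
    return None

# ADMIN_ACCESS as posted; 198.51.100.9 is a constructed stand-in for the redacted x.x.x.x,
# entered as a host (wildcard 0.0.0.0) so that it matches only that one address.
ADMIN_ACCESS = [parse_entry(line) for line in (
    "10 permit tcp 10.0.0.0 0.255.255.255 any eq 22",
    "20 permit tcp 172.16.0.0 0.15.255.255 any eq 22",
    "30 permit tcp 192.168.0.0 0.0.255.255 any eq 22",
    "40 permit tcp 198.51.100.9 0.0.0.0 any eq 22",
)]

# Constructed contrast: a wildcard written like a subnet mask leaves no 'must match' bits,
# so this entry admits every source address, not just the intended host.
ANY_SOURCE_ENTRY = parse_entry("40 permit tcp 198.51.100.9 255.255.255.255 any eq 22")
```

A public source that is not listed (for example 203.0.113.7) falls through to the implicit deny, which is the behaviour to verify before looking for a missing SSH permission elsewhere.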


balaji.bandi
Hall of Fame
ADMIN_ACCESS

You have all RFC1918 addresses in that group, but when the SSH is coming in from the public side, the source IP address is a public IP, right?


Remove the access class and test it. Does that work? (I hope SSH works from the internal network, right?)

line vty 0 4
 access-class ADMIN_ACCESS in vrf-also


BB


Hello

@ryan.meskill wrote:

    configured for external access from our public VPN NA
    on losing access to a site that was still technically online,

What was performed for you to lose access you already had?
You don't show any NAT-applied interfaces?



Kind Regards
Paul