ssh issue

Raja_D
Level 1

Hi, 

 

We have noticed a strange issue on one of our Cisco 1800 routers, which has two WAN connections: the primary is the MPLS link and the secondary is the ADSL connection.

In all of our existing setups of this type we are able to log in remotely using both the MPLS WAN IP and the public IP (Dialer IP) of the ADSL link without problems.

But unfortunately, on this Cisco 181x router we are able to get login access only through the MPLS WAN IP; there is no response if we try to SSH into the router using the public IP.

 

Here are the observations:

 

1. show ip ssh shows SSH enabled.

2. The ACL applied on the vty line shows matches for the IP from which I am trying to connect, which confirms that the request is reaching the router properly.

3. No abnormal logs on the router end.

What could be the possible reasons for this login failure? Please suggest.

 

Regards, 

James.. 

 

 

Richard Burts
Hall of Fame

James

 

We do not know enough about your situation to give you very good answers. Can you supply more information, especially post the running configuration? Perhaps it is some policy on the router? Perhaps it is some policy applied in the network over the ADSL?

 

It might be helpful if you enable debug for SSH and then attempt SSH using the ADSL address, and post the debug output.

 

HTH

 

Rick


HI,

 

The enclosed notepad file holds the config of the device.

The device is in production, with alternate MPLS WAN connectivity, so debugging on this production device will not be possible.

Please check the config and suggest any steps that could help fix this login issue.

For access from Dialer2 you need to configure a port forward on the device (ip nat outside, and I don't see NAT configured), and you might need additional routes for exit traffic in that case. For ACL 50 you can add

access-list 50 permit y.y.y.y

access-list 50 deny any log

to be able to see denied login attempts.

Hi,

 

ip nat outside already exists on the Dialer2 interface, and we also have "access-list 50 deny any log" applied on ACL 50.

Actually, I can see matches on "access-list 50 permit y.y.y.y" when I attempt a login remotely from my Internet router, which makes me understand that the remote login attempt is reaching the router, but the login is not happening.

As per my understanding, the attempt is not getting denied on account of this.

Any more suggestions please.

 

James..

ip nat outside is not enough; that is just part of the NAT configuration. That's my point.

You need a complete NAT configuration and a port forward (static NAT for the port forward); only after this will you be able to see SSH attempts in ACL 50. Or you don't need NAT at all if you are trying to log in to the Dialer2 IP address.

Also, you may need to configure additional routes.
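The replies above (the port forward / no-NAT point and the "additional routes for exit traffic" point, plus the logged deny on ACL 50) are easier to reason about against a concrete configuration. The following IOS fragment is an added illustration for this thread, not the poster's attached config (which is not on this page) and not anything Cisco or the repliers published. It assumes a single router with MPLS as the default route, SSH terminated on the router's own Dialer2 address (so, as the second reply notes, no static NAT is needed for that), and it uses placeholders: y.y.y.y for the management host named in the thread, 203.0.113.10 for an assumed fixed ADSL address, and a hypothetical MPLS next hop. The local policy route map is the standard way to make replies sourced from the dialer address leave via the dialer instead of following the MPLS default route, which is one reading of the "exit traffic" remark; whether that is the actual fault here is not established by the thread.

```cisco
! Added example config, not the original poster's running-config.
! Placeholders: y.y.y.y = management host, 203.0.113.10 = assumed fixed
! Dialer2 public address, 10.0.0.1 = assumed MPLS provider next hop.
hostname R1
ip domain-name example.net
!
! 'show ip ssh' only reports "SSH Enabled" once an RSA key exists; generate it
! in exec mode first:  crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
username admin privilege 15 secret REPLACE-ME
!
! ACL 50 as suggested in the thread: permit the management host, log everything
! else. Counters on the permit line show the connection reached the vty check.
access-list 50 remark vty management access
access-list 50 permit y.y.y.y
access-list 50 deny   any log
!
line vty 0 4
 access-class 50 in
 login local
 transport input ssh
 exec-timeout 10 0
!
interface Dialer2
 description ADSL (secondary WAN)
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
!
! MPLS carries the default route, so by itself a reply to y.y.y.y sourced from
! the Dialer2 address would exit via MPLS, not via ADSL.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Force router-originated SSH replies that carry the Dialer2 address back out
! of Dialer2 (assumes the ADSL address is fixed at 203.0.113.10).
ip access-list extended SSH-REPLIES-VIA-ADSL
 permit tcp host 203.0.113.10 eq 22 any
!
route-map LOCAL-POLICY permit 10
 match ip address SSH-REPLIES-VIA-ADSL
 set interface Dialer2
!
ip local policy route-map LOCAL-POLICY
```

To check which half is failing, compare the counters with the connection state: `show access-lists 50` (does the permit counter increase), `show ip ssh` and `show users` (is a vty session ever opened), and `show logging | include list 50` for the logged denies. If the permit counter increases but no session appears, the next thing to confirm is the return path for packets sourced from the Dialer2 address, which is what the local policy route map above addresses.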

James

 

Thank you for posting what turns out to be only a partial config. There is a crypto map which uses access list TESTDMZ, but that access list is not in the posted config. Also, there is nothing in the config about your primary MPLS. And I wonder what else was excluded from the config that might have a bearing on this issue. So would you do show run | include y.y.y.y and post this, so that we can see what references there are to that address?

 

HTH

 

Rick
