
SSH Multiple Interfaces

Is it possible to set up a router (2911) so that I can access it from the DSL connection as well as the MPLS? Without including a config I'll explain the setup. We have an MPLS network that is sending the route to the router and all users route back to our data center for internet access. However, as a backup we installed DSL at the sites. During normal operations I would like to be able to SSH into the router from the SSH wan port. I know I can configure static routes to go out that interface, but when mobile the IP would change. Is it possible to do this?

As stated, BGP is providing the site networks along with a zero route. So when we try to SSH from the outside, it is sending the data back on the zero route.

Julio Carvajal


So you want to be able to access the router from the WAN interface, but the MPLS is the primary route and the WAN is only used for backup purposes.

With that in mind, as you said, the router will not know where the host lives and will send it out the default route interface, so traffic might get there but on the way back it will use a different interface.

The only way possible is using NAT on the next hop of the WAN interface so that all traffic going to the router on the SSH port will be translated to a WAN IP address.

The router will know that it needs to reply to a host on the WAN interface and the traffic would go that way.

The thing is, you need an extra device bud

Julio Carvajal
Senior Network Security and Core Specialist
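
The return-path problem described in the answer above, as an added example that is not part of the original thread: a small longest-prefix-match model of the router's table showing why the SSH reply leaves via MPLS and how source NAT on the DSL next hop changes that. The addresses, route list, interface labels and function names are all constructed assumptions.

```python
import ipaddress

# Constructed routing table for the branch router (documentation address ranges).
ROUTES = [
    ("0.0.0.0/0", "MPLS"),     # zero (default) route learned via BGP
    ("10.0.0.0/8", "MPLS"),    # site networks learned via BGP
    ("192.0.2.0/30", "DSL"),   # connected subnet on the DSL WAN port
]

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: return the interface used to reach dst."""
    addr = ipaddress.ip_address(dst)
    matches = [
        (ipaddress.ip_network(prefix), ifc)
        for prefix, ifc in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    _, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return ifc

def ssh_reply_path(client_ip, arrived_on="DSL", nat_source=None):
    """Model one inbound SSH session that arrived on `arrived_on`.

    nat_source is the address the DSL next-hop device rewrites the
    client's source to (None means no NAT). Returns the source address
    the router sees, the interface its reply uses, and whether the
    reply leaves on the interface the request arrived on.
    """
    seen_src = nat_source or client_ip
    out = egress_interface(seen_src)
    return seen_src, out, out == arrived_on

if __name__ == "__main__":
    # Constructed mobile clients whose public IP changes between sessions.
    for client in ("198.51.100.25", "203.0.113.77"):
        # No NAT: only the zero route matches, so the reply goes out MPLS.
        print("no NAT  ", ssh_reply_path(client))
        # Next hop translates the source to its own address on the DSL subnet.
        print("with NAT", ssh_reply_path(client, nat_source="192.0.2.1"))
```

Because the translated source sits on the connected DSL subnet, the result is the same for any client address, which is what makes it work for a mobile user.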
Jeff Van Houten

What are the users accessing at the data center for internet access? Are you running an explicit proxy there? If so, you don't need a default back to the data center. The MPLS WAN routes (other than the default) are all that is needed. Assuming you're running an explicit proxy you can set the remote locations to default out the local internet connection.


We do not have an explicit proxy, which may solve the problem. All users learn the default route, then hit our DC, which has a Palo Alto firewall on the edge; the route points to this