05-02-2021 03:03 PM
Hi All,
The public IP address of the LTE cellular module is 1.145.38.99 (Australia), however, when running the command: show cellular 0/0/0, it shows the public IP address as being 22.165.47.87 (USA). Would this be impacting the ability to use SSH remotely?
05-02-2021 03:15 PM
Post the configuration. Did you allow SSH to come in from the ACL? Or is the ISP blocking it? It could be either case.
What do you see in the logs? (show logg)
05-02-2021 04:13 PM
Hi Balaji,
Configuration is below. The router was configured by a network engineer in Pakistan and he has advised that it's all set up as it should be, so I'm unsure how to determine whether SSH is allowed to come in from the ACL.
The router is offline, so cannot access logs.
Current configuration : 2736 bytes
!
! Last configuration change at 20:54:24 UTC Sun May 2 2021 by william
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VT-STKN-RTR-0001
!
boot-start-marker
boot-end-marker
!
enable secret 5 <redacted for privacy>
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
ip dhcp pool LOCAL
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 dns-server 4.2.2.2 8.8.8.8
!
ip dhcp pool LAN
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 4.2.2.2 8.8.8.8
!
ip domain name vergetel
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
cts logging verbose
!
license udi pid CISCO1921/K9 sn FGL1923213X
!
username tempadmin privilege 15 <redacted for privacy>
username william password 0 <redacted for privacy>
!
redundancy
!
controller Cellular 0/0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
!
controller VDSL 0/1/0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0/1/0
 no ip address
 shutdown
!
interface Cellular0/0/0
 no ip address
 ip nat outside
 encapsulation slip
 dialer in-band
 dialer pool-member 1
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string lte
 dialer persistent
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list Internet interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Internet
 permit ip 10.10.20.0 0.0.0.255 any
 permit ip 10.10.10.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 script dialer lte
 no exec
 rxspeed 100000000
 txspeed 50000000
line vty 0 4
 password <redacted for privacy>
 transport input telnet ssh
line vty 5 15
 password <redacted for privacy>
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
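The question in the post above, how to tell from the configuration whether an ACL governs inbound SSH, comes down to whether any ACL is bound with `access-class ... in` on the vty lines or `ip access-group ... in` on an interface. The following is an added example, not part of the original post: the function names are hypothetical and `SAMPLE` is a constructed excerpt of the stanzas from the posted configuration that matter for this check.

```python
import re

# Constructed excerpt: only the stanzas of the posted config that matter here.
SAMPLE = """\
interface Dialer0
 ip nat outside
ip nat inside source list Internet interface Dialer0 overload
ip access-list extended Internet
 permit ip 10.10.20.0 0.0.0.255 any
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
"""

def stanzas(config):
    """Map each top-level IOS command to its indented sub-commands."""
    out, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            out[current] = []
        elif current is not None:
            out[current].append(raw.strip())
    return out

def first(body, pattern):
    """Return group 1 of the first sub-command matching pattern, else None."""
    return next((m.group(1) for m in (re.match(pattern, b) for b in body) if m), None)

def management_exposure(config):
    """Show which ACLs, if any, actually filter inbound management sessions."""
    vty, intf_acl, nat_acls = {}, {}, []
    for head, body in stanzas(config).items():
        if head.startswith("line vty"):
            transports = (first(body, r"transport input (.+)") or "").split()
            vty[head] = {"transports": transports,
                         "access_class": first(body, r"access-class (\S+) in")}
        elif head.startswith("interface "):
            acl = first(body, r"ip access-group (\S+) in")
            if acl:
                intf_acl[head.split()[1]] = acl
        elif head.startswith("ip nat inside source list "):
            nat_acls.append(head.split()[5])
    filtering = set(intf_acl.values()) | {v["access_class"] for v in vty.values()}
    return {"vty": vty, "interface_acl_in": intf_acl,
            "nat_only_acls": [a for a in nat_acls if a not in filtering]}
```

For the posted configuration the result shows no `access_class` on either vty range, no inbound interface ACL, and the `Internet` ACL used only to select traffic for NAT, so no ACL in this config filters inbound SSH or Telnet to the router itself.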
05-02-2021 04:20 PM
At a high level I do not see any SSH config, but you can try to telnet into the router using the public IP address and let us know if that works.
Follow the guide below to configure SSH:
https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
05-03-2021 10:50 AM
William
I agree with @balaji.bandi that it is difficult to tell from the config what is the state of SSH. Can you get to the switch and execute the command show ip ssh? Its output would verify whether SSH is active.
I do not see anything in the config that would prevent SSH access. Are we correct in assuming that SSH does not work? If SSH does not work then I agree that attempting access using telnet would be a good test.
I do not think it relates to your possible issue with SSH but I do notice an inconsistency in your config. Your DHCP pool specifies this
ip dhcp pool LAN
 network 10.10.10.0 255.255.255.0
but the interface where that subnet is configured uses mask of 255.255.255.248.
05-03-2021 03:22 PM - edited 05-03-2021 03:22 PM
Hi Rick
SSH config below.
VT-STKN-RTR-0001>show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa <redacted for privacy>
The Dialer0 interface is showing a public IP address in the USA (22.166.248.36) when the actual public IP address of the LTE cellular service is in Australia (1.129.108.144). I presume this would be causing an issue as I can load up the web UI login for 22.166.248.36 when I'm on the same network as the router, however, when it comes to WAN, it cannot be accessed from this address, nor the Australian IP. Very strange.
Any assistance would be great. Thanks.
05-04-2021 02:00 AM
Thanks for the information. Regarding the IP address, you need to be in touch with your ISP; there is nothing we can do about it.
Thank you for the information, you have SSH running. Can you please confirm whether you are able to SSH and Telnet to the device from the local LAN?
Also, have you tested Telnet or SSH from outside? What do you see in the logs (enable debug when you are trying SSH from outside)? I presume your request is not even reaching the router.
05-04-2021 07:52 AM
William
Thanks for the additional information. The output does confirm that SSH is configured and activated, which eliminates one potential cause of the problem. I have a few more questions:
- can you confirm that devices connected to your inside networks are successful in accessing resources on the Internet?
- can you confirm that devices connected to your inside networks are successful in SSH to the router?
- when you attempt SSH from outside do you get any type of response? Or does the SSH request just hang and time out?
- just to be sure that it is not something specific to SSH can you attempt telnet to the router from a device in the Internet?
- can you ping or traceroute to the router outside interface from devices in the Internet? (try both of the identified addresses)
- I agree with @balaji.bandi that it sounds like the SSH request may not be getting to the router. Is it possible to run debug ip ssh, attempt SSH from the Internet, and look for any debug output?
- I am wondering about the configuration for line 0/0/0 that specifies no exec. As a test could you remove that line and test SSH again?
I find this observation interesting "when it comes to WAN, it cannot be accessed from this address, nor the Australian IP". I am not clear why 2 IP addresses are indicated but I am not convinced that the IP address is the real issue with SSH. If the address were the cause of the problem I would expect that one or the other would work. If you access something in the Internet from a device on your inside network and then show the translate table on the router would it shed light on which address is being used?