
SSH to an external interface on 877

twhittle1
Level 1

Hi,

I'm trying to SSH onto my 877 router from an external location and the SSH connection keeps timing out. I am using dynamic DNS and the address is updating correctly to the IP address on the dialer interface, and pings go through fine, but when I SSH the connection times out.

I can SSH internally from my LAN interface when connecting to the internal addresses, external IP address and Dynamic DYNDNS address. 

I have been previously using a 871 with an external ADSL modem and I was able to SSH in, and when I've switched it over to an 877 I can't get the SSH connection to work.

Do I need to add any additional configuration when using SSH and trying to connect to the dialer? Am I missing something really obvious?

Many Thanks,

Tom Whittle

5 Replies

johnd2310
Level 8

Hi,

Have you allowed SSH in the external access list?

Thanks

John

**Please rate posts you find helpful**

Hi John,

Thanks for your response, I've tried it both without an access list and also with permit ip any any in the access list and I get the same thing.

Interestingly, if I try to SSH externally to the wrong port I get the "connection refused" message, so I'm wondering if it's a bug or something. I may have to go a looking.

I was just curious if anyone knows if there are any considerations or gotchas using an ATM / dialer interface and trying to SSH externally. SSH has always been reasonably easy to set up and I wondered if there are any special considerations with ADSL.

Many Thanks,

Tom

Hi,

Are you using zone based firewall or context based firewall?

thanks

John

**Please rate posts you find helpful**

Hi, 

I'm actually not using any firewall. I used to have an ACL on the vty ports but I removed this thinking it was adding confusion.

Just an update on the possibility of an IOS bug, I downgraded the IOS last night and I'm getting the same issues so I'm not convinced it is this. I jumped from the 15.0 train to 12.4.

RE my SSH config, I've enabled SSH and can SSH from the internal LAN. I have no firewall currently on the router, in case this was the issue. 

Would it be causing an issue that my DYNDNS commands are on the dialer interface rather than the ATM interface? I've just switched this round to check.

Has anyone else got SSH working to an 877? I assume it's something so simple I've missed.

Many Thanks,

Tom

Hi,

I have an answer, I don't understand it but I have an answer. 

Previously I was using an extended ACL for the NAT command and as soon as I changed the ACL to a standard ACL SSH from an external source now works. I don't understand why...

The old ACL was:

ip access-list extended ACL-NAT
 permit ip 172.16.0.0 0.0.255.255 any
 deny ip any any

The new list is:

access-list 1 permit 172.16.0.0 0.0.255.255

Aren't these the same?

Anyway, it works, but it'd be nice if I knew why.

Thanks,

Tom
