
Suddenly SSH stopped working

asadgulzar90
Level 1

Hello,

I have configured SSH on 2 Cisco routers in one branch. Both of them were working fine, but one day suddenly one of the routers' SSH stopped working. Now when I try to access it by PuTTY, it immediately gives me the error message "Server unexpectedly closed the connection".

The router is connected to the ISP so it has public and private IP addresses; however, I can ping the router from HQ, and if I try to SSH to it from my HQ router, I can SSH through the public IP but not through the private IP.

I have also tried to do telnet but same issue.

7 Replies

Giuseppe Larosa
Hall of Fame

Hello,

If you can perform SSH to the public address, the SSH server is still working on the remote router.

 

>> I can ssh through public IP but not through private IP

 

Look for any configuration changes, because this looks more related to a configuration change.

 

Hope to help

Giuseppe

 

I didn't change the config since it was working fine at the start. As I said before, the other router is also working well.
Can you please tell me if there is any specific thing to check?

Hello ,

Post the configuration of the affected devices; make changes to protect yourself (hide public addresses and passwords).

Have you got an IPSec VPN LAN to LAN to reach the internal network of the remote office?

Also NAT statements can have an effect.

 

Hope to help

Giuseppe

 

#sh runn
Building configuration...

Current configuration : 6599 bytes
!
! Last configuration change at 08:24:11 UTC Mon Aug 19 2019 by xyz
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname abc
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 uHj.0741VttY5HilaEKF80G
!
aaa new-model
!
!
aaa authentication login VTY-login local enable
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
!
!
!
!


!
!
!
!
ip domain name xyz
ip name-server 0.0.0.0
ip name-server 8.8.8.8
ip cef
login block-for 65535 attempts 9 within 180
login quiet-mode access-class Strict-Access
no ipv6 cef
!
!
vtp mode transparent
vtp version 2
username xyz privilege 15 secret 4 gbaKmVqOXtI6WdwE9JhNI
!
!
!
!
!
controller VDSL 0
!
vlan 10
name Net_Infra
!
vlan 30
name Internet
!
vlan 31
name S_Internet
!
ip ftp username xyz
ip ftp password 7 013E07105A
ip ssh source-interface Vlan10
ip ssh version 2
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 31
no ip address
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.10.10.2 255.255.255.252
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan30
no ip address
!
interface Vlan31
ip address 2.2.2.2 255.255.255.254
ip access-group Blocking_Ports_(External) in
ip nat outside
ip virtual-reassembly in
!
router ospf 10
network 10.10.10.0 0.0.0.3 area 0.0.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export source Vlan10
ip flow-export version 9
ip flow-export destination x.x.x.x 60105
!
ip nat inside source list 1 interface Vlan31 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
line con 0
logging synchronous
login authentication VTY-login
no modem enable
line aux 0
line vty 0 4
session-timeout 10
login authentication VTY-login
transport preferred ssh
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
ntp source Vlan10
ntp server x.x.x.x prefer

end

Hello ,

Can you also provide the configuration of the access-lists:

>> Strict-Access  used in login quiet command

>> 1 used for NAT

 

I do not see any VPN here and you have an ethernet handoff on Fas3 associated to SVI Vlan 31

I see you have also

>> ip ssh source-interface Vlan10

 

This means outgoing SSH sessions started by this device will use the vlan 10 source address.

 

From what you have reported I don't see how you can connect on the LAN interface from the HQ office; only SSH to the Vlan31 public address should be possible.

You could use an

ip nat inside source static tcp 2.2.2.2 22330 10.10.10.1 22 extendable

Edit: the correct syntax requires the internal address first

ip nat inside source static tcp 10.10.10.1 22 2.2.2.2 22330

to make the SSH session to TCP port 22330 on the public address be mapped to the internal Vlan 10.

I am not sure this can work as this command is usually used for internal clients to make them reachable via internet using the public address on a specific port.

 

Hope to help

Giuseppe
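
Added example, not part of any reply in this thread: the posted configuration references the ACLs `Strict-Access`, `1` and `Blocking_Ports_(External)`, but none of their definitions appear in the post. On IOS, the ACL named by `login quiet-mode access-class` decides which sources can still log in once `login block-for` has put the router into quiet mode. The Python sketch below lists every ACL a config references without defining and reports the `login block-for` parameters; the sample text is constructed from lines of the config above, and the function and variable names are assumptions.

```python
import re

# Constructed sample: the ACL-related lines from the configuration posted above.
SAMPLE_CONFIG = """\
login block-for 65535 attempts 9 within 180
login quiet-mode access-class Strict-Access
interface Vlan31
 ip access-group Blocking_Ports_(External) in
 ip nat outside
ip nat inside source list 1 interface Vlan31 overload
line vty 0 4
 transport input ssh
"""

# Commands that reference an ACL by name or number.
REFERENCES = [
    ("login quiet-mode", re.compile(r"^login quiet-mode access-class (\S+)")),
    ("interface filter", re.compile(r"^ip access-group (\S+) (?:in|out)")),
    ("vty access-class", re.compile(r"^access-class (\S+) (?:in|out)")),
    ("NAT source list", re.compile(r"^ip nat inside source list (\S+)")),
]
# Commands that define an ACL (named and numbered forms).
DEFINITIONS = [
    re.compile(r"^ip access-list (?:standard|extended) (\S+)"),
    re.compile(r"^access-list (\d+) "),
]
BLOCK_FOR = re.compile(r"^login block-for (\d+) attempts (\d+) within (\d+)")

def audit_acl_references(config_text):
    """Return (undefined_refs, block_for) for an IOS running-config dump."""
    referenced, defined, block_for = [], set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = BLOCK_FOR.match(line)
        if m:
            # (quiet seconds, failed attempts, window seconds)
            block_for = tuple(int(g) for g in m.groups())
        for rx in DEFINITIONS:
            m = rx.match(line)
            if m:
                defined.add(m.group(1))
        for purpose, rx in REFERENCES:
            m = rx.match(line)
            if m:
                referenced.append((purpose, m.group(1)))
    undefined = [(p, n) for p, n in referenced if n not in defined]
    return undefined, block_for
```

Run against a full `show running-config` capture, an empty first result means every referenced ACL is present in the text being reviewed.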

 

Dear,
I tried to access that router from the HQ router by SSH at the public IP and it is now giving me the error "connection refused from remote host". (Only this way was working before, and it has now stopped by itself.)

Perhaps a good place to start is with the output of the command show ip ssh from the router.

 

HTH

 

Rick
