
Telnet and SSH stopped working after configuring static NAT on router

djulien357
Level 1

Hi everyone,

I am having a weird problem with my edge routers. Everything was working perfectly before I configured NAT forwarding but stopped allowing incoming telnet and ssh sessions from the internet the second it was implemented. I have added an access-list allowing telnet and ssh to the interface facing the internet but no go. I turned on debug and tried telnetting to the router, but for some reason the router is still not allowing the session even though an access-list is allowing telnet and ssh, so therefore debug is not reporting anything being initiated. Anyone experienced a similar problem like that before?

16 Replies

I did remove the local policy route-map but still no go.

jdfoxmicro
Level 1

I had a similar problem, and found this post by Googling "ip local policy route-map" ssh after several other attempts to find any information about this.

Like the OP, I have an ISR in front of firewalls, and want to SSH from inside, and be able to reach it from my remote office on one of its outside interfaces. I have two inside and two outside interfaces (on separate ISPs), with NAT and PBR configured on all of them, with no default gateway. I could SSH to it from the inside, but not from the outside. The source IP from the inside is on a directly connected network (due to NAT on the firewall behind the ISR), so the ISR doesn't have to route to respond. So, I tried adding an ip local policy route-map, referencing the route map that would send traffic along the desired outside interface. At this point, I lost SSH access from the inside and outside!

From the outside, it was clearly using the route map for internally generated traffic. I could ping it, and it now answered on the outside. If I tried SSH from the outside from an IP address not on the access list, I got "connection refused" right away, meaning the ISR was sending (and routing) the RST. But if I tried from an IP address on the access list, it timed out.

Anyway, by setting a default gateway to route outside, SSH now works both ways (yes, I had to drive over there with my console cable). I also removed the ip local policy route-map, since it's not necessary once a default gateway has been set.

So, somehow if you have NAT and/or PBR configured, the SSH service doesn't work with route maps.