03-26-2013 07:45 AM - edited 03-04-2019 07:24 PM
Hi everyone,
I am having a weird problem with my edge routers. Everything was working perfectly before I configured NAT forwarding, but the second it was implemented the router stopped allowing incoming telnet and ssh sessions from the internet. I have added an access-list allowing telnet and ssh to the interface facing the internet, but no go. I turned on debug and tried telnetting to the router, but for some reason the router is still not allowing the session even though an access-list is allowing telnet and ssh, so debug is not reporting anything being initiated. Has anyone experienced a similar problem before?
03-27-2013 06:51 AM
I did remove the local policy route-map but still no go.
05-07-2018 07:40 AM - edited 05-07-2018 08:01 AM
I had a similar problem, and found this post by Googling "ip local policy route-map" ssh after several other attempts to find any information about this.
Like the OP, I have an ISR in front of firewalls, and want to SSH from inside, and be able to reach it from my remote office on one of its outside interfaces. I have two inside and two outside interfaces (on separate ISPs), with NAT and PBR configured on all of them, with no default gateway. I could SSH to it from the inside, but not from the outside. The source IP from the inside is on a directly connected network (due to NAT on the firewall behind the ISR), so the ISR doesn't have to route to respond. So, I tried adding an ip local policy route-map, referencing the route map that would send traffic along the desired outside interface. At this point, I lost SSH access from the inside and outside!
From the outside, it was clearly using the route map for internally generated traffic. I could ping it, and it now answered on the outside. If I tried SSH from the outside from an IP address not on the access list, I got "connection refused" right away, meaning the ISR was sending (and routing) the RST. But if I tried from an IP address on the access list, it timed out.
Anyway, by setting a default gateway to route outside, SSH now works both ways (yes, I had to drive over there with my console cable). I also removed the ip local policy route-map, since it's not necessary once a default gateway has been set.
So, somehow if you have NAT and/or PBR configured, the SSH service doesn't work with route maps.
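The pattern described in the post above (two outside interfaces, NAT, PBR and a local policy route-map that swallowed the router's own SSH replies) can be reproduced and compared with a configuration that keeps router-generated replies on the interface the session came in on. This is an added example, not configuration from either poster's routers; interface names, addresses and next hops are assumptions.

```cisco
! Assumed topology: Gi0/0 faces ISP-A (203.0.113.10/24, gateway .1),
! Gi0/1 faces ISP-B (198.51.100.10/24, gateway .1). Addresses are made up.

! --- Problematic form: every router-originated packet is forced to ISP-B ---
! "ip local policy" applies to packets the router itself generates, which
! includes the SYN-ACK and data of an SSH session answered by the VTY lines.
! A session that arrived on Gi0/0 is therefore answered out Gi0/1 and never
! completes, while a source blocked by the VTY ACL still gets a RST.
ip access-list extended LOCAL-ALL
 permit ip any any
route-map LOCAL-OUT-ISP-B permit 10
 match ip address LOCAL-ALL
 set ip next-hop 198.51.100.1
ip local policy route-map LOCAL-OUT-ISP-B

! --- Corrected form ---
! 1. A default route so the router always has a path to reply with (the fix
!    the 2018 post settled on).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! 2. If local PBR is still wanted, match on the router's own source address
!    per ISP so replies leave the interface they were addressed to.  Traffic
!    matching neither sequence falls through to the routing table.
no ip local policy route-map LOCAL-OUT-ISP-B
ip access-list extended SRC-ISP-A
 permit ip host 203.0.113.10 any
ip access-list extended SRC-ISP-B
 permit ip host 198.51.100.10 any
route-map LOCAL-OUT permit 10
 match ip address SRC-ISP-A
 set ip next-hop 203.0.113.1
route-map LOCAL-OUT permit 20
 match ip address SRC-ISP-B
 set ip next-hop 198.51.100.1
ip local policy route-map LOCAL-OUT
! 3. Restrict management sources on the VTYs as both posters did (assumed ACL).
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

Check which sequence a reply hits with `show route-map LOCAL-OUT` (the match counters increment per sequence) and, while testing from the remote office, `debug ip policy` shows whether a router-originated packet was policy routed or fell through to the routing table.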