04-16-2021 06:41 PM
I've got an access list denying SSH on my WAN IP. I'm logging the denied attempt.
In the logs, the destination is showing an IP that isn't my WAN IP. It also isn't the same IP every time, but they are all in the 4*.*.*.* range.
I thought the destination would be my WAN IP. Am I missing anything?
04-16-2021 06:49 PM
What model device is it?
04-16-2021 08:19 PM
It's a 1921 with 2 VDSL EHWICs
04-16-2021 08:26 PM
I imagine this could be a lengthy Q&A since it's a strange issue. In hopes of avoiding that, posting your config is probably the best way to go forward.
04-16-2021 08:36 PM - edited 04-16-2021 08:38 PM
Actually, you could just tell me the IP and subnet mask of your WAN interface, and are you running a routing protocol with your ISP?
04-16-2021 11:41 PM
My WAN connection is a VDSL2 service that uses IPoE which assigns a sticky IP to Eth 0/0/0.
I also have a second VDSL service that uses PPPoE.
!
! Last configuration change at 13:53:42 AEST Sat Apr 17 2021 by admin
! NVRAM config last updated at 22:19:48 AEST Fri Apr 16 2021 by admin
!
version 15.7
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
no service password-encryption
!
hostname RT01
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.157-3.M8.bin
boot-end-marker
!
no logging message-counter syslog
!
aaa new-model
!
aaa authentication login default local
aaa authentication login local_access local
aaa authentication login SSLVPN_AAA local
!
aaa session-id common
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
ip name-server 10.0.0.21
ip name-server 10.0.0.22
ip cef
ipv6 unicast-routing
ipv6 cef
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
multilink bundle-name authenticated
!
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
 subject-name CN=RT01
 revocation-check crl
 rsakeypair SSLVPN_KEYPAIR
!
crypto pki certificate chain SSLVPN_CERT
 certificate self-signed 01
  ******
  quit
license udi pid CISCO1921/K9 sn **********
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
 any
!
object-group network Others_src_net
 any
!
object-group service Others_svc
 ip
!
object-group network Web_dst_net
 any
!
object-group network Web_src_net
 any
!
object-group service Web_svc
 ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 any
!
object-group network vpn_remote_subnets
 any
!
username ***** privilege 15 secret 5 **********
!
redundancy
!
controller VDSL 0/0/0
 firmware filename flash:VA_B_38V_d24m.bin
!
controller VDSL 0/1/0
 firmware filename flash:VA_B_38V_d24m.bin
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
class-map type inspect match-any Web_app
 match protocol http
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect Web
  inspect
 class type inspect Others
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
!
crypto vpn anyconnect usbflash0:/webvpn/anyconnect-macos-4.10.00093-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect usbflash0:/webvpn/anyconnect-win-4.10.00093-webdeploy-k9.pkg sequence 2
!
crypto isakmp policy 1
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address pd-ipv6 ::1:0:0:0:1/64
 ipv6 enable
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0/0/0
 description ABB
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0/1/0
 ip address dhcp
!
interface Ethernet0/1/0.2
 encapsulation dot1Q 2
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp mtu adaptive
 ppp authentication chap callin
 ppp chap hostname *@*.*.*
 ppp chap password 0 *********
!
ip local pool SSLVPN_POOL 10.0.0.180 10.0.0.199
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
!
ip nat inside source list nat-list interface Ethernet0/0/0 overload
!
ip access-list extended Disable_SSH
 permit tcp 10.0.0.0 0.0.0.255 any eq 22 log
 deny ip any any log
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
 permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
!
logging origin-id hostname
logging source-interface Ethernet0/0/0
logging host *.*.*.* transport udp port *
!
snmp-server community HomeRO RO
access-list 1 permit 10.0.0.0 0.0.0.255
!
ipv6 access-list al-ipv6-e0-in
 permit icmp any any
 permit tcp any any established
 permit udp any any eq 546
 permit udp any eq domain any
!
control-plane
!
line con 0
 logging synchronous
 login authentication local_access
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class Disable_SSH in
 exec-timeout 30 0
 timeout login response 60
 privilege level 15
 logging synchronous
 login authentication local_access
 autocommand terminal monitor
 autocommand-options nohangup
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 216.239.35.0
ntp server 216.239.35.8
ntp server 216.239.35.4
ntp server 216.239.35.12
event manager applet storePreferences
 event none sync yes
 action 1 file open LOG usbflash0:ccpexp/preferences.JSON w+
 action 3 file close LOG
!
webvpn gateway SSLVPN_GATEWAY
 ip interface Ethernet0/0/0 port 4443
 ssl trustpoint SSLVPN_CERT
 inservice
!
webvpn context SSLVPN_CONTEXT
 virtual-template 1
 aaa authentication list SSLVPN_AAA
 gateway SSLVPN_GATEWAY
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSLVPN_POLICY
   functions svc-enabled
   svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
   svc split include acl 1
   svc dns-server primary 10.0.0.21
   svc dns-server secondary 10.0.0.22
 default-group-policy SSLVPN_POLICY
!
end
04-16-2021 11:54 PM
Hello
As this router looks like it's attached to the internet edge and the line vty access-list is ingress,
it's possible you are being scanned from these unknown addresses on SSH.
04-17-2021 03:06 AM
Here is an example log:
RT01: .Apr 17 2021 20:01:00.398 AEST: %SEC-6-IPACCESSLOGP: list Disable_SSH denied tcp 1.129.107.***(36451) -> 44.206.104.***(22), 1 packet
1.129.107.*** is the public IP of my mobile broadband service I am testing from. 44.206.104.*** is an AWS IP. My WAN IP is not in that range.
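Added example, not code from the thread: a vty access-class is only evaluated for connections addressed to the router itself, so the first check is to pull every IPACCESSLOGP line out of the syslog and compare the logged destination against the addresses and connected prefixes the router actually holds (what "show ip interface brief" reports). The script parses the message format quoted above and lists each denied hit whose destination is foreign to the box. The log lines below are constructed, using RFC 5737 documentation addresses in place of the masked ones; the WAN address 203.0.113.10 on a /30 and the LAN 10.0.0.0/24 are assumptions, not the poster's real values.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the IOS message quoted in the thread:
#   %SEC-6-IPACCESSLOGP: list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
# The prefix varies with "service timestamps" and "logging origin-id", so we search rather than match.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


@dataclass(frozen=True)
class AclHit:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    count: int


def parse_hit(line: str) -> Optional[AclHit]:
    """Parse one syslog line; None if it is not an IPv4 IPACCESSLOGP message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return AclHit(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src=ipaddress.IPv4Address(m["src"]), sport=int(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]), dport=int(m["dport"]),
        count=int(m["count"]),
    )


def classify_destination(dst, own_addrs, own_nets) -> str:
    """'own' = an address configured on the router, 'connected' = inside a connected prefix, else 'foreign'."""
    dst = ipaddress.IPv4Address(dst)
    if dst in own_addrs:
        return "own"
    if any(dst in net for net in own_nets):
        return "connected"
    return "foreign"


def foreign_hits(lines, own_addrs, own_nets) -> List[AclHit]:
    """Denied entries whose destination is not an address this router should be receiving traffic for."""
    out = []
    for line in lines:
        hit = parse_hit(line)
        if hit and hit.action == "denied" and classify_destination(hit.dst, own_addrs, own_nets) == "foreign":
            out.append(hit)
    return out


# Assumed router addressing (constructed, not from the thread): WAN 203.0.113.10/30, LAN 10.0.0.0/24.
OWN_ADDRS = {ipaddress.IPv4Address("203.0.113.10"), ipaddress.IPv4Address("10.0.0.254")}
OWN_NETS = [ipaddress.IPv4Network("203.0.113.8/30"), ipaddress.IPv4Network("10.0.0.0/24")]

# Constructed sample log: one hit on a destination the router does not own, one on the real WAN
# address, one permitted LAN hit, and an unrelated message that must be ignored.
SAMPLE_LOG = [
    "RT01: .Apr 17 2021 20:01:00.398 AEST: %SEC-6-IPACCESSLOGP: list Disable_SSH denied tcp 192.0.2.7(36451) -> 198.51.100.22(22), 1 packet",
    "RT01: .Apr 17 2021 20:01:05.120 AEST: %SEC-6-IPACCESSLOGP: list Disable_SSH denied tcp 192.0.2.7(36452) -> 203.0.113.10(22), 1 packet",
    "RT01: .Apr 17 2021 20:02:11.004 AEST: %SEC-6-IPACCESSLOGP: list Disable_SSH permitted tcp 10.0.0.21(51000) -> 10.0.0.254(22), 3 packets",
    "RT01: .Apr 17 2021 20:03:00.000 AEST: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for hit in foreign_hits(SAMPLE_LOG, OWN_ADDRS, OWN_NETS):
        print(f"{hit.acl}: {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport} "
              f"({hit.count} pkt) destination is not an address of this router")
```

Feed it the real syslog receiver's file instead of SAMPLE_LOG and populate OWN_ADDRS/OWN_NETS from the router; anything it prints is a packet the router accepted for an address it does not hold, which is the anomaly the thread is chasing. It only handles IPv4 entries; IOS logs IPv6 ACL hits under a different message ID.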
04-17-2021 06:03 AM
That's bizarre. Are you sure your IP isn't in that range? What's your subnet mask?
If you're correct, this looks like a massive fail by your ISP. I don't even know how they would be sending you those packets.
It would be interesting to do a wireshark on that link and see if the packets are being forwarded to you as if you own that IP space, or if there's an arp first as if that IP is connected. Look at destination MAC of the packet. Is it a broadcast?
Maybe tap into that link with your laptop and see if you can ping the address while wiresharking your session.
Not sure where you go from there or what you can do about it, but maybe you'll pull on a thread that unravels.
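The capture check suggested in the reply above, as an added offline example rather than code from the thread: read a classic pcap taken on the WAN link and, for every IPv4 address the upstream mentions, record whether it ARPed for that address (treating it as on your segment) or unicast IP packets for it to your MAC (treating it as routed to you). The capture is constructed inline with RFC 5737 addresses and made-up MACs; ROUTER_MAC standing for Ethernet0/0/0 and ISP_MAC for the upstream side are assumptions. A real file from tcpdump or Wireshark (Ethernet link type, classic pcap rather than pcapng) is read the same way.

```python
import ipaddress
import struct
from typing import Dict, Iterator, List

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield link-layer frames from a classic libpcap file (either byte order)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if order is None:
        raise ValueError("not a classic pcap file")
    offset = 24  # global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def describe_frame(frame: bytes) -> Dict:
    """What the reply asks for: who the frame is addressed to at L2, and which IP it concerns."""
    dst_mac, src_mac = mac_str(frame[0:6]), mac_str(frame[6:12])
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    info = {"dst_mac": dst_mac, "src_mac": src_mac, "broadcast": dst_mac == BROADCAST_MAC,
            "kind": "other", "target_ip": None, "dport": None}
    if ethertype == ETHERTYPE_ARP:
        # ARP body: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
        oper = struct.unpack_from("!H", frame, 14 + 6)[0]
        info["kind"] = "arp-request" if oper == 1 else "arp-reply"
        info["target_ip"] = str(ipaddress.IPv4Address(frame[14 + 24:14 + 28]))
    elif ethertype == ETHERTYPE_IPV4:
        ihl = (frame[14] & 0x0F) * 4
        info["kind"] = "ipv4"
        info["target_ip"] = str(ipaddress.IPv4Address(frame[14 + 16:14 + 20]))
        if frame[14 + 9] == 6:  # TCP: destination port is bytes 2-3 of the TCP header
            info["dport"] = struct.unpack_from("!H", frame, 14 + ihl + 2)[0]
    return info


def summarize_by_target(data: bytes, my_macs) -> Dict[str, Dict]:
    """Per target IP: did the upstream ARP for it, and did it unicast IP packets for it to us?"""
    my_macs = {m.lower() for m in my_macs}
    summary: Dict[str, Dict] = {}
    for frame in iter_pcap_frames(data):
        d = describe_frame(frame)
        if d["target_ip"] is None:
            continue
        entry = summary.setdefault(d["target_ip"],
                                   {"arp_request_seen": False, "unicast_ip_to_us": False, "ssh_attempts": 0})
        if d["kind"] == "arp-request":
            entry["arp_request_seen"] = True
        elif d["kind"] == "ipv4" and not d["broadcast"] and d["dst_mac"] in my_macs:
            entry["unicast_ip_to_us"] = True
            if d["dport"] == 22:
                entry["ssh_attempts"] += 1
    return summary


# ---- constructed capture (assumed MACs, documentation addresses; not the poster's link) ----
ROUTER_MAC = "00:11:22:33:44:55"  # assumed MAC of Ethernet0/0/0
ISP_MAC = "66:77:88:99:aa:bb"     # assumed MAC of the upstream side


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    eth = _mac(BROADCAST_MAC) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + _mac(sender_mac)
           + ipaddress.IPv4Address(sender_ip).packed + b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def tcp_syn(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,  # checksums left 0: parse-only
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap([
    arp_request(ISP_MAC, "203.0.113.9", "198.51.100.22"),                   # upstream asks who has a foreign IP
    tcp_syn(ROUTER_MAC, ISP_MAC, "192.0.2.7", "198.51.100.22", 36451, 22),  # and forwards a SYN for it to our MAC
    tcp_syn(ROUTER_MAC, ISP_MAC, "192.0.2.7", "203.0.113.10", 36452, 22),   # a SYN to our real WAN address
])

if __name__ == "__main__":
    for ip, e in summarize_by_target(SAMPLE_PCAP, {ROUTER_MAC}).items():
        print(f"{ip}: arp-request={e['arp_request_seen']} unicast-to-us={e['unicast_ip_to_us']} "
              f"ssh-attempts={e['ssh_attempts']}")
```

Reading the output the way the reply describes it: an ARP request for the foreign address means the upstream believes that address lives on your segment; a unicast frame to your MAC carrying that address with no ARP means the upstream is routing the prefix to you. Either way the destination MAC tells you the packet was sent to your router deliberately, not flooded.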