Can't SSH to CISCO 2911 from outside

J32773277
Level 1

Hello Dears,

I am facing a strange issue with my voice gateway router.

I can access it from the site's local network using SSH and the credentials to log in, but I can't access it from the other site with the same credentials. The running config is below:

 


login as:admin
Using keyboard-interactive authentication.
Password: 
GW>en
Password: 
GW#sh run
Building configuration...


Current configuration : 4447 bytes
!
version 15.5
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname GW
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.155-1.T.bin
boot-end-marker
!
!
enable secret 5 ******************************
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 0:00 last Sun Oct 0:00
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name das.cisco.com
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
cts logging verbose
!
!
voice-card 0
!
!
!
voice service voip
 ip address trusted list
  ipv4 10.x.x.x.
  ipv4 10.x.x.x.
  ipv4 10.x.x.x.
  ipv4 10.x.x.x.
 address-hiding
 mode border-element 
 allow-connections sip to sip
 redirect ip2ip
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 sip
  midcall-signaling passthru
!
voice class codec 10
 codec preference 1 g711alaw
 codec preference 2 g711ulaw
 codec preference 3 g729r8
!
!
!
!
!
!
!
!
license udi pid CISCO2911/K9 sn FCZ153870BM
license accept end user agreement
hw-module pvdm 0/0
!
!
!
username admin password 7 **********
!
redundancy
!
no cdp run
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
translation-rule 10
 Rule 0 ^90 0
 Rule 1 ^91 1
 Rule 2 ^92 2
 Rule 3 ^93 3
 Rule 4 ^94 4
 Rule 5 ^95 5
 Rule 6 ^96 6
 Rule 7 ^97 7
 Rule 8 ^98 8
 Rule 9 ^99 9
!
!
translation-rule 40
 Rule 0 ^1 093231
 Rule 1 ^2 093232
 Rule 2 ^3 093443
 Rule 3 ^4 093444
 Rule 4 ^5 093445
 Rule 5 ^6 093446
 Rule 6 ^7 093447
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.xx.x.x. 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description ### link for SIP Trunk ###
 ip address 1x2.x.x.x. 255.255.255.0
 ip access-group 100 in
 duplex full
 speed 100
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 10.x.0.0 255.255.0.0 10.x.2.1
ip route ********* 255.255.255.0 GigabitEthernet0/2 1x2.x.x.x
!
!
!
access-list 100 permit ip host ********** host 1x2.x.x.x
access-list 100 permit ip host *********** host 1x2.x.x.x
access-list 100 permit ip host ********** host 1x2.x.x.x
access-list 100 permit ip host ********** host 1x2.x.x.x
access-list 100 permit ip host ********* host 1x2.x.x.x
access-list 100 permit ip host ******** host 1x2.x.x.x
!
control-plane
!
 !
 !
 !
 !
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
dial-peer voice 1000 voip
 description ### Trunk DP ###
 translation-profile incoming SIPInbound
 huntstop
 destination-pattern 9T
 translate-outgoing calling 40
 translate-outgoing called 10
 rtp payload-type cisco-codec-fax-ind 98
 no modem passthrough
 session protocol sipv2
 session target ipv4:178.250.112.66
 voice-class codec 10  
 voice-class sip dtmf-relay force rtp-nte
 voice-class sip options-ping 65
 dtmf-relay rtp-nte
 fax-relay sg3-to-g3
 fax rate 14400
!
dial-peer voice 1100 voip
 description ### Airspeed SIP Trunk DP ###
 rtp payload-type cisco-codec-fax-ind 98
 no modem passthrough
 session protocol sipv2
 session target ipv4:10.107.2.4
 incoming called-number 9T
 voice-class codec 10  
 dtmf-relay rtp-nte
 fax-relay sg3-to-g3
 fax rate 14400
!
dial-peer voice 1101 voip
 description ### Airspeed SIP Trunk DP ###
 rtp payload-type cisco-codec-fax-ind 98
 no modem passthrough
 session protocol sipv2
 session target ipv4:1x2.x.x.x
 incoming called-number 9T
 voice-class codec 10  
 dtmf-relay rtp-nte
 fax-relay sg3-to-g3
 fax rate 14400
!
!
sip-ua 
 keepalive target ipv4:1x2.x.x.x
!
!
!
gatekeeper
 shutdown
!
!
!
line con 0
 logging synchronous
 login local
line aux 0
 logging synchronous
 login local
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 logging synchronous
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end

GW#

 

Please help me!! :) 

6 Replies

d-fillmore
Level 2

Could there be a firewall somewhere in between blocking the SSH?

Can you ping the management address from the other site?

There are no firewalls. Yes, I can ping, and it even asks for credentials when I try, but if I enter the password it fails.

I can see the other device in that site using aes256-cbc encryption.

SW#sh ssh

%No SSHv1 server connections running.

Connection Version Mode Encryption  Hmac         State                 Username

0          2.0     IN   aes256-cbc  hmac-sha1    Session started       admin

0          2.0     OUT  aes256-cbc  hmac-sha1    Session started       admin

 

But the new device is on IOS 15.5 and uses aes128-cbc encryption.

GW#sh ssh

Connection Version Mode Encryption  Hmac         State                 Username

0          2.0     IN   aes128-cbc  hmac-sha1    Session started       admin

0          2.0     OUT  aes128-cbc  hmac-sha1    Session started       admin

%No SSHv1 server connections running.

 

Does this cause any problem? Local access works, however.

Not sure. Try 'debug ip ssh detail' on the GW device and see if it's reporting any errors.

What are you trying to SSH from? Is it another Cisco device or a machine using PuTTY/SecureCRT?

 

The device is in another country. They can SSH into the device locally, but I can't access it.

Andre Neethling
Level 4

Check access list 100 and make sure that the IP you are trying to connect from and the protocol you are using are allowed in that access list.
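Andre's suggestion to check access list 100 can be verified mechanically. The following is an added example, not code from the thread or from Cisco: it evaluates a numbered IOS extended ACL the way the router does (first matching entry wins, then the implicit deny) against a constructed copy of the post's access-list 100, using placeholder addresses because the real hosts are masked in the post.

```python
import ipaddress

# Constructed sample modelled on the thread's access-list 100 (the real hosts are masked in the post, so documentation-range placeholders stand in).
SAMPLE_ACL = """
access-list 100 permit ip host 198.51.100.10 host 192.0.2.5
access-list 100 permit ip host 198.51.100.11 host 192.0.2.5
access-list 100 permit tcp 10.107.0.0 0.0.255.255 host 192.0.2.5 eq 22
"""
PORT_NAMES = {"ssh": 22, "telnet": 23, "domain": 53, "bootps": 67, "bootpc": 68}

def _addr(tokens, i, addr):
    """Match one IOS address spec (any | host X | X wildcard) starting at tokens[i]."""
    if tokens[i] == "any":
        return True, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_address(tokens[i + 1]) == addr, i + 2
    net = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    # A set wildcard bit means "don't care", so compare only the zero bits.
    return (int(addr) & ~wild) == (net & ~wild), i + 2

def _port(tokens, i, port):
    """Match an optional 'eq <port>' qualifier; no qualifier matches any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return port == (PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])), i + 2
    return True, i

def parse_acl(text, number):
    """Return the entries of numbered extended ACL `number` as token lists, in order."""
    return [t[2:] for t in (line.split() for line in text.splitlines())
            if len(t) > 4 and t[:2] == ["access-list", str(number)]]

def acl_permits(entries, proto, src, dst, sport=0, dport=0):
    """Evaluate the ACL as IOS does: first matching entry wins, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in entries:                 # ace = [action, proto, src..., dst..., ports]
        if ace[1] != "ip" and ace[1] != proto:   # 'ip' entries match every protocol
            continue
        s_ok, i = _addr(ace, 2, src)
        sp_ok, i = _port(ace, i, sport)
        d_ok, i = _addr(ace, i, dst)
        dp_ok, i = _port(ace, i, dport)
        if s_ok and sp_ok and d_ok and dp_ok:
            return ace[0] == "permit"
    return False  # nothing matched: the implicit 'deny ip any any'

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL, 100)
    for src in ("198.51.100.10", "10.107.2.4", "203.0.113.9"):  # trunk peer, LAN host, other
        print(src, "permit" if acl_permits(acl, "tcp", src, "192.0.2.5", 51515, 22) else "deny")
```

Since the post applies access-list 100 inbound on GigabitEthernet0/2 and lists only the SIP trunk peers, any SSH arriving on that interface from another source falls through to the implicit deny; the vty lines in the config carry no access-class, so they restrict nothing themselves.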

There is no ACL configured on the router. The g/w has the ACLs below:


L3#sh access-lists
Extended IP access list system-cpp-all-routers-on-subnet
    10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
    10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
    10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
    10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
    10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
    10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
    10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
    10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
    10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
    10 permit ospf any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-pim
    10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
    10 permit ip any host 224.0.0.9
Extended MAC access list system-cpp-bpdu-range
    permit any 0180.c200.0000 0000.0000.0003
Extended MAC access list system-cpp-cdp
    permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-dot1x
    permit any host 0180.c200.0003
Extended MAC access list system-cpp-sstp
    permit any host 0100.0ccc.cccd
L3#exi