SSH Broke after Router configured for Internet access

Rsqswmr69
Level 1

Hello folks...Looking for some help.  Here is the short version.  Bought a 2800 router for lab setup and configured it fine for SSH connection.  SSH worked perfectly.  Went on to configure the router as a lab router with Internet access.  While connected through SSH and configuring it for Internet access on a separate subnet, I lost my SSH connection and cannot get it back.  Had to console into the lab router to continue the Internet access configuration.  It was at the point of configuring inside and outside NAT that my SSH connection was broken.  Any advice?  Not a complete NOOB.....but this is stumping me.

7 Replies

Hello,

 

Can you post the config? Did you try to zeroize and re-enter the RSA key?

Georg,

Here is my running config:

 

LabRouter#sh running-config
Building configuration...


Current configuration : 1601 bytes
!
! Last configuration change at 03:57:33 UTC Sun Aug 9 2020
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LabRouter
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ShoN$iUDGOx3C1vpoZgWEvpggk/
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip dhcp pool LabMan
network 192.168.2.0 255.255.255.0
default-router 192.168.2.55
dns-server 8.8.8.8
!
!
ip domain name kbcomputersense.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2821 sn FTX1325A00M
username Kory privilege 15 secret 5 $1$76t/$/X8LMdaeD18o9J226FpgZ/
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.2.55 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
!
ip forward-protocol nd
no ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.55
!
logging esm config
access-list 1 permit any
access-list 1 permit 192.0.0.0 0.255.255.255
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
end

Hello,

 

Delete access-list 1 and re-enter it with just this one line:

 

access-list 1 permit 192.168.2.0 0.0.0.255

You Rock...Thank you...

Can you briefly explain what my mistake was so I understand it correctly......?

Hello,

 

'permit any' or 'permit ip any any' is usually not a good idea. It translates the IP address of the interface(s) as well, which can cause problems such as the one you experienced with broken SSH access.

 

Glad that you got it resolved...

I have seen issues before when the ACL used for NAT included a lot more than just the inside network. In your case you would be including any packet whose source address began with 192. We do not know what the IP of your outside interface is, but your static route gives us a clue:

ip route 0.0.0.0 0.0.0.0 192.168.1.55

If your outside interface is in the 192.168.1 network then any attempt to SSH to the outside interface would generate a response packet whose source address qualified for address translation. If the interface is attempting to respond to an SSH request you really do not want that translated.

HTH

Rick
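To make Rick's explanation concrete, here is an added example (not from the thread and not Cisco's own code) that models how a standard ACL with wildcard masks selects packets for NAT translation. It evaluates the original access-list 1 and the corrected one against two constructed flows: a lab host going to the Internet, and the router's own SSH reply leaving the outside interface. The outside interface address 192.168.1.20 and the admin host 192.168.1.100 are assumed values, since the thread does not state them; the model covers only the ACL match, which is the part the fix changes.

```python
import ipaddress

# Constructed example: a minimal model of a Cisco standard ACL used as the
# "ip nat inside source list" selector. It is not Cisco's implementation.


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    care_bits = 0xFFFFFFFF ^ wc_i  # bits that must match exactly
    return (ip_i & care_bits) == (net_i & care_bits)


def acl_permits(acl, src_ip: str) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for action, network, wildcard in acl:
        if wildcard_match(src_ip, network, wildcard):
            return action == "permit"
    return False


# access-list 1 as posted; 'permit any' is 0.0.0.0 with wildcard 255.255.255.255
ACL_ORIGINAL = [
    ("permit", "0.0.0.0", "255.255.255.255"),
    ("permit", "192.0.0.0", "0.255.255.255"),
]

# access-list 1 as suggested in the reply: only the inside LAN
ACL_FIXED = [
    ("permit", "192.168.2.0", "0.0.0.255"),
]

# Constructed flows. The outside interface address is ASSUMED (it is DHCP-
# assigned by the home router in the thread and never stated).
OUTSIDE_IF_ASSUMED = "192.168.1.20"
ADMIN_HOST_ASSUMED = "192.168.1.100"

SAMPLE_FLOWS = [
    {"desc": "lab host browsing the Internet",
     "src": "192.168.2.10", "dst": "8.8.8.8"},
    {"desc": "router's own SSH reply to the admin on the home LAN",
     "src": OUTSIDE_IF_ASSUMED, "dst": ADMIN_HOST_ASSUMED},
]


def would_translate(acl, flow) -> bool:
    """True if the NAT source list would select this packet for translation."""
    return acl_permits(acl, flow["src"])


def report(acl):
    """Map each sample flow description to whether it would be translated."""
    return {f["desc"]: would_translate(acl, f) for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, acl in (("original ACL 1", ACL_ORIGINAL), ("fixed ACL 1", ACL_FIXED)):
        print(name)
        for desc, translated in report(acl).items():
            print(f"  {desc}: {'TRANSLATED' if translated else 'untouched'}")
```

With the original list, the router's own SSH reply sourced from the outside interface is selected for translation just like a lab host's traffic, which is the symptom described above; with the list narrowed to 192.168.2.0/24, only inside hosts match and the router's management traffic is left alone. Note also that the second line of the original list is unreachable, because `permit any` already matches everything.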

Also let me explain the setup..

 

ISP -> Linksys AC6500 -> Cisco 3750 switch -> LabRouter (2800)

1.55 is my default gateway for the Home Router

SSH was working until I was configuring the LabRouter for Internet access. Right about when I was configuring the NAT.

 
