Unable to SSH from the outside with an alternate port

Hello,

I have a Cisco 2851 router

- Configured SSH for an alternate port but it does not work inbound from the "world"

- I can connect SSH internally using SecureCRT from inside my network

- I also have other services that I cannot get to from the outside

- And if I can throw this in I am trying to BLOCK....SNMP and NTP inbound

- When I scan the Router external IP it shows SNMP...and NTP as "open"

I did a lot of research before posting here but I just cannot figure it out.

 

Here is my entire config file (attached)

 

I am no Cisco expert but I have learned a lot......

Please feel free to make any suggestions or changes to my config file you may have

 

I would be very grateful...thank you

 

7 Replies

Rich Uline
Level 1

David,

Presumably, based on the contents of the DenyStdSSH ACL, you want to access your router via SSH on port 8500. If you will access this port from the outside interface, the first thing that I notice is that your standard ACL 101 does not permit it. Assuming you will be using the outside IP address, then nothing else is needed.

 

You should also think about using a loopback address on your router for management. With your NAT configuration, you will also need a static port mapping to make that work from the outside.

 

Edit: I think your ACL 101 needs a complete rework, actually. For example, you have this line: 

access-list 101 permit tcp any eq www any log

 I presume that you intend to allow users within your network access to the Internet, but this line actually lets the Internet access a web server within your network (except that the NAT configuration doesn't allow it). Are you hosting a web site?

Thanks for the reply

 

I have added this ACL

access-list 101 remark --- SSH 8500 ---
access-list 101 permit tcp any any eq 8500 log

 

I do not know anything about a loopback address for management

thanks for the reply

 

The only reason I have:

access-list 101 permit tcp any eq www any log

 

Because my ROUTER needs to have WWW so my DynDNS will register ...only the ROUTER

I just am not sure how to restrict it to the ROUTER only

I also only need DNS to answer on the ROUTER only, for the ip name-server.

(I am not sure how to restrict it to the ROUTER only.)

I don't need DNS on the INTERNAL network because I use DNSCrypt which uses port 443

 

I know my config file is kind of messy; I am still learning... if you have any suggestions...

 

Hello @DAVID RICHWALSKI

 

- Configured SSH for an alternate port but it does not work inbound from the "world"

I saw you have an access-class DenyStdSSH on your VTY line but I didn't see any ACL with this name.

You should have this command on VTY:

ip ssh port "portnum" rotary "group"

 

- I can connect SSH internally using SecureCRT from inside my network

OK

 

- I also have other services that I cannot get to from the outside

Which one?  

 

- And if I can throw this in I am trying to BLOCK....SNMP and NTP inbound

Use Context-Based Access Control (CBAC); a normal ACL probably will fail.

 

- When I scan the Router external IP it shows SNMP...and NTP as "open"

If you are not using it, disable it. If you are using SNMP and NTP, you can use a highly complex SNMP community for security, and NTP allows you to specify whom to speak to. You can specify the source for NTP to sync.

-If I helped you somehow, please, rate it as useful.-

 

Thanks for the reply.

I have the following on my outside interface:

ntp disable

 

and I have SNMP configured with a very strong string

I would like to set it so only my computer can access it
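Putting the advice from the replies above together (a rotary group so SSH listens on 8500, an ACL on the SNMP community so only the admin PC can poll it, NTP pinned to one source, and CBAC in place of the open "permit tcp any eq www any" line), as an added IOS configuration example that is not from the thread or the attached config. The interface name GigabitEthernet0/0, the ACL names, the community string and the addresses 192.168.1.50 and 198.51.100.123 are constructed placeholders, and the ip inspect (CBAC) lines assume an IOS image with the security feature set.

```cisco
! Hosts allowed to reach the router's SSH and SNMP (placeholder address;
! add the public address you SSH in from if you manage it from outside)
ip access-list standard MGMT-HOSTS
 permit 192.168.1.50
 deny   any log
!
! SSH on port 8500: the port is bound to a rotary group and the VTY
! lines join that group; "ip ssh port" alone does not move the listener
ip ssh port 8500 rotary 1
line vty 0 4
 rotary 1
 transport input ssh
 access-class MGMT-HOSTS in
!
! SNMP: a strong string still answers anyone who guesses it; the
! trailing ACL limits the sources. Use "no snmp-server" if unused.
snmp-server community REPLACE-WITH-STRONG-STRING RO MGMT-HOSTS
!
! NTP: only the configured server (placeholder) may exchange time with
! the router; the outside interface keeps "ntp disable" as in the post
ip access-list standard NTP-SERVERS
 permit 198.51.100.123
ntp access-group peer NTP-SERVERS
ntp server 198.51.100.123
!
! Inbound ACL on the outside interface: new connections are accepted
! only to SSH 8500; SNMP, NTP, HTTP, DNS and the rest are dropped and
! logged. CBAC below adds the dynamic entries for return traffic.
access-list 101 remark --- SSH 8500 to the router ---
access-list 101 permit tcp any any eq 8500 log
access-list 101 deny ip any any log
!
! CBAC: inspect sessions leaving the outside interface, including the
! router's own DynDNS (HTTP) and name-server (DNS) queries, so only
! matching reply packets are let back in. This replaces
! "permit tcp any eq www any", which let any host start a connection
! to the LAN as long as it came from source port 80.
ip inspect name OUTBOUND tcp router-traffic
ip inspect name OUTBOUND udp router-traffic
!
interface GigabitEthernet0/0
 description outside (placeholder name)
 ip access-group 101 in
 ip inspect OUTBOUND out
 ntp disable
```

Any service you still publish through static NAT needs its own permit line above the final deny in ACL 101. Check the result with "show ip inspect sessions" and "show access-lists 101" while a DynDNS update or an external scan is running.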

I want to thank you all for your help. I did manage to get my SSH working on the alternate port.

I also "trimmed" some things out of my config file, but I am sure a lot more could be done to make it better. I will continue to take your suggestions and do a lot more reading,

plus some trial & error.

If anyone can suggest any material that may help me out I would be grateful.

 
