02-25-2021 02:59 AM - edited 02-25-2021 06:04 AM
Cisco router 2911, there are two problems:
1. SSH from outside is not working. By "outside" I mean accessing the router on the WAN port from my home.
2. Pinging the router's WAN port from outside, i.e. from my home.
The complete configuration is as follows, please help:
(The IPsec site-to-site tunnel is working fine, no problems.)
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.240.1 192.168.240.20
!
ip dhcp pool XX-XX-DHCP
network 192.168.240.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
default-router 192.168.240.1
!
!
!
ip domain name xxx.xxx.xxx
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
cts logging verbose
!
!
license udi pid CISCO2911/K9
license accept end user agreement
license boot module c2900 technology-package securityk9
!
!
username myuser privilege 15 password 7
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address xxx.xxx.xxx.xx
!
!
crypto ipsec transform-set XXXX-XXXX esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map VPNMAP 1 ipsec-isakmp
set peer xxx.xxx.xxx.xx
set transform-set XXXX-XXXX
match address 101
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ****WAN****
ip address xxx.xxx.xxx.xx 255.255.255.252
ip nat outside
ip access-group 102 in
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPNMAP
!
interface GigabitEthernet0/1
description ***LAN***
ip address 192.168.240.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx
!
!
!
access-list 50 permit xxx.xxx.xxx.xx
access-list 100 deny ip 192.168.240.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 permit ip 192.168.240.0 0.0.0.255 any
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 permit icmp any any
access-list 102 permit ip any any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 50 in
login authentication local
transport input ssh
!
scheduler allocate 20000 1000
!
end
02-25-2021 03:06 AM - edited 02-25-2021 03:08 AM
First step: remove this inbound ACL and test it:
interface GigabitEthernet0/0
description ****WAN****
ip address xxx.xxx.xxx.xx 255.255.255.252
ip nat outside
no ip access-group 102 in
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPNMAP
Here is the configuration reference:
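An added worked example (my own code, not from the original post and not a Cisco tool): a small Python audit of the config pasted in the question that makes the two checks worth running before touching interface ACLs. First, the vty lines carry "access-class 50 in" and access-list 50 permits exactly one host, so an SSH attempt from any other source address is refused by the router's line access-class before ACL 102 is even consulted; whether the home address is that host is not visible in the redacted post. Second, ACL 102 ends in "permit ip any any", so it filters nothing, and removing it as the reply above suggests cannot change which packets reach the WAN address (ICMP echo to the WAN IP is already permitted). The script also flags the IKE phase-1 settings in the post (3DES, MD5, DH group 2), all of which are deprecated. The sample config is a constructed copy of the relevant lines of the post with placeholder addresses (203.0.113.10 for the host in ACL 50, 198.51.100.2 for the WAN IP); the function names are the example's own.

```python
import ipaddress
import re

# Constructed copy of the relevant lines of the posted config.  The redacted
# addresses are replaced with documentation-range placeholders (assumptions):
# 203.0.113.10 = the single host in access-list 50, 198.51.100.2 = the WAN IP.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip access-group 102 in
!
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
access-list 50 permit 203.0.113.10
access-list 100 deny ip 192.168.240.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 permit ip 192.168.240.0 0.0.0.255 any
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 permit icmp any any
access-list 102 permit ip any any
line vty 0 4
 access-class 50 in
 transport input ssh
"""

# IKE phase-1 settings that are deprecated; the policy in the post uses three of them.
WEAK_IKE = {"encr des": "DES", "encr 3des": "3DES", "hash md5": "MD5",
            "group 1": "DH group 1", "group 2": "DH group 2", "group 5": "DH group 5"}


def _addr(tokens, i):
    """Consume one IOS address spec at tokens[i] ('any', 'host X', 'X WILDCARD', or
    a bare 'X' as a standard ACL allows) and return (network, next index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[i + 1]):
        # a wildcard is the bitwise inverse of a netmask (contiguous masks only)
        mask = ~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF
        return ipaddress.ip_network((t, str(ipaddress.ip_address(mask))), strict=False), i + 2
    return ipaddress.ip_network(t + "/32"), i + 1


def parse_acls(config):
    """Numbered ACLs -> list of (action, protocol, src network, dst network)."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) (.+)", line.strip())
        if not m:
            continue
        num, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        extended = 100 <= num <= 199 or 2000 <= num <= 2699
        proto, i = (rest[0], 1) if extended else ("ip", 0)
        src, i = _addr(rest, i)
        dst = _addr(rest, i)[0] if extended else ipaddress.ip_network("0.0.0.0/0")
        acls.setdefault(num, []).append((action, proto, src, dst))
    return acls


def acl_decision(entries, src, dst="0.0.0.0", proto="ip"):
    """First matching entry wins; IOS appends an implicit 'deny' to every ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d in entries:
        if p in ("ip", proto) and src in s and dst in d:
            return action
    return "deny"


def _block(config, header):
    """Indented lines following a section header such as 'line vty 0 4'."""
    m = re.search(r"^%s[^\n]*\n((?: [^\n]*\n?)*)" % re.escape(header), config, re.M)
    return m.group(1) if m else ""


def ssh_allowed_from(config, src_ip):
    """Does the vty access-class admit a session from src_ip?  This is checked on
    the router's own lines, independently of any interface ACL."""
    m = re.search(r"access-class (\d+) in", _block(config, "line vty"))
    if not m:
        return True  # no access-class: every source reaches the login prompt
    return acl_decision(parse_acls(config)[int(m.group(1))], src_ip) == "permit"


def wan_inbound(config, ifname, src_ip, proto):
    """Verdict of the inbound ACL on ifname for traffic from src_ip to the
    interface's own address (e.g. an ICMP echo aimed at the WAN IP)."""
    block = _block(config, "interface " + ifname)
    own_ip = re.search(r"ip address (\S+) ", block).group(1)
    grp = re.search(r"ip access-group (\d+) in", block)
    if not grp:
        return "permit"  # no inbound ACL on the interface
    return acl_decision(parse_acls(config)[int(grp.group(1))], src_ip, own_ip, proto)


def weak_ike_settings(config):
    """Deprecated algorithms configured under 'crypto isakmp policy', in config order."""
    return [WEAK_IKE[s] for s in map(str.strip, config.splitlines()) if s in WEAK_IKE]
```

Calling ssh_allowed_from(SAMPLE_CONFIG, "203.0.113.99") returns False, because ACL 50 admits only 203.0.113.10 and every other source hits the implicit deny, while wan_inbound(SAMPLE_CONFIG, "GigabitEthernet0/0", "203.0.113.99", "icmp") returns "permit", so ACL 102 is not what drops the pings. The same evaluator also shows the NAT exemption in ACL 100: 192.168.240.0/24 to 192.168.200.0/24 is denied (left untranslated) and everything else from the LAN is permitted, which is why the tunnel traffic matched by ACL 101 works while the rest is overloaded behind the WAN address.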
02-25-2021 06:03 AM - edited 02-25-2021 06:05 AM
My apologies, it was SSH, not SSL. Removed it, and still no SSH, no ping.
02-25-2021 05:03 AM
This is RA VPN, so why did you set the peer address?
Use dynamic IPsec for this kind of VPN.
02-25-2021 06:06 AM
It is not RA VPN, it is a simple site-to-site VPN. Remote SSH and ping are not working. The tunnel is up and working fine.