04-22-2016 06:21 AM
Hi All,
I have recently put in a new Cisco router 881 at one of our sites. I have installed a few of these in the past with no issues with SSH.
However, with this one, I am facing an issue whereby I cannot SSH into the router via the public WAN. I can SSH into the router locally. I can also telnet into the router via the public WAN.
I have tried things like changing the line vty, which hasn't worked. Could it be something is blocking the incoming request via the public WAN?
Here is my config...
Any help or suggestions would really help!?
hostname XX
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 XX
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-162863092
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-162863092
revocation-check none
rsakeypair TP-self-signed-162863092
!
!
crypto pki certificate chain TP-self-signed-162863092
certificate self-signed 01
XXX
XXX
XXX
quit
ip cef
!
!
!
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.2
ip dhcp excluded-address 192.168.0.3
ip dhcp excluded-address 192.168.0.4
ip dhcp excluded-address 192.168.0.5
ip dhcp excluded-address 192.168.0.6
ip dhcp excluded-address 192.168.0.20
!
ip dhcp pool OVMOOR
import all
network 192.168.0.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.0.1
!
!
!
no ip bootp server
no ip domain lookup
ip domain name XX-R.com
no ipv6 cef
!
!
license udi pid C881W-E-K9 sn FCZ192791VF
!
!
archive
log config
hidekeys
username admin privilege 15 password 0 XX
!
!
!
!
!
ip ssh port 2222 rotary 1
!
!
!
!
!
!
!
!
!
interface Tunnel0
no ip address
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface FastEthernet4
ip address XX.XX.XX.XX
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
shutdown
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static udp 192.168.0.3 999 interface FastEthernet4 21999
ip nat inside source static tcp 192.168.0.3 999 interface FastEthernet4 21999
ip nat inside source static tcp 192.168.0.3 88 interface FastEthernet4 2188
ip nat inside source static tcp 192.168.0.3 22 interface FastEthernet4 2122
ip nat inside source static udp 192.168.0.4 999 interface FastEthernet4 22999
ip nat inside source static tcp 192.168.0.4 999 interface FastEthernet4 22999
ip nat inside source static tcp 192.168.0.4 88 interface FastEthernet4 2288
ip nat inside source static tcp 192.168.0.4 22 interface FastEthernet4 2222
ip nat inside source static udp 192.168.0.2 4500 interface FastEthernet4 4500
ip nat inside source static udp 192.168.0.2 500 interface FastEthernet4 500
ip nat inside source static tcp 192.168.0.5 16992 interface FastEthernet4 16992
ip nat inside source static tcp 192.168.0.5 16993 interface FastEthernet4 16993
ip nat inside source static tcp 192.168.0.5 16994 interface FastEthernet4 16994
ip nat inside source static tcp 192.168.0.5 16995 interface FastEthernet4 16995
ip nat inside source static tcp 192.168.0.5 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.0.6 16992 interface FastEthernet4 17992
ip nat inside source static tcp 192.168.0.6 16993 interface FastEthernet4 17993
ip nat inside source static tcp 192.168.0.6 16994 interface FastEthernet4 17994
ip nat inside source static tcp 192.168.0.6 16995 interface FastEthernet4 17995
ip nat inside source static tcp 192.168.0.6 5900 interface FastEthernet4 5901
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
!
logging trap debugging
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
password 7 XX
login local
rotary 1
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
end
04-22-2016 10:36 AM
It looks like you have a static NAT mapping, forwarding TCP 2222 to the internal server 192.168.0.4
ip nat inside source static tcp 192.168.0.4 22 interface FastEthernet4 2222
The router SSH server is also set for port 2222.
Either,
Change the NAT mapping from 2222 to something else
Or, change the router SSH port on the line 'ip ssh port 2222 rotary 1'
Regards,
Ben
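The overlap described in the reply above can be checked for before a config is deployed. The following is an added example, not part of the original thread or any Cisco tooling: it flags static TCP port forwards whose outside port is also a port the router itself listens on. The function names are hypothetical, the sample is constructed from lines of the posted config, and default ports 22/23/80/443 are assumed for SSH, telnet, HTTP and HTTPS.

```python
import re

# Constructed sample: the relevant lines from the configuration posted above.
SAMPLE_CONFIG = """\
ip ssh port 2222 rotary 1
ip http server
ip http secure-server
ip nat inside source static tcp 192.168.0.3 22 interface FastEthernet4 2122
ip nat inside source static tcp 192.168.0.4 22 interface FastEthernet4 2222
ip nat inside source static udp 192.168.0.2 500 interface FastEthernet4 500
line vty 0 4
rotary 1
transport input telnet ssh
"""

NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
SSH_PORT_RE = re.compile(r"^ip ssh port (\d+) rotary \d+")

def router_tcp_listeners(lines):
    """Return {port: service} for TCP services the router itself offers."""
    listeners, in_vty = {}, False
    for line in lines:
        if line.startswith("line "):
            in_vty = line.startswith("line vty")  # ignore con/aux stanzas
        m = SSH_PORT_RE.match(line)
        if m:
            listeners[int(m.group(1))] = "ssh rotary"
        elif line == "ip http server":
            listeners[80] = "http"
        elif line == "ip http secure-server":
            listeners[443] = "https"
        elif in_vty and line.startswith("transport input"):
            protos = line.split()[2:]
            if "telnet" in protos or "all" in protos:
                listeners[23] = "telnet"
            if "ssh" in protos or "all" in protos:
                listeners[22] = "ssh"
    return listeners

def find_conflicts(config_text):
    """List (outside_port, router_service, inside_host, inside_port) overlaps."""
    lines = [l.strip() for l in config_text.splitlines()]
    listeners = router_tcp_listeners(lines)
    conflicts = []
    for line in lines:
        m = NAT_RE.match(line)
        if m and m.group(1) == "tcp" and int(m.group(5)) in listeners:
            port = int(m.group(5))
            conflicts.append((port, listeners[port], m.group(2), int(m.group(3))))
    return conflicts
```

The same check also reports a forward that lands on a management port left enabled, such as telnet on 23 or the HTTP server on 80, which is worth reviewing on any WAN-facing interface.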
04-22-2016 12:51 PM
Hi Ben,
Thanks for spotting this, schoolboy error!! Changed the rotary to 3333 and now SSH works from the WAN interface.
Thanks for the help :-)