SSH nor Telnet allowed over WAN

payala
Level 1

Hello team, hope that someone can help me.

I have a scenario where I have a router (3845) connected to the internet over ATM (PPPoA) with a static IP address. I can't access the router over the WAN using SSH or Telnet; if I try over the LAN the connection is allowed. I'm attaching the configuration, please someone help me, I have no idea why it is doing this:

service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
!
security authentication failure rate 5 log
security passwords min-length 10
logging message-counter syslog
logging buffered 409600
logging monitor informational
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network default local 
aaa authorization network groupauthor local 
!
!         
dot11 syslog
no ip source-route
ip cef
!
!
!
!
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
password encryption aes
voice-card 0
!
!
!
!
!
!
!         
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
memory reserve critical 4096
memory free low-watermark processor 20000
memory free low-watermark IO 20000
archive
 log config
  logging enable
  logging size 200
  hidekeys
 path flash:/archived-config
 maximum 14
 write-memory
 time-period 43200

!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 6 WUOfETXT_ZSRNAbXIHADHFHGLH]KOY address 200.67.42.218 no-xauth
crypto isakmp key 6 LEB\U_LYHJdCXTKBFYAbdSN]SHeMaU address 201.155.234.72 no-xauth
!
crypto isakmp client configuration group VPN-CLIENT
 key 6 ]]QPKBOPHFhIWdKE`DNeiCFIIDJFYfGCIAYhSMMDbg]cOBRVXfM
 domain gruporom.com
 pool VPN-CLIENT-POOL
 acl 110
!
!
crypto ipsec transform-set DSLVPN esp-3des esp-md5-hmac 
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac 
!
crypto dynamic-map dynmap 10
 set transform-set TS 
!
!
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauthor
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp 
 description < Enlace a G >
 set peer 201.155.234.72
 set transform-set DSLVPN 
 match address 101
crypto map VPN 20 ipsec-isakmp 
 description < Enlace a M >
 set peer 200.67.42.218
 set transform-set DSLVPN 
 match address 100
crypto map VPN 100 ipsec-isakmp dynamic dynmap 
!
!
!
ip ssh version 2
!
class-map match-any copp-system-class-important
 match access-group name copp-system-acl-cts
 match access-group name copp-system-acl-glbp
 match access-group name copp-system-acl-hsrp
 match access-group name copp-system-acl-vrrp
 match access-group name copp-system-acl-wccp
 match access-group name copp-system-acl-icmp6-msgs
 match access-group name copp-system-acl-pim-reg
class-map match-any copp-system-class-undesirable
 match access-group name copp-system-acl-undesirable
class-map match-any copp-system-class-critical
 match access-group name copp-system-acl-bgp
 match access-group name copp-system-acl-bgp6
 match access-group name copp-system-acl-eigrp
 match access-group name copp-system-acl-igmp
 match access-group name copp-system-acl-msdp
 match access-group name copp-system-acl-ospf
 match access-group name copp-system-acl-ospf6
 match access-group name copp-system-acl-pim
 match access-group name copp-system-acl-pim6
 match access-group name copp-system-acl-rip
class-map match-all VOZ
 match access-group name VOZ
class-map match-any copp-system-class-monitoring
 match access-group name copp-system-acl-icmp
 match access-group name copp-system-acl-icmp6
 match access-group name copp-system-acl-traceroute
class-map match-any copp-system-class-management
 match access-group name copp-system-acl-ftp
 match access-group name copp-system-acl-ntp
 match access-group name copp-system-acl-ntp6
 match access-group name copp-system-acl-radius
 match access-group name copp-system-acl-sftp
 match access-group name copp-system-acl-snmp
 match access-group name copp-system-acl-ssh
 match access-group name copp-system-acl-ssh6
 match access-group name copp-system-acl-tacacs
 match access-group name copp-system-acl-telnet
 match access-group name copp-system-acl-tftp
 match access-group name copp-system-acl-tftp6
 match access-group name copp-system-acl-radius6
 match access-group name copp-system-acl-tacacs6
 match access-group name copp-system-acl-telnet6
class-map match-any copp-system-class-normal
 match access-group name copp-system-acl-dhcp
 match protocol arp
!
!
policy-map QoS-VPN
 class VOZ
    priority 150
 class class-default
    fair-queue
     random-detect
policy-map copp-system-policy
 class copp-system-class-critical
 class copp-system-class-important
 class copp-system-class-management
 class copp-system-class-normal
 class copp-system-class-monitoring
 class copp-system-class-undesirable
 class class-default
!
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 description < LAN >
 ip address 192.168.1.249 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip accounting output-packets
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 hold-queue 100 in
 hold-queue 100 out
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface ATM0/0/0
 description < ATM >
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 atm restart timer 300
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip mtu 1492
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1450
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname a5553685212
 ppp chap password 7 10491B0A5747405C5A5C7A
 ppp pap sent-username a5553685212 password 7 094B5C1A4B5545455D5454
 ppp ipcp dns request accept
 ppp ipcp route default
 crypto map VPN
!
ip local pool VPN-CLIENT-POOL 192.168.10.10 192.168.10.30
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.1.252 21 201.155.59.28 21 extendable
ip nat inside source static tcp 192.168.1.252 25 201.155.59.28 25 extendable
ip nat inside source static tcp 192.168.1.252 53 201.155.59.28 53 extendable
ip nat inside source static udp 192.168.1.252 53 201.155.59.28 53 extendable
ip nat inside source static tcp 192.168.1.252 110 201.155.59.28 110 extendable
ip nat inside source static tcp 192.168.2.233 139 201.155.59.28 139 extendable
ip nat inside source static tcp 192.168.2.233 1723 201.155.59.28 1723 extendable
ip nat inside source static tcp 192.168.1.233 3389 201.155.59.28 3389 extendable
!
ip access-list extended VOZ
 permit udp any any range 16384 37276
 permit tcp any eq 1720 any
 permit tcp any any eq 1720
ip access-list extended copp-system-acl-bgp
 permit tcp any gt 1024 any eq bgp
 permit tcp any eq bgp any gt 1024
ip access-list extended copp-system-acl-cts
 permit tcp any any eq 64999
 permit tcp any eq 64999 any
ip access-list extended copp-system-acl-dhcp
 permit udp any eq bootpc any
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
ip access-list extended copp-system-acl-eigrp
 permit eigrp any any
ip access-list extended copp-system-acl-ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq ftp
 permit tcp any eq ftp-data any
 permit tcp any eq ftp any
ip access-list extended copp-system-acl-glbp
 permit udp any eq 3222 224.0.0.0 0.0.0.255 eq 3222
ip access-list extended copp-system-acl-hsrp
 permit udp any 224.0.0.0 0.0.0.255 eq 1985
ip access-list extended copp-system-acl-icmp
 permit icmp any any echo
 permit icmp any any echo-reply
ip access-list extended copp-system-acl-igmp
 permit igmp any 224.0.0.0 0.0.0.252
ip access-list extended copp-system-acl-msdp
 permit tcp any gt 1024 any eq 639
 permit tcp any eq 639 any gt 1024
ip access-list extended copp-system-acl-ntp
 permit udp any any eq ntp
 permit udp any eq ntp any
ip access-list extended copp-system-acl-ospf
 permit ospf any any
ip access-list extended copp-system-acl-pim
 permit pim any 224.0.0.0 0.0.0.255
 permit udp any any eq pim-auto-rp
ip access-list extended copp-system-acl-pim-reg
 permit pim any any
ip access-list extended copp-system-acl-radius
 permit udp any any eq 1812
 permit udp any any eq 1813
 permit udp any any eq 1645
 permit udp any any eq 1646
 permit udp any eq 1812 any
 permit udp any eq 1813 any
 permit udp any eq 1645 any
 permit udp any eq 1646 any
ip access-list extended copp-system-acl-rip
 permit udp any 224.0.0.0 0.0.0.255 eq rip
ip access-list extended copp-system-acl-sftp
 permit tcp any any eq 115
 permit tcp any eq 115 any
ip access-list extended copp-system-acl-snmp
 permit udp any any eq snmp
 permit udp any any eq snmptrap
ip access-list extended copp-system-acl-ssh
 permit tcp any any eq 22
 permit tcp any eq 22 any
ip access-list extended copp-system-acl-tacacs
 permit tcp any any eq tacacs
 permit tcp any eq tacacs any
ip access-list extended copp-system-acl-telnet
 permit tcp any any eq telnet
 permit tcp any any eq 107
 permit tcp any eq telnet any
 permit tcp any eq 107 any
ip access-list extended copp-system-acl-tftp
 permit udp any any eq tftp
 permit udp any any eq 1758
 permit udp any eq tftp any
 permit udp any eq 1758 any
ip access-list extended copp-system-acl-traceroute
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
ip access-list extended copp-system-acl-undesirable
 permit udp any any eq 1434
ip access-list extended copp-system-acl-vrrp
 permit 112 any 224.0.0.0 0.0.0.255
ip access-list extended copp-system-acl-wccp
 permit udp any eq 2048 any eq 2048
!
access-list 100 remark < VPN M >
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 remark < VPN G >
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 remark < Split Tunneling - VPN Policies >
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 115 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 115 permit ip host 192.168.1.215 any
access-list 115 permit ip 192.168.1.216 0.0.0.7 any
access-list 115 permit ip 192.168.1.224 0.0.0.7 any
access-list 115 permit ip 192.168.1.232 0.0.0.7 any
!
!
!
!
route-map NAT permit 10
 description < NAT >
 match ip address 115
 match interface Dialer0
!
!
control-plane
 service-policy input copp-system-policy
!
!
!
voice-port 0/1/0
 connection plar 100
 description a G
!
voice-port 0/1/1
 connection plar 100
 description a G
!
voice-port 0/1/2
 connection plar 300
 description a M
!
voice-port 0/1/3
 connection plar 300
 description a M
!
!
!
!
!
dial-peer voice 300 voip
 description a M
 destination-pattern 300
 session target ipv4:200.67.42.218
 ip qos dscp cs5 media
 no vad
!
dial-peer voice 100 voip
 description a G
 destination-pattern 100
 session target ipv4:201.155.234.72
 ip qos dscp cs5 media
 no vad
!
dial-peer voice 201 pots
 description desde G
 destination-pattern 200
 port 0/1/1
!
dial-peer voice 401 pots
 description desde M
 destination-pattern 400
 port 0/1/3
!         
dial-peer voice 200 pots
 description desde G
 destination-pattern 200
 port 0/1/0
!
dial-peer voice 400 pots
 description desde M
 destination-pattern 400
 port 0/1/2
!
!
line con 0
 location Console Port
 logging synchronous
 login authentication userauthen
 history size 256
 transport preferred ssh
 transport output ssh
line aux 0
line vty 0 4
 location VTY interface
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login authentication userauthen
 history size 256
 transport preferred ssh
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 location VTY interface
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login authentication userauthen
 history size 256
 transport preferred ssh
 transport input telnet ssh
 transport output telnet ssh
!
exception memory ignore overflow processor
exception memory ignore overflow io
scheduler allocate 20000 1000
ntp authenticate
ntp trusted-key 1
ntp master 5
ntp server 200.23.51.102
end

Thanks in advance team!!!
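A quick way to check what the posted vty and control-plane configuration actually permits, as an added example that is not part of the original thread: the script below (my own code, not the poster's) parses an IOS-style config into sections and reports, per vty range, which inbound transports are accepted and whether an access-class restricts sources, plus which classes of the applied CoPP policy carry no police/drop action. The embedded config is a constructed excerpt modelled on the posted one; the function names are mine.

```python
SAMPLE_CONFIG = """\
policy-map copp-system-policy
 class copp-system-class-management
control-plane
 service-policy input copp-system-policy
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
"""  # constructed excerpt mirroring the posted vty/control-plane sections

def parse_sections(config):
    """Split an IOS config into (header, [indented child commands]) pairs."""
    sections = []
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):      # separators carry no config
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(cmd)         # child of the open section
        elif not raw.startswith(" "):
            sections.append((cmd, []))
    return sections

def audit_vty(config):
    """Per vty range: accepted inbound protocols, source filter, cleartext exposure."""
    findings = {}
    for header, body in parse_sections(config):
        if header.startswith("line vty"):
            ti = [c.split()[2:] for c in body if c.startswith("transport input")]
            inputs = set(ti[-1]) if ti else set()   # last statement wins
            acl = [c.split()[1] for c in body if c.startswith("access-class")]
            findings[header] = {"transport_input": sorted(inputs),
                                "access_class": acl[0] if acl else None,
                                "cleartext_mgmt": bool(inputs & {"telnet", "all"})}
    return findings

def copp_classes_without_action(config):
    """Classes in the applied control-plane policy with no police/drop action."""
    sections = parse_sections(config)
    applied = {c.split()[2] for h, b in sections if h == "control-plane"
               for c in b if c.startswith("service-policy input")}
    idle, cls = [], None
    for header, body in sections:
        if header.startswith("policy-map") and header.split()[1] in applied:
            for cmd in body:
                if cmd.startswith("class "):
                    idle.append(cls := cmd.split()[1])
                elif cmd.split()[0] in ("police", "drop") and cls in idle:
                    idle.remove(cls)            # this class does act on traffic
    return idle
```

Run against the full posted config, it reports both vty ranges accepting telnet with no access-class and every CoPP class without an action, which is what a reviewer would want to confirm before opening management to the WAN.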

4 Replies

anthonyg2879
Level 1

Try removing the vty statement and dropping in a simple one for right now ...

See if that works ... then you can lock down more.


line vty 0 4
session-timeout 30
exec-timeout 30 0
password 7 temp
login
transport input all  -> make sure this is present.
!

Do you have the steps to telnet from PuTTY into the LAN interface?

I see you stated you were able to complete that task.

I do not have a router present and wanted to give directions to the client.

Unfortunately no, I use SecureCRT for Mac.

I tried with the same result. I have no idea why I can telnet/ssh using the LAN and not with the WAN :S
