01-30-2015 09:25 AM
Hello team, hope that someone can help me.
I have a scenario where I have a router (3845) connected to the internet over an ATM (PPPoA) with a static IP address. I can't access the router over the WAN using SSH or Telnet; if I try over the LAN the connections are allowed. I'm attaching the configuration, please someone help me, I have no idea why it is doing this:
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
!
security authentication failure rate 5 log
security passwords min-length 10
logging message-counter syslog
logging buffered 409600
logging monitor informational
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network default local
aaa authorization network groupauthor local
!
!
dot11 syslog
no ip source-route
ip cef
!
!
!
!
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
password encryption aes
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
memory reserve critical 4096
memory free low-watermark processor 20000
memory free low-watermark IO 20000
archive
log config
logging enable
logging size 200
hidekeys
path flash:/archived-config
maximum 14
write-memory
time-period 43200
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key 6 WUOfETXT_ZSRNAbXIHADHFHGLH]KOY address 200.67.42.218 no-xauth
crypto isakmp key 6 LEB\U_LYHJdCXTKBFYAbdSN]SHeMaU address 201.155.234.72 no-xauth
!
crypto isakmp client configuration group VPN-CLIENT
key 6 ]]QPKBOPHFhIWdKE`DNeiCFIIDJFYfGCIAYhSMMDbg]cOBRVXfM
domain gruporom.com
pool VPN-CLIENT-POOL
acl 110
!
!
crypto ipsec transform-set DSLVPN esp-3des esp-md5-hmac
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set TS
!
!
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauthor
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
description < Enlace a G >
set peer 201.155.234.72
set transform-set DSLVPN
match address 101
crypto map VPN 20 ipsec-isakmp
description < Enlace a M >
set peer 200.67.42.218
set transform-set DSLVPN
match address 100
crypto map VPN 100 ipsec-isakmp dynamic dynmap
!
!
!
ip ssh version 2
!
class-map match-any copp-system-class-important
match access-group name copp-system-acl-cts
match access-group name copp-system-acl-glbp
match access-group name copp-system-acl-hsrp
match access-group name copp-system-acl-vrrp
match access-group name copp-system-acl-wccp
match access-group name copp-system-acl-icmp6-msgs
match access-group name copp-system-acl-pim-reg
class-map match-any copp-system-class-undesirable
match access-group name copp-system-acl-undesirable
class-map match-any copp-system-class-critical
match access-group name copp-system-acl-bgp
match access-group name copp-system-acl-bgp6
match access-group name copp-system-acl-eigrp
match access-group name copp-system-acl-igmp
match access-group name copp-system-acl-msdp
match access-group name copp-system-acl-ospf
match access-group name copp-system-acl-ospf6
match access-group name copp-system-acl-pim
match access-group name copp-system-acl-pim6
match access-group name copp-system-acl-rip
class-map match-all VOZ
match access-group name VOZ
class-map match-any copp-system-class-monitoring
match access-group name copp-system-acl-icmp
match access-group name copp-system-acl-icmp6
match access-group name copp-system-acl-traceroute
class-map match-any copp-system-class-management
match access-group name copp-system-acl-ftp
match access-group name copp-system-acl-ntp
match access-group name copp-system-acl-ntp6
match access-group name copp-system-acl-radius
match access-group name copp-system-acl-sftp
match access-group name copp-system-acl-snmp
match access-group name copp-system-acl-ssh
match access-group name copp-system-acl-ssh6
match access-group name copp-system-acl-tacacs
match access-group name copp-system-acl-telnet
match access-group name copp-system-acl-tftp
match access-group name copp-system-acl-tftp6
match access-group name copp-system-acl-radius6
match access-group name copp-system-acl-tacacs6
match access-group name copp-system-acl-telnet6
class-map match-any copp-system-class-normal
match access-group name copp-system-acl-dhcp
match protocol arp
!
!
policy-map QoS-VPN
class VOZ
priority 150
class class-default
fair-queue
random-detect
policy-map copp-system-policy
class copp-system-class-critical
class copp-system-class-important
class copp-system-class-management
class copp-system-class-normal
class copp-system-class-monitoring
class copp-system-class-undesirable
class class-default
!
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet0/0
description < LAN >
ip address 192.168.1.249 255.255.255.0
no ip redirects
no ip proxy-arp
ip accounting output-packets
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
hold-queue 100 in
hold-queue 100 out
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface ATM0/0/0
description < ATM >
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
atm restart timer 300
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip mtu 1492
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname a5553685212
ppp chap password 7 10491B0A5747405C5A5C7A
ppp pap sent-username a5553685212 password 7 094B5C1A4B5545455D5454
ppp ipcp dns request accept
ppp ipcp route default
crypto map VPN
!
ip local pool VPN-CLIENT-POOL 192.168.10.10 192.168.10.30
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.1.252 21 201.155.59.28 21 extendable
ip nat inside source static tcp 192.168.1.252 25 201.155.59.28 25 extendable
ip nat inside source static tcp 192.168.1.252 53 201.155.59.28 53 extendable
ip nat inside source static udp 192.168.1.252 53 201.155.59.28 53 extendable
ip nat inside source static tcp 192.168.1.252 110 201.155.59.28 110 extendable
ip nat inside source static tcp 192.168.2.233 139 201.155.59.28 139 extendable
ip nat inside source static tcp 192.168.2.233 1723 201.155.59.28 1723 extendable
ip nat inside source static tcp 192.168.1.233 3389 201.155.59.28 3389 extendable
!
ip access-list extended VOZ
permit udp any any range 16384 37276
permit tcp any eq 1720 any
permit tcp any any eq 1720
ip access-list extended copp-system-acl-bgp
permit tcp any gt 1024 any eq bgp
permit tcp any eq bgp any gt 1024
ip access-list extended copp-system-acl-cts
permit tcp any any eq 64999
permit tcp any eq 64999 any
ip access-list extended copp-system-acl-dhcp
permit udp any eq bootpc any
permit udp any eq bootps any
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended copp-system-acl-eigrp
permit eigrp any any
ip access-list extended copp-system-acl-ftp
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any eq ftp-data any
permit tcp any eq ftp any
ip access-list extended copp-system-acl-glbp
permit udp any eq 3222 224.0.0.0 0.0.0.255 eq 3222
ip access-list extended copp-system-acl-hsrp
permit udp any 224.0.0.0 0.0.0.255 eq 1985
ip access-list extended copp-system-acl-icmp
permit icmp any any echo
permit icmp any any echo-reply
ip access-list extended copp-system-acl-igmp
permit igmp any 224.0.0.0 0.0.0.252
ip access-list extended copp-system-acl-msdp
permit tcp any gt 1024 any eq 639
permit tcp any eq 639 any gt 1024
ip access-list extended copp-system-acl-ntp
permit udp any any eq ntp
permit udp any eq ntp any
ip access-list extended copp-system-acl-ospf
permit ospf any any
ip access-list extended copp-system-acl-pim
permit pim any 224.0.0.0 0.0.0.255
permit udp any any eq pim-auto-rp
ip access-list extended copp-system-acl-pim-reg
permit pim any any
ip access-list extended copp-system-acl-radius
permit udp any any eq 1812
permit udp any any eq 1813
permit udp any any eq 1645
permit udp any any eq 1646
permit udp any eq 1812 any
permit udp any eq 1813 any
permit udp any eq 1645 any
permit udp any eq 1646 any
ip access-list extended copp-system-acl-rip
permit udp any 224.0.0.0 0.0.0.255 eq rip
ip access-list extended copp-system-acl-sftp
permit tcp any any eq 115
permit tcp any eq 115 any
ip access-list extended copp-system-acl-snmp
permit udp any any eq snmp
permit udp any any eq snmptrap
ip access-list extended copp-system-acl-ssh
permit tcp any any eq 22
permit tcp any eq 22 any
ip access-list extended copp-system-acl-tacacs
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list extended copp-system-acl-telnet
permit tcp any any eq telnet
permit tcp any any eq 107
permit tcp any eq telnet any
permit tcp any eq 107 any
ip access-list extended copp-system-acl-tftp
permit udp any any eq tftp
permit udp any any eq 1758
permit udp any eq tftp any
permit udp any eq 1758 any
ip access-list extended copp-system-acl-traceroute
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
ip access-list extended copp-system-acl-undesirable
permit udp any any eq 1434
ip access-list extended copp-system-acl-vrrp
permit 112 any 224.0.0.0 0.0.0.255
ip access-list extended copp-system-acl-wccp
permit udp any eq 2048 any eq 2048
!
access-list 100 remark < VPN M >
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 remark < VPN G >
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 remark < Split Tunneling - VPN Policies >
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 115 permit ip host 192.168.1.215 any
access-list 115 permit ip 192.168.1.216 0.0.0.7 any
access-list 115 permit ip 192.168.1.224 0.0.0.7 any
access-list 115 permit ip 192.168.1.232 0.0.0.7 any
!
!
!
!
route-map NAT permit 10
description < NAT >
match ip address 115
match interface Dialer0
!
!
control-plane
service-policy input copp-system-policy
!
!
!
voice-port 0/1/0
connection plar 100
description a G
!
voice-port 0/1/1
connection plar 100
description a G
!
voice-port 0/1/2
connection plar 300
description a M
!
voice-port 0/1/3
connection plar 300
description a M
!
!
!
!
!
dial-peer voice 300 voip
description a M
destination-pattern 300
session target ipv4:200.67.42.218
ip qos dscp cs5 media
no vad
!
dial-peer voice 100 voip
description a G
destination-pattern 100
session target ipv4:201.155.234.72
ip qos dscp cs5 media
no vad
!
dial-peer voice 201 pots
description desde G
destination-pattern 200
port 0/1/1
!
dial-peer voice 401 pots
description desde M
destination-pattern 400
port 0/1/3
!
dial-peer voice 200 pots
description desde G
destination-pattern 200
port 0/1/0
!
dial-peer voice 400 pots
description desde M
destination-pattern 400
port 0/1/2
!
!
line con 0
location Console Port
logging synchronous
login authentication userauthen
history size 256
transport preferred ssh
transport output ssh
line aux 0
line vty 0 4
location VTY interface
exec-timeout 5 0
privilege level 15
logging synchronous
login authentication userauthen
history size 256
transport preferred ssh
transport input telnet ssh
transport output telnet ssh
line vty 5 15
location VTY interface
exec-timeout 5 0
privilege level 15
logging synchronous
login authentication userauthen
history size 256
transport preferred ssh
transport input telnet ssh
transport output telnet ssh
!
exception memory ignore overflow processor
exception memory ignore overflow io
scheduler allocate 20000 1000
ntp authenticate
ntp trusted-key 1
ntp master 5
ntp server 200.23.51.102
end
Thanks in advance team!!!
02-03-2015 10:24 AM
Try removing the vty statements and dropping in a simple one for right now ...
See if that works ... then you can lock down more.
line vty 0 4
session-timeout 30
exec-timeout 30 0
password 7 temp
login
transport input all -> make sure this is present.
!
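As an added example (not code from this thread, the poster, or Cisco), a small Python audit that pulls the line vty stanzas out of an IOS config and flags what a defender would want to fix in the posted one before exposing management on the WAN: cleartext telnet still accepted, no access-class limiting source addresses, and sessions starting at privilege 15. The ACL name MGMT in the hardened variant is an assumption.

```python
# Constructed sample: the two vty stanzas from the posted config, as IOS prints them.
POSTED_LINES = """\
line vty 0 4
 privilege level 15
 login authentication userauthen
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login authentication userauthen
 transport input telnet ssh
"""
# Constructed hardened variant; the ACL name MGMT is an assumption.
HARDENED_LINES = """\
line vty 0 4
 access-class MGMT in
 login authentication userauthen
 transport input ssh
"""

def parse_line_stanzas(config):
    """Map each 'line <name>' stanza to its list of sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if text in ("", "!", "end"):
            continue
        if text.startswith("line "):
            current = text[5:]
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(text)
    return stanzas

def audit_vty(cmds):
    """Return the management-plane weaknesses found in one vty stanza."""
    allowed = [c.split()[2:] for c in cmds if c.startswith("transport input")]
    allowed = allowed[-1] if allowed else []  # the last 'transport input' wins
    checks = [
        ("telnet" in allowed or "all" in allowed, "cleartext telnet accepted"),
        (not any(c.startswith("access-class") for c in cmds),
         "no access-class: any source address may connect"),
        ("privilege level 15" in cmds, "sessions start at privilege 15"),
        (not any(c.startswith("login") for c in cmds), "no login method configured"),
    ]
    return [msg for bad, msg in checks if bad]

def audit_config(config):
    """Audit every vty stanza; console and aux stanzas are skipped."""
    stanzas = parse_line_stanzas(config)
    return {n: audit_vty(c) for n, c in stanzas.items() if n.startswith("vty")}
```

Run it over a saved show running-config and the dict tells you per vty range what is exposed; the same check applied to the reply's temporary stanza (transport input all, plain login) shows why it is only a stopgap.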
02-03-2015 10:27 AM
Do you have the steps to telnet from PuTTY into the LAN interface?
I see you stated you were able to complete that task.
I do not have a router present and wanted to give directions to the client.
02-09-2015 04:07 PM
Unfortunately no, I use SecureCRT for Mac.
02-09-2015 04:07 PM
I tried with the same result. I have no idea why I can telnet/SSH using the LAN and not with the WAN :S