SSH remote access

Andy Johnson
Level 1

We just put in a Cisco 881 router; everything is working great except that I can't get SSH to work from outside the network. We want to be able to access the router at our client's site from our office. Do I need to allow our Comcast public address on the incoming WAN interface ACL or set up an ACL for the vty lines? I'm able to access it over SSH from inside their network, so I have the initial SSH config set up; I just can't get in from the outside.

So when I need to access it from our office I would use PuTTY's SSH to the router's public IP on its WAN interface and use the credentials I've set up.

Accepted Solution

Jeff Van Houten
Level 5

Do you have an ACL on the external interface that is limiting inbound traffic? If so, is it allowing SSH? Is there an access-class defined on the VTYs? If so, does that access list allow SSH from the appropriate external addresses?

Sent from Cisco Technical Support iPad App


9 Replies


Jeff has asked good questions. In addition I would suggest that posting the configuration (masking out public addresses, passwords, and any other sensitive information) might help us to identify the problem.

HTH

Rick


Here's the config right now. I'll post the ACL I think would work below. With SSH opened in the 101 ACL, would I need a VTY ACL?

Building configuration...

Current configuration : 8698 bytes
!
! Last configuration change at 18:21:48 PCtime Mon Oct 28 2013
! NVRAM config last updated at 18:24:28 PCtime Mon Oct 28 2013
! NVRAM config last updated at 18:24:28 PCtime Mon Oct 28 2013
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 xxxxxxxxx
!
no aaa new-model
memory-size iomem 10
clock timezone PCtime -5 0
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.2.0 192.168.2.10
!
ip dhcp pool CEdhcpPool
 network 192.168.2.0 255.255.255.0
 domain-name xxxxxxx
 default-router 192.168.2.1
 dns-server 4.2.2.2 x.x.x.x
 lease 2
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip name-server 4.2.2.2
ip name-server x.x.x.x
ip inspect name CEfirewall tcp
ip inspect name CEfirewall udp
ip inspect name CEfirewall ftp
ip inspect name CEfirewall h323
ip inspect name CEfirewall icmp
ip inspect name CEfirewall netshow
ip inspect name CEfirewall rcmd
ip inspect name CEfirewall realaudio
ip inspect name CEfirewall rtsp
ip inspect name CEfirewall esmtp
ip inspect name CEfirewall sqlnet
ip inspect name CEfirewall streamworks
ip inspect name CEfirewall tftp
ip inspect name CEfirewall vdolive
no ipv6 cef
!
!
license udi pid CISCO881Wxxxxxxxxxxx sn xxxxxxxxxxx
!
!
username xxxxxxx privilege 15 secret 4 xxxxxxxxxxxxxxx
!
!
!
!
ip tcp synwait-time 10
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description xxxxx WAN
 ip address x.x.x.x 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect CEfirewall out
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface Vlan1
 description xxxxxxxxxxxxx
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 192.168.2.9 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 x.x.x.x 2
!
access-list 1 remark Inside NAT
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark VLAN ACL
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host x.x.x.x eq domain any
access-list 101 permit udp host 4.2.2.2 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any
no cdp run
!
!
!
!
!
line con 0
 password 7 xxxxxxxxxxxxxxxxxxx
 login
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
 login
 transport input telnet ssh
!
end

access-list 101 permit tcp ***Our Office Public IP*** 0.0.0.0 ***Client Office FE4 Public IP*** 0.0.0.0 eq 22
access-list 101 permit udp host x.x.x.x eq domain any
access-list 101 permit udp host 4.2.2.2 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any parameter-problem
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any ttl-exceeded
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any log-input
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any log-input
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 deny   ip host 255.255.255.255 any log-input
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any log-input
access-list 101 deny   ip host 0.0.0.0 any log-input
access-list 101 deny   icmp any any fragments
access-list 101 deny   ip any any

Any other suggestions would be great too.

Did anyone get this figured out? I have multiple 881 routers out there with the same configuration and I have one I can't get to. SSH internally works fine. I've double checked the static NAT, added a permit ip any any on the external port ACL, removed the ACL from the interface, upgraded the router to the latest IOS, and still nothing. When I try to SSH from the outside it doesn't even hit the router that I can see, as I have debug ip ssh detail enabled on the router with terminal monitor and see nothing. It's almost like the external NAT is just not working. Any help on this?

Thanks,

Raul

I believe that this version of access list 101 is better than the one in the config that is posted. Certainly that version of the ACL had no permit for any inbound SSH and that prevented your connection.  Adding a permit for your IP address to the router IP for TCP 22 should address this issue.

Some people might look at this and suggest that you should write a standard access list and use it as access-class in for the vty lines to control who has the ability to establish remote access sessions to the router. I do not know enough about the environment at that site to know whether it makes sense to add this or not. And seeing that most devices at that site will be getting dynamic addresses from DHCP it might be a challenge to determine which addresses should be permitted in the ACL. So I am inclined to think that controlling access by controlling who knows the login password would be sufficient.

I would have thought that for SSH you would have needed to configure login local on the vty lines. But if you have tested it from inside and SSH does work then I guess maybe you do not necessarily need login local.

HTH

Rick

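As an added illustration (not code from the thread), here is a small Python model of the first-match, wildcard-mask evaluation IOS applies to a numbered extended ACL, run against a trimmed copy of the posted access-list 101 and against the same list with the office-to-WAN TCP 22 permit Rick describes. The two public addresses are constructed placeholders for the values masked out in the post.

```python
import ipaddress

# Constructed placeholders for the two public addresses masked out in the thread.
OFFICE_IP, WAN_IP = "198.51.100.10", "203.0.113.2"  # office source, client router FastEthernet4
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "ssh": 22, "telnet": 23}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so 0.0.0.0 is an exact host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(t, i):  # consume 'any' | 'host A' | 'A WILDCARD' -> ((base, wildcard), next index)
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return ((t[i + 1], "0.0.0.0") if t[i] == "host" else (t[i], t[i + 1])), i + 2
def _port(t, i):  # consume an optional 'eq PORT' -> (port or None, next index)
    if i < len(t) and t[i] == "eq":
        return int(PORT_NAMES.get(t[i + 1], t[i + 1])), i + 2
    return None, i

def parse_acl(text, number):
    """'access-list <number> ...' lines -> (action, proto, src, sport, dst, dport) tuples."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)  # trailing keywords (echo-reply, log-input, ...) are ignored
        rules.append((t[2], t[3], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport, sport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and wildcard_match(src, *rsrc) and wildcard_match(dst, *rdst)
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"

ORIGINAL_ACL = """access-list 101 permit udp host 4.2.2.2 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip any any"""  # trimmed copy of the posted ACL 101: no SSH permit anywhere
REVISED_ACL = f"access-list 101 permit tcp host {OFFICE_IP} host {WAN_IP} eq 22\n" + ORIGINAL_ACL
def ssh_decision(acl_text, src=OFFICE_IP):  # verdict for an inbound SSH SYN to the WAN address
    return evaluate(parse_acl(acl_text, 101), "tcp", src, WAN_IP, 22)
```

The same evaluator shows why the permit has to sit above the deny entries: once `deny ip any any` matches, nothing after it is consulted.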

In the configuration I don't see any ACL applied under line vty, so that's not blocking anything (it looks clean).

I want you to try the following steps to find the problem:

ip access-list extended test
 permit ip any any log
!
line vty 0 4
 login local
 access-class test in

That log statement will punt the vty traffic to the CPU, so we will do software switching instead of hardware.

Once done, please capture the output of show log and see if there is any message related to SSH.

-Amant

One more question, were you able to do telnet from remote location?

-Amant


I have the same issue. At first I could SSH via the WAN; 5 minutes later I rebooted the router, and after that I could never SSH from the WAN again (I already removed any ACL and rebooted many times). I can still SSH from the LAN. What is happening here?
