10-30-2013 04:23 PM
We just put in a Cisco 881 router; everything is working great except I can't get SSH to work from outside the network. We want to be able to access the router at our client's site from our office. Do I need to allow our Comcast public address on the incoming WAN interface ACL or set up an ACL for the vty lines? I'm able to access over SSH from inside their network, so I have the initial SSH config set up; I just can't get in from the outside.
So when I need to access from our office I would use PuTTY's SSH to the router's public IP on its WAN interface and use the credentials I've set up.
10-31-2013 08:21 PM
Do you have an ACL on the external interface that is limiting inbound traffic? If so, is it allowing SSH? Is there an access-class defined on the VTYs? If so, does that access list allow SSH from the appropriate external addresses?
Sent from Cisco Technical Support iPad App
11-10-2013 05:26 AM
Jeff has asked good questions. In addition I would suggest that posting the configuration (masking out public addresses, passwords, and any other sensitive information) might help us to identify the problem.
HTH
Rick
11-13-2013 09:10 AM
Here's the config right now. I'll post the ACL I think would work below. With SSH opened in the 101 ACL, would I need a VTY ACL?
Building configuration...
Current configuration : 8698 bytes
!
! Last configuration change at 18:21:48 PCtime Mon Oct 28 2013
! NVRAM config last updated at 18:24:28 PCtime Mon Oct 28 2013
! NVRAM config last updated at 18:24:28 PCtime Mon Oct 28 2013
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 xxxxxxxxx
!
no aaa new-model
memory-size iomem 10
clock timezone PCtime -5 0
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.2.0 192.168.2.10
!
ip dhcp pool CEdhcpPool
network 192.168.2.0 255.255.255.0
domain-name xxxxxxx
default-router 192.168.2.1
dns-server 4.2.2.2 x.x.x.x
lease 2
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip name-server 4.2.2.2
ip name-server x.x.x.x
ip inspect name CEfirewall tcp
ip inspect name CEfirewall udp
ip inspect name CEfirewall ftp
ip inspect name CEfirewall h323
ip inspect name CEfirewall icmp
ip inspect name CEfirewall netshow
ip inspect name CEfirewall rcmd
ip inspect name CEfirewall realaudio
ip inspect name CEfirewall rtsp
ip inspect name CEfirewall esmtp
ip inspect name CEfirewall sqlnet
ip inspect name CEfirewall streamworks
ip inspect name CEfirewall tftp
ip inspect name CEfirewall vdolive
no ipv6 cef
!
!
license udi pid CISCO881Wxxxxxxxxxxx sn xxxxxxxxxxx
!
!
username xxxxxxx privilege 15 secret 4 xxxxxxxxxxxxxxx
!
!
!
!
ip tcp synwait-time 10
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description xxxxx WAN
ip address x.x.x.x 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect CEfirewall out
ip virtual-reassembly in
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
description xxxxxxxxxxxxx
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 192.168.2.9 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 x.x.x.x 2
!
access-list 1 remark Inside NAT
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark VLAN ACL
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host x.x.x.x eq domain any
access-list 101 permit udp host 4.2.2.2 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
no cdp run
!
!
!
!
!
line con 0
password 7 xxxxxxxxxxxxxxxxxxx
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
login
transport input telnet ssh
!
end
access-list 101 permit tcp ***Our Office Public IP*** 0.0.0.0 ***Client Office FE4 Public IP*** 0.0.0.0 eq 22
access-list 101 permit udp host x.x.x.x eq domain any
access-list 101 permit udp host 4.2.2.2 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any parameter-problem
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any ttl-exceeded
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 deny ip host 255.255.255.255 any log-input
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log-input
access-list 101 deny ip host 0.0.0.0 any log-input
access-list 101 deny icmp any any fragments
access-list 101 deny ip any any
11-13-2013 09:11 AM
Any other suggestions would be great too.
01-20-2015 11:34 AM
Did anyone get this figured out? I have multiple 881 routers out there with the same configuration and I have one I can't get to. SSH internally works fine. I've double-checked the static NAT, added a permit ip any any on the external port ACL, removed the ACL from the interface, upgraded the router to the latest IOS, and still nothing. When I try to SSH from the outside it doesn't even hit the router that I can see, as I have debug ip ssh detail enabled on the router with terminal monitor and see nothing. It's almost like the external NAT is just not working... Any help on this?
Thanks,
Raul
11-13-2013 09:54 AM
I believe that this version of access list 101 is better than the one in the config that is posted. Certainly that version of the ACL had no permit for any inbound SSH, and that prevented your connection. Adding a permit for your IP address to the router IP for TCP 22 should address this issue.
Some people might look at this and suggest that you should write a standard access list and use it as access-class in for the vty lines to control who has the ability to establish remote access sessions to the router. I do not know enough about the environment at that site to know whether it makes sense to add this or not. And seeing that most devices at that site will be getting dynamic addresses from DHCP it might be a challenge to determine which addresses should be permitted in the ACL. So I am inclined to think that controlling access by controlling who knows the login password would be sufficient.
I would have thought that for SSH you would have needed to configure login local on the vty lines. But if you have tested it from inside and SSH does work then I guess maybe you do not necessarily need login local.
HTH
Rick
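Rick's two suggestions put together, as an added example that is not from the thread: a permit for SSH on the WAN ACL, a standard ACL applied as an access-class on the vty lines, and SSH-only transport with local login; the show commands at the end are the checks Amant's post describes. 203.0.113.10 (office) and 198.51.100.2 (router WAN) are placeholder addresses, and the example assumes the RSA key pair and the privilege-15 local username from the posted config already exist.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   203.0.113.10 = office public IP, 198.51.100.2 = FastEthernet4 WAN IP
! Assumes an RSA key already exists (SSH works from the LAN) and the
! privilege-15 local username in the posted config.
!
! 1. WAN interface ACL. The posted ACL 101 has no permit for TCP/22, so
!    an inbound SSH SYN falls through to the final "deny ip any any".
!    Numbered ACL lines append to an existing list: clear it first
!    (no access-list 101) or build under a new number and swap it in.
access-list 101 permit tcp host 203.0.113.10 host 198.51.100.2 eq 22
access-list 101 permit udp host 4.2.2.2 eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
! ... the rest of the OP's proposed entries, abbreviated here ...
access-list 101 deny ip any any log-input
!
! 2. Standard ACL for the vty access-class: who may reach the login
!    prompt at all. Inside LAN plus the office address; log the rest.
access-list 10 remark MGMT-SSH
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit host 203.0.113.10
access-list 10 deny any log
!
! 3. SSH only (telnet removed), local username/password, idle timeout.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 10 0
!
! Checks while a connection is attempted from the office: hit counters
! on both ACLs, SSH state, and the lines the log keywords produce.
! show access-lists 101
! show access-lists 10
! show ip ssh
! show users
! show logging | include IPACCESSLOG
```

If the permit counter on ACL 101 increments but the session still fails, look at the posted `ip nat inside source static 192.168.2.9 interface FastEthernet4`: a full static NAT to the interface address translates inbound traffic for the WAN IP to 192.168.2.9 before the router's own SSH service sees it, whereas per-port entries (`ip nat inside source static tcp ...`) forward only the ports listed.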
01-11-2014 08:02 PM
In the configuration I don't see any ACL applied under line vty, so that's not blocking anything (it looks clean).
I want you to try the following steps to find the problem:
ip access-list extended test
 permit ip any any log
!
line vty 0 4
 login local
 access-class test in
That log statement will punt the vty traffic to the CPU, so we will do software switching instead of hardware.
Once done, please capture the output of show log and see if there is any message related to SSH.
01-12-2014 04:42 AM
One more question: were you able to telnet from the remote location?
-Amant
05-08-2020 02:48 AM
I have the same issue. At first I could SSH via the WAN; 5 minutes later I rebooted the router, and after that I could never SSH again from the WAN (already removed any ACL, rebooted many times). I can still SSH from the LAN. What happened here?