SSH to PPPoE Interface

JEFF SPRADLING
Level 1

Hello all,

I'm trying to SSH to a remote 891's PPPoE interface.  The router is set up with a VPN back to our main site, and I can SSH to the inside address through the VPN, but I need to re-IP the site, so I have to be able to get to the outside IP.

PPPoE is set up for DHCP, but we have a reserved IP (4.4.4.166 in the config below), so it's always the same.  IPs changed to protect the guilty.

Captures on the main site ASA show the SSH packet leaving with IP 1.1.1.240, but no response.  Debug logging on the 891 doesn't show any hits.  Any suggestion appreciated!

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname remote-rtr
!
boot-start-marker
boot-end-marker
!
logging buffered 1048576
logging console errors
logging monitor critical
!
aaa new-model
!
aaa authentication login ACS group tacacs+ local
aaa authorization exec ACSAUTHOR group tacacs+ local
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa session-id common
!
clock timezone CST -5
clock summer-time CDT recurring
service-module wlan-ap 0 bootimage unified
!
no ip source-route
!
ip dhcp excluded-address 10.212.1.250
!
ip dhcp pool VLAN2-DHCP
   network 10.212.1.0 255.255.255.0
   default-router 10.212.1.1
   dns-server 192.168.128.118
   domain-name xxxx.com
!
ip dhcp pool VLAN4-DHCP
   network 10.212.3.0 255.255.255.0
   default-router 10.212.3.1
   dns-server 192.168.128.116 192.168.128.118
   domain-name xxxxx.com
!
ip cef
ip flow-cache timeout active 1
no ip domain lookup
ip domain name xxxx.xxx.com
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO891W-AGN-A-K9 sn xxxxxx
license accept end user agreement
!
ip ssh time-out 60
ip ssh version 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxx address 1.1.1.6
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
!
crypto map yyyyy-crypto-map 200 ipsec-isakmp
 set peer 1.1.1.6
 set transform-set aes256-sha
 match address yyy-vpn
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface FastEthernet4
 switchport access vlan 2
!
interface FastEthernet5
 switchport access vlan 2
!
interface FastEthernet6
 switchport access vlan 2
!
interface FastEthernet7
 switchport access vlan 2
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description outside interface
 ip address dhcp
 ip access-group outside-acl in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan4
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport trunk native vlan 4
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 10.212.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 no ip address
!
interface Vlan4
 ip address 10.212.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan5
 no ip address
!
interface Vlan6
 no ip address
!
interface Vlan7
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname xxxxx.ca
 ppp chap password xxxxxx
 ppp pap sent-username xxxxx.ca password xxxxxx
 no cdp enable
 crypto map yyyy-crypto-map
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended yyyyy-vpn
 permit ip 10.212.0.0 0.0.255.255 host 2.2.2.57
 permit ip 10.212.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 permit ip 10.212.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 10.212.0.0 0.0.255.255 10.0.0.0 0.255.255.255
ip access-list extended outside-acl
 permit icmp any any echo-reply
 permit icmp any any echo
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp 1.1.1.0 0.0.0.255 host 4.4.4.166 eq 22
 permit gre any host 4.4.4.166
 permit ahp any host 4.4.4.166
 permit esp any host 4.4.4.166
 permit udp any host 4.4.4.166 eq isakmp
 permit udp any host 4.4.4.166 eq non500-isakmp
!
logging history informational
logging trap notifications
logging source-interface GigabitEthernet0
logging 192.168.160.77
logging 192.168.160.72
logging 192.168.128.37
logging 192.168.128.32
access-list 101 deny   ip any 10.0.0.0 0.255.255.255
access-list 101 deny   ip any 172.16.0.0 0.15.255.255
access-list 101 deny   ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
!
snmp-server community xxxxx RW
snmp-server community xxxxx RO
snmp-server location yyyyy, ww
snmp-server contact Help Desk 555
snmp-server host 192.168.160.72 xxxx
!
tacacs-server host 192.168.128.8
tacacs-server directed-request
tacacs-server key xxxxxx
!
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin udptn ssh
line aux 0
 exec-timeout 0 0
 privilege level 15
 authorization exec ACSAUTHOR
 login authentication ACS
 transport output none
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password xxx
 authorization exec ACSAUTHOR
 login authentication ACS
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 authorization exec ACSAUTHOR
 login authentication ACS
 transport input ssh
!
scheduler max-task-time 5000
ntp server 192.168.0.4
end
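As an added configuration check (example code written for this page, not from the post or from Cisco): a small Python audit of where the posted config places its inbound ACL. It parses the interface blocks of show-run text and reports that `outside-acl` is applied inbound on GigabitEthernet0, the physical PPPoE-client port, while Dialer0, the interface that owns the negotiated address, the NAT outside role and the crypto map, has no inbound ACL at all. The embedded config is a constructed excerpt of the one posted above, with the redacted names kept as posted.

```python
# Constructed excerpt modelled on the posted 891 config (redacted names kept as posted).
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 ip address dhcp
 ip access-group outside-acl in
 ip nat outside
 pppoe-client dial-pool-number 1
!
interface Vlan2
 ip address 10.212.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
 dialer pool 1
 crypto map yyyy-crypto-map
!
ip access-list extended outside-acl
 permit tcp 1.1.1.0 0.0.0.255 host 4.4.4.166 eq 22
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its sub-commands (show-run style, one-space indent)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return blocks

def audit_edge_acls(config):
    """Report inbound-ACL placement relative to the interface that owns the WAN address.
    With a PPPoE client that is the dialer (negotiated address, NAT outside, crypto map)."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        acl_in = next((c.split()[2] for c in cmds
                       if c.startswith("ip access-group ") and c.endswith(" in")), None)
        pppoe_port = any(c.startswith("pppoe-client ") for c in cmds)
        l3_edge = any(c in ("ip address negotiated", "ip nat outside") or c.startswith("crypto map ") for c in cmds)
        if pppoe_port and acl_in:
            findings.append((name, f"inbound ACL {acl_in} is on the PPPoE-client port, not the dialer"))
        elif l3_edge and acl_in is None:
            findings.append((name, "owns the WAN address/NAT/crypto map but has no inbound ACL"))
    return findings
```

Run `audit_edge_acls()` over a saved `show running-config` to get the same two findings for the full config; an interface that both holds the address and carries the ACL produces no finding.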

1 Reply

JEFF SPRADLING
Level 1

Bump and update: I do see responses on my ASA, however they are not on the correct port:

   1: 12:59:16.187398       1.1.1.1.12335 > 4.4.4.166.22: S 227559813:227559813(0) win 8192
   2: 12:59:16.229724       4.4.4.4.166.36 > 1.1.1.1.12335: S 134675947:134675947(0) ack 227559814 win 4128

Shouldn't I see the return packets back sourced on port 22?  Is this why it's not working? Each time I try again, the source port on the return packet increments by 1. 

Anyone?