Port Forward ssh to internal network

Answered Question
Jul 17th, 2007

Hi (I am a Cisco newbie, as I am a Solaris SCM by trade, so forgive my lack of knowledge).

I have a Cisco 837 Router with ADSL (dynamic) configured on it. I have a solaris box and a linux box on the network (both listening to non-standard ssh ports) and want to access them from my office via PuTTY.

I have been unsuccessful in configuring the router to forward any requests from the outside to either of these machines on the inside. Basically I want (for example) the outside request (I use the current IP using DDNS) at port 10022 to be forwarded to the machine inside the network at 10.10.10.6:10022 - sounds simple, and my old Linksys had no problems with this. I have had our Cisco guy from work spend an evening trying to resolve it, but alas even he is flummoxed!

(all systems inside have static ips and all in one subnet).

Rachel (pulling hair out)

Paolo Bevilacqua Tue, 07/17/2007 - 15:40

Hi,

that would be:

ip nat source static tcp 10022 interface atm0 10022

Then boast NetPro's power to the coworker :)

Hope this helps, please rate post if it does!

Paolo Bevilacqua Tue, 07/17/2007 - 16:40

I must possibly amend my post above, because if your ISP is using PPPoE, you should put "dialer0" instead of ATM0, and if it is using "bridged 1483", you should put BVI1.

Basically, you put the interface that gets a public IP address one way or another !

costabunny Tue, 07/17/2007 - 22:22

OK, when I attempt to enter that line, IOS complains about the 'Invalid input detected ...' right at the 'source' part. Doing the 'ip nat ?' gives me the following options:

Stateful
inside
log
outside
pool
service
translation

(I have tried 'inside' - probably wrong, but it does not work anyways).

? confused here (IOS 12.2(13)ZH2) - the connection is PPPoA(AAL5MUX) Dynamic IP - ATM0 shows 'no ip address' and Dialer1 is 'ip address negotiated'..... weep

olafmarcos Tue, 07/17/2007 - 23:53

Hi Rachel,

your statement should be:

ip nat inside source static tcp PrivateIP 10022 interface Dialer1 10022 extendable

And review the access-list in the Dialer 1 to permit this traffic.

Regards,

Olaf

costabunny Wed, 07/18/2007 - 00:47

Thanks - Unfortunately in my 'tinkering' I have hardened the router to the extent that it's not accepting my telnet, ssh or SDM connections from the office - not a biggie as I will fix that when I get home tonight and then try your suggested nat setting.

Cheers - will let you know how it works out.

Rachel

Paolo Bevilacqua Wed, 07/18/2007 - 03:13

Correct, my post wasn't made in full control of typing evidently. But NetPros still rule :)

costabunny Wed, 07/18/2007 - 09:35

Ok I have control of my router back (will return to hardening it later).

I have this entry now

ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023

and access-list 106 permit tcp any eq 10023 any eq 10023 log

It still does not function (and I have no cisco guy tonight to help me) - (not doing bad as this is my first time with cisco kit) : )

You mention review the access list for Dialer1 - I am unsure as to what I need to add to that (or do I need a new rule) and how to ensure that it is applied to my NAT rule above?

any hints please?

Rachel

sundar.palaniappan Wed, 07/18/2007 - 09:47

It would help if you can post a sanitized copy of the full router configuration.

Anyway can you modify the following entry in access list 106 to as follows and test.

access-list 106 permit tcp any any eq 10023 log

HTH

Sundar

costabunny Wed, 07/18/2007 - 10:05

:( sorry to be such a burden, but none of the above (and below) statements are working :(

Here is my config (sanitised):

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxx
!
logging queue-limit 100
no logging buffered
enable secret 5 ********
!
username ******** privilege 15 password 7 ********
username ******** privilege 15 password 7 ********
username ******** privilege 15 secret 5 ********
username ******** privilege 15 secret 5 ********
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip domain name middleearth.org
ip name-server 195.x.x.66
ip name-server 195.x.x.6
ip dhcp excluded-address 10.10.10.25
ip dhcp excluded-address 10.10.10.1 10.10.10.29
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.40 10.10.10.254
ip dhcp excluded-address 10.10.10.21
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 195.x.x.66
 lease 0 2
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 description $ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip tcp adjust-mss 1400
 hold-queue 100 out
!
interface ATM0
 no ip address
 ip access-group 100 in
 no atm traffic-shaping
 no atm cell-clumping-disable
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip flow ingress
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ********@********.********
 ppp chap password 7 ********
 ppp pap sent-username ********@********.******** password 7 ********
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip nat pool sshforward 10.10.10.6 10.10.10.6 netmask 255.255.255.252
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip http server
ip http access-class 1
no ip http secure-server
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 99 remark SDM_ACL Category=2
access-list 99 permit any log
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host ***.***.***.*** any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=16
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map forwardssh permit 10
 match ip address 103
 set ip next-hop 10.10.10.9
!
banner login ^C ****** Welcome to Middle Earth ******^C
banner motd ^C
Logged on to: ARAGORN.
This system is not for unauthorised users.
All access is logged.....
^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 101 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

I can see now why my cisco guy was pulling his hair out last night lol
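As an added example (not from this thread, and not a Cisco tool), a small Python lint that does on a text copy of a config what Rachel ends up doing by eye: it collects the access-lists that are defined, the places an ACL is applied (interface access-groups, NAT source lists, route-map matches, vty access-classes), the static port forwards and the NAT inside/outside roles, and reports ACLs that are referenced but never defined or defined but applied nowhere. The embedded config is a constructed excerpt modelled on the sanitised config above; on it the lint flags 100 and 103 as dangling and 106 as unused.

```python
import re

# Constructed excerpt modelled on the sanitised config posted above, not the real one.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip access-group 100 in
 ip nat inside
!
interface Dialer1
 ip nat outside
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
route-map forwardssh permit 10
 match ip address 103
line vty 0 4
 access-class 101 in
"""

ACL_DEF = re.compile(r"^access-list (\S+) ")
# Places an ACL gets applied; group 1 is the ACL number or name.
ACL_REFS = [re.compile(r"^ip access-group (\S+) (?:in|out)$"),
            re.compile(r"^ip nat inside source list (\S+) "),
            re.compile(r"^match ip address (\S+)$"),
            re.compile(r"^access-class (\S+) (?:in|out)$")]
STATIC_NAT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
NAT_ROLE = re.compile(r"^ip nat (inside|outside)$")

def lint(config: str) -> dict:
    """Cross-check ACL definitions against their uses and list the NAT pieces."""
    defined, referenced, forwards, roles = set(), set(), [], {}
    interface = None                      # interface whose sub-commands we are in
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            interface = line.split()[1]
        elif line == "!":                 # end of a config section
            interface = None
        if m := ACL_DEF.match(line):
            defined.add(m.group(1))
        for rx in ACL_REFS:
            if m := rx.match(line):
                referenced.add(m.group(1))
        if m := STATIC_NAT.match(line):
            proto, lip, lport, out_if, gport = m.groups()
            forwards.append((proto, lip, int(lport), out_if, int(gport)))
        if interface and (m := NAT_ROLE.match(line)):
            roles[interface] = m.group(1)
    return {"dangling": sorted(referenced - defined),  # applied but never defined
            "unused": sorted(defined - referenced),    # defined but applied nowhere
            "forwards": forwards, "nat_roles": roles}
```

A dangling entry means the router is applying a filter that does not exist, and an unused one means the lines being edited are not in the traffic path at all, which is the confusion in the posts that follow.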

Paolo Bevilacqua Wed, 07/18/2007 - 09:49

Hi,

You should have another statement like:

ip nat inside source list 106 interface Dialer1 overload

Correct ? That would be allowing access to internet from inside to outside.

if so please change ACL as:

no access-list 106

access-list 106 permit ip 10.10.10.0 0.0.0.255 any

olafmarcos Wed, 07/18/2007 - 10:02

Hi Rachel,

Do you advise that your statements are for port 10023?

In your first post you talk about port 10022?

Anyway...

Can you post your running config?

# show running-config

In your interface dialer 1, you can see an entry:

ip access-group in

?

This number is the access-list that is applied on interface dialer 1.

You should copy your actual access-list from your running-config to Notepad and insert a statement at the beginning:

access-list permit tcp any any eq 10022

Now, copy all statements from Notepad (with the new one inserted). Delete your actual access-list with:

(conf)# no access-list

and paste the clipboard checking that the last statement is inserted pressing Enter.

Regards,

Olaf

Correct Answer
olafmarcos Wed, 07/18/2007 - 10:19

Try with this. Obviously you need to put usernames and passwords...

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ARAGORN
!
logging queue-limit 100
no logging buffered
enable secret 5 ********
!
username ******** privilege 15 password 7 ********
username ******** privilege 15 password 7 ********
username ******** privilege 15 secret 5 ********
username ******** privilege 15 secret 5 ********
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip domain name middleearth.org
ip name-server 195.244.192.66
ip name-server 195.244.192.6
ip dhcp excluded-address 10.10.10.25
ip dhcp excluded-address 10.10.10.1 10.10.10.29
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.40 10.10.10.254
ip dhcp excluded-address 10.10.10.21
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 195.244.192.66
 lease 0 2
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 description $ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1400
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm traffic-shaping
 no atm cell-clumping-disable
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip flow ingress
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ********@********.********
 ppp chap password 7 ********
 ppp pap sent-username ********@********.******** password 7 ********
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.6 10022 interface Dialer1 10022
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip http server
ip http access-class 1
no ip http secure-server
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=16
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
banner login ^C ****** Welcome to Middle Earth ******^C
banner motd ^C
Logged on to: ARAGORN.
This system is not for unauthorised users.
All access is logged.....
^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

costabunny Wed, 07/18/2007 - 10:38

Hmmmm the plot thickens....

I have applied this config and the router has reloaded ok. I am still unable to reach my inside machine.

Upon nosing a little through your changes, I went to see what access-group 100 was and found that it does not exist on my router!

How on earth can I put it back in (or should I do a factory reset and then apply this config again?)

thanks (You guys are all ANGELS and uber-techs for replying so quick and having patience thus far) x x x

Rachel

olafmarcos Wed, 07/18/2007 - 10:53

I saw that no access-group is applied in dialer 1. Don't worry, security later.

Can you put the output of:

show ip nat translations

Can you access ssh to your server from the inside network at port 10022?

Regards,

Olaf

costabunny Wed, 07/18/2007 - 10:58

show ip nat translations gives:

Pro Inside global          Inside local        Outside local        Outside global
tcp 212.120.230.38:2008    10.10.10.2:2008     207.46.111.77:1863   207.46.111.77:1863
tcp 212.120.230.38:10023   10.10.10.6:10023    ---                  ---
tcp 212.120.230.38:2080    10.10.10.2:2080     72.14.217.91:80      72.14.217.91:80

Yes I have no problem logging into 10.10.10.6:10023 and 10.10.10.9:10022 from inside using PuTTY (the 10023 is the one I am most concerned with getting up)

Thanks :) here's hoping light will be shed...

olafmarcos Wed, 07/18/2007 - 11:04

And the server 10.10.10.6 can browse without problems?

Greetings,

costabunny Wed, 07/18/2007 - 11:11

Hmmm, never looked at that - it's a Linux box that I use primarily as a console box/ssh gateway (meaning I used to ssh into it through my old Linksys, then ssh from that box to my Solaris machines) - I don't have a GUI on there so I haven't tried browsing. A quick ping http://www.bbc.co.uk resulted in nada, so I am checking its routes etc. right now (though it has no trouble accessing my remote offices in London via the software VPN) - odd, probably it just can't find the DNS servers......)

I will check it out and be back in a mo

cheers

edit: yep now it can ping www.bbc.co.uk .....

still no connection from outside :(

costabunny Thu, 07/19/2007 - 01:43

Wow (and weird), but I got to the office this morning and immediately ssh'd to my linux box at home :)

Thanks for all your help guys, but I am somewhat curious as to why, when I tested from home, it doesn't work. (I admit I should have RDC'd to my work PC and tried from there, but as I couldn't see it I thought I wasn't at that point.)

I was using a PuTTY session on my Windows PC at home to ssh to the linux box via my external IP:10022 and it could not connect. Yet here at work I can connect? Is there something in my config that is preventing the port forward from working from within my network when going out and back in again?

Anyways, on to my EasyVPN next (hopefully I can get that up without too many hassles (connecting to a 3000 series)).

Thanks again all of you for your patience and advice - I will certainly be here with more questions as I do more things on my learning voyage with Cisco.

olafmarcos Thu, 07/19/2007 - 07:20

Ummmmm...

It should run without problems from an RDC session to your work from home. I do it every day.

Maybe NAT entries in the cache...

Try again from home and try to open SSH session with other server, not your home.

Regards,

costabunny Thu, 07/19/2007 - 09:32

Hi, just got in and yep, I can VPN to the office, run up an RDC to my office PC and successfully SSH to my linux box here.

What I am still unable to do is fire up an ssh session from my home Windows box (using either my current public IP or the DDNS URL) to the linux box (using the exact ssh session template as at work (I just copied it from there)). Bizarre or normal behaviour?

Anyhoos THANKS ALL X X X X X X X

(what a great bunch you are)

olafmarcos Thu, 07/19/2007 - 17:46

If you are trying to open an ssh session directly from home to your public address, that is normal. You can't access your internal servers using the public address, unless you do other NATs. When you connect to your internal servers from inside you should use the internal IP addresses.

I thought you tried to open the ssh session from the office RDC connection.

Regards,
