Port Forward ssh to internal network

costabunny (Level 1)

Hi (I am a Cisco newbie, as I am a Solaris SCM by trade, so forgive my lack of knowledge).

I have a Cisco 837 router with ADSL (dynamic) configured on it. I have a Solaris box and a Linux box on the network (both listening on non-standard SSH ports) and want to access them from my office via PuTTY.

I have been unsuccessful in configuring the router to forward any requests from the outside to either of these machines on the inside. Basically I want (for example) the outside request (I reach the current IP using DDNS) at port 10022 to be forwarded to the machine inside the network at 10.10.10.6:10022. Sounds simple, and my old Linksys had no problems with this. I have had our Cisco guy from work spend an evening trying to resolve it, but alas even he is flummoxed!

(all systems inside have static ips and all in one subnet).

Rachel (pulling hair out)


21 Replies

paolo bevilacqua (Hall of Fame)

Hi,

that would be:

ip nat source static tcp 10022 interface atm0 10022

Then boast NetPro's power to the coworker :)

Hope this helps, please rate post if it does!

I must possibly amend my post above, because if your ISP is using PPPoE, you should put "dialer0" instead of ATM0, and if it is using "bridged 1483", you should put BVI1.

Basically, you put the interface that gets a public IP address one way or another !

OK, when I attempt to enter that line, IOS complains about 'Invalid input detected ...' right at the 'source' part. Doing 'ip nat ?' gives me the following options:

Stateful

inside

log

outside

pool

service

translation

(I have tried 'inside' - probably wrong, but it does not work anyways).

? confused here (IOS 12.2(13)ZH2) - the connection is PPPoA(AAL5MUX) Dynamic IP - ATM0 shows 'no ip address' and Dialer1 is 'ip address negotiated'..... weep

Hi Rachel,

your statement should be:

ip nat inside source static tcp PrivateIP 10022 interface Dialer1 10022 extendable

And review the access-list on Dialer 1 to permit this traffic.

Regards,

Olaf

Thanks. Unfortunately, in my 'tinkering' I have hardened the router to the extent that it's not accepting my telnet, SSH or SDM connections from the office. Not a biggie, as I will fix that when I get home tonight and then try your suggested NAT setting.

Cheers - will let you know how it works out.

Rachel

Correct, my post wasn't made in full control of typing evidently. But NetPros still rule :)

Ok I have control of my router back (will return to hardening it later).

I have this entry now

ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023

and access-list 106 permit tcp any eq 10023 any eq 10023 log

It still does not function (and I have no Cisco guy tonight to help me). (Not doing bad, as this is my first time with Cisco kit.) : )

You mention reviewing the access list for Dialer1. I am unsure as to what I need to add to that (or do I need a new rule?) and how to ensure that it is applied to my NAT rule above.

any hints please?

Rachel

It would help if you can post a sanitized copy of the full router configuration.

Anyway can you modify the following entry in access list 106 to as follows and test.

access-list 106 permit tcp any any eq 10023 log

HTH

Sundar

:( Sorry to be such a burden, but none of the above (and below) statements are working. :(

Here is my config (sanitised):

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname xxx

!

logging queue-limit 100

no logging buffered

enable secret 5 ********

!

username ******** privilege 15 password 7 ********

username ******** privilege 15 password 7 ********

username ******** privilege 15 secret 5 ********

username ******** privilege 15 secret 5 ********

clock timezone PCTime 1

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00

ip subnet-zero

ip domain name middleearth.org

ip name-server 195.x.x.66

ip name-server 195.x.x.6

ip dhcp excluded-address 10.10.10.25

ip dhcp excluded-address 10.10.10.1 10.10.10.29

ip dhcp excluded-address 10.10.10.1

ip dhcp excluded-address 10.10.10.40 10.10.10.254

ip dhcp excluded-address 10.10.10.21

!

ip dhcp pool CLIENT

import all

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

dns-server 195.x.x.66

lease 0 2

!

!

ip audit notify log

ip audit po max-events 100

no ftp-server write-enable

!

!

!

!

!

!

!

interface Ethernet0

description $ETH-LAN$

ip address 10.10.10.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip tcp adjust-mss 1400

hold-queue 100 out

!

interface ATM0

no ip address

ip access-group 100 in

no atm traffic-shaping

no atm cell-clumping-disable

atm vc-per-vp 64

no atm ilmi-keepalive

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

bundle-enable

dsl operating-mode auto

!

interface Dialer1

ip address negotiated

ip nat outside

ip flow ingress

encapsulation ppp

ip tcp adjust-mss 1400

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname ********@********.********

ppp chap password 7 ********

ppp pap sent-username ********@********.******** password 7 ********

ppp ipcp dns request

ppp ipcp wins request

hold-queue 224 in

!

ip nat pool sshforward 10.10.10.6 10.10.10.6 netmask 255.255.255.252

ip nat inside source list 102 interface Dialer1 overload

ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1 permanent

ip http server

ip http access-class 1

no ip http secure-server

!

access-list 1 remark Auto generated by SDM Management Access feature

access-list 1 remark SDM_ACL Category=1

access-list 1 permit 10.10.10.0 0.0.0.255

access-list 99 remark SDM_ACL Category=2

access-list 99 permit any log

access-list 101 remark SDM_ACL Category=1

access-list 101 permit ip host ***.***.***.*** any

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

access-list 102 remark SDM_ACL Category=16

access-list 102 permit ip 10.10.10.0 0.0.0.255 any

access-list 106 permit ip 10.10.10.0 0.0.0.255 any

dialer-list 1 protocol ip permit

route-map forwardssh permit 10

match ip address 103

set ip next-hop 10.10.10.9

!

banner login ^C ****** Welcome to Middle Earth ******^C

banner motd ^C

Logged on to: ARAGORN.

This system is not for unauthorised users.

All access is logged.....

^C

!

line con 0

exec-timeout 120 0

no modem enable

stopbits 1

line aux 0

stopbits 1

line vty 0 4

access-class 101 in

exec-timeout 120 0

login local

length 0

!

scheduler max-task-time 5000

!

end

I can see now why my Cisco guy was pulling his hair out last night, lol.

Hi,

You should have another statement like:

ip nat inside source list 106 dialer1 overload

Correct ? That would be allowing access to internet from inside to outside.

if so please change ACL as:

no access-list 106

access-list 106 permit ip 10.10.10.0 0.0.0.255 any

Hi Rachel,

Do you mean that your statements are for port 10023?

In your first post you talked about port 10022.

Anyway...

Can you post your running config?

# show running-config

In your interface dialer 1, you can see an entry:

ip access-group in

?

This number is the access-list that is applied on interface dialer 1.

You should copy your actual access-list from your running-config to Notepad and insert a statement at the beginning:

access-list permit tcp any any eq 10022

Now, copy all statements from Notepad (with the new one inserted). Delete your actual access-list with:

(conf)# no access-list

and paste the clipboard, checking that the last statement is inserted by pressing Enter.

Regards,

Olaf

Accepted Solution

Try with this. Obviously you need to put usernames and passwords...

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname ARAGORN

!

logging queue-limit 100

no logging buffered

enable secret 5 ********

!

username ******** privilege 15 password 7 ********

username ******** privilege 15 password 7 ********

username ******** privilege 15 secret 5 ********

username ******** privilege 15 secret 5 ********

clock timezone PCTime 1

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00

ip subnet-zero

ip domain name middleearth.org

ip name-server 195.244.192.66

ip name-server 195.244.192.6

ip dhcp excluded-address 10.10.10.25

ip dhcp excluded-address 10.10.10.1 10.10.10.29

ip dhcp excluded-address 10.10.10.1

ip dhcp excluded-address 10.10.10.40 10.10.10.254

ip dhcp excluded-address 10.10.10.21

!

ip dhcp pool CLIENT

import all

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

dns-server 195.244.192.66

lease 0 2

!

!

ip audit notify log

ip audit po max-events 100

no ftp-server write-enable

!

!

!

!

!

!

!

interface Ethernet0

description $ETH-LAN$

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip tcp adjust-mss 1400

hold-queue 100 out

!

interface ATM0

no ip address

no atm traffic-shaping

no atm cell-clumping-disable

atm vc-per-vp 64

no atm ilmi-keepalive

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

bundle-enable

dsl operating-mode auto

!

interface Dialer1

ip address negotiated

ip nat outside

ip flow ingress

encapsulation ppp

ip tcp adjust-mss 1400

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname ********@********.********

ppp chap password 7 ********

ppp pap sent-username ********@********.******** password 7 ********

ppp ipcp dns request

ppp ipcp wins request

hold-queue 224 in

!

ip nat inside source list 102 interface Dialer1 overload

ip nat inside source static tcp 10.10.10.6 10022 interface Dialer1 10022

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1 permanent

ip http server

ip http access-class 1

no ip http secure-server

!

access-list 1 remark Auto generated by SDM Management Access feature

access-list 102 remark SDM_ACL Category=16

access-list 102 permit ip 10.10.10.0 0.0.0.255 any

dialer-list 1 protocol ip permit

!

banner login ^C ****** Welcome to Middle Earth ******^C

banner motd ^C

Logged on to: ARAGORN.

This system is not for unauthorised users.

All access is logged.....

^C

!

line con 0

exec-timeout 120 0

no modem enable

stopbits 1

line aux 0

stopbits 1

line vty 0 4

exec-timeout 120 0

login local

length 0

!

scheduler max-task-time 5000

!

end

Hmmmm, the plot thickens....

I have applied this config and the router has reloaded OK. I am still unable to reach my inside machine.

Upon nosing a little through your changes, I went to see what access-group 100 was and found that it does not exist on my router!

How on earth can I put it back in (or should I do a factory reset and then apply this config again)?

Thanks (you guys are all ANGELS and uber-techs for replying so quickly and having patience thus far) x x x

Rachel
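The replies above check three things by hand: that the static NAT line names the interface that is `ip nat outside` (Paolo's point), that an ACL applied with `ip access-group` is actually defined (the missing access-list 100 Rachel just found; IOS permits all traffic through an applied but undefined ACL), and that an inbound ACL on the outside interface has a `permit tcp any any eq <port>` entry rather than one that also requires a matching source port (Sundar's correction). The script below is an added example, not code from this thread or from Cisco, that runs those checks over a sanitised config and also emits the delete-and-re-add command sequence Olaf describes for a numbered ACL. The two config strings are constructed in the shape of Rachel's posted config, with an inbound ACL on Dialer1 added so the port check has something to evaluate; the line-format matcher is a deliberately small assumption that only understands `any`, `host A`, `A WILDCARD` and `eq` port qualifiers.

```python
import re

# Constructed sample in the shape of the config posted above: ACL 106 is the thread's
# first attempt, ACL 100 is applied on Ethernet0 but never defined.
BROKEN_CONFIG = """\
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip access-group 106 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 remark inbound from the Internet
access-list 106 permit tcp any eq 10023 any eq 10023 log
"""

# Same config with both problems corrected (Sundar's ACL line, no phantom ACL 100).
FIXED_CONFIG = BROKEN_CONFIG.replace(" ip access-group 100 in\n", "").replace(
    "permit tcp any eq 10023 any eq 10023 log", "permit tcp any any eq 10023 log")

STATIC_NAT = re.compile(r"ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)")


def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def parse_acls(config):
    """Map each numbered ACL to its entries (remarks kept, in config order)."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (.+)$", config, re.M):
        acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def _addr(tokens, i):
    """Consume one address spec. 'any' matches an arbitrary Internet host; 'host A'
    and 'A WILDCARD' (two tokens) are specific and are not assumed to match."""
    return (True, i + 1) if tokens[i] == "any" else (False, i + 2)


def acl_action_for_tcp(entries, dst_port, src_port=50000):
    """Evaluate an extended ACL as IOS does (first match wins, implicit deny at the
    end) for a TCP flow from any host on an ephemeral port to our address:dst_port."""
    for entry in entries:
        t = entry.split()
        if t[0] not in ("permit", "deny") or t[1] not in ("ip", "tcp"):
            continue                      # remarks and other protocols never match TCP
        ok, i = _addr(t, 2)
        if i < len(t) and t[i] == "eq":   # source-port qualifier (the thread's mistake)
            ok, i = ok and int(t[i + 1]) == src_port, i + 2
        dst_ok, i = _addr(t, i)
        ok = ok and dst_ok
        if i < len(t) and t[i] == "eq":   # destination-port qualifier
            ok, i = ok and int(t[i + 1]) == dst_port, i + 2
        if ok:
            return t[0]
    return "deny"


def check_port_forward(config):
    """Return findings that would stop an inbound TCP forward; [] if consistent."""
    findings, ifaces, acls = [], parse_interfaces(config), parse_acls(config)
    outside = {n for n, cmds in ifaces.items() if "ip nat outside" in cmds}
    if not outside:
        findings.append("no interface is 'ip nat outside'")
    for name, cmds in ifaces.items():
        for m in (re.match(r"ip access-group (\d+) (in|out)", c) for c in cmds):
            if m and m.group(1) not in acls:  # applied but undefined ACL: IOS permits everything
                findings.append(f"{name}: access-group {m.group(1)} applied but ACL "
                                f"{m.group(1)} is not defined (permits everything)")
    entries = STATIC_NAT.findall(config)
    if not entries:
        findings.append("no 'ip nat inside source static tcp ... interface ...' entry")
    for _local_ip, _local_port, iface, global_port in entries:
        if iface not in outside:
            findings.append(f"static NAT names {iface}, which is not 'ip nat outside'")
        for m in (re.match(r"ip access-group (\d+) in", c) for c in ifaces.get(iface, [])):
            if m and m.group(1) in acls and \
                    acl_action_for_tcp(acls[m.group(1)], int(global_port)) != "permit":
                findings.append(f"{iface}: inbound ACL {m.group(1)} does not permit "
                                f"TCP/{global_port} to the public address")
    return findings


def acl_rebuild_commands(config, acl_number, new_first_entry):
    """Olaf's procedure for a numbered ACL on 12.2 (no per-entry sequence numbers):
    delete it, re-add the new entry first, then the original entries in order."""
    entries = parse_acls(config).get(acl_number, [])
    return [f"no access-list {acl_number}", f"access-list {acl_number} {new_first_entry}"] + \
        [f"access-list {acl_number} {e}" for e in entries]


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_port_forward(cfg) or "OK")
    print("\n".join(acl_rebuild_commands(BROKEN_CONFIG, "106", "permit tcp any any eq 10023 log")))
```

Run it against `show running-config` output saved to a file in place of the constructed strings; the matcher treats any specific source or destination address as "not known to match", so a finding on an inbound ACL means "add an explicit permit for the forwarded port", not that the ACL is necessarily wrong.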

I saw that no access-group is applied on Dialer 1. Don't worry, security later.

Can you put the output of:

show ip nat translations

Can you SSH to your server from the inside network on port 10022?

Regards,

Olaf
