ssh question

Mar 23rd, 2008

Hello,

I need to access a Linux server that sits behind an 871w router. I can ssh to the router from the server but cannot ssh to the router or server from the outside. Any idea where to start?

Thank you,

John

Edison Ortiz Sun, 03/23/2008 - 12:01

You can start by posting the router config.

Edison.

jseneca64 Sun, 03/23/2008 - 13:02

I uploaded the config. The IP address of the server I need to ssh to is 10.0.1.99.


Thanks for your response,

John

cisco24x7 Sun, 03/23/2008 - 13:58

ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet4 22

Now from the outside, anyone connecting to the router FastEthernet4 interface IP on port 22 will be redirected to the Linux server, assuming that host 10.0.1.10 is the IP address of the Linux server.



jseneca64 Sun, 03/23/2008 - 17:10

I added the NAT route but still no connection from the outside. Attached is my current running config. Am I missing something? My server IP is 10.0.1.99.

Thank you,

John



cisco24x7 Sun, 03/23/2008 - 17:19

Please modify your ACL as such:

ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit tcp any any eq 22 log
deny ip any any log

That will allow ssh access from the outside.


CCIE Security

jseneca64 Sun, 03/23/2008 - 17:55

Made the changes and I can now ssh from the outside. Did I need the ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet4 22 line added to the config? Thank you so much for your help!

John

cisco24x7 Sun, 03/23/2008 - 18:18

You need both:

ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet4 22
permit tcp any any eq 22 log

You can even ssh into your Linux box on whatever port you specified if you want to preserve TCP port 22 to ssh into your router from the outside. For example, you can do this:

ip nat inside source static tcp 10.0.1.99 22 interface FastEthernet4 24
ip access-list extended Internet-inbound-ACL
! remove the existing catch-all first, so the new permits are not appended after it
no deny ip any any log
permit tcp any any eq 24 log
permit tcp any any eq 22 log
deny ip any any log

Now you can ssh into your router on TCP port 22 and your Linux server on TCP port 24. Putty, Teraterm or SecureCRT can do it rather easily.


CCIE Security
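Both the 17:19 reply (the inbound ACL) and this one (static NAT plus ACL, with a different outside port) rest on two IOS behaviours: an extended ACL is evaluated top-down and the first matching entry wins, so a catch-all `deny ip any any` placed above the permits blocks everything; and for outside-to-inside traffic the inbound ACL on the WAN interface is checked before NAT, so it must permit the router's global address and the outside port (24), not the server's 10.0.1.99:22. The following Python model is an added example, not code from the thread or from Cisco. It parses the subset of `ip access-list extended` and `ip nat inside source static` syntax the replies use, applies first-match semantics, and then the static port mapping. The WAN and client addresses (198.51.100.1, 203.0.113.5, 192.0.2.9) are constructed documentation addresses, and the misordered and source-restricted ACL variants are constructed for contrast; the restricted variant shows the check a defender would add, since `permit tcp any any eq 24 log` exposes the forwarded SSH service to every Internet source.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses (documentation ranges), not values from the thread.
ROUTER_IP = "198.51.100.1"   # WAN address on the 871w's FastEthernet4
PORT_NAMES = {"bootps": 67, "bootpc": 68, "ssh": 22}

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", "icmp", "gre", "esp"
    src: str
    dst: str
    sport: int | None = None
    dport: int | None = None
    icmp_type: str | None = None  # "echo", "echo-reply", "traceroute"

@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: int | None             # "eq <port>" after the source address
    dport: int | None             # "eq <port>" after the destination address
    icmp_type: str | None

def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)  # wildcard == hostmask

def _port(tokens):
    """Consume an optional 'eq <number|name>' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

def parse_acl(text):
    """Parse the subset of 'ip access-list extended' syntax used in the thread."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":  # skip the 'ip access-list extended <name>' header
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        icmp_type = rest.pop(0) if proto == "icmp" and rest and rest[0] != "log" else None
        entries.append(AclEntry(action, proto, src, dst, sport, dport, icmp_type))
    return entries

def matches(e, p):
    return ((e.proto == "ip" or e.proto == p.proto)
            and ipaddress.ip_address(p.src) in e.src
            and ipaddress.ip_address(p.dst) in e.dst
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport)
            and (e.icmp_type is None or e.icmp_type == p.icmp_type))

def evaluate(entries, p):
    """IOS first-match semantics: the first matching entry decides, else the implicit deny."""
    for i, e in enumerate(entries):
        if matches(e, p):
            return e.action, i
    return "deny", None

def parse_static_nat(line):
    """Parse 'ip nat inside source static tcp <in_ip> <in_port> interface <ifname> <out_port>'."""
    t = line.split()
    return {"proto": t[5], "inside": (t[6], int(t[7])), "outside_port": int(t[10])}

def inbound(entries, nat_rules, router_ip, p):
    """Outside-to-inside on the WAN interface: the inbound ACL runs before NAT, so it sees the
    router's global address and the outside port; a matching static entry then rewrites the
    destination to the inside host."""
    if evaluate(entries, p)[0] != "permit":
        return "dropped by ACL", None
    for r in nat_rules:
        if p.proto == r["proto"] and p.dst == router_ip and p.dport == r["outside_port"]:
            return "forwarded", replace(p, dst=r["inside"][0], dport=r["inside"][1])
    return "to router itself", p

# Constructed ACL variants: correct order, catch-all deny placed first, and source-restricted.
ACL_FIXED = "ip access-list extended Internet-inbound-ACL\npermit tcp any any eq 24 log\npermit tcp any any eq 22 log\ndeny ip any any log"
ACL_MISORDERED = "ip access-list extended Internet-inbound-ACL\ndeny ip any any log\n" + ACL_FIXED
ACL_RESTRICTED = "ip access-list extended Internet-inbound-ACL\npermit tcp host 203.0.113.5 any eq 24 log\ndeny ip any any log"
NAT_RULES = [parse_static_nat("ip nat inside source static tcp 10.0.1.99 22 interface FastEthernet4 24")]

def ssh_from(src, dport):
    """Constructed inbound TCP connection attempt to the router's WAN address."""
    return Packet("tcp", src, ROUTER_IP, sport=51000, dport=dport)
```

Running `inbound(parse_acl(ACL_FIXED), NAT_RULES, ROUTER_IP, ssh_from("192.0.2.9", 24))` yields `"forwarded"` with the destination rewritten to 10.0.1.99:22, port 22 stays with the router, and anything else hits the logged deny; the same packet against `ACL_MISORDERED` is dropped at entry 0 before NAT is ever consulted. The `ACL_RESTRICTED` variant keeps the mapping but only admits the one management host. The parser treats a `0.0.0.0` wildcard as /0 (Python's `ipaddress` reads it as a netmask), so use the `host` form for single addresses.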
