ssh question

jseneca64
Level 1

Hello,

I need to access a Linux server that sits behind an 871w router. I can ssh to the router from the server but cannot ssh to the router or server from the outside. Any idea where to start?

Thank you,

John

7 Replies

Edison Ortiz
Hall of Fame

You can start by posting the router config.

__

Edison.

I uploaded the config. The ip address of the server I need to ssh to is 10.0.1.99.

Thanks for your response,

John

ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet4 22

Now from the outside, anyone connecting to the router's FastEthernet4 interface IP on port 22 will be redirected to the Linux server, assuming that host 10.0.1.10 is the IP address of the Linux server.

I added the nat route but still no connection from the outside. Attached is my current running config. Am I missing something? My server IP is 10.0.1.99.

Thank you,

John

Please modify your ACL as such:

ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit tcp any any eq 22 log
 deny ip any any log

That will allow ssh access from the outside.

CCIE Security

Made the changes and I can now ssh from the outside. Did I need the ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet4 22 line added to the config? Thank you so much for your help!

John

You need both:

ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet4 22
permit tcp any any eq 22 log

You can even ssh into your Linux box on whatever port you specified if you want to preserve tcp port 22 to ssh into your router from the outside. For example, you can do this:

ip nat inside source static tcp 10.0.1.99 22 interface FastEthernet4 24
ip access-list extended Internet-inbound-ACL
 ! remove the existing catch-all deny first so the new permits are appended ahead of it
 ! (entries are matched top-down; a deny placed before the permits would block everything)
 no deny ip any any log
 permit tcp any any eq 24 log
 permit tcp any any eq 22 log
 deny ip any any log

Now you can ssh into your router on tcp port 22 and your Linux server on tcp port 24. Putty, Teraterm or SecureCRT can do it rather easily.

CCIE Security
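As an added example (not part of the thread or the poster's config), here is a small Python first-match evaluator for the ACL entries and the static NAT line discussed above. It shows why entry order matters (a deny placed ahead of the permits drops the SSH traffic) and where an outside connection to port 22 or 24 on FastEthernet4 ends up. The ACL grammar is simplified to the forms used in this thread, the port 24 to 10.0.1.99:22 mapping follows the last reply, and the assumption that IOS checks the inbound ACL before outside-to-inside NAT is noted in the code.

```python
# Added example, not from the thread: first-match evaluation of the simplified
# IOS ACL entries quoted above ("<permit|deny> <proto> any any [eq PORT] [log]")
# followed by the static PAT mapping from the last reply.

ACL_AS_POSTED = [  # deny ahead of the permits: nothing gets through
    "deny ip any any log",
    "permit tcp any any eq 24 log",
    "permit tcp any any eq 22 log",
    "deny ip any any log",
]

ACL_CORRECTED = [  # permits first, catch-all deny last
    "permit tcp any any eq 24 log",
    "permit tcp any any eq 22 log",
    "deny ip any any log",
]

# "ip nat inside source static tcp 10.0.1.99 22 interface FastEthernet4 24"
# expressed as {outside_port: (inside_host, inside_port)}
STATIC_NAT = {24: ("10.0.1.99", 22)}
ROUTER_PORT = 22  # untranslated port 22 terminates on the router itself

def parse_ace(line):
    """Return (action, protocol, port or None) for one simplified entry."""
    tokens = line.split()
    port = int(tokens[tokens.index("eq") + 1]) if "eq" in tokens else None
    return tokens[0], tokens[1], port

def acl_decision(acl, proto, dst_port):
    """IOS evaluates an ACL top-down and the first matching entry decides;
    a packet matching no entry hits the implicit deny at the end."""
    for line in acl:
        action, ace_proto, ace_port = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        return action
    return "deny"

def inbound_ssh(acl, dst_port):
    """Where does an outside TCP connection to the FastEthernet4 address on
    dst_port end up? Assumption: the inbound ACL is checked before
    outside-to-inside NAT, so the ACL sees the untranslated port."""
    if acl_decision(acl, "tcp", dst_port) != "permit":
        return "dropped"
    if dst_port in STATIC_NAT:
        return STATIC_NAT[dst_port]
    return "router" if dst_port == ROUTER_PORT else "dropped"
```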
