ssh from outside problem

Unanswered Question
Mar 27th, 2008

Hi,


I cannot ssh to my router (878) from outside. I have an access-list on the outside vlan and I can see that it is being hit on the ssh entry, but it just times out. I can ssh from inside no problem.

Any ideas what could be wrong? I have PAT/interface overload for the IP address, but I don't see why that would be a problem as I commonly use this setup.

Any ideas would be very much appreciated.


Thanks,

J

Rick Morris Thu, 03/27/2008 - 11:59

Could you drop the ACL and just try a telnet to verify that you can get to it that way?

Start with a basic set up and work from there. It is good to eliminate the simplest ways first before adding complexity.

paolo bevilacqua Thu, 03/27/2008 - 14:05

Please copy here the ACL you're using for NAT.

jigsaw2026 Fri, 03/28/2008 - 08:55

I'm fairly sure that I dropped the ACL already - in any case I have logging on and nothing appears in the logs, and the relevant entry is being hit.


This is the ACL (sorry, had to blank out any identifying info; the WAN interface in question is x.x.x.x):

access-list 101 permit udp host y.y.y.y host x.x.x.x eq non500-isakmp
access-list 101 permit udp host y.y.y.y host x.x.x.x eq isakmp
access-list 101 permit tcp host y.y.y.y host x.x.x.x eq 10000
access-list 101 permit esp host y.y.y.y host x.x.x.x
access-list 101 permit ahp host y.y.y.y host x.x.x.x
access-list 101 permit udp host b.b.b.b host x.x.x.x eq non500-isakmp
access-list 101 permit udp host b.b.b.b host x.x.x.x eq isakmp
access-list 101 permit tcp host b.b.b.b host x.x.x.x eq 10000
access-list 101 permit esp host b.b.b.b host x.x.x.x
access-list 101 permit ahp host b.b.b.b host x.x.x.x
access-list 101 permit ip 10.3.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 172.20.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 172.29.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.11.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 permit ip 10.11.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 101 permit ip 10.11.0.0 0.0.255.255 172.29.0.0 0.0.255.255
access-list 101 permit tcp host a.a.a.a host x.x.x.x eq domain
access-list 101 permit udp host a.a.a.a host x.x.x.x eq domain
access-list 101 permit tcp host z.z.z.z host x.x.x.x eq domain
access-list 101 permit udp host z.z.z.z host x.x.x.x eq domain
access-list 101 permit tcp host a.a.a.a eq domain host x.x.x.x
access-list 101 permit udp host a.a.a.a eq domain host x.x.x.x
access-list 101 permit tcp host z.z.z.z eq domain host x.x.x.x
access-list 101 permit udp host z.z.z.z eq domain host x.x.x.x
access-list 101 permit icmp any host x.x.x.x echo-reply
access-list 101 permit icmp any host x.x.x.x time-exceeded
access-list 101 permit icmp any host x.x.x.x unreachable
access-list 101 permit tcp any host x.x.x.x eq 22
access-list 101 permit tcp any host x.x.x.x established
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log-input



THANKS!

paolo bevilacqua Fri, 03/28/2008 - 15:37

Hi, as requested above, please post the ACL used for NAT.

If it is simply "permit IP any any", you will need to change it to permitting the inside networks.


Hope this helps, please rate post if it does!

jigsaw2026 Mon, 03/31/2008 - 04:24

Thanks for your response.


Subnet is used:

access-list 111 remark nonat list
access-list 111 deny ip 10.11.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 111 deny ip 10.11.0.0 0.0.255.255 172.29.0.0 0.0.255.255
access-list 111 deny ip 10.11.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 111 permit ip 10.11.0.0 0.0.255.255 any


Also this is the same set up as we usually use with no problems.


Thanks,

J
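The thread turns on what two IOS access lists actually match: the outside-interface ACL 101 posted above (the one whose "eq 22" entry is being hit) and the "nonat" list 111 posted here. The Python below is an added example, not code from the thread or from Cisco; it is a minimal evaluator for numbered extended ACL lines with IOS semantics (entries checked top-down, first match wins, implicit deny at the end), so a flow can be checked against a list offline before touching the router. It assumes: RFC 5737 documentation addresses stand in for the blanked ones (203.0.113.1 for x.x.x.x, 198.51.100.5 for y.y.y.y, 192.0.2.53 for a.a.a.a), only the `eq` port operator is supported because that is the only one the posted lists use, and ACL 101 is reproduced as a representative subset. Two things it makes visible: an inbound TCP SYN to port 22 on x.x.x.x is permitted by the posted list, so ACL 101 is not what is dropping the session; and because the RFC 1918 anti-spoofing denies sit below the `permit tcp any host x.x.x.x eq 22` line, they are never consulted for port-22 traffic, which is worth knowing when hardening this list (moving the denies above the permits fixes that ordering).

```python
# Added example (not from the thread): Cisco IOS extended-ACL evaluator; top-down, first match wins, implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500, "ssh": 22}
ICMP_TYPES = {"echo", "echo-reply", "time-exceeded", "unreachable"}

@dataclass
class Flow:
    proto: str                      # "tcp", "udp", "icmp", "esp", "ahp" or "ip"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False       # TCP segment with ACK or RST set
    icmp_type: Optional[str] = None

@dataclass
class Entry:
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    established: bool
    icmp_type: Optional[str]
    text: str

def _parse_addr(tokens: List[str]) -> Optional[ipaddress.IPv4Network]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return None
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a hostmask (an IOS wildcard mask) after the slash.
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def _parse_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT' operator (the only one the posted ACLs use)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None

def parse_acl(lines: List[str]) -> List[Entry]:
    entries = []
    for line in lines:
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[2] == "remark":
            continue                      # blank lines and remarks carry no rule
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, sport = _parse_addr(rest), _parse_port(rest)
        dst, dport = _parse_addr(rest), _parse_port(rest)
        icmp = next((t for t in rest if t in ICMP_TYPES), None)
        entries.append(Entry(action, proto, src, sport, dst, dport,
                             "established" in rest, icmp, line.strip()))
    return entries

def _matches(e: Entry, f: Flow) -> bool:
    src_ok = e.src is None or ipaddress.ip_address(f.src) in e.src
    dst_ok = e.dst is None or ipaddress.ip_address(f.dst) in e.dst
    return (e.proto in ("ip", f.proto) and src_ok and dst_ok
            and e.sport in (None, f.sport) and e.dport in (None, f.dport)
            and (f.established or not e.established)
            and e.icmp_type in (None, f.icmp_type))

def first_match(entries: List[Entry], f: Flow) -> Optional[Entry]:
    """Return the first entry the flow matches, or None for the implicit deny."""
    return next((e for e in entries if _matches(e, f)), None)

def permitted(entries: List[Entry], f: Flow) -> bool:
    e = first_match(entries, f)
    return e is not None and e.action == "permit"

# Constructed sample: a subset of the posted ACL 101 with RFC 5737 documentation
# addresses standing in for the blanked ones (203.0.113.1 for x.x.x.x, the WAN
# interface; 198.51.100.5 for y.y.y.y; 192.0.2.53 for a.a.a.a). ACL 111 is the
# "nonat" list from the later post, verbatim.
ACL_101 = """
access-list 101 permit udp host 198.51.100.5 host 203.0.113.1 eq isakmp
access-list 101 permit udp host 192.0.2.53 eq domain host 203.0.113.1
access-list 101 permit icmp any host 203.0.113.1 echo-reply
access-list 101 permit tcp any host 203.0.113.1 eq 22
access-list 101 permit tcp any host 203.0.113.1 established
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log-input
""".splitlines()
ACL_111 = """
access-list 111 remark nonat list
access-list 111 deny ip 10.11.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 111 deny ip 10.11.0.0 0.0.255.255 172.29.0.0 0.0.255.255
access-list 111 deny ip 10.11.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 111 permit ip 10.11.0.0 0.0.255.255 any
""".splitlines()
```

Usage is `permitted(parse_acl(ACL_101), Flow("tcp", "198.51.100.77", "203.0.113.1", 51515, 22))`, which returns True, and `first_match(...).text` shows the exact line responsible, which is the same information as the hit counter in `show access-list` but can be asked for any flow in advance. For the nonat list, `permitted(parse_acl(ACL_111), Flow("ip", "10.11.1.1", "10.3.2.2"))` is False (traffic to the VPN subnet is excluded from translation) while a 10.11.x.x source to any other destination is True. The evaluator knows nothing of `gt`/`lt`/`range`, `fragments`, time ranges or reflexive entries, so it is a reading aid for lists like the ones posted, not a replacement for the router's own counters.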
