SSH not connect remotely

Unanswered Question
Apr 16th, 2008
User Badges:

Hi everyone,

We have a Cisco router with SSH configured. If I am physically inside the LAN, I can SSH to it via the private IP, or alternatively via its WAN IP (provided by the DHCP of our ISP).

However I can't connect remotely using that WAN IP at all if I am not in the office LAN.

Why does it do that? Someone says NAT problem but I can't relate it.

All suggestions are welcomed, thank you.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Joe Clarke Wed, 04/16/2008 - 20:11
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

What error do you get? Is it a timeout error after a long connection waiting period, or is it a quick connection refused error? Do you have any access-lists or firewall that would be blocking the external WAN IP? It would be helpful to see the configuration from the router.

trietgiang Wed, 04/16/2008 - 20:21
User Badges:

Thank you for your reply. It takes a long time and display the error. I can't replicate the fault now (will try later) but I think it is timeout error.

There is a firewall and an ACL on the WAN interface.

Oh SSH from remotely used to work. It stopped working since (I think) we put in VDPN. I may be wrong.

Here is the config.

Joe Clarke Wed, 04/16/2008 - 20:56
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Is the PPP interface always up, or will it go down if there is not interesting traffic? It looks like you have a client VPN configuration on this router. Can you create a VPN tunnel to it? If so, can you SSH to the router after establishing the VPN?

trietgiang Wed, 04/16/2008 - 20:59
User Badges:

Thank you jclarke,

- Yes the PPP interface is always up

- Yes I can create a VPN tunnel to the router

- Yes I can SSH to the router when I am in the VPN tunnel

Best regards,


Joe Clarke Thu, 04/17/2008 - 06:29
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

It sounds like the SSH traffic may be filtered before it reaches this router. You might try creating another access-list that matches on your external source address. For example:

access-list 115 permit ip host x.x.x.x any

Where x.x.x.x is the IP address of the source which cannot connect to this router. Then run debug ip packet detail for this list:

debug ip packet detail 115

See if the SSH SYN is making it to the router at all.

sundar.palaniappan Fri, 04/18/2008 - 07:52
User Badges:
  • Green, 3000 points or more

To rule out NAT isn't causing this can you reconfigure your ACL like this and test.

access-list 100 deny ip

access-list 100 deny tcp any any eq ssh

access-list 100 permit ip any any




This Discussion