SSH not connect remotely

Unanswered Question
Apr 16th, 2008

Hi everyone,

We have a Cisco router with SSH configured. If I am physically inside the LAN, I can SSH to it via the private IP 192.168.1.1, or alternatively via its WAN IP (provided by the DHCP of our ISP).

However I can't connect remotely using that WAN IP at all if I am not in the office LAN.

Why does it do that? Someone says NAT problem but I can't relate it.

All suggestions are welcomed, thank you.

Triet

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joe Clarke Wed, 04/16/2008 - 20:11

What error do you get? Is it a timeout error after a long connection waiting period, or is it a quick connection refused error? Do you have any access-lists or firewall that would be blocking the external WAN IP? It would be helpful to see the configuration from the router.

trietgiang Wed, 04/16/2008 - 20:21

Thank you for your reply. It takes a long time and display the error. I can't replicate the fault now (will try later) but I think it is timeout error.

There is a firewall and an ACL on the WAN interface.

Oh SSH from remotely used to work. It stopped working since (I think) we put in VDPN. I may be wrong.

Here is the config.

Attachment: 
Joe Clarke Wed, 04/16/2008 - 20:56

Is the PPP interface always up, or will it go down if there is not interesting traffic? It looks like you have a client VPN configuration on this router. Can you create a VPN tunnel to it? If so, can you SSH to the router after establishing the VPN?

trietgiang Wed, 04/16/2008 - 20:59

Thank you jclarke,

- Yes the PPP interface is always up

- Yes I can create a VPN tunnel to the router

- Yes I can SSH to the router when I am in the VPN tunnel

Best regards,

Triet

Joe Clarke Thu, 04/17/2008 - 06:29

It sounds like the SSH traffic may be filtered before it reaches this router. You might try creating another access-list that matches on your external source address. For example:

access-list 115 permit ip host x.x.x.x any

Where x.x.x.x is the IP address of the source which cannot connect to this router. Then run debug ip packet detail for this list:

debug ip packet detail 115

See if the SSH SYN is making it to the router at all.

sundar.palaniappan Fri, 04/18/2008 - 07:52

To rule out NAT isn't causing this can you reconfigure your ACL like this and test.

access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 100 deny tcp any any eq ssh

access-list 100 permit ip any any

HTH

Sundar

Actions

This Discussion