SSH from the outside

Unanswered Question
Feb 3rd, 2009

I have problems with setting up SSH to the router. I checked the configuration a couple of times, but I can't find out what the problem is.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router00
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 ***
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone CETDST 1
clock summer-time CETDST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.121 192.168.0.254
!
ip dhcp pool DHCP
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.250
 dns-server 192.168.0.30
!
!
ip domain name ***.local
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL netshow
ip inspect name FIREWALL rcmd
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL smtp
ip inspect name FIREWALL sqlnet
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL tftp
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL icmp
ip inspect name FIREWALL dns
ip inspect name FIREWALL https
ip inspect name FIREWALL imap
ip inspect name FIREWALL pop3
!
username admin privilege 15 secret 5 *****
!
interface FastEthernet0
 description to Epacity Network
 bandwidth 3072
 ip address 192.168.4.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet1
 description to Internet
 ip address [public-IP]
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface range FastEthernet2 - 9
!
interface Vlan1
 ip address 192.168.0.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 192.168.1.0 255.255.255.0 FastEthernet0
ip route 192.168.2.0 255.255.255.0 FastEthernet0
ip route 192.168.3.0 255.255.255.0 FastEthernet0
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet1 overload
!
access-list 104 remark ------------------------
access-list 104 remark + Access-list FastEthernet1 +
access-list 104 permit tcp any any eq 22
access-list 104 permit tcp any any eq 443
access-list 104 permit tcp any any eq smtp
access-list 104 permit tcp any any eq 1723
access-list 104 permit gre any any
access-list 104 permit esp any any
access-list 104 permit icmp any any unreachable
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any packet-too-big
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any traceroute
access-list 104 permit icmp any any administratively-prohibited
access-list 104 permit icmp any any echo
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
access-list 106 permit ip any any

ThaMaster Tue, 02/03/2009 - 05:20

!
route-map nonat permit 10
 match ip address 106
!
line con 0
 exec-timeout 15 0
 logging synchronous
 transport output all
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 exec-timeout 15 0
 transport output all
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Tshi M Tue, 02/03/2009 - 08:53

What do you get with the commands sh ssh and sh ip ssh?

Mark Yeates Tue, 02/03/2009 - 09:06

Where are you trying to SSH from to the router? Have you generated an SSH key? Is there a specific error message that you are getting from the SSH client?

HTH,

Mark

P.S. I would add "login local" under line vty 0 4, as well as configure an access list for VTY access.
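Mark's P.S. names two hardening steps for the VTY lines. The fragment below is an added example written for this thread, not Mark's own configuration, and shows both against the router as posted: an access-class that limits which source addresses may open a VTY session, and local authentication. Because the posted config already has aaa new-model with aaa authentication login default local, the VTY lines already authenticate against the local username database; under aaa new-model the explicit line command is login authentication default rather than login local, which is what appears here. The management source network 192.0.2.0/24 is a placeholder (a documentation range), not a value from the thread, and transport input ssh drops the telnet fallback that the posted line vty 0 4 still allows.

```ios
! Added example, not from the thread: restrict and authenticate VTY access on router00.
! 192.0.2.0/24 is a placeholder management network; replace it with the real admin source range.
access-list 20 remark VTY management sources
access-list 20 permit 192.0.2.0 0.0.0.255
access-list 20 deny any log
!
line vty 0 4
 access-class 20 in
 login authentication default
 transport input ssh
 exec-timeout 15 0
 logging synchronous
```

After applying it, show ip ssh confirms that SSH is enabled and which version is negotiated, and show users lists the active VTY sessions. The final deny any log entry writes refused connection attempts to the buffered log, which is what makes an unexpected management attempt visible rather than silently dropped.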

ThaMaster Tue, 02/03/2009 - 10:41

I have tried to connect from SecureCRT, but I get the message that the server is unavailable. I have also tried Telnet, but that is also not working correctly. The only thing that is working is a ping to the public IP. From inside I can telnet or SSH with no problems. I have also tried port forwarding and configuring a correct access-list and putting it on interface Fa1, but that is also not working.

Mark Yeates Tue, 02/03/2009 - 10:55

Are you trying to telnet or SSH to the inside IP address from the outside? You can just use the public IP address for outside management. Hopefully I am understanding your reply. If not please let me know.

Mark

Mark Yeates Tue, 02/03/2009 - 11:15

I was also thinking that you could test remote access by temporarily removing the IOS firewall from your outside interface. Then try to telnet or SSH to the router. If that turns out to be the issue then you can try to relax some of the IP inspect rules on the router.

ThaMaster Tue, 02/03/2009 - 11:16

No, I am using the public IP address to connect from another location to the router. I would like to do it with SSH, but because I can't get it working I also tried to connect with Telnet, and also tried to create a port forward for RDP to a server, but whatever I try, it doesn't work.

Tshi M Tue, 02/03/2009 - 11:58

I agree with Mark that as a troubleshooting step, you should remove the firewall from the public interface and try to connect. Is there another device in front of this one?

regards,

ThaMaster Tue, 02/03/2009 - 12:08

OK, I will try it tomorrow. And yes, there is a router in front of this one, but that router is fully open. And I have a public IP on the router where I have the problems, so it can't be a forwarding problem.

Richard Burts Tue, 02/03/2009 - 14:54

Martijn

Before you remove the firewall I have a different suggestion which will have less impact on your security implementation (because I do not believe that your firewall is the problem).

I suggest that you change the way that you configure NAT. Your NAT configuration uses a route map which uses this access list:

access-list 106 permit ip any any

I suggest that you rewrite it to get away from the permit any any. I have seen situations where an any any in NAT prevented remote access. I am not familiar enough with your situation to say how it should be, but I would think that it should be a standard access list (not extended) and it should have permits for the various address ranges on the inside of your network.

I believe that the any any is causing your problem. Change the access list and let us know if it helps.

HTH

Rick
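Richard's suggestion, written out as an added example for this thread (not Richard's or Cisco's own text): a standard access list that names only the inside networks that appear in the posted configuration (Vlan1 192.168.0.0/24, the three networks routed via FastEthernet0, and the FastEthernet0 link 192.168.4.0/30) replaces access-list 106 in the nonat route map, so that no packet sourced outside those ranges is ever a NAT candidate. The list number 10 is chosen for this example; standard access lists must be numbered 1 to 99 or 1300 to 1999, so 106 itself cannot be rewritten as a standard list. One separate observation from the posted config, independent of the NAT change: access-list 104 is defined but no ip access-group 104 in appears under interface FastEthernet1, so it currently filters nothing. If it is meant to be the inbound filter that ip inspect FIREWALL out opens return holes in, it has to be applied there, and its permit tcp any any eq 22 line is then what admits SSH to the router from outside.

```ios
! Added example, not from the thread: limit NAT candidates to the inside networks in the posted config.
! List 10 is a constructed number for this example; 106 is an extended-range number and cannot hold a standard list.
access-list 10 remark inside networks eligible for overload NAT on FastEthernet1
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.3.0 0.0.0.255
access-list 10 permit 192.168.4.0 0.0.0.3
!
! Swap the match in the existing route map, then retire the permit-any list.
route-map nonat permit 10
 no match ip address 106
 match ip address 10
!
no access-list 106
```

The ip nat inside source route-map nonat interface FastEthernet1 overload statement stays as it is. After the change, clear ip nat translation * removes translations built under the old list, show route-map nonat shows the new match and its hit count, and show ip nat translations should then list only entries whose inside local address falls within the five ranges above.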
