02-03-2009 05:20 AM - edited 03-09-2019 10:00 PM
I have problems with setting up SSH to the router. I checked the configuration a couple of times but I can't find out what the problem is.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router00
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 ***
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone CETDST 1
clock summer-time CETDST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.121 192.168.0.254
!
ip dhcp pool DHCP
network 192.168.0.0 255.255.255.0
default-router 192.168.0.250
dns-server 192.168.0.30
!
!
ip domain name ***.local
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL netshow
ip inspect name FIREWALL rcmd
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL smtp
ip inspect name FIREWALL sqlnet
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL tftp
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL icmp
ip inspect name FIREWALL dns
ip inspect name FIREWALL https
ip inspect name FIREWALL imap
ip inspect name FIREWALL pop3
!
username admin privilege 15 secret 5 *****
!
interface FastEthernet0
description to Epacity Network
bandwidth 3072
ip address 192.168.4.1 255.255.255.252
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
!
interface FastEthernet1
description to Internet
ip address [public-IP]
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly
duplex auto
speed auto
!
interface range FastEthernet2 - 9
!
interface Vlan1
ip address 192.168.0.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 192.168.1.0 255.255.255.0 FastEthernet0
ip route 192.168.2.0 255.255.255.0 FastEthernet0
ip route 192.168.3.0 255.255.255.0 FastEthernet0
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet1 overload
!
access-list 104 remark ------------------------
access-list 104 remark + Access-list FastEthernet1 +
access-list 104 permit tcp any any eq 22
access-list 104 permit tcp any any eq 443
access-list 104 permit tcp any any eq smtp
access-list 104 permit tcp any any eq 1723
access-list 104 permit gre any any
access-list 104 permit esp any any
access-list 104 permit icmp any any unreachable
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any packet-too-big
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any traceroute
access-list 104 permit icmp any any administratively-prohibited
access-list 104 permit icmp any any echo
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
access-list 106 permit ip any any
!
route-map nonat permit 10
match ip address 106
!
line con 0
exec-timeout 15 0
logging synchronous
transport output all
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
exec-timeout 15 0
transport output all
line vty 0 4
exec-timeout 15 0
logging synchronous
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
02-03-2009 08:53 AM
What do you get with the commands sh ssh and sh ip ssh?
02-03-2009 09:06 AM
Where are you trying to SSH from to the router? Have you generated an SSH key? Is there a specific error message that you are getting from the SSH client?
HTH,
Mark
P.S I would add "login local" under line vty 0 4 as well as configure an access list for VTY access.
02-03-2009 10:41 AM
I have tried to connect from SecureCRT but I get the message that the server is unavailable. I also have tried Telnet but that is also not working correctly. The only thing that is working is a ping to the public IP. From inside I can do a telnet or SSH with no problems. I have also tried port forwarding and configured a correct access-list and put it on interface fa1, but that is also not working.
02-03-2009 10:55 AM
Are you trying to telnet or SSH to the inside IP address from the outside? You can just use the public IP address for outside management. Hopefully I am understanding your reply. If not please let me know.
Mark
02-03-2009 11:15 AM
I was also thinking that you could test remote access by temporarily removing the IOS firewall from your outside interface. Then try to telnet or SSH to the router. If that turns out to be the issue then you can try to relax some of the IP inspect rules on the router.
02-03-2009 11:16 AM
No, I am using the public IP address to connect from another location to the router. I would like to do it with SSH, but because I can't get it working I also tried to connect with Telnet, and also tried to create a port forward for RDP to a server, but whatever I try it wouldn't work.
02-03-2009 11:58 AM
I agree with Mark that as a troubleshooting step, you should remove the firewall from the public interface and try to connect. Is there another device in front of this one?
regards,
02-03-2009 12:08 PM
Ok, I will try it tomorrow. And yes, there is a router in front of this one, but that router is fully open. And I have a public IP on the router where I have the problems, so it can't be a forwarding problem.
02-03-2009 02:54 PM
Martijn
Before you remove the firewall I have a different suggestion which will have less impact on your security implementation (because I do not believe that your firewall is the problem).
I suggest that you change the way that you configure NAT. Your NAT configuration uses a route map which uses this access list:
access-list 106 permit ip any any
I suggest that you rewrite it to get away from the permit any any. I have seen situations where an any any in NAT prevented remote access. I am not familiar enough with your situation to say how it should be, but I would think that it should be a standard access list (not extended) and it should have permits for the various address ranges on the inside of your network.
I believe that the any any is causing your problem. Change the access list and let us know if it helps.
HTH
Rick
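A concrete form of Rick's suggestion (a standard ACL listing the inside ranges instead of permit ip any any for the NAT route-map) combined with Mark's P.S. about an access list for VTY access, as an added example that is not part of the thread. The ACL numbers 6 and 10 and the management address 203.0.113.10 are assumptions; the inside ranges are the ones the posted config routes via FastEthernet0 and Vlan1.

```cisco
! --- NAT match: standard ACL of inside ranges (standard ACLs are numbered 1-99,
! --- so the extended-range number 106 is replaced by 6)
no access-list 106
access-list 6 remark + inside ranges eligible for NAT +
access-list 6 permit 192.168.0.0 0.0.0.255
access-list 6 permit 192.168.1.0 0.0.0.255
access-list 6 permit 192.168.2.0 0.0.0.255
access-list 6 permit 192.168.3.0 0.0.0.255
access-list 6 permit 192.168.4.0 0.0.0.3
access-list 6 deny any
!
route-map nonat permit 10
 no match ip address 106
 match ip address 6
!
! --- VTY access list: only known management sources may open a session
! --- (203.0.113.10 is a placeholder for the remote admin address)
access-list 10 remark + VTY management sources +
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit host 203.0.113.10
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 ! keep telnet only while troubleshooting; drop it once SSH is confirmed working
 transport input telnet ssh
```

Because the posted config already has aaa new-model with aaa authentication login default local, that method list applies to the VTY lines without a separate login local command.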