SSH not working from internet (Cisco 1941 router)

Answered Question
Feb 13th, 2012

Hi,

I have a Cisco 1941 router configured using Cisco Configuration Professional. SSH management works from the LAN IPs 10.0.1.254 and 10.0.2.254.

Also, SSH management works from the LAN using the external domain name which resolves to the public IP address.


The problem I have is that if I try SSH from the internet to the public IP, nothing happens.


If anyone has any pointers on where/how to troubleshoot this, that would be appreciated.

Also, I need some help setting up VNC passthrough to a LAN workstation.


cisco1941#show config

Using 18498 out of 262136 bytes

!

! Last configuration change at 13:57:49 PCTime Tue Feb 14 2012 by admin

! NVRAM config last updated at 13:57:49 PCTime Tue Feb 14 2012 by admin

!

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname cisco1941

!

boot-start-marker

boot system flash0:/c1900-universalk9-mz.SPA.151-3.T1.bin

boot-end-marker

!

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 xxx

enable password 7 xxx

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

!

!

!

!

!

aaa session-id common

!

clock timezone PCTime 10 0

clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00

!

no ipv6 cef

no ip source-route

ip cef

!

!

!

ip multicast-routing

no ip dhcp conflict logging

ip dhcp excluded-address 192.168.1.254

ip dhcp excluded-address 10.0.2.1 10.0.2.20

ip dhcp excluded-address 10.0.1.1 10.0.1.20

ip dhcp excluded-address 10.0.1.254

ip dhcp excluded-address 10.0.2.254

ip dhcp excluded-address 10.0.100.1 10.0.100.19

ip dhcp excluded-address 10.0.100.51 10.0.100.254

!        

ip dhcp pool mydhcp

   import all

   network 192.168.0.0 255.255.255.0

   update dns

   default-router 192.168.0.254

   dns-server 61.9.195.193 61.9.194.49

   domain-name alliedfusion.local

!

ip dhcp pool WLAN-pool1

   import all

   network 10.0.2.0 255.255.255.0

   domain-name alliedfusion.local

   dns-server 61.9.195.193 61.9.194.49

   default-router 10.0.2.254

!

ip dhcp pool LAN-pool1

   import all

   network 10.0.1.0 255.255.255.0

   domain-name alliedfusion.local

   dns-server 61.9.195.193 61.9.194.49

   default-router 10.0.1.254

!

ip dhcp pool Cisco1142AP

   host 10.0.2.1 255.255.255.0

   client-name Cisco1142AP

!

ip dhcp pool ccp-pool1

   network 10.0.100.0 255.255.255.0

   domain-name dmz.local

   default-router 10.0.100.254

!

!

no ip bootp server

ip domain name alliedfusion.local

ip name-server 61.9.195.193

ip name-server 61.9.194.49

ip port-map user-vnc port tcp 5900 list 4 description vnc-portmap

ip ddns update method ccp_ddns1

HTTP

  add http://xxx:@www.dyns.cx/postscript.php?username=username=cxxx&passwort=<h>&ip=<a>

!

no ip igmp snooping

!

multilink bundle-name authenticated

!

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com



parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com



parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com



crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-640030031

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-640030031

revocation-check none

rsakeypair TP-self-signed-640030031

!

crypto pki trustpoint tti

revocation-check crl

!

!

crypto pki certificate chain TP-self-signed-640030031

certificate self-signed 01 nvram:IOS-Self-Sig#3.cer

crypto pki certificate chain tti

license udi pid CISCO1941/K9 sn FHK1421759M

license boot module c1900 technology-package securityk9

license boot module c1900 technology-package datak9

license agent notify http://10.0.1.6:1941/clm/servlet/HttpListenServlet dummy dummy 1.0

!

!

username admin privilege 15 secret 5 xxx

!

redundancy

!

!

!

!

ip tcp synwait-time 10

no ip ftp passive

ip ssh version 2

!

class-map type inspect match-any SDM_BOOTPC

match access-group name SDM_BOOTPC

class-map type inspect match-any ssh-in-out

match protocol ssh

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

class-map type inspect match-any SDM_DHCP_CLIENT_PT

match class-map SDM_BOOTPC

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any sdm-cls-bootps

match protocol bootps

class-map type inspect match-any ccp-cls-insp-traffic

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect gnutella match-any ccp-app-gnutella

match  file-transfer

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match  service any

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match  service any

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect aol match-any ccp-app-aol-otherservices

match  service any

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect match-all ccp-cls-ccp-inspect-1

match class-map ssh-in-out

match access-group name ssh-in-out

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any user-vnc

match protocol user-vnc

class-map type inspect match-any SDM_SSH

match access-group name SDM_SSH

class-map type inspect pop3 match-any ccp-app-pop3

match  invalid-command

class-map type inspect match-any SDM_HTTPS

match access-group name SDM_HTTPS

class-map type inspect kazaa2 match-any ccp-app-kazaa2

match  file-transfer

class-map type inspect match-all ccp-protocol-p2p

match class-map ccp-cls-protocol-p2p

class-map type inspect match-any SDM_SHELL

match access-group name SDM_SHELL

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect msnmsgr match-any ccp-app-msn

match  service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match  service text-chat

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect match-any ccp-dmz-protocols

match protocol http

class-map type inspect edonkey match-any ccp-app-edonkey

match  file-transfer

match  text-chat

match  search-file-name

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

match  req-resp protocol-violation

class-map type inspect match-all ccp-dmz-traffic

match access-group name dmz-traffic

match class-map ccp-dmz-protocols

class-map type inspect edonkey match-any ccp-app-edonkeydownload

match  file-transfer

class-map type inspect aol match-any ccp-app-aol

match  service text-chat

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect edonkey match-any ccp-app-edonkeychat

match  search-file-name

match  text-chat

class-map type inspect http match-any ccp-http-allowparam

match  request port-misuse tunneling

class-map type inspect fasttrack match-any ccp-app-fasttrack

match  file-transfer

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect sdm-cls-bootps

  pass

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect p2p ccp-action-app-p2p

class type inspect edonkey ccp-app-edonkeychat

  log

  allow

class type inspect edonkey ccp-app-edonkeydownload

  log

  allow

class type inspect fasttrack ccp-app-fasttrack

  log

  allow

class type inspect gnutella ccp-app-gnutella

  log

  allow

class type inspect kazaa2 ccp-app-kazaa2

  log

  allow

policy-map type inspect user-vnc-allow

class type inspect user-vnc

  pass

policy-map type inspect im ccp-action-app-im

class type inspect aol ccp-app-aol

  log

  allow

class type inspect msnmsgr ccp-app-msn

  log

  allow

class type inspect ymsgr ccp-app-yahoo

  log

  allow

class type inspect aol ccp-app-aol-otherservices

  log

  reset

class type inspect msnmsgr ccp-app-msn-otherservices

  log

  reset

class type inspect ymsgr ccp-app-yahoo-otherservices

  log

  reset

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

  allow

class type inspect http ccp-app-httpmethods

  log

  reset

class type inspect http ccp-http-allowparam

  log

  allow

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

  service-policy http ccp-action-app-http

class type inspect ccp-protocol-imap

  inspect

  service-policy imap ccp-action-imap

class type inspect ccp-protocol-pop3

  inspect

  service-policy pop3 ccp-action-pop3

class type inspect ccp-protocol-p2p

  inspect

  service-policy p2p ccp-action-app-p2p

class type inspect ccp-protocol-im

  inspect

  service-policy im ccp-action-app-im

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  pass   

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_DHCP_CLIENT_PT

  pass

class class-default

  drop

policy-map type inspect ccp-permit-dmzservice

class type inspect ccp-dmz-traffic

  inspect

class class-default

  drop

!

zone security dmz-zone

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone

service-policy type inspect ccp-permit-dmzservice

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone

service-policy type inspect ccp-permit-dmzservice

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

!

!

!

!

!

!

!

interface Null0

no ip unreachables

!

interface GigabitEthernet0/0

description External interface$ETH-WAN$$FW_OUTSIDE$

ip dhcp client hostname Cisco1941

ip dhcp client update dns server none

ip ddns update ccp_ddns1

ip address dhcp client-id GigabitEthernet0/0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1

description internal interface$ES_LAN$$ETH-LAN$$FW_INSIDE$

ip address 192.168.0.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1/0

description Cisco1142 AP

switchport trunk native vlan 50

switchport mode trunk

vlan-id dot1q 50

  exit-vlan-config

!

!

interface GigabitEthernet0/1/1

switchport access vlan 10

!

interface GigabitEthernet0/1/2

switchport access vlan 10

!

interface GigabitEthernet0/1/3

switchport access vlan 100

!

interface GigabitEthernet0/1/4

description NAS#2 WLAN

switchport access vlan 50

duplex full

speed 1000

power inline never

vlan-id dot1q 50

  exit-vlan-config

!

!

interface GigabitEthernet0/1/5

description NAS#1 LAN

switchport access vlan 10

duplex full

speed 1000

power inline never

spanning-tree portfast

!

interface GigabitEthernet0/1/6

description NetCom Powerline

switchport access vlan 50

power inline never

spanning-tree portfast

!        

interface GigabitEthernet0/1/7

description Lounge and TV

switchport access vlan 50

power inline never

spanning-tree portfast

!

interface Virtual-Template1

description $FW_INSIDE$

ip unnumbered GigabitEthernet0/0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly in

zone-member security in-zone

!

interface Vlan1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

!

interface Vlan10

description $FW_INSIDE$

ip address 10.0.1.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface Vlan50

description $FW_INSIDE$

ip address 10.0.2.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface Vlan100

description $FW_DMZ$

ip address 10.0.100.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

zone-member security dmz-zone

!

router rip

passive-interface GigabitEthernet0/1

passive-interface Vlan1

passive-interface Vlan10

passive-interface Vlan50

network 10.0.0.0

network 192.168.0.0

no auto-summary

!

ip local pool SSLVPN_POOL1 172.16.1.1 172.16.1.50

ip forward-protocol nd

!

ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 1 interface GigabitEthernet0/0 overload

!

ip access-list extended Router-Access

permit tcp any any eq telnet

permit tcp any any eq 22

permit tcp any any eq 443

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

ip access-list extended SDM_HTTPS

remark CCP_ACL Category=1

permit tcp any any eq 443

ip access-list extended SDM_SHELL

remark CCP_ACL Category=1

permit tcp any any eq cmd

ip access-list extended SDM_SSH

remark CCP_ACL Category=1

permit tcp any any eq 22

ip access-list extended dmz-traffic

remark CCP_ACL Category=1

permit ip any host 10.0.100.1

permit ip any host 10.0.100.2

ip access-list extended ssh-in-out

remark CCP_ACL Category=128

permit ip any any

!

logging esm config

logging trap debugging

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.0.1.0 0.0.0.255

access-list 1 permit 10.0.2.0 0.0.0.255

access-list 2 remark HTTP Access-class list

access-list 2 remark CCP_ACL Category=1

access-list 2 permit 10.0.2.0 0.0.0.255

access-list 2 permit 10.0.1.0 0.0.0.255

access-list 2 permit 192.168.0.0 0.0.0.255

access-list 2 deny   any

access-list 3 remark CCP_ACL Category=1

access-list 3 permit 10.0.2.21

access-list 4 remark CCP_ACL Category=1

access-list 4 permit 10.0.2.21

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

!

no cdp run



!

!

!

!

!

!

control-plane

!

!

banner exec ^C

Welcome AlliedFusion (config exec)

^C

banner login ^CWelcome AlliedFusion (1941 login)



^C

banner motd ^C

Welcome AlliedFusion (config line)

^C

!

line con 0

transport output telnet

line aux 0

transport output telnet

line vty 0 4

access-class 23 in

password 7 113E1C09141D06095D7C72

transport input telnet ssh

transport output telnet ssh

line vty 5 15

access-class 23 in

password 7 113E1C09141D06095D7C72

transport input telnet ssh

transport output telnet ssh

!

scheduler allocate 20000 1000

ntp source GigabitEthernet0/0

ntp master

ntp update-calendar

end

Correct Answer by cadet alain, Tue, 02/14/2012 - 00:16

Hi,


Can you add this command to confirm that the ZBF policy from out to self is dropping the SSH reply packets from the router:

ip inspect log drop-pkt


This is surely the culprit:

policy-map type inspect ccp-permit

class type inspect SDM_DHCP_CLIENT_PT

  pass

class class-default

  drop


If this is the case, then you can do this:

class-map type inspect ssh-reply

match protocol ssh

policy-map type inspect ccp-permit

class type inspect SDM_DHCP_CLIENT_PT

  pass

class type inspect ssh-reply

  pass


class class-default

  drop


Regards.


Alain
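As an added example (not code from the thread or from Cisco), here is a small Python checker that parses the class-map / policy-map / zone-pair section of an IOS zone-based firewall config and reports, first-match, what the out-zone to self policy does to an SSH connection arriving on the public interface. It runs on a constructed excerpt of the config posted above, before and after the change Alain suggests; it evaluates only `match protocol` and nested `match class-map` lines (ACL-based `match access-group` lines are treated as non-matching), which is enough to show class-default dropping the SSH session before the fix and the ssh-reply class passing it afterwards.

```python
import re
# Constructed excerpt of the ZBF part of the config posted above (not the full dump).
BEFORE = """
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
policy-map type inspect ccp-permit
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
  drop
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
"""
# Same excerpt with the answer's fix: an ssh-reply class passed ahead of class-default.
AFTER = "class-map type inspect match-any ssh-reply\n match protocol ssh\n" + BEFORE.replace(
    " class class-default", " class type inspect ssh-reply\n  pass\n class class-default")

def parse_zbf(config):
    """Collect class-maps, policy-maps (ordered [class, action] pairs) and zone-pairs."""
    class_maps, policy_maps, zone_pairs, cur = {}, {}, {}, None
    for raw in config.splitlines():
        line, words = raw.strip(), raw.split()
        if not words or line.startswith("!"):
            continue
        if m := re.match(r"class-map type inspect (?:\S+ )?(match-any|match-all) (\S+)$", line):
            cur = ("class", m.group(2))
            class_maps[m.group(2)] = {"mode": m.group(1), "protocol": [], "class-map": []}
        elif m := re.match(r"policy-map type inspect (?:\S+ )?(\S+)$", line):
            cur, policy_maps[m.group(1)] = ("policy", m.group(1)), []
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            cur = ("zp", m.group(1))
            zone_pairs[m.group(1)] = {"src": m.group(2), "dst": m.group(3), "policy": None}
        elif cur and cur[0] == "class" and words[:2] in (["match", "protocol"], ["match", "class-map"]):
            class_maps[cur[1]][words[1]].append(words[2])  # 'match access-group' lines are ignored
        elif cur and cur[0] == "policy":
            if m := re.match(r"class (?:type inspect (?:\S+ )?)?(\S+)$", line):
                policy_maps[cur[1]].append([m.group(1), None])
            elif words[0] in ("pass", "inspect", "drop") and policy_maps[cur[1]]:
                policy_maps[cur[1]][-1][1] = words[0]  # "drop log" -> "drop"
        elif cur and cur[0] == "zp" and line.startswith("service-policy type inspect "):
            zone_pairs[cur[1]]["policy"] = words[-1]
    return class_maps, policy_maps, zone_pairs

def class_matches(class_maps, name, wanted):
    """True if class-map NAME matches a flow of any protocol in WANTED (ACL matches are not evaluated)."""
    cm = class_maps.get(name, {"mode": "match-any", "protocol": [], "class-map": []})
    results = [p in wanted for p in cm["protocol"]]
    results += [class_matches(class_maps, n, wanted) for n in cm["class-map"]]
    return bool(results) and (any(results) if cm["mode"] == "match-any" else all(results))

def verdict(config, src, dst, proto, transport="tcp"):
    """First-match action of zone-pair SRC->DST for PROTO (or its TRANSPORT, e.g. a generic 'match protocol tcp'); returns (action, class)."""
    class_maps, policy_maps, zone_pairs = parse_zbf(config)
    for zp in zone_pairs.values():
        if (zp["src"], zp["dst"]) == (src, dst) and zp["policy"]:
            for cls, action in policy_maps.get(zp["policy"], []):
                if cls == "class-default" or class_matches(class_maps, cls, {proto, transport}):
                    return action, cls
            return "drop", "no-match"
    return ("pass" if "self" in (src, dst) else "drop"), "no-zone-pair"  # self zone is open without a zone-pair

print(verdict(BEFORE, "out-zone", "self", "ssh"), verdict(AFTER, "out-zone", "self", "ssh"))  # ('drop', 'class-default') ('pass', 'ssh-reply')
```

Because the added ssh-reply class carries `match protocol ssh` with no address restriction, the `pass` admits SSH to the router from any internet source; a class that narrows this with `match access-group` would need the ACL evaluation this checker leaves out.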

charlesjudd Tue, 02/14/2012 - 01:01

Thanks!

Your feedback solved the problem.


Great forum, and CCP is great for techies from other spheres. Kudos, Cisco.
