I'm seeing some strange behavior from a router which I have just configured. Before I left the site, I tested for the ability to remotely connect to the router using SSH from a pocket PC. It passed.
Now I am back at my office and can still connect from the same pocket PC, but cannot connect from the office network using SSH.
I've attached the config, which clearly shows that I allow connections to the WAN interfaces on port 22.
Any ideas what may be denying me the ability to connect?
I see in the inbound access list that you permit tcp port 22 (SSH) to two specific hosts (which I assume are the two outward facing interfaces but can not be sure because of your shielding of the addresses). And I see that the deny any any at the bottom of the access list includes the log parameter. So I would suggest that you connect to the router via SSH from the pocket PC, enable terminal monitor, and attempt SSH access from an office PC. If for some reason you are being denied by the last deny statement you should see the log record and be able to discover why it did not match the permit statement. I would also suggest that you do show access-list PSAcl and SBAcl before and after the test and make sure that none of the other deny statements (which do not have the log parameter) have accumulated any fresh hits.
There are a couple of other possibilities to consider. Some of these possibilities are related to routing. I assume that the pocket PC is addressed differently than the PCs in the office. I wonder if the connectivity is different. Can you verify that the office PC can ping the remote router? And can the remote router ping the office PC?
I also suggest that you test SSH from the office PC to both of the outside interfaces. I wonder if there is a possibility that it might work through one but not the other.
Try these suggestions and let us know what happens.
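An added example, not from the thread, of the before/after access-list comparison suggested above: a small Python script that parses two snapshots of IOS "show access-list" output and reports which entries, deny entries in particular, picked up hits during the test. The snapshot text is constructed; PSAcl is the ACL name from the thread, the addresses and counters are made up.

```python
import re

# Constructed snapshot in the layout of IOS "show access-list <name>"; the ACL
# name PSAcl comes from the thread, the addresses and counters are made up.
BEFORE = """\
Extended IP access list PSAcl
    10 permit tcp any host 203.0.113.10 eq 22 (17 matches)
    20 permit tcp any host 203.0.113.11 eq 22 (3 matches)
    30 deny tcp any any eq 23 (5 matches)
    40 deny ip any any log (12 matches)
"""
# Second snapshot, taken after the failed SSH attempt: only the final deny moved.
AFTER = BEFORE.replace("log (12 matches)", "log (15 matches)")

# One ACE per line: optional sequence number, action, the rule, optional counter.
# IOS omits the "(N matches)" suffix entirely while the counter is zero.
ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)

def parse_acl(text):
    """Map each ACE to (ace text, hit count), keyed by sequence number (or text if absent)."""
    entries = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header line or blank line
        ace = f"{m['action']} {m['rule']}"
        entries[m["seq"] or ace] = (ace, int(m["hits"] or 0))
    return entries

def fresh_hits(before, after):
    """ACEs whose counter grew between the two snapshots, with the increase."""
    old = parse_acl(before)
    grown = []
    for key, (ace, hits) in parse_acl(after).items():
        delta = hits - old.get(key, (ace, 0))[1]
        if delta > 0:
            grown.append((ace, delta))
    return grown

def denies_with_fresh_hits(before, after):
    """Only the deny entries that matched during the test, whether or not they log."""
    return [(ace, d) for ace, d in fresh_hits(before, after) if ace.startswith("deny")]
```

Run it against the real output pasted from the router; a deny entry without the log keyword that gained hits during the test is exactly the silent match the advice above is looking for.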
Thanks for the quick feedback.
The other strange behavior is that I am not able to ping from my office PC, but I can ping from the Pocket PC.
From the router itself, I can't ping either the office address or the pocket PC address. I'm sure that the office address is pingable.
Seems the pocket PC has an IP which is somehow not being blocked, where others are?
The fact that the office PC can not ping but the pocket PC can ping is very helpful information. It indicates that the problem with SSH is much more likely an issue with IP connectivity than it is to be a configuration issue (such as access lists).
It seems likely that either your packets from the office PC are not getting to the remote router or the response from the remote router is not getting back to you. There are several things that I would suggest to investigate this:
- connect to the remote router with the pocket PC, enable terminal monitor, turn on debug ip icmp, attempt ping from the office PC. If the ping gets there you should get debug output. (remember to turn off debug when you have completed testing)
- do the same thing the other way - turn on debug ip icmp on the router for your office, attempt to ping from the remote router, look for debug output.
- it might be helpful to do traceroute from your office PC to the remote router and from the remote router to your office PC and see what the path looks like and perhaps identify where traffic stops.
It seems pretty obvious but I will ask anyway - are you sure that there are not access lists or firewalls in the office network that would interfere with this traffic?
Thanks again for the quick response.
I'm a little limited by the fact that I don't have a Cisco router in the office, but I'm also sure that I am not using any access lists either.
Nonetheless, I do have another site where I can carry out these tests between 2 remotes. I've also tried to connect using SSH from these other sites, so that is why I had previously narrowed it down to something in this remote router config.
Here is the output from a tracert on an office client machine. Makes me think it's a problem with the remote ISP since the packets are not finding their way back after hitting the remote address. What do you think?
H:\>tracert -d 184.108.40.206
Tracing route to 220.127.116.11 over a maximum of 30 hops
1 6 ms 6 ms 10 ms 18.104.22.168
2 8 ms 7 ms 7 ms 22.214.171.124
3 7 ms 8 ms 7 ms 126.96.36.199
4 8 ms 7 ms 8 ms 188.8.131.52
5 7 ms 8 ms 12 ms 184.108.40.206
6 8 ms 8 ms 7 ms 220.127.116.11
7 11 ms 9 ms 7 ms 18.104.22.168
8 16 ms 15 ms 16 ms 22.214.171.124
9 16 ms 16 ms 14 ms 126.96.36.199
10 14 ms 13 ms 13 ms 188.8.131.52
11 16 ms 15 ms 14 ms 184.108.40.206
12 14 ms 15 ms 16 ms 220.127.116.11
13 22 ms 22 ms 21 ms 18.104.22.168
14 21 ms 21 ms 22 ms 22.214.171.124
15 21 ms 20 ms 21 ms 126.96.36.199
16 27 ms 26 ms 25 ms 188.8.131.52
17 26 ms 27 ms 25 ms 184.108.40.206
18 30 ms 32 ms 28 ms 220.127.116.11
19 584 ms 591 ms 657 ms 18.104.22.168
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
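An added example, not part of the thread, for reading Windows tracert output like the one above: it parses the hop lines, reports the hop at which replies stop for good, whether and where the destination itself answered, and the largest jump in median latency, so the path seen from the office can be compared with the one seen from the pocket PC. The sample output is constructed with RFC 5737 documentation addresses and only mimics the shape of the real trace.

```python
import re
from statistics import median

# Constructed tracert output in the Windows format used in the thread: steady latency,
# one hop with a large jump, then timeouts. Addresses are RFC 5737 documentation ranges.
SAMPLE = """\
Tracing route to 203.0.113.9 over a maximum of 30 hops
  1     6 ms     6 ms    10 ms  192.0.2.1
  2     8 ms     7 ms     7 ms  198.51.100.1
  3    30 ms    32 ms    28 ms  198.51.100.2
  4   584 ms   591 ms   657 ms  203.0.113.9
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
"""

TARGET_RE = re.compile(r"Tracing route to (\S+)")
# One hop per line: number, three probes of "<N> ms" (or "<1 ms") or "*", then the responder.
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<probes>(?:(?:<?\d+ ms|\*)\s+){3})(?P<host>\S.*?)\s*$", re.M)

def parse_tracert(text):
    """Return (target, hops); each hop is (number, [rtt_ms or None per probe], host)."""
    target = TARGET_RE.search(text).group(1)
    hops = []
    for m in HOP_RE.finditer(text):
        rtts = [None if p == "*" else int(p.lstrip("<")) for p in re.findall(r"<?\d+|\*", m["probes"])]
        hops.append((int(m["hop"]), rtts, m["host"]))
    return target, hops

def median_rtt(rtts):
    answered = [r for r in rtts if r is not None]
    return median(answered) if answered else None

def replies_stop_at(hops):
    """First hop of the trailing run of silent hops, or None if the last hop answered."""
    stop = None
    for num, rtts, _ in hops:
        stop = None if median_rtt(rtts) is not None else (stop or num)
    return stop

def largest_rtt_jump(hops):
    """(hop, ms) where median latency grows most over the previous answering hop."""
    meds = [(num, median_rtt(rtts)) for num, rtts, _ in hops if median_rtt(rtts) is not None]
    jumps = [(b, mb - ma) for (_, ma), (b, mb) in zip(meds, meds[1:])]
    return max(jumps, key=lambda j: j[1]) if jumps else (None, 0)

def target_hop(hops, target):
    """Hop at which the destination itself answered, or None if it never did."""
    return next((num for num, _, host in hops if host == target), None)
```

A trace where target_hop returns a hop number but replies_stop_at is later is the odd case discussed in this thread: the destination answered, yet probes kept going and then fell silent.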
I am not sure whether you have a Cisco router for the network connection at the office makes a great deal of difference.
The results of the tracert are a bit odd. The response at #19 of:
19 584 ms 591 ms 657 ms 22.214.171.124
would seem to indicate that you had reached the destination. I would expect the tracert to stop at that point, but it did not. It would be nice to know just what kind of response the PC did receive.
Can you conduct the test that I suggested to access the remote router via the pocket PC, turn on debug ip icmp, enable terminal monitor, attempt to ping the remote router, and look for debug output?
I agree it looks odd.
I did as you suggested and saw no debug output related to the pings that I generated here at the office.
Are you able to ping the address 126.96.36.199? Does a traceroute from your location look the same/similar?
If you can ping/tracert to it, then I am suspecting that the problems I am having may be related to the private network here at the office. Would that make sense? My reasoning is that it seems that it is only from this network that I am unable to ping or SSH to the device. I used a ping test at http://www.tellurian.com/scripts/tools/ping.asp to confirm this.
What's odd is that this is a client device which I typically configure to be 'network dissimilar' from any other network so that I don't run into problems like this. In this case, though, I do have a VPN tunnel (not currently up) with a private address on the far end that is the same as the private addresses in my office network (192.168.0.0/24). Could this be the reason that I cannot get to the device?
I attempted to ping 188.8.131.52 and the ping failed. I then did a traceroute to that address and got a response that was very similar to what you posted. There were 3 responses from 184.108.40.206 with a large increase in latency between the second and third set of responses, and then responses that look like the traceroute was timing out or getting no response. That is quite odd and I am not sure what is going on. The only time I have seen anything similar to this was when a firewall (or Intrusion Detection) was intercepting traffic and generating responses.