Cisco Support Community
New Member

ssh question

Hello,

I need to access a Linux server that sits behind an 871w router. I can ssh to the router from the server but cannot ssh to the router or server from the outside. Any idea where to start?

Thank you,

John

7 REPLIES
Hall of Fame Super Bronze

Re: ssh question

You can start by posting the router config.

__

Edison.

New Member

Re: ssh question

I uploaded the config. The ip address of the server I need to ssh to is 10.0.1.99.

Thanks for your response,

John

Silver

Re: ssh question

ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet4 22

Now from the outside, anyone connecting to the router FastEthernet 4 interface IP on port 22 will be redirected to the Linux server, assuming that host 10.0.1.10 is the IP address of the Linux server.

New Member

Re: ssh question

I added the NAT route but still no connection from the outside. Attached is my current running config. Am I missing something? My server IP is 10.0.1.99.

Thank you,

John

Silver

Re: ssh question

Please modify your ACL as such:

ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit tcp any any eq 22 log
 deny ip any any log

That will allow ssh access from the outside.

CCIE Security

New Member

Re: ssh question

Made the changes and I can now ssh from the outside. Did I need the ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet4 22 line added to the config? Thank you so much for your help!

John

Silver

Re: ssh question

you need both:

ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet4 22
permit tcp any any eq 22 log

you can even ssh into your linux box on whatever port you specified if you want to preserve tcp port 22 to ssh into your router from the outside. For example, you can do this

ip nat inside source static tcp 10.0.1.99 22 interface FastEthernet4 24

ip access-list extended Internet-inbound-ACL
 permit tcp any any eq 24 log
 permit tcp any any eq 22 log
 deny ip any any log

Now you can ssh into your router on tcp port 22 and your Linux server on tcp port 24. Putty, Teraterm or SecureCRT can do it rather easily.

CCIE Security
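The interplay between the static NAT entry and the inbound ACL that the two replies above describe, as an added example that is not part of the thread and not Cisco IOS code: a small Python first-match evaluator for the ACL and `ip nat inside source static` lines in the form used here. It shows why both lines are needed (the ACL decides whether the packet is accepted on the outside interface, the NAT entry decides whether it lands on the router or on 10.0.1.99), why a `deny ip any any` that sits above the permits swallows everything, and how the same forward looks when the source is restricted to one administrative host instead of `any`. The addresses 198.51.100.1, 203.0.113.5 and 192.0.2.77 are constructed from the RFC 5737 documentation ranges; the parser only understands the keyword subset that appears in this thread (`any`, `host`, contiguous wildcard masks, `eq <port|name>`, `log`, ICMP type names).

```python
"""First-match evaluator for the IOS-style extended ACL and static NAT
port-forward lines used in this thread. Added illustration, not Cisco code:
it understands only the keyword subset seen here."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "ssh": 22}   # names used in the thread


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", "gre", "esp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" | "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]        # None = any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    wildcard = int(ipaddress.ip_address(tok[1]))     # IOS wildcard = inverted netmask
    if wildcard & (wildcard + 1):
        raise ValueError("only contiguous wildcard masks are supported here")
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tok[0]}/{prefix}", strict=False), tok[2:]


def _port(tok):
    """Consume an optional 'eq <port|name>'; return (port or None, rest)."""
    if tok and tok[0] == "eq":
        return PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok


def parse_acl(text):
    """Turn the lines under 'ip access-list extended <name>' into ordered ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "!"):         # header or comment line
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        # leftover tokens ('log', 'echo', 'traceroute', ...) are not evaluated
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def acl_verdict(aces, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for i, ace in enumerate(aces):
        if (ace.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ace.src
                and ipaddress.ip_address(pkt.dst) in ace.dst
                and ace.sport in (None, pkt.sport)
                and ace.dport in (None, pkt.dport)):
            return ace.action, i
    return "deny", None


def parse_nat(lines):
    """'ip nat inside source static <proto> <inside ip> <inside port> interface <if> <outside port>'"""
    table = {}
    for line in lines:
        tok = line.split()
        if tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            table[(tok[5], int(tok[10]))] = (tok[6], int(tok[7]))
    return table


def reach(acl_text, nat_lines, pkt):
    """Inbound on the NAT outside interface, the inbound ACL sees the untranslated
    packet first; only then does a matching static entry rewrite the destination.
    Returns the (ip, port) the connection lands on, or None when the ACL drops it."""
    verdict, _ = acl_verdict(parse_acl(acl_text), pkt)
    if verdict == "deny":
        return None
    return parse_nat(nat_lines).get((pkt.proto, pkt.dport), (pkt.dst, pkt.dport))


# Constructed addresses from the RFC 5737 documentation ranges, not from the thread.
ROUTER, ADMIN, STRANGER = "198.51.100.1", "203.0.113.5", "192.0.2.77"
NAT_24 = ["ip nat inside source static tcp 10.0.1.99 22 interface FastEthernet4 24"]
THREAD_ACL = """ip access-list extended Internet-inbound-ACL
 permit tcp any any eq 24 log
 permit tcp any any eq 22 log
 deny ip any any log"""
DENY_FIRST_ACL = """ip access-list extended Internet-inbound-ACL
 deny ip any any log
 permit tcp any any eq 24 log
 permit tcp any any eq 22 log"""
HARDENED_ACL = """ip access-list extended Internet-inbound-ACL
 permit tcp host 203.0.113.5 any eq 24 log
 permit tcp host 203.0.113.5 any eq 22 log
 deny ip any any log"""
```

Running `reach(THREAD_ACL, NAT_24, Packet("tcp", STRANGER, ROUTER, 40000, 24))` returns `("10.0.1.99", 22)`, the same packet to port 22 returns `("198.51.100.1", 22)` (the router's own SSH), and port 25 returns `None`; with `DENY_FIRST_ACL` every packet returns `None`, and with `HARDENED_ACL` only the 203.0.113.5 source reaches either listener. Two operational points follow from the model: in named-ACL configuration mode IOS appends entries without sequence numbers at the end, so adding a permit to an ACL that already ends in `deny ip any any` leaves the new permit unreachable unless the deny is removed first or sequence numbers are used; and a `permit tcp any any eq 22` exposes both SSH listeners to every address on the Internet, so the `host`/wildcard form of the source is the setting to tighten once the forward works.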
