Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SSH not connect remotely

Hi everyone,

We have a Cisco router with SSH configured. If I am physically inside the LAN, I can SSH to it via the private IP 192.168.1.1, or alternatively via its WAN IP (provided by the DHCP of our ISP).

However I can't connect remotely using that WAN IP at all if I am not in the office LAN.

Why does it do that? Someone says NAT problem but I can't relate it.

All suggestions are welcomed, thank you.

Triet

6 REPLIES
Cisco Employee

Re: SSH not connect remotely

What error do you get? Is it a timeout error after a long connection waiting period, or is it a quick connection refused error? Do you have any access-lists or firewall that would be blocking the external WAN IP? It would be helpful to see the configuration from the router.

New Member

Re: SSH not connect remotely

Thank you for your reply. It takes a long time and display the error. I can't replicate the fault now (will try later) but I think it is timeout error.

There is a firewall and an ACL on the WAN interface.

Oh SSH from remotely used to work. It stopped working since (I think) we put in VDPN. I may be wrong.

Here is the config.

Cisco Employee

Re: SSH not connect remotely

Is the PPP interface always up, or will it go down if there is not interesting traffic? It looks like you have a client VPN configuration on this router. Can you create a VPN tunnel to it? If so, can you SSH to the router after establishing the VPN?

New Member

Re: SSH not connect remotely

Thank you jclarke,

- Yes the PPP interface is always up

- Yes I can create a VPN tunnel to the router

- Yes I can SSH to the router when I am in the VPN tunnel

Best regards,

Triet

Cisco Employee

Re: SSH not connect remotely

It sounds like the SSH traffic may be filtered before it reaches this router. You might try creating another access-list that matches on your external source address. For example:

access-list 115 permit ip host x.x.x.x any

Where x.x.x.x is the IP address of the source which cannot connect to this router. Then run debug ip packet detail for this list:

debug ip packet detail 115

See if the SSH SYN is making it to the router at all.

Re: SSH not connect remotely

To rule out NAT isn't causing this can you reconfigure your ACL like this and test.

access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 100 deny tcp any any eq ssh

access-list 100 permit ip any any

HTH

Sundar

708
Views
0
Helpful
6
Replies
CreatePlease login to create content