05-23-2006 08:00 AM - edited 03-09-2019 03:00 PM
Hello
I would like to SSH to the outside interface of our 2851 router.
SSH works fine on the internal interfaces.
I've set up the ACLs to allow access (one applied to the line vty, and the other to the outside interface).
The config looks like the following:
line vty 0 4
access-class 102 in
logout-warning 30
length 0
transport input ssh
access-list 102 permit tcp any gt 1024 any eq 22
ip access-list extended Outside_ACL
permit tcp any gt 1024 any eq 22 log
Is there anything else I should be considering when configuring SSH on the outside interface?
TIA,
Michael
05-23-2006 12:04 PM
Michael
I wonder if you are making things more complicated than they need to be. Both ACL 102 and Outside_ACL get very specific about restricting access to SSH. But with the vty configured with transport input ssh, this means that only SSH access will be allowed anyway.
Are you indicating in your post that SSH to internal interfaces works but SSH to the external interface does not? Is this from the same source attempting to SSH to internal and to external interfaces?
HTH
Rick
05-24-2006 12:47 AM
Hi Rick
Thanks for responding. I could open things up a little on the outside interface, and remove ACL 102, and see what happens - will give it a try.
I am actually trying to SSH from the same source, but I connect to the inside interface over a VPN tunnel (made to the outside interface). When I try and connect to the outside interface, I'm connecting over the Internet (and am therefore using a natted address). ICMP packets return OK...
Well I removed access-list 102, and added the following line to Outside_ACL:
permit ip any host xxx.xxx.xxx.xxx
Still didn't allow me to SSH to the outside interface.. any ideas?
05-24-2006 01:03 AM
Just had a thought - maybe there's something wrong with the interface config.. maybe IPS is blocking SSH?
interface GigabitEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$Outside (dirty) Interface
ip address xx.xx.xxx.xx 255.255.255.248
ip access-group Outside_ACL in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip ips sdm_ips_rule in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map SDM_CMAP_1
Will try editing my IPS rule, and see what happens.
05-25-2006 03:58 AM
Well removing IPS didn't have any effect, so I'm not sure what's blocking it....?
05-25-2006 06:12 AM
Michael
I notice that there is a crypto map on the interface (which I would have assumed from your previous comment that you were accessing the router via VPN) and I wonder if it is possible that the SSH incoming from your remote address is being considered as incoming VPN traffic by the crypto map. Could you attempt SSH to the outside address from some other source address and see if that changes things?
Or can you provide details of what is in the crypto map - and possibly think about putting something in the crypto map that would exclude SSH to the external interface.
HTH
Rick
05-30-2006 03:09 AM
Hi Rick
Thanks for your reply, I am using two remote addresses - one for the VPN tunnel, and one to try SSH.
When I try to SSH to the external interface, I get log entries through the following ACLs:
Outside_ACL:
125 permit ip host xx.xx.xx.xx host xx.xx.xx.xx log (3 matches)
102 (line vty 0 4):
130 permit tcp any any (5 matches)
135 permit ip any any (**no matches)
On the SSH client I get a 'connection timed out', and if I 'debug ip ssh' I don't see any unusual traffic (only traffic that appears to be from my SSH connection to the inside interface).
I'll try SSH from another location, and see what that does.
Regards,
Michael
05-30-2006 07:20 AM
Michael
Have you looked into the possibility that the crypto map may be impacting your SSH traffic?
It might be worth adding a line at the bottom of access list 102 with deny ip any any log
This will give you a log message if the incoming SSH traffic is somehow not being permitted. If that still does not show what the problem is I would suggest removing the access class configuration from the vty (with permit ip any any you are not getting any protection from the access class anyway).
HTH
Rick
05-31-2006 02:30 AM
Hi Rick
Many thanks for your help - I found the problem. I enabled 'debug ip nat', and saw that return traffic from the outside interface was being translated to new port numbers (e.g. from 22->29, 29->30, 30->31 and so on...)
I hadn't included the required lines in my route-map ACL to stop traffic being NAT'd, from the outside interface to management IP's.
My config has now been updated:
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
route-map SDM_RMAP_1 permit 1
match ip address InternetAccessNAT_ACL
ip access-list extended InternetAccessNAT_ACL
..
..
..
remark ** Don't NAT traffic between router and management addresses **
deny ip host xx.xx.xx.xx host xx.xx.xx.xx
deny ip host xx.xx.xx.xx host xx.xx.xx.xx
deny ip host xx.xx.xx.xx host xx.xx.xx.xx
deny ip host xx.xx.xx.xx host xx.xx.xx.xx
Thanks again for your help - I think I would have given up on this one (or at least shelved it for a while) if you didn't help with your suggestions.
Kind regards,
Michael.
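The pattern that resolved this thread, and Rick's earlier suggestion of a logged deny at the end of the vty access list, combined into one complete configuration. This is an added example, not Michael's or Cisco's own config: the router's outside address 203.0.113.10, the management stations 198.51.100.20 and 198.51.100.21, the inside network 192.168.1.0/24 and the ACL name VTY_MGMT are all placeholders chosen for illustration (documentation address ranges), and the body of InternetAccessNAT_ACL, which the thread elides, is assumed to be a single permit for the inside network.

```cisco
! Assumed example config (not from the thread). Addresses are placeholders.
!
! --- SSH service: version 2 only, short timeout, limited retries ---
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! --- vty access list: only management sources, everything else logged ---
! With "transport input ssh" on the vty, restricting to port 22 here is
! redundant (Rick's point); the value of this list is the source filter
! and the logged deny that shows what was refused.
ip access-list extended VTY_MGMT
 permit ip host 198.51.100.20 any
 permit ip host 198.51.100.21 any
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
line vty 0 4
 access-class VTY_MGMT in
 exec-timeout 10 0
 transport input ssh
!
! --- NAT: exempt router <-> management traffic before the overload permit ---
! ACLs are first-match, so the deny entries must sit above the permit;
! otherwise the router's own SSH replies (sourced from the outside address)
! are translated to new source ports, which is what "debug ip nat" exposed.
ip access-list extended InternetAccessNAT_ACL
 remark ** Don't NAT traffic between router and management addresses **
 deny   ip host 203.0.113.10 host 198.51.100.20
 deny   ip host 203.0.113.10 host 198.51.100.21
 remark ** Translate ordinary inside-to-Internet traffic **
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address InternetAccessNAT_ACL
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
```

After applying it, "show access-lists" should show the VTY_MGMT permit counters incrementing on a successful login and the deny line logging anything else, and "show ip nat translations" should no longer list the management stations' port-22 sessions, since the deny entries in InternetAccessNAT_ACL keep them out of the translation table.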
05-31-2006 05:18 AM
Michael
I am glad that I was able to help you find the solution. And thank you for posting back to the forum indicating that the problem was solved. It makes the forum much more helpful when people can read about an issue and see what solved the issue.
I encourage you to continue your participation in the forum.
HTH
Rick