Hi Rick

Thanks for responding. I could open things up a little on the outside interface, and remove ACL 102, and see what happens - will give it a try.

I am actually trying to SSH from the same source, but I connect to the inside interface over a VPN tunnel (made to the outside interface). When I try and connect to the outside interface, I'm connecting over the Internet (and am therefore using a natted address). ICMP packets return OK...

Well I removed access-list 102, and added the following line to Outside_ACL:

permit ip any host xxx.xxx.xxx.xxx

Still didn't allow me to SSH to the outside interface.. any ideas?

Just had a thought - maybe there's something wrong with the interface config.. maybe IPS is blocking SSH?

interface GigabitEthernet0/1

description $ETH-WAN$$FW_OUTSIDE$Outside (dirty) Interface

ip address xx.xx.xxx.xx 255.255.255.248

ip access-group Outside_ACL in

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip inspect DEFAULT100 out

ip ips sdm_ips_rule in

ip nat outside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no cdp enable

no mop enabled

crypto map SDM_CMAP_1

Will try editing my IPS rule, and see what happens.

Well removing IPS didn't have any effect, so I'm not sure what's blocking it....?

Hi Rick

Thanks for your reply, I am using two remote addresses - one for the VPN tunnel, and one to try SSH.

When I try to SSH to the external interface, I log entry through the following ACL's:

Outside_ACL:

125 permit ip host xx.xx.xx.xx host xx.xx.xx.xx log (3 matches)

102 (line vty 0 4):

130 permit tcp any any (5 matches)

135 permit ip any any (**no matches)

On the SSH client I get a 'connection timed out', and if I 'debug ip ssh' I don't see any unusual traffic (only traffic that appears to be from my SSH connection to the inside interface).

I'll try SSH from another location, and see what that does.

Regards,

Michael

Michael

Have you looked into the possibility that the crypto map may be imacting your SSH traffic?

It might be worth adding a line at the bottom of access list 102 with deny ip any any log

This will give you a log message if the incoming SSH traffic is somehow not being permitted. If that still does not show what the problem is I would suggest removing the access class configuration from the vty (with permit ip any any you are not getting any protection from the access class anyway).

HTH

Rick

Hi Rick

Many thanks for you help - I found the problem. I enabled 'debug ip nat', and saw that return traffic from the outside interface was being translated to new port numbers (e.g. from 22->29, 29->30, 30->31 and so on...)

I hadn't included the required lines in my route-map ACL to stop traffic being NAT'd, from the outside interface to management IP's.

My config now has now been updated:

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload

route-map SDM_RMAP_1 permit 1

match ip address InternetAccessNAT_ACL

ip access-list extended InternetAccessNAT_ACL

..

..

..

remark ** Don't NAT traffic between router and management addresses **

deny ip host xx.xx.xx.xx host xx.xx.xx.xx

deny ip host xx.xx.xx.xx host xx.xx.xx.xx

deny ip host xx.xx.xx.xx host xx.xx.xx.xx

deny ip host xx.xx.xx.xx host xx.xx.xx.xx

Thanks again for your help - I think I would have given up on this one (or at least shelved it for a while) if you didn't help with your suggestions.

Kind regards,

Michael.

Michael

I am glad that I was able to help you find the solution. And thank you for posting back to the forum indicating that the problem was solved. It makes the forum much more helpful when people can read about an issue and see what solved the issue.

I encourage you to continue your participation in the forum.

HTH

Rick