New Member

Port Forward ssh to internal network

Hi (I am a cisco newbie as I am a Solaris SCM by trade so forgive my lack of knowledge).

I have a Cisco 837 Router with ADSL (dynamic) configured on it. I have a solaris box and a linux box on the network (both listening to non-standard ssh ports) and want to access them from my office via PuTTY.

I have been unsuccessful in configuring the router to forward any requests from the outside to either of these machines on the inside. Basically I want (for example) the outside request (I use the current IP using ddns) at port 10022 to be forwarded to the machine inside the network at 10.10.10.6:10022 - Sounds simple and my old Linksys had no problems with this. I have had our cisco guy from work spend an evening trying to resolve it, but alas even he is flummoxed!

(all systems inside have static ips and all in one subnet).

Rachel (pulling hair out)


21 REPLIES
Hall of Fame Super Gold

Re: Port Forward ssh to internal network

Hi,

that would be:

ip nat source static tcp 10022 interface atm0 10022

Then boast NetPro's power to the coworker :)

Hope this helps, please rate post if it does!

Hall of Fame Super Gold

Re: Port Forward ssh to internal network

I must possibly amend my post above, because if your ISP is using PPPoE, you should put "dialer0" instead of ATM0, and if it is using "bridged 1483", you should put BVI1.

Basically, you put the interface that gets a public IP address one way or another !

New Member

Re: Port Forward ssh to internal network

Ok, when I attempt to enter that line, IOS complains about the 'Invalid input detected ...' right at the 'source' part. Doing the 'ip nat ?' gives me the following options:

Stateful
inside
log
outside
pool
service
translation

(I have tried 'inside' - probably wrong, but it does not work anyways).

? confused here (IOS 12.2(13)ZH2) - the connection is PPPoA(AAL5MUX) Dynamic IP - ATM0 shows 'no ip address' and Dialer1 is 'ip address negotiated'..... weep

New Member

Re: Port Forward ssh to internal network

Hi Rachel,

your statement should be:

ip nat inside source static tcp PrivateIP 10022 interface Dialer1 10022 extendable

And review the access-list in the Dialer 1 to permit this traffic.

Regards,

Olaf

New Member

Re: Port Forward ssh to internal network

Thanks - Unfortunately in my 'tinkering' I have hardened the router to the extent that it's not accepting my telnet, ssh or SDM connections from the office - not a biggie as I will fix that when I get home tonight and then try your suggested nat setting.

Cheers - will let you know how it works out.

Rachel

Hall of Fame Super Gold

Re: Port Forward ssh to internal network

Correct, my post wasn't made in full control of typing evidently. But NetPros still rule :)

New Member

Re: Port Forward ssh to internal network

Ok I have control of my router back (will return to hardening it later).

I have this entry now

ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023

and access-list 106 permit tcp any eq 10023 any eq 10023 log

It still does not function (and I have no cisco guy tonight to help me) - (not doing bad as this is my first time with cisco kit) : )

You mention review the access list for Dialer1 - I am unsure as to what I need to add to that (or do I need a new rule) and how to ensure that it is applied to my NAT rule above?

any hints please?

Rachel

Re: Port Forward ssh to internal network

It would help if you can post a sanitized copy of the full router configuration.

Anyway can you modify the following entry in access list 106 to as follows and test.

access-list 106 permit tcp any any eq 10023 log

HTH

Sundar

New Member

Re: Port Forward ssh to internal network

:( sorry to be such a burden, but none of the above (and below) statements are working :(

Here is my config (sanitised):

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxx
!
logging queue-limit 100
no logging buffered
enable secret 5 ********
!
username ******** privilege 15 password 7 ********
username ******** privilege 15 password 7 ********
username ******** privilege 15 secret 5 ********
username ******** privilege 15 secret 5 ********
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip domain name middleearth.org
ip name-server 195.x.x.66
ip name-server 195.x.x.6
ip dhcp excluded-address 10.10.10.25
ip dhcp excluded-address 10.10.10.1 10.10.10.29
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.40 10.10.10.254
ip dhcp excluded-address 10.10.10.21
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 195.x.x.66
   lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 description $ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip tcp adjust-mss 1400
 hold-queue 100 out
!
interface ATM0
 no ip address
 ip access-group 100 in
 no atm traffic-shaping
 no atm cell-clumping-disable
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip flow ingress
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ********@********.********
 ppp chap password 7 ********
 ppp pap sent-username ********@********.******** password 7 ********
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip nat pool sshforward 10.10.10.6 10.10.10.6 netmask 255.255.255.252
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip http server
ip http access-class 1
no ip http secure-server
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 99 remark SDM_ACL Category=2
access-list 99 permit any log
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host ***.***.***.*** any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=16
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map forwardssh permit 10
 match ip address 103
 set ip next-hop 10.10.10.9
!
banner login ^C ****** Welcome to Middle Earth ******^C
banner motd ^C
Logged on to: ARAGORN.
This system is not for unauthorised users.
All access is logged.....
^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 101 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

I can see now why my cisco guy was pulling his hair out last night lol

Hall of Fame Super Gold

Re: Port Forward ssh to internal network

Hi,

You should have another statement like:

ip nat inside source list 106 interface Dialer1 overload

Correct ? That would be allowing access to internet from inside to outside.

if so please change ACL as:

no access-list 106

access-list 106 permit ip 10.10.10.0 0.0.0.255 any

New Member

Re: Port Forward ssh to internal network

Hi Rachel,

Do you advise that your statements are for port 10023?

In your first post you talk about port 10022?

Anyway...

Can you post your running config?

# show running-config

In your interface dialer 1, you can see an entry:

ip access-group in

?

This number is the access-list that is applied on interface dialer 1.

You should copy your actual access-list from your running-config to notepad and insert a statement at the beginning:

access-list permit tcp any any eq 10022

Now, copy all statements from notepad (with the new one inserted). Delete your actual access-list with:

(conf)# no access-list

and paste the clipboard checking that the last statement is inserted pressing Enter.

Regards,

Olaf
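One way to check the pairing Olaf describes mechanically, as an added example that is not part of this thread and not Cisco tooling: the Python script below parses a constructed IOS config (modelled on the sanitised config posted above, but with ACL 106 applied inbound on Dialer1 so there is something to evaluate), finds each static port forward, looks up the inbound ACL on the NAT outside interface and evaluates it first-match for a connection from an arbitrary outside host. It also lists ACLs that are referenced by `ip access-group` but never defined, which IOS treats as permit-all. All function and variable names are mine; the sample config is constructed.

```python
# Constructed sample, modelled on the sanitised 837 config in this thread but not identical to it:
# ACL 106 is applied inbound on Dialer1 (the NAT outside interface) so the check has something
# to evaluate, and ACL 100 is referenced on Ethernet0 but never defined.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip access-group 106 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
"""
# Same config with the permit line suggested in the thread inserted at the top of ACL 106.
FIXED_CONFIG = SAMPLE_CONFIG.replace("access-list 106 permit ip",
                                     "access-list 106 permit tcp any any eq 10023 log\naccess-list 106 permit ip")

def parse_config(text):
    """Interface NAT role + inbound ACL, static port forwards, numbered ACL entries in order."""
    cfg = {"interfaces": {}, "static_nat": [], "acls": {}}
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "interface":
            current = tok[1]
            cfg["interfaces"][current] = {"nat": None, "acl_in": None}
        elif raw.startswith(" ") and current:  # sub-command of the current interface
            if tok[:2] == ["ip", "nat"]:
                cfg["interfaces"][current]["nat"] = tok[2]
            elif tok[:2] == ["ip", "access-group"] and tok[-1] == "in":
                cfg["interfaces"][current]["acl_in"] = tok[2]
        elif tok[:5] == ["ip", "nat", "inside", "source", "static"] and len(tok) > 10:
            # ip nat inside source static tcp LOCAL-IP LOCAL-PORT interface IFACE GLOBAL-PORT
            cfg["static_nat"].append((tok[5], tok[6], tok[7], tok[9], tok[10]))
        elif tok[0] == "access-list" and tok[2] != "remark":
            cfg["acls"].setdefault(tok[1], []).append(tok[2:])
        else:
            current = None
    return cfg

def _addr(tok, i):
    """Consume one ACL address spec at tok[i]: 'any', 'host A.B.C.D' or 'network wildcard'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2

def acl_verdict(entries, proto, port):
    """First-match verdict for a connection from an arbitrary outside host to the forwarded port.
    Only 'any' -> 'any' entries can match it (the public address is negotiated, so the ACL
    cannot name it); no match is the implicit deny at the end of every IOS ACL."""
    for tok in entries:
        if tok[1] not in ("ip", proto):
            continue
        src, i = _addr(tok, 2)
        if src != "any":
            continue
        if i < len(tok) and tok[i] == "eq":
            continue  # 'any eq 10023' is a source-port match; clients use ephemeral source ports
        dst, i = _addr(tok, i)
        if dst != "any":
            continue
        if i < len(tok) and tok[i] == "eq" and tok[i + 1] != port:
            continue
        return tok[0]  # 'permit' or 'deny'
    return "deny"

def check_port_forwards(text):
    """For each static port forward, does the inbound ACL on the NAT outside interface let it through?"""
    cfg = parse_config(text)
    findings = []
    for proto, local_ip, local_port, iface, global_port in cfg["static_nat"]:
        f = {"forward": f"{proto}/{global_port} -> {local_ip}:{local_port}", "interface": iface}
        intf = cfg["interfaces"].get(iface)
        if not intf or intf["nat"] != "outside":
            f["status"] = "interface-not-nat-outside"
        elif intf["acl_in"] is None:
            f["status"] = "permitted"  # no inbound ACL on the outside interface at all
        elif intf["acl_in"] not in cfg["acls"]:
            f["status"] = "permitted-acl-undefined"  # IOS passes all traffic when the ACL does not exist
        else:
            verdict = acl_verdict(cfg["acls"][intf["acl_in"]], proto, global_port)
            f["status"] = "permitted" if verdict == "permit" else "blocked"
        findings.append(f)
    return findings

def undefined_acl_references(text):
    """ACL numbers applied with 'ip access-group' but never defined (ACL 100 in this thread)."""
    cfg = parse_config(text)
    return sorted(v["acl_in"] for v in cfg["interfaces"].values()
                  if v["acl_in"] and v["acl_in"] not in cfg["acls"])
```

Run against SAMPLE_CONFIG the forward of tcp/10023 comes back "blocked", because ACL 106 only permits sources in 10.10.10.0/24 and everything else hits the implicit deny; against FIXED_CONFIG it comes back "permitted". The earlier attempt in the thread, `permit tcp any eq 10023 any eq 10023`, is also evaluated as deny by `acl_verdict`, since it requires the client's source port to be 10023, which an SSH client never uses. `undefined_acl_references` reports "100", the dangling reference found later in the thread; an undefined ACL is not a lockout but a silent permit-all, which is the opposite of what a hardening pass intends.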

New Member (Accepted Solution)

Re: Port Forward ssh to internal network

Try with this. Obviously you need to put usernames and passwords...

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ARAGORN
!
logging queue-limit 100
no logging buffered
enable secret 5 ********
!
username ******** privilege 15 password 7 ********
username ******** privilege 15 password 7 ********
username ******** privilege 15 secret 5 ********
username ******** privilege 15 secret 5 ********
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip domain name middleearth.org
ip name-server 195.244.192.66
ip name-server 195.244.192.6
ip dhcp excluded-address 10.10.10.25
ip dhcp excluded-address 10.10.10.1 10.10.10.29
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.40 10.10.10.254
ip dhcp excluded-address 10.10.10.21
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 195.244.192.66
   lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 description $ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1400
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm traffic-shaping
 no atm cell-clumping-disable
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip flow ingress
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ********@********.********
 ppp chap password 7 ********
 ppp pap sent-username ********@********.******** password 7 ********
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.6 10022 interface Dialer1 10022
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip http server
ip http access-class 1
no ip http secure-server
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=16
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
banner login ^C ****** Welcome to Middle Earth ******^C
banner motd ^C
Logged on to: ARAGORN.
This system is not for unauthorised users.
All access is logged.....
^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

New Member

Re: Port Forward ssh to internal network

Hmmmm the plot thickens....

I have applied this config and the router has reloaded ok. I am still unable to reach my inside machine.

Upon nosing a little through your changes, I went to see what access-group 100 was and found that it does not exist on my router!

how on earth can I put it back in (or should I do a factory reset and then apply this config again?)

thanks (You guys are all ANGELS and uber-techs for replying so quick and having patience thus far) x x x

Rachel

New Member

Re: Port Forward ssh to internal network

I saw that no access-group is applied in dialer 1. Don't worry, security later.

Can you put the output of:

show ip nat translations

Can you access ssh to your server from the inside network at port 10022?

Regards,

Olaf

New Member

Re: Port Forward ssh to internal network

show ip nat translations gives:

Pro Inside global          Inside local          Outside local          Outside global
tcp 212.120.230.38:2008    10.10.10.2:2008       207.46.111.77:1863     207.46.111.77:1863
tcp 212.120.230.38:10023   10.10.10.6:10023      ---                    ---
tcp 212.120.230.38:2080    10.10.10.2:2080       72.14.217.91:80        72.14.217.91:80

Yes I have no problem logging into 10.10.10.6:10023 and 10.10.10.9:10022 from inside using PuTTY (the 10023 is the one I am most concerned with getting up)

Thanks :) here's hoping light will be shed...

New Member

Re: Port Forward ssh to internal network

And the server 10.10.10.6 can browse without problems?

Greetings,

New Member

Re: Port Forward ssh to internal network

hmmm never looked at that - It's a linux box that I use primarily as a console box/ssh gateway (meaning I used to ssh into it thru my old Linksys then ssh from that box to my solaris machines) - I don't have a gui on there so I haven't tried browsing. A quick ping http://www.bbc.co.uk resulted in nada so I am checking its routes etc right now (tho it has no trouble in accessing my remote offices in London via the sw vpn) - odd probably just can't find the dns servers......)

I will check it out and be back in a mo

cheers

edit: yep now it can ping www.bbc.co.uk .....

still no connection from outside :(

New Member

Re: Port Forward ssh to internal network

Wow (and weird) but I got to the office this morning and immediately ssh'd to my linux box at home :)

thanks for all your help guys, but I am somewhat curious as to why when I tested from home it doesn't work. (I admit I should have RDC'd to my work PC and tried from there but as I couldn't see it I thought I wasn't at that point.

I was using a putty session on my windows PC at home to ssh to the linux box via my external IP:10022 and it could not connect. Yet here at work I can connect? Is there something in my config that is preventing the portforward from working from within my network when going out and back in again?

Anyways on to my EasyVPN next (hopefully I can get that up without too many hassles (connecting to a 3000 series)

Thanks again all of you for your patience and advice - I will certainly be here with more questions as I do more things on my learning voyage with cisco

New Member

Re: Port Forward ssh to internal network

Ummmmm...

It should run without problems from RDC session to your work from home. I do everyday.

Maybe nat entries in the cache...

Try again from home and try to open SSH session with other server, not your home.

Regards,

New Member

Re: Port Forward ssh to internal network

Hi Just got in and yep I can VPN to the office, run up an RDC to my office PC and successfully SSH to my linux box here.

What I am still unable to do is fire up an ssh session from my home windows box (using either my current public IP or the DDNS url) to the linux box (using the exact ssh session template as at work (I just copied it from there)) ? bizarre or normal behaviour?

Anyhoos THANKS ALL X X X X X X X

(what a great bunch you are)

New Member

Re: Port Forward ssh to internal network

If you are trying to open an ssh session directly from home to your public address, that is normal. You can't access your internal servers using the public address, unless you do other NATs. But when you connect to your internal servers you should use internal IP addresses.

I thought you tried to open the ssh session from the office RDC connection.

Regards,
