03-27-2008 03:49 AM - edited 03-03-2019 09:17 PM
Hi,
I cannot ssh to my router (878) from outside. I have an access-list on the outside vlan and I can see that it is being hit on the ssh entry, but it just times out. I can ssh from inside no problem.
Any ideas what could be wrong? I have PAT/interface overload for the IP address, but I don't see why that would be a problem, as I commonly use this setup.
Any ideas would be very much appreciated.
Thanks,
J
03-27-2008 11:59 AM
Could you drop the ACL and just try a telnet to verify that you can get to it that way?
Start with a basic set up and work from there. It is good to eliminate the simplest ways first before adding complexity.
03-27-2008 02:05 PM
Please copy here the ACL you're using for NAT.
03-28-2008 08:55 AM
I'm fairly sure that I dropped the ACL already - in any case I have logging on and nothing appears in the logs, and the relevant entry is being hit.
This is the ACL (sorry, I had to blank out any identifying info; the WAN interface in question is x.x.x.x):
access-list 101 permit udp host y.y.y.y host x.x.x.x eq non500-isakmp
access-list 101 permit udp host y.y.y.y host x.x.x.x eq isakmp
access-list 101 permit tcp host y.y.y.y host x.x.x.x eq 10000
access-list 101 permit esp host y.y.y.y host x.x.x.x
access-list 101 permit ahp host y.y.y.y host x.x.x.x
access-list 101 permit udp host b.b.b.b host x.x.x.x eq non500-isakmp
access-list 101 permit udp host b.b.b.b host x.x.x.x eq isakmp
access-list 101 permit tcp host b.b.b.b host x.x.x.x eq 10000
access-list 101 permit esp host b.b.b.b host x.x.x.x
access-list 101 permit ahp host b.b.b.b host x.x.x.x
access-list 101 permit ip 10.3.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 172.20.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 172.29.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.11.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 permit ip 10.11.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 101 permit ip 10.11.0.0 0.0.255.255 172.29.0.0 0.0.255.255
access-list 101 permit tcp host a.a.a.a host x.x.x.x eq domain
access-list 101 permit udp host a.a.a.a host x.x.x.x eq domain
access-list 101 permit tcp host z.z.z.z host x.x.x.x eq domain
access-list 101 permit udp host z.z.z.z host x.x.x.x eq domain
access-list 101 permit tcp host a.a.a.a eq domain host x.x.x.x
access-list 101 permit udp host a.a.a.a eq domain host x.x.x.x
access-list 101 permit tcp host z.z.z.z eq domain host x.x.x.x
access-list 101 permit udp host z.z.z.z eq domain host x.x.x.x
access-list 101 permit icmp any host x.x.x.x echo-reply
access-list 101 permit icmp any host x.x.x.x time-exceeded
access-list 101 permit icmp any host x.x.x.x unreachable
access-list 101 permit tcp any host x.x.x.x eq 22
access-list 101 permit tcp any host x.x.x.x established
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log-input
THANKS!
03-28-2008 03:37 PM
Hi, as requested above, please post the ACL used for NAT.
If it is simply "permit ip any any", you will need to change it to permit only the inside networks.
Hope this helps, please rate post if it does!
03-31-2008 04:24 AM
Thanks for your response.
Subnet is used:
access-list 111 remark nonat list
access-list 111 deny ip 10.11.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 111 deny ip 10.11.0.0 0.0.255.255 172.29.0.0 0.0.255.255
access-list 111 deny ip 10.11.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 111 permit ip 10.11.0.0 0.0.255.255 any
Also this is the same set up as we usually use with no problems.
Thanks,
J
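To check what the two ACLs in this thread actually do to a given packet, here is an added example that is not code from the thread, from the poster's router, or from Cisco: a small first-match evaluator for the subset of IOS extended-ACL syntax the posted lists use (any / host / address plus wildcard mask, `eq <port>`, `established`, a trailing `log` or `log-input`; ICMP type words are not handled). The redacted x.x.x.x, y.y.y.y and a.a.a.a addresses are replaced by RFC 5737 documentation addresses, and the sample packets are constructed. Evaluating an inbound SSH SYN to the WAN address shows it is permitted by the `eq 22` line whatever the source, so when that line's counter increments and the session still times out, the inbound ACL is not what is dropping it. Evaluating ACL 111 shows which flows the `permit ip 10.11.0.0 0.0.255.255 any` line hands to the interface overload and which the `deny` lines keep untranslated for the VPN. The example also shows a consequence of the line order in ACL 101: a packet from a 10.0.0.0/8 source with the ACK bit set matches `established` before it reaches `deny ip 10.0.0.0 0.255.255.255 any`.

```python
"""Tiny evaluator for Cisco IOS extended ACLs (first match wins).
Added example, not code from the thread or from Cisco. It understands only
the syntax the posted ACLs use: any / host / address+wildcard, protocols
ip tcp udp esp ahp, 'eq <port>', 'established', trailing log / log-input.
Redacted addresses are replaced by RFC 5737 documentation addresses
(constructed sample data)."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53, "ssh": 22}


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "esp", "ahp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK or RST bit set: what 'established' tests


def _addr(tok):
    """Consume an address spec; return (matcher, remaining tokens)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        want = int(ipaddress.ip_address(tok[1]))
        return (lambda ip: int(ipaddress.ip_address(ip)) == want), tok[2:]
    # Wildcard mask: a 1 bit means "don't care", so compare only the 0 bits
    # (bitwise compare also handles the non-contiguous wildcards IOS allows).
    base = int(ipaddress.ip_address(tok[0]))
    care = ~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF
    return (lambda ip: int(ipaddress.ip_address(ip)) & care == base & care), tok[2:]


def _port(tok):
    """Consume an optional 'eq <port>'; absent means any port."""
    if tok and tok[0] == "eq":
        port = PORT_NAMES.get(tok[1]) or int(tok[1])
        return (lambda p: p == port), tok[2:]
    return (lambda p: True), tok


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()            # access-list <n> <action> <proto> ...
        if tok[2] == "remark":
            continue
        rule = {"action": tok[2], "proto": tok[3], "text": line.strip()}
        rest = tok[4:]
        rule["src"], rest = _addr(rest)
        rule["sport"], rest = _port(rest)
        rule["dst"], rest = _addr(rest)
        rule["dport"], rest = _port(rest)
        rule["established"] = "established" in rest   # log/log-input ignored
        rules.append(rule)
    return rules


def evaluate(rules, pkt):
    """Return (action, matching line). IOS ends every ACL with an implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt.proto:
            continue
        if not (r["src"](pkt.src) and r["dst"](pkt.dst)):
            continue
        if not (r["sport"](pkt.sport) and r["dport"](pkt.dport)):
            continue
        if r["established"] and not pkt.ack:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny"


# Constructed sample: the SSH-relevant part of the poster's ACL 101, with the
# redacted WAN address x.x.x.x as 192.0.2.1, y.y.y.y as 198.51.100.10 and
# the DNS server a.a.a.a as 203.0.113.53.
OUTSIDE_IN = parse_acl("""
access-list 101 permit udp host 198.51.100.10 host 192.0.2.1 eq isakmp
access-list 101 permit tcp host 203.0.113.53 eq domain host 192.0.2.1
access-list 101 permit tcp any host 192.0.2.1 eq 22
access-list 101 permit tcp any host 192.0.2.1 established
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log-input
""")

# The poster's nonat ACL 111 as given: deny = leave untranslated (VPN
# traffic), permit = translate with the interface overload.
NONAT = parse_acl("""
access-list 111 remark nonat list
access-list 111 deny ip 10.11.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 111 deny ip 10.11.0.0 0.0.255.255 172.29.0.0 0.0.255.255
access-list 111 deny ip 10.11.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 111 permit ip 10.11.0.0 0.0.255.255 any
""")


def inbound(src, dport, ack=False):
    """What ACL 101 does with an inbound TCP packet to the WAN address."""
    return evaluate(OUTSIDE_IN, Packet("tcp", src, "192.0.2.1", 51234, dport, ack))


def is_translated(src, dst):
    """True when ACL 111 selects the flow for PAT (permit means translate)."""
    return evaluate(NONAT, Packet("tcp", src, dst, 40000, 443))[0] == "permit"
```

`inbound("203.0.113.77", 22)` returns `permit` on the `eq 22` line, `inbound("10.9.9.9", 80)` is stopped by the 10.0.0.0/8 deny, but `inbound("10.9.9.9", 80, ack=True)` is permitted by `established` because that line precedes the deny. `is_translated("10.11.4.4", "172.29.0.9")` is False (kept for the VPN) while `is_translated("10.11.4.4", "203.0.113.9")` is True; a source outside 10.11.0.0/16 falls through to the implicit deny and is not translated at all.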