ssh from outside problem

jigsaw2026
Level 1

Hi,

I cannot ssh to my router (878) from outside. I have an access-list on the outside vlan and I can see that it is being hit on the ssh entry, but it just times out. I can ssh from inside no problem.

Any ideas what could be wrong? I have PAT/interface overload for the IP address, but I don't see why that would be a problem as I commonly use this setup.

Any ideas would be very much appreciated.

Thanks,

J

5 Replies

Rick Morris
Level 6

Could you drop the ACL and just try a telnet to verify that you can get to it that way?

Start with a basic set up and work from there. It is good to eliminate the simplest ways first before adding complexity.

paolo bevilacqua
Hall of Fame

Please copy here the ACL you're using for NAT.

I'm fairly sure that I dropped the ACL already - in any case I have logging on and nothing appears in the logs, and the relevant entry is being hit.

This is the ACL (sorry, had to blank out any identifying info, WAN interface in question is x.x.x.x)

access-list 101 permit udp host y.y.y.y host x.x.x.x eq non500-isakmp
access-list 101 permit udp host y.y.y.y host x.x.x.x eq isakmp
access-list 101 permit tcp host y.y.y.y host x.x.x.x eq 10000
access-list 101 permit esp host y.y.y.y host x.x.x.x
access-list 101 permit ahp host y.y.y.y host x.x.x.x
access-list 101 permit udp host b.b.b.b host x.x.x.x eq non500-isakmp
access-list 101 permit udp host b.b.b.b host x.x.x.x eq isakmp
access-list 101 permit tcp host b.b.b.b host x.x.x.x eq 10000
access-list 101 permit esp host b.b.b.b host x.x.x.x
access-list 101 permit ahp host b.b.b.b host x.x.x.x
access-list 101 permit ip 10.3.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 172.20.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 172.29.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.11.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 permit ip 10.11.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 101 permit ip 10.11.0.0 0.0.255.255 172.29.0.0 0.0.255.255
access-list 101 permit tcp host a.a.a.a host x.x.x.x eq domain
access-list 101 permit udp host a.a.a.a host x.x.x.x eq domain
access-list 101 permit tcp host z.z.z.z host x.x.x.x eq domain
access-list 101 permit udp host z.z.z.z host x.x.x.x eq domain
access-list 101 permit tcp host a.a.a.a eq domain host x.x.x.x
access-list 101 permit udp host a.a.a.a eq domain host x.x.x.x
access-list 101 permit tcp host z.z.z.z eq domain host x.x.x.x
access-list 101 permit udp host z.z.z.z eq domain host x.x.x.x
access-list 101 permit icmp any host x.x.x.x echo-reply
access-list 101 permit icmp any host x.x.x.x time-exceeded
access-list 101 permit icmp any host x.x.x.x unreachable
access-list 101 permit tcp any host x.x.x.x eq 22
access-list 101 permit tcp any host x.x.x.x established
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log-input

THANKS!

Hi, as requested above, please post the ACL used for NAT.

If it is simply "permit IP any any", you will need to change it to permitting the inside networks.

Hope this helps, please rate post if it does!

Thanks for your response.

Subnet is used:

access-list 111 remark nonat list
access-list 111 deny ip 10.11.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 111 deny ip 10.11.0.0 0.0.255.255 172.29.0.0 0.0.255.255
access-list 111 deny ip 10.11.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 111 permit ip 10.11.0.0 0.0.255.255 any

Also this is the same set up as we usually use with no problems.

Thanks,

J
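To check which entry of a Cisco IOS extended ACL a given flow actually hits, as the thread does by watching the hit count on the ssh entry, here is an added Python first-match evaluator (example code written for this page, not from Cisco or from anyone in the thread). It assumes the cut-down ACL embedded below, with 192.0.2.1 standing in for the poster's x.x.x.x and 198.51.100.7 for a.a.a.a, and it also shows that, in the posted ordering, the "eq 22" permit sits above the RFC 1918 anti-spoofing denies, so a packet with a private source address still reaches the SSH entry.

```python
import ipaddress
# Constructed sample: a cut-down ACL 101 in the shape posted above, with
# 192.0.2.1 standing in for x.x.x.x and 198.51.100.7 for a.a.a.a.
ACL_101 = """
access-list 101 permit tcp host 198.51.100.7 eq domain host 192.0.2.1
access-list 101 permit tcp any host 192.0.2.1 eq 22
access-list 101 permit tcp any host 192.0.2.1 established
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log-input
"""
PORT_NAMES = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500}

def _addr(t, i):
    # Parse 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT' at t[i].
    if t[i] == "any":
        net, wc, i = 0, 0xFFFFFFFF, i + 1
    elif t[i] == "host":
        net, wc, i = int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    else:
        net, wc = (int(ipaddress.IPv4Address(x)) for x in t[i:i + 2])
        i += 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return (net, wc), port, i

def parse_acl(text):
    # ACEs as (line, action, proto, src, sport, dst, dport, flags).
    # Only the grammar above is handled (no remarks, ICMP types, port ranges).
    entries = []
    for line in text.strip().splitlines():
        t = line.split()  # access-list <n> <action> <proto> <src> <dst> [flags]
        src, sport, i = _addr(t, 4)
        dst, dport, i = _addr(t, i)
        entries.append((line, t[2], t[3], src, sport, dst, dport, set(t[i:])))
    return entries
def _hit(spec, ip):  # wildcard mask: set bits are don't-care
    return (int(ipaddress.IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])

def first_match(entries, proto, src, sport, dst, dport, established=False):
    # Evaluate top-down like IOS; return (action, ACE text) of the first hit.
    for line, action, p, s, sp, d, dp, flags in entries:
        if (p not in ("ip", proto) or not (_hit(s, src) and _hit(d, dst))
                or sp not in (None, sport) or dp not in (None, dport)
                or ("established" in flags and not established)):
            continue
        return action, line
    return "deny", "implicit deny ip any any"
ACES = parse_acl(ACL_101)
SSH_HIT = first_match(ACES, "tcp", "203.0.113.9", 51000, "192.0.2.1", 22)  # the 'eq 22' line
SPOOF_HIT = first_match(ACES, "tcp", "10.9.9.9", 51000, "192.0.2.1", 22)  # permit shadows the 10/8 deny
```

Because the ACL only governs whether the SYN is admitted, a matching hit with a timeout, as in the thread, points past the ACL (NAT, the reply path, or the SSH service itself) rather than at this list.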
