SSH or Telnet to Cisco Routers

Paresh Patel, Network Architect
I have seen some questions about problems with SSH/Telnet access to Cisco routers that occur even though Internet connectivity from the LAN is fine: PCs behind the router can reach Internet sites without any issues. In these cases you cannot SSH/Telnet to the external/WAN interface of the router, but you can SSH/Telnet to it from the inside.

The problem is with Network Address Translation (NAT) and the Access Control List (ACL) that selects the traffic to translate; your configuration needs to expressly permit such external access.

Consider this partial configuration:
interface fastethernet 0/0
 description WAN Interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside

interface fastethernet 0/1
 description LAN Interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

ip access-list extended NAT-LIST
 permit ip any any

! the list name must match the ACL defined above
ip nat inside source list NAT-LIST interface fastethernet 0/0 overload

The partial configuration above is sufficient to allow Internet access from PCs connected to the router's LAN.  It also allows network administrators to SSH or Telnet to the router from the LAN.  However, one will NOT be able to SSH/Telnet to the router from the outside, over the Internet.

The problem (assuming that you want that capability) lies within the Access Control List NAT-LIST:
ip access-list extended NAT-LIST
 permit ip any any

The permit ip any any line above translates all requests from the LAN as well as from the Internet to the FastEthernet 0/0 IP address, which in turn breaks SSH/Telnet access to the router from the outside.

So, the question is: how do you resolve this?  It is a rather simple fix.  All you need to do is replace the line...
     permit ip any any
...with a line that matches only the inside LAN subnet as the source...
     permit ip 10.10.10.0 0.0.0.255 any

When completed, your Access Control List should look like this:
ip access-list extended NAT-LIST
 permit ip 10.10.10.0 0.0.0.255 any
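The check below is an added example, not part of the original article: a small Python linter that reads an IOS configuration text, finds the ACL each "ip nat inside source list" statement refers to, reports a missing ACL or a "permit ... any" source, and suggests the inside-subnet entry derived from the interfaces marked "ip nat inside". The sample configuration is constructed to mirror the article's first (broken) configuration, and the parser assumes "ip address" precedes "ip nat inside" inside an interface block, as IOS prints it.

```python
"""Lint a Cisco IOS config for the NAT-ACL mistake discussed above (added example)."""
import re
from ipaddress import IPv4Network

# Constructed sample reproducing the article's first (broken) configuration.
SAMPLE_CONFIG = """\
interface fastethernet 0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
interface fastethernet 0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
ip access-list extended NAT-LIST
 permit ip any any
ip nat inside source list NAT-LIST interface fastethernet 0/0 overload
"""

def parse_config(config):
    """Return (acls, inside_nets): ACL entries by name and the subnet of each
    'ip nat inside' interface (assumes 'ip address' precedes 'ip nat inside')."""
    acls, inside_nets, acl, net = {}, [], None, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"ip access-list extended (\S+)", line):
            acl = m.group(1)
            acls[acl] = []
        elif acl and line.split()[0] in ("permit", "deny", "remark"):
            acls[acl].append(line)          # ACL entry, indented or not
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            acl, net = None, IPv4Network(f"{m[1]}/{m[2]}", strict=False)
        elif line == "ip nat inside" and net is not None:
            inside_nets.append(net)
        else:
            acl = None                      # any other command ends the ACL
    return acls, inside_nets

def lint_nat_acls(config):
    """Return findings for every ACL that 'ip nat inside source list' uses."""
    acls, inside_nets = parse_config(config)
    fix = "; ".join(f"permit ip {n.network_address} {n.hostmask} any" for n in inside_nets)
    findings = []
    for name in re.findall(r"^\s*ip nat inside source list (\S+)", config, re.M):
        if name not in acls:
            findings.append(f"NAT statement references undefined ACL {name}")
            continue
        for entry in acls[name]:
            parts = entry.split()
            # 'permit <proto> any ...' translates traffic from any source
            if parts[0] == "permit" and len(parts) > 2 and parts[2] == "any":
                findings.append(f"ACL {name} '{entry}' matches any source; use: {fix}")
    return findings
```

Running lint_nat_acls(SAMPLE_CONFIG) flags the any-source entry and proposes "permit ip 10.10.10.0 0.0.0.255 any", the same line the article arrives at.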


Of course, if you use SSH you will also need to generate an RSA crypto key, and in either case you will have to configure the VTY lines to accept SSH/Telnet sessions.

Below is a correct partial configuration that allows the external access we've been discussing:
username user privilege 15 password user123
! (prefer "secret" over "password": it stores a hashed credential)

interface fastethernet 0/0
 description WAN Interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside

interface fastethernet 0/1
 description LAN Interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

ip access-list extended NAT-LIST
 permit ip 10.10.10.0 0.0.0.255 any

! the list name must match the ACL defined above
ip nat inside source list NAT-LIST interface fastethernet 0/0 overload

line vty 0 4
 login local
 transport input telnet

OR, for SSH instead of Telnet (replace the final line)...
 ! requires a hostname, an ip domain-name and "crypto key generate rsa" first
 transport input ssh


Hope this helps.

Comments (5)

rsaettel commented:
In order to set up SSH you also have to enable the AAA new model along with the creation of the device's RSA keys.
Marek commented:
to rsaettel:

That is not fully correct. The part about RSA keys is correct, but not the part about aaa new-model. SSH will also work without aaa new-model, but only version 1.9; when you want to run version 2.0, then you need to configure aaa new-model.

Marek
Paresh Patel (Author) commented:
The point of this article relates to the NAT ACL.  It assumes that you already have the RSA key created and aaa new-model configured.

If your NAT ACL is from any source to any destination, the router will not allow SSH/Telnet access.
Marek commented:
Yes, I fully understand it; it is a good explanation.
The reply above was only a reaction to the comment from rsaettel.
Paresh Patel (Author) commented:
Understood.  Thanks.
