
SSH or Telnet to Cisco Routers

I have seen a number of questions about SSH/Telnet access to Cisco routers failing even though Internet connectivity is otherwise fine: PCs on the LAN can reach Internet sites without any issue, and you can SSH or Telnet to the router from the inside, yet you cannot SSH or Telnet to the router's external (WAN) interface address from the Internet.

The cause is the interaction between Network Address Translation (NAT) and the Access Control List (ACL) that selects traffic for translation; your configuration needs to expressly permit such external access.

Consider this partial configuration (note that the NAT statement must reference the same access list name, NAT-LIST, that is defined above it):
interface fastethernet 0/0
 description WAN Interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside

interface fastethernet 0/1
 description LAN Interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

ip access-list extended NAT-LIST
 permit ip any any

ip nat inside source list NAT-LIST interface fastethernet 0/0 overload

The partial configuration above is sufficient for Internet access from PCs connected to the router's LAN, and it also lets network administrators SSH or Telnet to the router from the LAN. However, one will NOT be able to SSH/Telnet to the router from the outside, over the Internet.

The problem (assuming that you want that capability) lies in the NAT access list:
ip access-list extended NAT-LIST
 permit ip any any

The permit ip any any line selects all traffic, from the Internet as well as from the LAN, for translation to the FastEthernet 0/0 IP address, and that in turn breaks SSH/Telnet access to the router from the outside.

So, how do you resolve this? It is a simple fix: restrict the NAT access list to your inside network. Replace the line...
     permit ip any any
...with...
     permit ip 10.10.10.0 0.0.0.255 any
If you have more than one inside subnet, add a permit line for each of them; any source not listed will no longer be translated.

When completed, your Access Control List should look like this:
ip access-list extended NAT-LIST
 permit ip 10.10.10.0 0.0.0.255 any

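To make the wildcard-mask behaviour concrete, here is an added example in Python (not code from the original article): a small evaluator for the permit/deny ip <src> <dst> form of an IOS extended ACL, run against a few constructed flows. The only addresses taken from the article are the WAN address 172.16.1.1 and the LAN 10.10.10.0/24; the other addresses (documentation ranges standing in for Internet hosts, and a hypothetical second inside subnet 192.168.5.0/24) are assumptions. It shows that permit ip any any selects a packet from an Internet host to the WAN address just as readily as it selects LAN traffic, whereas the scoped entry selects only sources in 10.10.10.0/24, and it also shows the caveat that an inside subnet you forget to list stops being selected at all.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added example, not code from the original article.  It models the
# 'permit/deny ip <src> <dst>' form of a Cisco IOS extended ACL (the form
# the article's NAT-LIST uses) with IOS wildcard masks, and answers one
# question: which flows does the ACL select?  It does not model NAT itself.


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: int         # source network as a 32-bit int
    src_wild: int    # IOS wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s, d = _to_int(src_ip), _to_int(dst_ip)
        # Only the bits where the wildcard is 0 must agree.
        src_ok = ((s ^ self.src) & ~self.src_wild & 0xFFFFFFFF) == 0
        dst_ok = ((d ^ self.dst) & ~self.dst_wild & 0xFFFFFFFF) == 0
        return src_ok and dst_ok


def _parse_addr(tokens: list[str], i: int) -> tuple[int, int, int]:
    """Consume one IOS address spec at tokens[i]: 'any', 'host A.B.C.D',
    or 'A.B.C.D W.W.W.W'.  Returns (address, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _to_int(tokens[i + 1]), 0, i + 2
    return _to_int(tokens[i]), _to_int(tokens[i + 1]), i + 2


def parse_acl(text: str) -> list[AclEntry]:
    """Parse the body of an 'ip access-list extended' block."""
    entries: list[AclEntry] = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip the 'ip access-list extended NAME' header, blanks and remarks.
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue
        if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, src_wild, i = _parse_addr(tokens, 2)
        dst, dst_wild, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(tokens[0], src, src_wild, dst, dst_wild))
    return entries


def acl_permits(acl: list[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """First matching entry wins; an ACL ends with an implicit 'deny ip any any'."""
    for entry in acl:
        if entry.matches(src_ip, dst_ip):
            return entry.action == "permit"
    return False


# The two NAT access-list variants from the article.
ANY_ANY = """ip access-list extended NAT-LIST
 permit ip any any
"""
LAN_ONLY = """ip access-list extended NAT-LIST
 permit ip 10.10.10.0 0.0.0.255 any
"""

# Constructed sample flows (source, destination).  172.16.1.1 is the WAN
# address from the article and 10.10.10.25 a PC on its LAN; 203.0.113.10 and
# 198.51.100.7 are documentation-range stand-ins for Internet hosts;
# 192.168.5.5 is a hypothetical second inside subnet not covered by LAN_ONLY.
FLOWS = {
    "lan_to_internet": ("10.10.10.25", "203.0.113.10"),
    "inbound_ssh_to_wan": ("198.51.100.7", "172.16.1.1"),
    "second_subnet_to_internet": ("192.168.5.5", "203.0.113.10"),
}


def flows_selected(acl_text: str) -> list[str]:
    """Names of the sample flows the given NAT ACL would select."""
    acl = parse_acl(acl_text)
    return sorted(name for name, (s, d) in FLOWS.items() if acl_permits(acl, s, d))


if __name__ == "__main__":
    for label, acl_text in (("permit ip any any", ANY_ANY),
                            ("permit ip 10.10.10.0 0.0.0.255 any", LAN_ONLY)):
        print(f"{label}: {flows_selected(acl_text)}")
```

With the any/any list, the inbound SSH packet from the Internet to 172.16.1.1 is selected along with everything else; with the scoped list only the 10.10.10.0/24 source is selected, and the unlisted 192.168.5.0/24 subnet drops out, which is why each inside subnet needs its own permit line.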

Of course, if you use SSH you will also need to generate the router's RSA key pair (crypto key generate rsa, which requires a hostname and an ip domain-name to be set first), and in either case you will have to configure the VTY lines to accept SSH/Telnet sessions. Because this exposes the router's management plane to the Internet, prefer SSH (ideally ip ssh version 2) over Telnet, which sends credentials in cleartext, and restrict the VTY lines to your management source addresses with an access-class.

Below is a corrected partial configuration that allows the external access we've been discussing (the local user is defined with secret rather than password so the credential is stored hashed, and the NAT statement references NAT-LIST, the access list actually defined):
username user privilege 15 secret user123

interface fastethernet 0/0
 description WAN Interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside

interface fastethernet 0/1
 description LAN Interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

ip access-list extended NAT-LIST
 permit ip 10.10.10.0 0.0.0.255 any

ip nat inside source list NAT-LIST interface fastethernet 0/0 overload

line vty 0 4
 login local
 transport input telnet

OR (for the final line, and preferred)...
 transport input ssh


Hope this helps.
5 Comments
Expert Comment by rsaettel:
In order to set up SSH you also have to enable AAA new-model, along with creating the device's RSA keys.
Expert Comment by nw-support:
To rsaettel:

That is not fully correct. The part about RSA keys is correct, but not the part about aaa new-model. SSH will also work without aaa new-model, but only version 1.9; when you want to run version 2.0, then you need to configure aaa new-model.

Marek
Author Comment by Paresh Patel:
The point of this article relates to the NAT ACL. It assumes that you have the RSA key already created and aaa new-model configured.

If your NAT ACL is from any source to any destination, the router will not allow SSH/Telnet access.
Expert Comment by nw-support:
Yes, I fully understand it; it is a good explanation.
The reply above was only a reaction to the comment from rsaettel.
Author Comment by Paresh Patel:
Understood. Thanks.