
SSH or Telnet to Cisco Routers

I have seen a number of questions about SSH/Telnet access to Cisco routers failing even though Internet connectivity is fine: PCs on the LAN can reach Internet sites without any issue, and administrators can SSH/Telnet to the router from inside, yet nobody can SSH/Telnet to the router's external/WAN interface from the Internet.

The cause is the interaction between Network Address Translation (NAT) and the Access Control List (ACL) that selects which traffic NAT translates. The configuration must expressly limit translation to the inside addresses, or external management access is broken.

Consider this partial configuration:
interface fastethernet 0/0
 description WAN Interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside

interface fastethernet 0/1
 description LAN Interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

ip access-list extended NAT-LIST
 permit ip any any

ip nat inside source list NAT-LIST interface fastethernet 0/0 overload

The partial configuration above is sufficient to give PCs on the router's LAN Internet access, and it also lets network administrators SSH or Telnet to the router from the LAN. However, it will NOT let you SSH/Telnet to the router from the outside, over the Internet.

The problem (assuming that you want that capability) lies within the Access Control List that NAT uses to decide what to translate:
ip access-list extended NAT-LIST
 permit ip any any

The permit ip any any line matches every packet, not only those sourced from your LAN. Sessions arriving from the Internet are therefore treated as candidates for translation to the FastEthernet 0/0 address just like LAN traffic, and that is what breaks SSH/Telnet access to the router's WAN interface. A NAT ACL should describe only the inside address space that actually needs translating.

So, the question is:  How do you resolve this?  It is rather a simple fix.  All you need to do is replace the line...
     permit ip any any
...with...
     permit ip 10.10.10.0 0.0.0.255 any

When completed, your Access Control List should look like this:
ip access-list extended NAT-LIST
 permit ip 10.10.10.0 0.0.0.255 any


Of course, if you use SSH you also need to generate an RSA key pair on the router (which requires a hostname and a domain name to be set first), and in either case you have to configure the VTY lines to accept SSH/Telnet sessions and to authenticate users.

Below is a corrected partial configuration that allows the external access we have been discussing. The username and password are placeholders; use secret rather than password so the credential is stored as a hash instead of in a reversible form:
username user privilege 15 secret user123

interface fastethernet 0/0
 description WAN Interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside

interface fastethernet 0/1
 description LAN Interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

ip access-list extended NAT-LIST
 permit ip 10.10.10.0 0.0.0.255 any

ip nat inside source list NAT-LIST interface fastethernet 0/0 overload

line vty 0 4
 login local
 transport input telnet

OR (for the final line, preferred, because Telnet sends the login credentials in clear text across the Internet)...
 transport input ssh
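As an added example that is not part of the original article, here is a fuller, hardened version of the same configuration: the NAT ACL restricted to the LAN prefix, RSA key generation for SSH version 2, Telnet disabled, and the VTY lines limited to known management sources. The hostname EDGE-RTR, the domain name example.net, the external administrator host 203.0.113.10 and the credentials are all assumptions for the example; substitute your own.

```cisco
hostname EDGE-RTR
ip domain-name example.net
! crypto key generate rsa is entered in global configuration mode; the key pair
! itself is not shown in the running configuration. 2048 bits is assumed here.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! 'secret' stores a hash; 'password' would store a reversible encoding.
username admin privilege 15 secret ChangeMe-Before-Use
service password-encryption
!
interface FastEthernet0/0
 description WAN Interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description LAN Interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Translate only the LAN prefix. Never use 'permit ip any any' here.
ip access-list extended NAT-LIST
 permit ip 10.10.10.0 0.0.0.255 any
!
ip nat inside source list NAT-LIST interface FastEthernet0/0 overload
!
! Sources allowed to open a management session: the LAN plus one assumed
! external administrator host. Everything else is dropped and logged.
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
 permit host 203.0.113.10
 deny any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
 exec-timeout 10 0
```

The access-class is the part most often skipped: once the NAT ACL is fixed, the WAN interface answers SSH for the whole Internet, so the VTY lines should say who is allowed to try. If your administrators do not have a fixed external address, reach the router through a VPN or a bastion host rather than opening the VTY to any source. After applying the configuration, show ip ssh confirms SSH version 2 is enabled and show ip nat translations confirms that only 10.10.10.0/24 sources are being translated.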


Hope this helps.