SSH or Telnet to Cisco Routers

Paresh Patel, Network Architect
I have seen a number of questions about SSH/Telnet access to Cisco routers failing even though Internet connectivity from the LAN is fine: PCs connected to the LAN reach Internet sites without any issues, yet you cannot SSH/Telnet to the external (WAN) interface of the router, while SSH/Telnet from the inside works.

The problem is with Network Address Translation (NAT) and the related Access Control List (ACL); your configuration needs to be written so that it expressly permits such external access.

Consider this partial configuration:
interface fastethernet 0/0
 description WAN Interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside

interface fastethernet 0/1
 description LAN Interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

ip access-list extended NAT-LIST
 permit ip any any

! the list name here must match the ACL defined above
ip nat inside source list NAT-LIST interface fastethernet 0/0 overload


The partial configuration above is sufficient to allow Internet access from PCs connected to the router's LAN.  It also allows network administrators to SSH or Telnet to the router from the LAN.  However, one will NOT be able to SSH/Telnet to the router from the outside, over the Internet.

The problem (assuming that you want that capability) lies within the Access Control List:
ip access-list extended NAT-LIST
 permit ip any any


The permit ip any any line above causes the router to translate all requests, those from the LAN as well as those arriving from the Internet, to the FastEthernet 0/0 IP address, which in turn breaks SSH/Telnet access to the router.

So, the question is: how do you resolve this?  It is a rather simple fix.  All you need to do is replace the line...
 permit ip any any
...with...
 permit ip 10.10.10.0 0.0.0.255 any

When completed, your Access Control List should look like this:
ip access-list extended NAT-LIST
 permit ip 10.10.10.0 0.0.0.255 any


Of course, you will also need to generate a crypto (RSA) key if you use SSH, and you will have to configure the VTY lines to allow SSH/Telnet sessions.

Below is a correct partial configuration that allows the external access we've been discussing:
! "secret" instead of "password" would store a hash rather than a cleartext (or type 7) string
username user privilege 15 password user123

interface fastethernet 0/0
 description WAN Interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside

interface fastethernet 0/1
 description LAN Interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

ip access-list extended NAT-LIST
 permit ip 10.10.10.0 0.0.0.255 any

! the list name here must match the ACL defined above
ip nat inside source list NAT-LIST interface fastethernet 0/0 overload

line vty 0 4
 login local
 transport input telnet


OR (for the final line)...
 transport input ssh


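As an added check that is not part of the original article, the following Python script audits a saved IOS configuration for the two problems discussed above: an entry in the ACL used by ip nat inside source list whose source is any (so Internet-sourced traffic is translated too), and a NAT statement that references an ACL name that is not defined. The sample configuration is constructed for this example, not taken from a real device.

```python
"""Audit a Cisco IOS config for an over-broad NAT source list (added example)."""
import re

# Constructed sample, mirroring the article's "before" state (not a real device).
SAMPLE_CONFIG = """\
interface fastethernet 0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
!
interface fastethernet 0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
ip access-list extended NAT-LIST
 permit ip any any
!
ip nat inside source list NAT-LIST interface fastethernet 0/0 overload
"""

ACL_HEADER = re.compile(r"ip access-list (standard|extended) (\S+)")
NAT_LIST = re.compile(r"^ip nat inside source list (\S+)", re.M)

def parse_named_acls(config):
    """Map ACL name -> (kind, [entries]) for every 'ip access-list' block."""
    acls, current = {}, None
    for line in config.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(2)
            acls[current] = (m.group(1), [])
        elif current and line.startswith(" "):
            acls[current][1].append(line.strip())   # indented line = ACL entry
        else:
            current = None   # '!' or any other top-level command ends the block
    return acls

def source_of(kind, entry):
    """Source field of a permit entry: 'permit <src>' (standard) or 'permit <proto> <src>' (extended)."""
    words = entry.split()
    if len(words) < 2 or words[0] != "permit":
        return None
    return words[1] if kind == "standard" else (words[2] if len(words) > 2 else None)

def audit_nat_acl(config):
    """Return findings for every ACL referenced by 'ip nat inside source list'."""
    findings, acls = [], parse_named_acls(config)
    for name in NAT_LIST.findall(config):
        if name not in acls:
            findings.append(f"NAT references ACL {name!r}, which is not defined")
            continue
        kind, entries = acls[name]
        for e in entries:
            if source_of(kind, e) == "any":
                findings.append(f"ACL {name!r} entry {e!r}: source 'any' also matches "
                                "Internet-sourced traffic; restrict it to the inside subnet")
    return findings
```

Run audit_nat_acl() over the text of show running-config; an empty list means the NAT source list only translates the inside subnet.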

Hope this helps.

Comments (5)

rsaettel commented:
In order to set up SSH you also have to enable the AAA new model along with the creation of the device's RSA keys.
to rsaettel:

That is not fully correct. The part with RSA keys is correct, but not the part with aaa new-model. SSH will also work without aaa new-model, but only version 1.9; when you want to run version 2.0, then you need to configure aaa new-model.

Marek
Paresh Patel, Network Architect (Author) commented:
The point of this article relates to the NAT ACL.  It assumes that you have the RSA key already created and aaa new-model configured.

If your NAT ACL is from any source to any destination, the router will not allow SSH/Telnet access.
Yes, I fully understand it; it is a good explanation.
The reply above was only a reaction to the comment from rsaettel.
Paresh Patel, Network Architect (Author) commented:
Understood.  Thanks.
