  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 298

SSH and access-list problem

I have a 1710 acting as a router and VPN end point. I want to SSH from the outside, but this is not working. I can SSH from the inside no problem. Everything points to an access-list issue. Can anyone help? See the last line of ACL 100.
Here's a dump of the ACLs:
-----------------------------------------------------------------------------
access-list 1 permit 192.168.42.0 0.0.0.255
access-list 1 permit 192.168.43.0 0.0.0.255
access-list 100 remark +-----------------------------------------------------+
access-list 100 remark +     INPUT ACCESS-LIST APPLIED ON INT. Eth 0         +
access-list 100 remark + This access-list control internet traffic coming in +
access-list 100 remark +  It also control traffic through the IPSEC tunnel   +
access-list 100 remark +-----------------------------------------------------+
access-list 100 permit udp host 137.122.252.230 host 199.243.179.226 eq isakmp
access-list 100 permit esp host 137.122.252.230 host 199.243.179.226
access-list 100 permit ip 192.168.43.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 100 permit icmp 192.168.43.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 100 permit icmp any 199.243.179.224 0.0.0.7 echo-reply
access-list 100 permit icmp any 199.243.179.224 0.0.0.7 time-exceeded
access-list 100 permit icmp any 199.243.179.224 0.0.0.7 traceroute
access-list 100 permit icmp any 199.243.179.224 0.0.0.7 unreachable
access-list 100 permit tcp any host 199.243.179.228 eq smtp
access-list 100 permit tcp 9.23.185.0 0.0.0.255 host 199.243.179.226 eq telnet
access-list 100 permit tcp any host 199.243.179.226 eq 22
access-list 104 remark +-----------------------------------------------------+
access-list 104 remark +  INPUT ACCESS-LIST APPLIED ON INT. FastEthernet 0   +
access-list 104 remark +-----------------------------------------------------+
access-list 104 permit ip 192.168.42.0 0.0.0.255 any
access-list 104 permit icmp any any
access-list 110 remark +-----------------------------------------------------+
access-list 110 remark +    This access-list is used for the IPSEC tunnel    +
access-list 110 remark +          It tell witch traffic to encrypt           +
access-list 110 remark +                                                     +
access-list 110 remark +-----------------------------------------------------+
access-list 110 permit ip 192.168.42.0 0.0.0.255 192.168.43.0 0.0.0.255
access-list 120 deny   ip 192.168.42.0 0.0.0.255 192.168.43.0 0.0.0.255
access-list 120 deny   ip host 192.168.42.2 192.168.43.0 0.0.0.255
access-list 120 permit ip 192.168.42.0 0.0.0.255 any
access-list 130 deny   ip host 192.168.42.6 192.168.43.0 0.0.0.255
access-list 130 permit ip host 192.168.42.6 any
!
route-map mailserver permit 10
 match ip address 130
!
route-map nonat permit 10
 match ip address 120
-------------------------------------------------------------------------------------------------
0
Asked: kdb01
2 Solutions
 
stressedout2004Commented:
Config looks good. Do you have any access-class configured under line vty?
Can you post your line vty config?

0
 
noctotCommented:
I know SSH uses both TCP and UDP port 22 but I don't know what it uses UDP for exactly. You might want to try allowing UDP traffic as well.
On a side note, make sure you are using SSH2 if possible. SSH1 has some really serious security flaws.
0
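The question asks whether access-list 100 is what blocks SSH from the Internet, and the first answer points at the other place the source address is checked, the access-class on line vty. The Python below is an added example (not the poster's device output and not Cisco code): it re-reads the access-list lines quoted in the question with Cisco first-match, implicit-deny semantics and evaluates a single flow against them. The outside address 203.0.113.5 is a constructed value from the documentation range, and the idea that access-list 1 might be applied as `access-class 1 in` on the vty lines is a hypothetical for illustration, not something the thread states. The model ignores ICMP type keywords and the `established` keyword, neither of which matters for the TCP/22 check.

```python
"""Evaluate Cisco IOS access-lists against a single flow (first match wins, implicit deny).

Added example for the thread above; not the poster's device output and not Cisco code.
"""
import ipaddress
from typing import Optional

# IOS keyword-to-port names used in the quoted config.
PORT_NAMES = {"isakmp": 500, "smtp": 25, "telnet": 23, "ssh": 22}
ANY = ("0.0.0.0", "255.255.255.255")

# ACL lines transcribed from the question (constructed config text for this example;
# remark lines are kept only to show that the parser skips them).
CONFIG = """
access-list 1 permit 192.168.42.0 0.0.0.255
access-list 1 permit 192.168.43.0 0.0.0.255
access-list 100 remark + INPUT ACCESS-LIST APPLIED ON INT. Eth 0 +
access-list 100 permit udp host 137.122.252.230 host 199.243.179.226 eq isakmp
access-list 100 permit esp host 137.122.252.230 host 199.243.179.226
access-list 100 permit ip 192.168.43.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 100 permit icmp any 199.243.179.224 0.0.0.7 echo-reply
access-list 100 permit tcp any host 199.243.179.228 eq smtp
access-list 100 permit tcp 9.23.185.0 0.0.0.255 host 199.243.179.226 eq telnet
access-list 100 permit tcp any host 199.243.179.226 eq 22
"""


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a ^ n) & care == 0


def _parse_addr(tokens: list, i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A'; return (net, wildcard, next index)."""
    if tokens[i] == "any":
        return ANY[0], ANY[1], i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    wildcard = tokens[i + 1] if i + 1 < len(tokens) else "0.0.0.0"
    return tokens[i], wildcard, i + 2


def parse_ace(line: str) -> Optional[dict]:
    """Parse one 'access-list N permit|deny ...' line; remarks and non-ACL lines give None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
        return None
    number, action = int(tokens[1]), tokens[2]
    if number <= 99:  # standard ACL: source address only; protocol and ports are ignored
        src, src_wc, _ = _parse_addr(tokens, 3)
        return {"acl": number, "action": action, "proto": "ip",
                "src": (src, src_wc), "dst": ANY, "dport": None}
    proto = tokens[3]
    src, src_wc, i = _parse_addr(tokens, 4)
    dst, dst_wc, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    # ICMP type keywords (echo-reply, unreachable, ...) are ignored in this simplified model.
    return {"acl": number, "action": action, "proto": proto,
            "src": (src, src_wc), "dst": (dst, dst_wc), "dport": dport}


def evaluate(config: str, acl: int, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for the flow; an IOS ACL ends with an implicit deny."""
    for line in config.splitlines():
        ace = parse_ace(line)
        if ace is None or ace["acl"] != acl:
            continue
        if ace["proto"] not in ("ip", proto):       # 'ip' entries match every protocol
            continue
        if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]                        # first matching entry decides
    return "deny"


if __name__ == "__main__":
    outside = "203.0.113.5"        # constructed Internet source (documentation range)
    router = "199.243.179.226"     # the 1710's outside address from the post
    print("ACL 100, TCP/22 from outside:", evaluate(CONFIG, 100, "tcp", outside, router, 22))
    # Hypothetical: if 'access-class 1 in' were configured on line vty, ACL 1 (internal
    # networks only) is what the SSH client's source address would be checked against.
    print("ACL 1 as access-class, outside source:", evaluate(CONFIG, 1, "tcp", outside, router, 22))
    print("ACL 1 as access-class, inside source:", evaluate(CONFIG, 1, "tcp", "192.168.42.10", router, 22))
```

Running it shows that the interface ACL admits TCP/22 from any source to 199.243.179.226, so a remaining failure has to come from a later check such as a vty access-class; an access-class built from a standard ACL that lists only the inside networks rejects every outside source even though ACL 100 let the packet in. The same evaluator can be pointed at any other quoted entry (for example the telnet line restricted to 9.23.185.0/24) before changing a production config.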
