Cisco ISR 871 SSH access denied WAN interface

Medium Priority
1,431 Views
Last Modified: 2012-05-11
Hello All,
I am having trouble setting up SSH access on the WAN interface on a Cisco ISR 871. I can log in from the inside interface but not outside. Config to follow:
Current configuration : 2636 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5 
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.0 192.168.10.99
!
ip dhcp pool lan
   network 192.168.10.0 255.255.255.0
   domain-name local.local
   dns-server 192.168.1.50 208.67.222.222 208.67.220.220
   default-router 192.168.10.1
   lease 7
!
!
ip domain name domain.com
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
!
multilink bundle-name authenticated
!
!
username user privilege 15 secret 5
!
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
crypto isakmp key key address PEERIP
!
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN-TUNNEL 1 ipsec-isakmp
 set peer PEERIP
 set transform-set AES-SHA
 match address ACL-VPN
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh version 2
!
!
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description Internet
 ip address WANIP 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map VPN-TUNNEL
!
interface Vlan1
 description Internal LAN
 ip address 192.168.10.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface Vlan2
 description DMZ
 ip address 192.168.20.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.15.182.10
!
!
no ip http server
no ip http secure-server
ip nat inside source list ACL-NAT interface FastEthernet4 overload
!
ip access-list extended ACL-NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended ACL-VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
no cdp run
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input ssh
!
scheduler max-task-time 5000
end


Ernie Beek, Senior infrastructure engineer
CERTIFIED EXPERT
Top Expert 2012

Commented:
Try the following:

access-list 100 permit tcp any host WANIP eq 22
access-list 100 deny   ip any any log

interface FastEthernet4
 ip access-group 100 in


And see if that helps.
CERTIFIED EXPERT
Top Expert 2014

Commented:
Try the line...

ip nat inside source static tcp 192.168.10.1 22 interface Fa4 22

Author

Commented:
erniebeek:
All that did was lock me out of the router. I have to call them tomorrow to power cycle it.
Ernie Beek, Senior infrastructure engineer
CERTIFIED EXPERT
Top Expert 2012

Commented:
?
I'll have another look later on.

For now, next time before making any changes, first issue a 'reload in xx'. This will cause the router to reload in xx minutes. That way, if you get locked out, you just have to wait xx minutes. Oh, 'reload cancel' will cancel the pending reload.
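Before applying an inbound ACL like the one suggested above, it is worth evaluating it offline against the sessions that must survive the change. The Python script below is an added example, not code from the thread or from Cisco: it parses numbered extended ACL lines in the syntax used above, evaluates them first-match the way IOS does, and reports whether the admin's SSH session, the IPsec peer's ISAKMP and ESP traffic, and replies to outbound connections would still be permitted. It assumes no dynamic openings exist, which matches the posted config (the 'ip inspect name myfw' rules are defined but never applied to an interface); the WAN, admin and peer addresses (203.0.113.2, 198.51.100.50, 198.51.100.7) are constructed placeholders.

```python
import ipaddress

def _addr(t, i):
    """Parse one ACL address spec (any | host A | A WILDCARD) at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(t[i + 1])) ^ 0xFFFFFFFF)  # invert wildcard
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [log]' lines, keeping their order.
    Each entry becomes (action, proto, src_net, dst_net, dst_port or None)."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append((t[2], t[3], src, dst, dport))
    return aces

def lookup(aces, proto, src, dst, dport=None):
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, dp in aces:
        # proto "ip" matches any protocol; dp None matches any destination port
        if p in ("ip", proto) and s in src_net and d in dst_net and dp in (None, dport):
            return action
    return "deny"

def audit(acl_lines, wan_ip, admin_src, vpn_peer):
    """Verdicts for the flows an inbound ACL on Fa4 must not break. Replies to outbound
    connections are checked too, since no inspect rule is applied to open them dynamically."""
    aces = parse_acl(acl_lines)
    return {
        "ssh_from_admin": lookup(aces, "tcp", admin_src, wan_ip, 22),
        "isakmp_from_peer": lookup(aces, "udp", vpn_peer, wan_ip, 500),
        "esp_from_peer": lookup(aces, "esp", vpn_peer, wan_ip),
        "reply_to_outbound_http": lookup(aces, "tcp", "192.0.2.80", wan_ip, 51000),
    }

# The ACL suggested in the thread, with its WANIP placeholder replaced by a constructed address.
PROPOSED = [
    "access-list 100 permit tcp any host 203.0.113.2 eq 22",
    "access-list 100 deny   ip any any log",
]
```

Running audit(PROPOSED, "203.0.113.2", "198.51.100.50", "198.51.100.7") shows SSH permitted but ISAKMP, ESP and all reply traffic denied, which is the kind of result to see before committing the change (ideally under a pending 'reload in').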
Senior infrastructure engineer
CERTIFIED EXPERT
Top Expert 2012
Commented: