Solved

Cisco ISR 871 SSH access denied WAN interface

Posted on 2011-04-18
Medium Priority
1,317 Views
Last Modified: 2012-05-11
Hello All,
I am having trouble setting up SSH access on the WAN interface of a Cisco ISR 871. I can log in from the inside interface but not from the outside. Config to follow:
Current configuration : 2636 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5 
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.0 192.168.10.99
!
ip dhcp pool lan
   network 192.168.10.0 255.255.255.0
   domain-name local.local
   dns-server 192.168.1.50 208.67.222.222 208.67.220.220
   default-router 192.168.10.1
   lease 7
!
!
ip domain name domain.com
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
!
multilink bundle-name authenticated
!
!
username user privilege 15 secret 5
!
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
crypto isakmp key key address PEERIP
!
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN-TUNNEL 1 ipsec-isakmp
 set peer PEERIP
 set transform-set AES-SHA
 match address ACL-VPN
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh version 2
!
!
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description Internet
 ip address WANIP 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map VPN-TUNNEL
!
interface Vlan1
 description Internal LAN
 ip address 192.168.10.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface Vlan2
 description DMZ
 ip address 192.168.20.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.15.182.10
!
!
no ip http server
no ip http secure-server
ip nat inside source list ACL-NAT interface FastEthernet4 overload
!
ip access-list extended ACL-NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended ACL-VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
no cdp run
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input ssh
!
scheduler max-task-time 5000
end

Question by: Intergrate

5 Comments
LVL 35

Expert Comment

by:Ernie Beek
ID: 35423818
Try the following:

access-list 100 permit tcp any host WANIP eq 22
access-list 100 deny   ip any any log

interface FastEthernet4
 ip access-group 100 in


And see if that helps.
0
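Added note and example, not part of the thread: the access list suggested above ends with `deny ip any any`, so once it is applied inbound on FastEthernet4 it also drops the IKE (UDP 500/4500) and ESP packets the crypto map needs, the decrypted site-to-site traffic (IOS checks decrypted packets against the inbound interface ACL a second time), and every reply to the LAN's NAT'd sessions, because the `ip inspect name myfw ...` rules in the posted config are defined but never applied to any interface. The following is an example written here (not from the original answer) of an inbound ACL that keeps SSH reachable on the WAN address without that lockout. `WANIP` and `PEERIP` are the placeholders from the posted config; `ADMINIP` is an assumed management host.

```cisco
! Example (added here, not from the thread). WANIP and PEERIP are the
! placeholders used in the posted config; ADMINIP is an assumed
! management host that is allowed to reach SSH on the WAN address.
ip access-list extended WAN-IN
 remark --- management: SSH to the WAN address from one known host only
 permit tcp host ADMINIP host WANIP eq 22
 remark --- IPsec control and data plane for the crypto map peer
 permit udp host PEERIP host WANIP eq isakmp
 permit udp host PEERIP host WANIP eq non500-isakmp
 permit esp host PEERIP host WANIP
 remark --- decrypted tunnel traffic is re-checked against this ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark --- ICMP needed for path MTU discovery and reachability tests
 permit icmp any host WANIP echo-reply
 permit icmp any host WANIP unreachable
 permit icmp any host WANIP time-exceeded
 remark --- everything else is dropped; log the hits while tuning
 deny   ip any any log
!
interface FastEthernet4
 ! CBAC has to be applied, not just defined: inspecting outbound
 ! sessions opens temporary inbound holes for their replies, which
 ! the static ACL above would otherwise drop.
 ip inspect myfw out
 ip access-group WAN-IN in
!
! Restrict who may open the VTY lines at all, independent of the
! interface ACL (defence in depth against a later ACL mistake).
ip access-list standard MGMT-HOSTS
 permit host ADMINIP
 permit 192.168.10.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

Permitting port 22 from `any`, as in the original suggestion, also exposes the SSH server to the whole internet; scoping it to a known source address, plus `access-class` on the VTYs, keeps the attack surface to the one host that needs it. The `log` keyword on the final deny is what tells you, via `show logging`, which legitimate flow you forgot before you lock yourself out.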
 
LVL 47

Expert Comment

by:Craig Beck
ID: 35423839
Try the line...

ip nat inside source static tcp 192.168.10.1 22 interface Fa4 22
0
 

Author Comment

by:Intergrate
ID: 35429852
erniebeek:
All that did was lock me out of the router. I have to call them tomorrow to power cycle it.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35430882
I'll have another look later on.

For now, next time before making any changes, first issue a `reload in xx`. This will cause the router to reload in xx minutes. That way, if you get locked out, you just have to wait xx minutes. Oh, `reload cancel` will cancel the pending reload.
0
 
LVL 35

Accepted Solution

by: Ernie Beek (earned 2000 total points)
ID: 35431260
First my most humble apologies, I was working on another router over here and got two lines mixed up. Mea culpa.

If you are still willing to accept a comment from my side, I would like to suggest the following:

Try and change:
ip access-list extended ACL-NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any


To:
ip access-list extended ACL-NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any


By the looks of it your DMZ doesn't get out to the internet (yet)? If it eventually does you'll have to add a permit line for that network as well.

And to be sure, first issue a reload in xx as mentioned before :-~
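The safety net from the earlier comment and the accepted ACL-NAT change, as one worked session. This is added here and is not a transcript from the thread; no command output is shown because it would have to be invented, so the `show` lines are the checks to read. The caveat that matters: a pending `reload` only undoes your change if the running config has not been saved, because the router comes back up on the startup config, so `write memory` goes after verification and `reload cancel`, never before.

```cisco
! 1. Arm the safety net first. If IOS asks whether to save the
!    modified configuration, answer "no": an unsaved change is exactly
!    what the timed reload is meant to roll back.
reload in 10
show reload

! 2. Apply the accepted change: scope the NAT ACL to the LAN instead of
!    "permit ip any any". In named-ACL mode the new permit is appended
!    after the existing deny, which is the order wanted here.
configure terminal
ip access-list extended ACL-NAT
 no permit ip any any
 permit ip 192.168.10.0 0.0.0.255 any
exit
! If the DMZ later needs internet access, add a matching line:
!  permit ip 192.168.20.0 0.0.0.255 any
! and put "ip nat inside" on interface Vlan2.
end

! 3. Verify from the OUTSIDE before doing anything else, e.g.
!    "ssh -v user@WANIP" from a host on the internet side, then
!    confirm on the router what it sees:
show ip access-lists ACL-NAT
show ip nat translations
show ssh
show users

! 4. Only after a successful outside login: disarm and save.
reload cancel
write memory
```

Ten minutes is usually enough for one change plus a test login; pick a value longer than the time it takes the site to notice an outage but short enough that a mistake does not cost the rest of the day. If the outside login fails, make no further changes and simply let the reload run: the router returns to the saved configuration on its own.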