Cisco 2911 remote configuration access

Hi all,

I look after various clients in various buildings and have numerous VLANs. I need to be able to make changes to the configs on the routers as and when clients' needs change, upgrading or downgrading connection speeds etc.

I have Cisco 2911s and need to enable off-site configuration using telnet/ssh to save numerous site visits. As there is no physical hardware I can connect to internally on the network to run a session to the Cisco, I want to be able to do this from my PC remotely into the Cisco. I have a range of external IPs I can use if needed.

The management ip range is

ip access-list extended Reception
permit ip host
permit icmp host
deny   ip
permit ip any any

Many thanks
Akinsd (Network Administrator) commented:
Exactly what I thought

Static NAT (a.k.a Port Forwarding) is what you need to configure as I mentioned earlier.

Commands for NAT differ depending on what platform you are using and what IOS version you are using, especially for ASA firewalls.

Example of the most common NAT configuration
- Web server's local address = or
- Router with SSH enabled =
- DNS server =
- Public IP Address  =

Using the same public address, you can port forward to each device

- ip nat inside source static tcp 80 80
- ip nat inside source static tcp 443 443
- ip nat inside source static tcp 22 22
- ip nat inside source static udp 53 53
- ip nat inside source static tcp 23 23

Web url (http) to will forward the request to
Secure Web url (https) to will forward the request to
ssh to will forward the request to
DNS query  to will forward the request to
telnet to will forward the request to

For new IOS on firewall:
object network SSH_Obj
nat (inside,outside) static interface service tcp 22 22
access-list SSH_ACL extended permit tcp any host eq ssh

access-group SSH_ACL in interface outside
Akinsd (Network Administrator) commented:
Create a static NAT (port forwarding) rule on the router or firewall for port 22 (ssh) or port 23 (Telnet) pointed to your public IP to forward to the IP of your 2911.
I recommend ssh. Avoid telnet over wan link as much as possible.

For ssh, configure your router or firewall for ssh support - requires crypto and certificate

If your router is not capable, then you can use telnet.
I'm confused by the previous comment.

Author, are your routers sitting inside the clients' LANs, or are they WAN routers connected to the internet?

If internet, why not just allow SSH to the external interface and create an ACL only allowing SSH from your location?

ncomper (Author) commented:
This is an External WAN router,

please ignore the ACL posted as these are not relevant.

I need to confirm the configuration required to allow Access over SSH to the external interface from a designated IP range (static public addresses)

ncomper (Author) commented:
Assuming you already have ssh enabled and assuming you already have an inbound acl applied to the external interface just add a permit that allows your block of ip addresses to the external interface of the router:


ip access-list extended INET
permit tcp x.x.x.x host y.y.y.y eq 22

x being your block of IPs, y being the WAN IP of the router.
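
As an added example (not part of the original answer or thread), this is how that permit could look in IOS syntax, paired with a matching restriction on the vty lines. All addresses are placeholders from the documentation ranges: 203.0.113.0/28 stands in for the admin's public block and 198.51.100.2 for the router's WAN IP; the ACL name SSH-MGMT and the sequence numbers 5 and 6 are assumptions.

```cisco
! Added example; every address below is a placeholder (RFC 5737 ranges).
!   203.0.113.0/28 = admin's public block
!   198.51.100.2   = WAN IP of the router
ip ssh version 2
!
! Interface ACL named in the answer above, assumed to be already applied
! inbound on the WAN interface. A block of addresses needs a wildcard mask
! (/28 -> 0.0.0.15). Entries are matched top-down and a plain "permit" is
! appended last, so low sequence numbers are used to place these two lines
! ahead of existing entries (assumes default numbering starting at 10).
ip access-list extended INET
 5 permit tcp 203.0.113.0 0.0.0.15 host 198.51.100.2 eq 22
 6 deny   tcp any host 198.51.100.2 eq 22 log
!
! Second layer: restrict the vty lines themselves, so SSH stays limited to
! the management block even if the interface ACL is later changed.
! SSH-MGMT is a hypothetical name.
ip access-list standard SSH-MGMT
 permit 203.0.113.0 0.0.0.15
 deny   any log
!
! Assumes a local username already exists, since SSH is already enabled.
line vty 0 4
 transport input ssh
 access-class SSH-MGMT in
 login local
!
! Verification from an exec prompt:
!   show ip access-lists INET      (hit counters per entry)
!   show ip ssh                    (confirms version 2 is active)
```

Apply this from a console or an already-open session, so that a mistyped wildcard mask does not cut off the only management path.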
Akinsd (Network Administrator) commented:
This is over a wan link, not a tunnel.
Private IPs are not routable on the Internet

Static NAT is what is needed
He also needs to allow the public address he will be SSHing from

Take note of his comment
(I have a range of external IP I can use.....)

Maybe the author should clarify more. Are the buildings all in the same super network or are they separate (standalone) networks?
ncomper (Author) commented:
Hi all,

Thanks for the replies so far. Yes, the buildings are completely separate standalone networks. Nothing tying them together. I have ssh enabled and am currently using 4 external IPs that are being used by servers internally, with port forwards on those IPs and static NAT to internal IP addresses.

Hope this clarifies it some for you.
ncomper (Author) commented:
Thanks, I'll try that.