Cisco 2911 remote configuration access

Hi all,

I look after various clients in various buildings and have numerous VLANs. I need to be able to make changes to the configs on the routers as and when clients' needs change: upgrading or downgrading connection speeds, etc.

I have Cisco 2911s and need to enable off-site configuration using telnet/ssh to save numerous site visits. As there is no physical hardware I can connect to internally on the network to run a session to the Cisco, I want to be able to do this from my PC remotely into the Cisco. I have a range of external IPs I can use if needed.

The management ip range is

ip access-list extended Reception
permit ip host
permit icmp host
deny   ip
permit ip any any

Many thanks

Akinsd Network Administrator Commented:
Create a static NAT (port forwarding) rule on the router or firewall for port 22 (ssh) or port 23 (Telnet) pointed to your public IP to forward to the IP of your 2911
I recommend ssh. Avoid telnet over wan link as much as possible.

For ssh, configure your router or firewall for ssh support - requires crypto and certificate

If your router is not capable, then you can use telnet.
Soulja53 6F 75 6C 6A 61 Commented:
I'm confused by the previous comment.

Author, are your routers sitting inside the clients' LANs, or are they WAN routers connected to the internet?

If internet, why not just allow SSH to the external interface and create an ACL only allowing SSH from your location?
ncomper Author Commented:
This is an External WAN router,

please ignore the ACL posted as these are not relevant.

I need to confirm the configuration required to allow Access over SSH to the external interface from a designated IP range (static public addresses)

Soulja53 6F 75 6C 6A 61 Commented:
Assuming you already have SSH enabled and assuming you already have an inbound ACL applied to the external interface, just add a permit that allows your block of IP addresses to the external interface of the router:


ip access-list extended INET
permit tcp x.x.x.x host y.y.y.y eq 22

x being your block of IPs, y being the WAN IP of the router.
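
The restriction described in this reply, written out as an added example (not part of the original post and not the poster's own configuration): SSH version 2 only on the VTY lines, with the management block filtered both on the VTY lines and in the WAN interface ACL. All addresses and names are constructed placeholders from documentation ranges; only the ACL name INET comes from the reply.

```cisco
! Added example. Constructed placeholder values:
!   203.0.113.0/28 = management block you connect from (x in the reply above)
!   198.51.100.1   = WAN address of the 2911 (y in the reply above)
!   INET           = inbound ACL assumed to be applied to the WAN interface
!   rtr-site1, example.net, netadmin, MGMT-SSH = hypothetical names
!
! 1. SSH server prerequisites: hostname, domain name, RSA key pair, SSHv2 only
hostname rtr-site1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! 2. Local account used for the VTY login (replace the placeholder secret)
username netadmin privilege 15 secret <STRONG-SECRET>
!
! 3. Standard ACL naming the only sources allowed to open a VTY session.
!    IOS ACLs take a wildcard mask, so a /28 block is written 0.0.0.15.
ip access-list standard MGMT-SSH
 permit 203.0.113.0 0.0.0.15
 deny   any log
!
! 4. VTY lines: SSH only (Telnet refused), local login, source filter,
!    idle timeout. Repeat for any further VTY lines the router has.
line vty 0 4
 transport input ssh
 login local
 access-class MGMT-SSH in
 exec-timeout 10 0
!
! 5. WAN interface ACL: permit SSH to the router's own WAN address from the
!    management block only. Sequence number 5 places the entry ahead of the
!    existing entries, which start at 10 by default, so an earlier deny
!    cannot shadow it.
ip access-list extended INET
 5 permit tcp 203.0.113.0 0.0.0.15 host 198.51.100.1 eq 22
```

After applying, `show ip ssh` confirms version 2 is active, and `show access-lists MGMT-SSH` shows hit counts for permitted and denied connection attempts.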
Akinsd Network Administrator Commented:
This is over a wan link, not a tunnel.
Private IPs are not routable on the Internet

Static NAT is what is needed
He also needs to allow the public address he will be SSHing from

Take note of his comment
(I have a range of external IP I can use.....)

Maybe the author should clarify more. Are the buildings all in the same super network or are they separate (standalone) networks?
ncomper Author Commented:
Hi all,

Thanks for the replies so far. Yes, the buildings are completely separate standalone networks. Nothing tying them together. I have SSH enabled and am currently using 4 external IPs that are being used by servers internally, with port forwards on those IPs and static NAT to internal IP addresses.

Hope this clarifies it some for you.
Akinsd Network Administrator Commented:
Exactly what I thought

Static NAT (a.k.a Port Forwarding) is what you need to configure as I mentioned earlier.

Commands for NAT differ depending on what platform you are using and what IOS version you are using, especially for ASA firewalls

Example of the most common NAT configuration
- Web server's local address = or
- Router with SSH enabled =
- DNS server =
- Public IP Address  =

Using the same public address, you can port forward to each device

- ip nat inside source static tcp 80 80
- ip nat inside source static tcp 443 443
- ip nat inside source static tcp 22 22
- ip nat inside source static udp 53 53
- ip nat inside source static tcp 23 23

Web url (http) to will forward the request to
Secure Web url (https) to will forward the request to
ssh to will forward the request to
DNS query  to will forward the request to
telnet to will forward the request to

for new ios on firewall
object network SSH_Obj
nat (inside,outside) static interface service tcp 22 22
access-list SSH_ACL extended permit tcp any host eq ssh

access-group SSH_ACL in interface outside

ncomper Author Commented:
Thanks, I'll try that