867VAE-K9 can't get SSH to work from outside to inside


#1
867VAE-K9 can't get SSH to work from outside to inside

Hello everyone,

Recently I bought a Cisco 867VAE-K9 Router for internet and VoIP. Almost everything works, but I can't seem to get SSH working from outside to self. I looked at the ACLs without any luck. Within my own network I can SSH to the device. I tried to copy those rules and use them for outside, but it didn't have any effect. I'm probably missing something. Could someone help me out with my problem?

I attached the config.
My WAN IP = 1.1.1.1 (fictional in config)
Last edited by bnetworking; 1st July 2014, 15:00. Reason: Title was wrong

#2
Re: 867VAE-K9 can't get SSH to work from outside to inside

Hi, I don't see a NAT rule, you could try something like this.

ip nat inside source static tcp ComputersLocalIP 22 interface Dialer0 22

I know you have a rule in access list 102 already. I've always used an entry like below

access-list 102 permit tcp any any eq ssh log

Please remember to award reputation points if you have received good advice.
I do tend to think 'outside the box' so others may not always share the same views.

MCITP -W7,
MCSA+Messaging, CCENT, ICND2 slowly getting around to.


#3
Re: 867VAE-K9 can't get SSH to work from outside to self

Thank you for your reply uk_network.

It seems that I wrote the title wrong. I'm trying to get a SSH connection from outside to self. Self as in Cisco 867VAE-K9 Router. Sorry.
No NAT needed for this.
Last edited by bnetworking; 4th July 2014, 11:40. Reason: Courtesy


#4
Re: 867VAE-K9 can't get SSH to work from outside to inside

Still playing with the ACLs without any luck. I'm not seeing something.


#5
Re: 867VAE-K9 can't get SSH to work from outside to inside

Found out that the problem is somewhere within the Zone Based Firewall config. Still searching where. Is there someone that could help me out please?


#6
Re: 867VAE-K9 can't get SSH to work from outside to inside

Can you SSH from inside?

I'm looking at this (but could be wrong, my ACLs suck):

line vty 0 4
access-class 104 in
privilege level 15
login local
length 0
transport input telnet ssh

access-class 104 shows:

access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit ip 192.168.71.0 0.0.0.255 any
access-list 104 permit ip host 1.1.1.1 any

So anything on 192.168.71.x is permitted to use SSH,
and host 1.1.1.1 (your public address) is permitted to use SSH.

You might need to add
"access-list 104 permit host x.y.z.a any"

- where x.y.z.a is the public IP address of your home network connection

(Does that make sense?)
Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif


#7
Re: 867VAE-K9 can't get SSH to work from outside to inside

Sorry for the late reply. Just came back from holiday.

Thanks for your reply Tehcamel!

I can SSH inside the network, but not from outside.

"You might need to add
"access-list 104 permit host x.y.z.a any""

That is what I did with the rule
access-list 104 permit ip host 1.1.1.1 any
where 1.1.1.1 is my public IP from the remote client that I want to SSH from. This doesn't work though.


#8
Re: 867VAE-K9 can't get SSH to work from outside to inside

I tested this on mine and ssh'd into my router using my mobile phone's ssh client. The command I used was:

access-list 102 permit tcp host 92.45.249.6 any eq 22 log

Then you can use the terminal monitor command and see if you get a hit.


#9
Re: 867VAE-K9 can't get SSH to work from outside to inside

Hi uk_network,

Tried to add your ACL, but it didn't work. There were no logs with terminal monitor.

Code:
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp host 1.1.1.1 any eq 22 log
access-list 102 permit ip host 1.1.1.1 any
access-list 102 permit tcp 192.168.71.0 0.0.0.255 host 192.168.71.254 eq telnet
access-list 102 permit tcp 192.168.71.0 0.0.0.255 host 192.168.71.254 eq 22
access-list 102 permit tcp 192.168.71.0 0.0.0.255 host 192.168.71.254 eq www
access-list 102 permit tcp 192.168.71.0 0.0.0.255 host 192.168.71.254 eq 443
access-list 102 permit tcp 192.168.71.0 0.0.0.255 host 192.168.71.254 eq cmd
access-list 102 deny   tcp any host 192.168.71.254 eq telnet
access-list 102 deny   tcp any host 192.168.71.254 eq 22
access-list 102 deny   tcp any host 192.168.71.254 eq www
access-list 102 deny   tcp any host 192.168.71.254 eq 443
access-list 102 deny   tcp any host 192.168.71.254 eq cmd
access-list 102 deny   udp any host 192.168.71.254 eq snmp
access-list 102 permit ip any any

I also added a parameter-map to see any dropped packets from my SSH connection, but strangely I didn't see port 22 dropped.

Code:
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
 spoofed-acker off


#10
Re: 867VAE-K9 can't get SSH to work from outside to inside

Hi, 102 was what mine was. Try 104 on yours.


#11
Re: 867VAE-K9 can't get SSH to work from outside to inside

I'm getting some results, although it still doesn't work. So now this is my 104 ACL.

Code:
access-list 104 remark CCP_ACL Category=1
access-list 104 permit ip 192.168.71.0 0.0.0.255 any
access-list 104 permit tcp host 1.1.1.1 any eq 22 log
access-list 104 permit ip host 1.1.1.1 any

After I used terminal monitor, the following message came up from the terminal:

Code:
000881: *Aug 26 08:08:00.764: %SEC-6-IPACCESSLOGP: list 104 permitted tcp 1.1.1.1(27501) -> 0.0.0.0(22), 1 packet

Unfortunately the external SSH connection isn't made. Something still blocks it?
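The posts above (#6 on what the vty access-class permits, #9 and #11 on the ACLs and the IPACCESSLOGP line) all turn on how IOS walks a numbered extended ACL: first match wins, "ip" matches every protocol, and anything unmatched hits the implicit deny. The following is an added example, not code from the thread or from Cisco; it replays a packet through the posted ACLs using those semantics and parses the %SEC-6-IPACCESSLOGP line so the logged verdict can be checked against the ACL. All function names are the example's own, ACL_102 is abridged to its port-22 lines, and 203.0.113.5 is a constructed outside address. The inspect policy of the Zone Based Firewall, which the original poster identified as the remaining suspect in #5, is not modelled here.

```python
# Added example, not from the thread: a first-match evaluator for Cisco IOS
# numbered extended ACLs plus a parser for the %SEC-6-IPACCESSLOGP line that
# the "log" keyword produces. Assumes standard IOS semantics: first match wins,
# unmatched traffic hits the implicit deny, and "ip" matches every protocol.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in the thread's ACLs (IANA well-known values).
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "cmd": 514, "snmp": 161}

@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]           # None when the entry has no "eq" clause
    log: bool
    text: str                      # original config line, for reporting

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard is an inverted netmask: 0.0.0.255 means /24.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Turn 'access-list N permit|deny ...' lines into Entry objects; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        src_net, rest = _parse_addr(tokens[4:])
        dst_net, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
            rest = rest[2:]
        entries.append(Entry(tokens[2], tokens[3], src_net, dst_net, dport, "log" in rest, line.strip()))
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """Return the first Entry that matches the packet, or None for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src_net or d not in e.dst_net:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e
    return None

# Syslog line emitted when a matched entry carries the "log" keyword.
LOG_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (\d+) (permitted|denied) (\w+) "
                    r"([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")

def parse_ipaccesslog(line):
    """Extract list number, action, protocol and endpoints from an IPACCESSLOGP line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"list": m.group(1), "action": m.group(2), "proto": m.group(3),
            "src": m.group(4), "sport": int(m.group(5)),
            "dst": m.group(6), "dport": int(m.group(7))}

# ACL 104 exactly as posted in #11 (1.1.1.1 is the thread's fictional client address).
ACL_104 = """
access-list 104 remark CCP_ACL Category=1
access-list 104 permit ip 192.168.71.0 0.0.0.255 any
access-list 104 permit tcp host 1.1.1.1 any eq 22 log
access-list 104 permit ip host 1.1.1.1 any
"""

# ACL 102 from #9, abridged to the port-22 lines and the final permit.
ACL_102 = """
access-list 102 permit tcp host 1.1.1.1 any eq 22 log
access-list 102 permit ip host 1.1.1.1 any
access-list 102 permit tcp 192.168.71.0 0.0.0.255 host 192.168.71.254 eq 22
access-list 102 deny   tcp any host 192.168.71.254 eq 22
access-list 102 permit ip any any
"""

# The log line posted in #11; the access-class reports the router itself as 0.0.0.0.
LOG_LINE = "000881: *Aug 26 08:08:00.764: %SEC-6-IPACCESSLOGP: list 104 permitted tcp 1.1.1.1(27501) -> 0.0.0.0(22), 1 packet"

def check_log_against_acl(log_line, acl_text):
    """Replay a logged packet through the ACL; return (verdicts agree?, matched line)."""
    ev = parse_ipaccesslog(log_line)
    hit = evaluate(parse_acl(acl_text), ev["proto"], ev["src"], ev["dst"], ev["dport"])
    logged = "permit" if ev["action"] == "permitted" else "deny"
    replayed = hit.action if hit else "deny"
    return logged == replayed, (hit.text if hit else "implicit deny")
```

Running `check_log_against_acl(LOG_LINE, ACL_104)` returns `True` together with the `permit tcp host 1.1.1.1 any eq 22 log` line, which is the same verdict the router logged in #11: by the thread's own evidence the vty access-class passes the packet, so the block is elsewhere. The same evaluator run over ACL_102 shows why the earlier list never logged anything for an inside client: a LAN host reaching 192.168.71.254:22 matches the inside permit line, while a constructed outside host such as 203.0.113.5 falls through to the `deny tcp any host 192.168.71.254 eq 22` entry.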


#12
Hi! Greetings,

Last edited by biggles77; 14th May 2015, 13:54. Reason: Spammer idiot


#13
Any luck? I'm stuck with the same problem here. Can't access any port using my external address from my LAN.

Thanks