
ssh port forwarding with cisco 1721


spillo3000

IS-IT--Management
Jul 25, 2005
Hi,
I put the following configuration on my home router (my public IP is dynamic) to permit SSH port forwarding towards my Linux server with OpenSSH and ddclient.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime msec localtime
service password-encryption
!
hostname HEAD
!
boot system flash c1700-advsecurityk9-mz.124-3g.bin
logging buffered 1000000 debugging
no logging console
aaa new-model
!
!
aaa authentication login default local
aaa session-id common

!

clock timezone UTC 1
clock summer-time UTC date Mar 25 2007 0:00 Oct 28 2007 0:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!

!
no ip domain-lookup
ip domain-name pippo.dyndns.org
ip name-server 212.216.172.62
ip name-server 212.216.172.162
ip name-server 151.99.125.1
ip name-server 151.99.0.100
ip dhcp excluded-address 192.168.1.1 192.168.1.5
!
ip dhcp pool client-lan
network 192.168.1.0 255.255.255.0
domain-name pippo.dydndns.com
default-router 192.168.1.1
dns-server 151.99.125.1 151.99.0.100 212.216.172.62 212.216.172.162
lease 2
!
ip audit notify log
ip audit po max-events 100
ip cef
vpdn enable
!
!

interface ATM0
description internet
bandwidth 2048
no ip address
atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
fair-queue
!
interface FastEthernet0
bandwidth 102400
ip address 192.168.1.1 255.255.255.0
ip access-group in
ip access-group local->
no ip redirects
ip nat inside
speed 100
full-duplex
no cdp enable
!
interface Dialer1
ip address negotiated
ip access-group in
ip access-group local->
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp header-compression passive
dialer pool 1
no cdp enable
ppp chap hostname xxxxx
ppp chap password 7 xxx
ppp pap sent-username xxxxx
!
ip local policy route-map MK-AutoGen
ip nat translation timeout 30
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.6 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.6 22 interface Dialer1 22
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 99
ip pim bidir-enable
!
!

ip access-list extended local->www
permit tcp any any log
permit udp any any log
ip access-list extended permit tcp any any log
permit udp any any log
!
With this configuration, SSH from outside doesn't work.

My public IP is dynamic, and if I put

ip nat inside source 192.168.1.7 a.b.c.d

everything functions properly, but when the lease changes I must reconfigure everything.

Please help me.
 
Hello
This is normal because the old NAT translation remains. Try clearing the old NAT translation every time the lease changes, or lower the time-outs.

Regards
 
OK,
clear ip nat translation forced,

but how can I configure that device? I do not want to reconfigure this:

ip nat inside source static 192.168.1.6 e.f.g.h (ISP IP)

when the lease changes.

Help me.
 
Hello
The command clears the internal NAT translation table. It doesn't remove the actual NAT statement.
There may be some other workaround; I will try to find something for you.
Regards
 
no ip nat etc. etc., but how can I configure the router?
Please help me.
 
Well, your dialer is missing

ip tcp adjust-mss 1452

When you get your new IP, type (in privileged exec mode)...
clear ip nat trans *

and then try to SSH in and see if it works.
But the NAT entries should flush when you get your new IP anyway, because the dialer interface should go down for a brief moment.

Do you have anything funky on your Linux server? iptables? Other firewalling?


Also, what's with the ACLs on the LAN and WAN interfaces?
permit any log? What is that accomplishing for you?

 
ip tcp adjust-mss 1452 was used when I couldn't connect in different, but I can't access my SSH server from outside... I don't have a firewall on my SSH server, I use only ACLs. Please help me.
 
I applied 2 ACLs, open for TCP and UDP in/out, on the Dialer and FastEthernet interfaces.
 
Don't crosspost---I answered your question in your other post. Now either continue your questions in that post, or not at all. Now to answer in THIS post, since this is the one where your config is... this ACL is probably screwing you up...


ip access-list extended local->www
permit tcp any any log
permit udp any any log
ip access-list extended permit tcp any any log
permit udp any any log

So remove it from the dialer interface:
router>en
router#conf t
router(config)#int di1
router(config-if)#no ip access-group in
router(config-if)#no ip access-group local->
router(config-if)#end
router#wr
See what that does. The ACL allows only logging applications in TCP/UDP access, and denies everything else.

Burt
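An added example, not from any poster in this thread, of how the same forward looks once the permit-any-log lists are replaced by a closed inbound ACL: the static NAT stays bound to interface Dialer1 so it follows the negotiated address without reconfiguration, and CBAC inspection (present on the advsecurityk9 image named in the posted config) admits the return traffic of LAN-initiated sessions such as ddclient's updates. The ACL name WAN-IN, the inspect rule name CBAC and access-list 1 are assumed names; the addresses are the ones from the thread.

```cisco
! Stateful inspection for sessions leaving through Dialer1 (LAN hosts, ddclient).
! Return packets are admitted dynamically, so the inbound ACL can stay closed.
! Classic CBAC does not inspect router-originated traffic; add explicit permits
! if NTP or domain lookups are later enabled on the router itself.
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
! Inbound from the Internet. The inbound ACL is evaluated before NAT, so the
! destination is the Dialer1 address; it changes with every lease and is
! written as 'any'. The static NAT entry below maps port 22 to 192.168.1.6.
ip access-list extended WAN-IN
 remark SSH to the forwarded Linux host (TCP only; SSH does not use UDP)
 permit tcp any any eq 22
 remark ICMP needed for path-MTU discovery and diagnostics on a PPPoE link
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark everything else dropped; 'log' here records denials, not every session
 deny ip any any log
!
! Hosts allowed to be translated by the overload (PAT) rule.
access-list 1 permit 192.168.1.0 0.0.0.255
!
interface Dialer1
 ip nat outside
 ip access-group WAN-IN in
 ip inspect CBAC out
 ip tcp adjust-mss 1452
!
! Remove the permit-any-log lists from the LAN side too.
interface FastEthernet0
 ip nat inside
 no ip access-group in
 no ip access-group out
!
! Outbound PAT plus the single inbound forward. Binding both to 'interface
! Dialer1' means the rules track the dynamic address; only a stale translation
! left over from the previous lease ever needs clearing.
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.6 22 interface Dialer1 22
```

After a lease change, "show ip nat translations" shows whether an entry for the old address lingers and "clear ip nat translation *" removes it; "show ip inspect sessions" confirms that outbound sessions are being tracked.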
 