SSHD woes with Cisco router
Posted by David Arnstein on May 2nd, 2004


I have a little 806 router that I have been using at home as a NAT
gateway, IP filter, firewall, and a few other functions. For over a
year, everything was just great. I run an ssh daemon/server (sshd) on
a peecee at home. My home "network" is super simple:

+----------------+ +-----------+ +---------+ +------+
|cable TV network|----|Cable modem|----|Cisco 806|---|peecee|
+----------------+ +-----------+ +---------+ +------+

Recently, I have lost the use of sshd. When I attempt to ssh to the
peecee from the outside world, no joy. The sshd software acknowledges
the attempt, and writes a complaint
"Could not write ident string to 166.84.1.2"
166.84.1.2 is the address that I'm running ssh from.

If I remove the Cisco 806 from the above chain, then sshd works fine.
Perhaps my config spec got messed up somehow?

When I do "show ver" on my Cisco 806, it says
-----------------------------------------------------------------------
Cisco IOS Software, C806 Software (C806-O3SY6-M), Version 12.3(4)T4,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Thu 11-Mar-04 18:57 by eaarmas

ROM: System Bootstrap, Version 12.2(4r)XM3, RELEASE SOFTWARE (fc1)

OwlX uptime is 4 minutes
System returned to ROM by reload at 14:14:08 PDT Sun May 2 2004
System restarted at 14:15:36 PDT Sun May 2 2004
System image file is "flash:c806-o3sy6-mz.123-4.T4.bin"

Cisco C806 (MPC855T) processor (revision 0x501) with 30720K/2048K
bytes of memory.
Processor board ID VMS0640052K (948158724), with hardware revision
0000
CPU rev number 0
2 Ethernet interfaces
128K bytes of NVRAM.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102
-----------------------------------------------------------------------

I have cut out a lot of stuff from my config in order to troubleshoot
the problem. Is there anything obviously wrong with it? In the
following config spec, 192.168.0.3 is the fixed IP address for peecee.
Here is the config spec:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
version 12.3
no service pad
no cdp run
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption

hostname OwlX
username david
clock timezone PT -8
clock summer-time PDT recurring
logging 192.168.0.3

ip dns server
ip subnet-zero
ip dhcp excluded-address 192.168.0.1 192.168.0.3

ip dhcp pool CLIENT
import all
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.1
default-router 192.168.0.1
lease 0 2

! CBAC inspection rule set; applied outbound on Ethernet1 below, so it
! tracks sessions initiated from the inside and opens return paths for them.
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw rtsp timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15

ip audit notify log

! Ethernet0: LAN side (NAT inside); inbound ACL 166 permits everything.
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip access-group 166 in
ip nat inside
no cdp enable
hold-queue 32 in
hold-queue 100 out
exit

! Ethernet1: cable-modem side (NAT outside); inbound ACL 111 permits
! everything, so the static NAT entries below are reachable from outside.
interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 111 in
ip nat outside
ip inspect myfw out
no cdp enable
exit

! Note: ports 22, 1387 are for ssh. Port 9 for WOL. 514 is for rsh (cmd).
! PAT for the LAN (list 102) plus static port forwards to 192.168.0.3.
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.3 6000 interface Ethernet1 6000
ip nat inside source static tcp 192.168.0.3 22 interface Ethernet1 22
ip nat inside source static tcp 192.168.0.3 1387 interface Ethernet1 1387
ip nat inside source static udp 192.168.0.3 9 interface Ethernet1 9
ip classless
ip http server

! Inbound on Ethernet1 (outside): permit everything, logged.
access-list 111 permit ip any any log

! 23: vty access-class. 102: inside addresses eligible for NAT overload.
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any

! Let everything in (inbound on Ethernet0, the LAN side)
access-list 166 permit ip any any log

line con 0
exec-timeout 120 0
stopbits 1
transport preferred none
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
transport preferred none

scheduler max-task-time 5000

ntp server 216.218.192.202
ntp server 207.126.97.57
ntp server 216.218.254.202
ntp server 204.74.68.55
ntp server 216.27.190.202

end
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks for any suggestions!
--
David Arnstein
arnstein+usenet@pobox.com
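The sshd message quoted above ("Could not write ident string to ...") means the TCP handshake completed and sshd's first write, its version banner, failed. The client side of that is a connection that succeeds and then goes silent or gets closed before any "SSH-..." line arrives. The following probe, an added example that is not part of the original thread, classifies what a client sees into refused, timeout, closed-after-handshake and banner, which separates a missing port forward from a path that breaks the session after the handshake. The listeners it starts on 127.0.0.1 are constructed stand-ins for the peecee's sshd and for a path that drops the session after the handshake; the banner string they send is made up for the example.

```python
"""Classify what an ssh client sees when it connects to a forwarded port.
Added example, not part of the original thread. The local listeners are
constructed stand-ins for the peecee's sshd and for a path that completes
the TCP handshake but never delivers sshd's identification string."""
import socket
import threading


def probe_ssh(host, port, timeout=3.0):
    """Connect like an ssh client and wait for the server's ident string.

    Returns (outcome, detail) where outcome is one of:
      "refused" - RST to the SYN: nothing listening, or no port forward
      "timeout" - no handshake, or handshake but no banner, within timeout
      "closed"  - handshake completed, then FIN/RST before any banner;
                  the client-side view of sshd's
                  "Could not write ident string"
      "banner"  - ident string received (detail holds it)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)
            except socket.timeout:
                return ("timeout", "connected, no banner within %.1fs" % timeout)
            except ConnectionResetError:
                return ("closed", "RST after handshake")
            if not data:
                return ("closed", "FIN after handshake")
            ident = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
            return ("banner", ident)
    except ConnectionRefusedError:
        return ("refused", "RST to SYN")
    except (socket.timeout, TimeoutError):
        return ("timeout", "no handshake within %.1fs" % timeout)


def serve_stub(mode):
    """Start a one-shot listener on 127.0.0.1 and return its port.

    mode: "banner" -> act like sshd and send a constructed ident string
          "close"  -> accept the handshake, then close without sending
          "hang"   -> accept, then say nothing until the client gives up
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            if mode == "banner":
                conn.sendall(b"SSH-2.0-OpenSSH_3.8p1\r\n")  # constructed banner
            elif mode == "hang":
                conn.recv(1)  # returns only once the client closes
        # leaving the block closes conn, which sends FIN to the client

    threading.Thread(target=run, daemon=True).start()
    return port


def free_port():
    """A port nothing listens on (bound, then released): connection refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for mode in ("banner", "close", "hang"):
        print(mode, probe_ssh("127.0.0.1", serve_stub(mode), timeout=1.0))
    print("refused", probe_ssh("127.0.0.1", free_port()))
```

Against the real setup you would call probe_ssh with the router's public address and port 22 from the outside host: "refused" points at the static NAT entry, "timeout" at filtering, and "closed" at something that allows the handshake and then kills the session, which is the case the sshd log line describes.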

Posted by David Arnstein on May 3rd, 2004


I have made partial progress troubleshooting this problem. I recently
upgraded my IOS to c806-o3sy6-mz.123-4.T4.bin due to security issues.
If I downgrade my IOS to the previous version that I had, which is
cisco_c806-o3sy6-mz.122-13.ZH.bin, then I can run sshd on my peecee
again. So I think that the new IOS c806-o3sy6-mz.123-4.T4.bin is the
problem.

Is this a known problem? Is there a work-around? Perhaps I have to
change my config file?

Thanks again for any suggestions!
--
David Arnstein
arnstein+usenet@pobox.com
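Before changing the config file, it is worth seeing what the cut-down version from the first post exposes: with "permit ip any any" inbound on the outside interface, every static NAT entry (including TCP 6000, the X11 display port), the router's "ip http server" and its "ip dns server" are reachable from the cable side, and the vty lines have no "transport input". The audit below is an added example, not code from the thread; it parses only the statement types that appear in the posted config, and the embedded sample is a constructed, trimmed copy of that config.

```python
"""Audit an IOS config of the kind posted above for what its inbound ACLs,
static NAT entries and management services expose on the outside interface.
Added example, not from the thread; covers only the statement types present
in the posted config."""
import re

# Constructed input: the security-relevant lines of the posted config, with
# the rest stripped (the audit only needs these statement types).
SAMPLE_CONFIG = """\
hostname OwlX
ip dns server
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip access-group 166 in
ip nat inside
exit

interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 111 in
ip nat outside
ip inspect myfw out
exit

ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.3 6000 interface Ethernet1 6000
ip nat inside source static tcp 192.168.0.3 22 interface Ethernet1 22
ip nat inside source static tcp 192.168.0.3 1387 interface Ethernet1 1387
ip nat inside source static udp 192.168.0.3 9 interface Ethernet1 9
ip http server
access-list 111 permit ip any any log
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 166 permit ip any any log

line vty 0 4
access-class 23 in
login local
"""

BLOCK_OPENER = re.compile(r"^(interface|line)\s+(.+)$")
STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
ACL = re.compile(r"^access-list (\d+) (permit|deny) (.*)$")

# Ports whose exposure through a static NAT entry deserves a comment.
NOTES = {("tcp", 6000): "X11 display; access control is xhost/xauth only",
         ("tcp", 514): "rsh; trusts source address and privileged port only",
         ("tcp", 23): "telnet; cleartext credentials"}


def parse_ios(text):
    """Split config into interface/line blocks, ACL entries, static NAT
    entries and remaining global statements (blocks end at exit, '!' or a
    blank line, which covers both 'show run' output and the posted form)."""
    cfg = {"blocks": {}, "acls": {}, "forwards": [], "global": set()}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!" or line == "exit":
            block = None
            continue
        m = BLOCK_OPENER.match(line)
        if m:
            block = m.group(0)  # e.g. "interface Ethernet1", "line vty 0 4"
            cfg["blocks"][block] = []
            continue
        if block:
            cfg["blocks"][block].append(line)
            continue
        m = STATIC_NAT.match(line)
        if m:
            proto, inside, iport, oif, oport = m.groups()
            cfg["forwards"].append((proto, inside, int(iport), oif, int(oport)))
            continue
        m = ACL.match(line)
        if m:
            cfg["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        cfg["global"].add(line)
    return cfg


def audit(cfg):
    """Return a list of findings about what is reachable via NAT-outside
    interfaces and about the vty line configuration."""
    findings = []
    outside = [b for b, lines in cfg["blocks"].items()
               if b.startswith("interface") and "ip nat outside" in lines]
    for blk in outside:
        ifname = blk.split(None, 1)[1]
        acl_in = [l.split()[2] for l in cfg["blocks"][blk]
                  if l.startswith("ip access-group") and l.endswith(" in")]
        wide_open = not acl_in or any(
            action == "permit" and rest.startswith("ip any any")
            for n in acl_in for action, rest in cfg["acls"].get(n, []))
        if wide_open:
            findings.append("%s: inbound ACL %s permits ip any any; only NAT/CBAC "
                            "state limits what the outside can reach"
                            % (ifname, ",".join(acl_in) or "(none)"))
            if "ip http server" in cfg["global"] and not any(
                    g.startswith("ip http access-class") for g in cfg["global"]):
                findings.append("ip http server reachable via %s; no ip http "
                                "access-class" % ifname)
            if "ip dns server" in cfg["global"]:
                findings.append("ip dns server answers queries arriving on %s" % ifname)
        for proto, inside, iport, oif, oport in cfg["forwards"]:
            if oif == ifname:
                note = NOTES.get((proto, oport), "")
                findings.append("%s/%d -> %s:%d exposed%s"
                                % (proto, oport, inside, iport, ": " + note if note else ""))
    for blk, lines in cfg["blocks"].items():
        if blk.startswith("line vty"):
            if not any(l.startswith("access-class") for l in lines):
                findings.append("%s: no access-class" % blk)
            if not any(l.startswith("transport input") for l in lines):
                findings.append("%s: no transport input (default is all)" % blk)
    return findings


if __name__ == "__main__":
    for f in audit(parse_ios(SAMPLE_CONFIG)):
        print("-", f)
```

On the sample it reports the permit-any inbound ACL on Ethernet1, the HTTP and DNS services behind it, the four static port forwards (flagging 6000/tcp as X11), and the vty lines' missing "transport input"; the vty access-class is present and is not flagged.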

Posted by Bill F on May 3rd, 2004


Not sure this is relevant, but when I loaded up one of the tcp
vulnerability "fixed" images, 12.2(23a), it broke ssh access, but not all
access from the outside. You might want to inquire at TAC.


Posted by Ben on May 3rd, 2004


I am curious that it worked without the 'transport input ssh' command on the
vty lines...



Posted by Chris Thomas on May 3rd, 2004


Absent a specific transport cmd, the default is input transport all.

Posted by David Arnstein on May 3rd, 2004


What does the vty line have to do with my problem? I'm not attempting
to do ssh with the router as an endpoint. The endpoints are
1. peecee (ssh server)
2. a remote Unix system (ssh client)
See diagram in original post.

Please inform me if I am missing something here.

By the way, I don't think the 806 router supports ssh on vty lines.
--
David Arnstein
arnstein+usenet@pobox.com

