12-17-2007 11:39 AM - edited 03-09-2019 07:39 PM
I am able to connect to this router via a crypto isakmp tunnel using telnet. However, I am unable to set up SSH on this thing. Can someone please assist me with what I may be missing? I am at a dead end now. I have posted the router info and the relevant config below.
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(3), RELEASE SOFTWARE (fc2)
======================================
ip domain name CISCO$.COM
ip ssh time-out 60
ip ssh port 2222 rotary 1
ip ssh source-interface FastEthernet0/0
ip ssh version 2
======================================
ip access-list extended CISCO
permit tcp x.x.x.x x.x.x.x any eq 2222
deny ip any any log
access-list 101 permit tcp x.x.x.x x.x.x.x any eq telnet
access-list 101 deny tcp any any eq telnet log
==========================================
line vty 0 4
access-class 101 in
exec-timeout 3 0
password xxxxxxxxxx
transport input all
transport output all
line vty 5 15
access-class CISCO in
password xxxxxxxx
transport input telnet ssh
transport output telnet ssh
=====================================
12-17-2007 12:29 PM
Were you able to generate a key? If not, create a domain name, which is needed to generate the key:
Router(config)# ip domain-name Test.lcl
Router(config)# crypto key generate rsa
Lastly, you will also need AAA enabled. To enable it locally, do the following:
Router(config)# aaa new-model
Router(config)# username
Router(config)# ip ssh time-out
Router(config)# ip ssh authentication-retries
12-17-2007 12:47 PM
This is what I have as my aaa config:
aaa new-model
!
!
aaa group server tacacs+ ecuacs
server x.x.x.x
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
12-17-2007 12:48 PM
That looks good...
What happens when you do a sh ip ssh?
Would there be any firewall or ACLs blocking port 22?
12-17-2007 01:20 PM
Well, I removed my ACL and I was able to get in, but only on port 22. I applied the "ip ssh port 2004 rotary 1 1" command, which I thought would make me have to use port 2004.
So I guess my question now is: what does the port command do?
I played with my ACL and see that I can only connect using port 22.
12-17-2007 01:40 PM
The ip ssh port rotary command is only used for terminal line access and not vty line access. Is everything else working OK now?
12-17-2007 02:02 PM
Everything is working great. Thank you so much.
P.S.
Is there a way to use a different port for SSH?
12-17-2007 02:28 PM
Try doing this:
Router(config)# line vty 0 15
Router(config-line)# rotary 1
Router(config)# ip ssh port 2222 rotary 1
If you go to the vty lines first, it may work, bypassing the default tty, but I'm not 100 percent sure.
Also, if this router is facing the internet, I would force the SSH encryption on vty 0 4 as well.
12-17-2007 10:42 PM
What do you mean when you say force the SSH encryption?
12-18-2007 05:34 AM
I just mean that by default the rotary command works for tty lines. If you can use the command when you are in the vty line configuration, it may allow you to change the vty port. If you get a chance, try the commands in the previous post.
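Putting the thread's suggestions together, here is an added example of a hardened vty configuration; it is not taken from any of the original posts. The rotary group is applied to the vty lines so that ip ssh port binds SSH on those lines to TCP 2222, telnet is dropped from transport input so the cleartext path the original vty 0 4 still allowed is gone, and the access-class only admits the management host on the SSH port. The hostname, domain name, key size, management address, ACL name and username are placeholders; whether rotary takes effect on vty lines on a given IOS release is, as the poster says, something to confirm with show ip ssh and a test login rather than assume.

```cisco
! Added example, not the original poster's configuration.
! Placeholder values: R1, example.test, 203.0.113.10, MGMT-SSH, admin.
hostname R1
ip domain-name example.test
!
! SSH needs an RSA key; this is entered from config mode and is not
! itself stored in the running-config.
crypto key generate rsa modulus 2048
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Bind SSH for rotary group 1 to TCP 2222.
ip ssh port 2222 rotary 1
!
! Only the management host, and only on the SSH port.
! Everything else is denied and logged.
ip access-list extended MGMT-SSH
 permit tcp host 203.0.113.10 any eq 2222
 deny ip any any log
!
! Local AAA, as a stand-in for the poster's TACACS+ group.
aaa new-model
aaa authentication login default local
username admin privilege 15 secret <placeholder-password>
!
! All sixteen vty lines get the same treatment: ACL, idle timeout,
! rotary group, and SSH-only transport in both directions.
line vty 0 15
 access-class MGMT-SSH in
 exec-timeout 3 0
 rotary 1
 transport input ssh
 transport output ssh
```

After applying it, check show ip ssh for the version and key state, connect from the management host on port 2222, and confirm that a telnet attempt and an SSH attempt from any other address are refused and show up in the log from the deny entry.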