Missing connectivity after replacing router

Veridizer
Level 1

Hi guys,

Due to flash inconsistency/errors after a power surge issue, my router C800 started acting very strange. Having spent several weeks trying to bring life back into it through formats and the whole lot, I decided to replace it completely. I managed to find the same exact model and proceeded to copy a known good config from the old router (pre-power surge) to the new replacement one.

 

Almost everything works as it should except for SSH access and NAT rules put in place to allow me to access a VPN server behind the firewall. When comparing the configs side by side, I noticed that the certificate details are missing on the new replacement router. Could this be the reason why I am unable to SSH into the replacement router or access my VPN server behind it?


Hello

It is possible. Make sure you are using the correct SSH version number and try recreating the SSH key again.


conf t
crypto key zeroize
crypto key generate rsa label xxx general-keys modulus xxx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks! This solved the SSH access.

 

RTR00#conf t

Enter configuration commands, one per line. End with CNTL/Z.

RTR00(config)#crypto key zeroize


% No Signature Keys found in configuration.

RTR00(config)#crypto key generate rsa


The name for the keys will be: RTR00.home.local
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

RTR00(config)#end
RTR00#
RTR00#sh ip ssh

SSH Enabled - version 2.0

 

Hello,

 

can you post the running configuration of the new router?

I believe that @paul driver is on the right track in looking at the RSA key as the issue. In fact I wonder if the new router has an RSA key? The output of 

show ip ssh

would be helpful. 

I am not sure what the issue might be about the vpn server. More information about this would be helpful. Is this a Remote Access vpn or a site to site vpn? Config details would be helpful.

HTH

Rick

It is missing.

 

RTR00#sh ip ssh


SSH Disabled - version 2.0

%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE
RTR00#

This is after enabling SSH and confirming SSH access.

 

RTR00#sh run


Building configuration...


Current configuration : 8325 bytes
!
! Last configuration change at 05:12:25 CET Wed Dec 29 2021 by yourmom
!
version 15.8
service tcp-keepalives-in
service tcp-keepalives-out
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname RTR00
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.158-3.M7.bin
boot-end-marker
!
!
logging buffered 32000
logging console critical
enable secret 5 topsecret
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint my-RTR00-ca
enrollment selfsigned
subject-name O=home,CN=home.local
subject-alt-name home.local
revocation-check crl
rsakeypair RTR00-rsa
!
!
crypto pki certificate chain my-RTR00-ca
certificate self-signed 01
quit
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.100.1 192.168.100.10
!
ip dhcp pool CLIENT
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
!
!
!
no ip bootp server
ip domain name home.local
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license feature MEM-8XX-512U1GB
license udi pid C897VAM-W-E-K9 sn SERIAL#
license accept end user agreement
!
!
!
no spanning-tree vlan 2
no spanning-tree vlan 3
no spanning-tree vlan 4
vtp mode transparent
username odin privilege 15 secret 5 SECRET
!
redundancy
!
!
!
!
!
controller VDSL 0
!
vlan 2-4
!
!
class-map type port-filter match-any TCP23
match port tcp 23
!
policy-map type port-filter FILTERTCP23
class TCP23
drop
log
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface GigabitEthernet0
description SWITCH
switchport trunk allowed vlan 1-4,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet1
description DMZ
switchport access vlan 2
switchport mode access
no ip address
!
interface GigabitEthernet2
description SECURE
switchport access vlan 3
switchport mode access
no ip address
!
interface GigabitEthernet3
description CLIENTS
switchport access vlan 4
switchport mode access
no ip address
spanning-tree portfast
!
interface GigabitEthernet4
switchport access vlan 4
switchport mode access
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description WAN
ip address dhcp
ip access-group WAN-IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
arp timeout 300
!
interface Wlan-GigabitEthernet8
switchport access vlan 4
switchport mode access
no ip address
!
interface wlan-ap0
ip address 192.168.2.1 255.255.255.252
!
interface Vlan1
no ip address
!
interface Vlan2
description DMZ
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan3
description SECURE
ip address 192.168.36.1 255.255.255.0
ip access-group SECURE-IN in
ip nat inside
ip virtual-reassembly in
!
interface Vlan4
description CLIENTS
ip address 192.168.100.1 255.255.255.0
ip access-group CLIENT-IN in
ip nat inside
no ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http access-class 99
ip http secure-server
!
!
ip nat translation timeout 300
ip nat inside source static tcp 192.168.1.10 443 interface GigabitEthernet8 443
ip nat inside source list NAT interface GigabitEthernet8 overload
ip nat inside source static udp 192.168.1.10 51820 interface GigabitEthernet8 51820
ip nat inside source static tcp 192.168.100.14 32400 interface GigabitEthernet8 32400
ip ssh version 2
!
ip access-list standard VTY
permit 192.168.1.10
permit 192.168.36.0 0.0.0.255
ip access-list standard VTY-NEW
permit 192.168.1.10
permit 192.168.36.0 0.0.0.255
deny any log
!
ip access-list extended CLIENT-IN
permit icmp any host 192.168.100.1 echo
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.36.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended SECURE-IN
permit tcp any host 192.168.36.1 eq 22
permit tcp any host 192.168.36.1 eq 443
permit icmp any any
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended VTY-SNMP
permit ip 192.168.36.0 0.0.0.255 any
permit ip host 192.168.1.10 any
deny ip any any
ip access-list extended WAN-IN
deny udp any any eq snmp log
deny udp any any eq ntp
deny tcp any any eq telnet
permit ip any any
!
ipv6 ioam timestamp
!
snmp-server community superlongcommunity RO VTY-SNMP
snmp-server ifindex persist
snmp-server trap link ietf
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 20 permit 10.10.1.0 0.0.0.255
access-list 99 permit 192.168.36.0 0.0.0.255
access-list 99 permit 192.168.100.0 0.0.0.255
access-list 100 remark NTP-LOCK
!
!
control-plane host
service-policy type port-filter input FILTERTCP23
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 2
access-class 20 in
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class VTY in
transport input ssh
line vty 5 189
access-class VTY in
transport input ssh
!
scheduler allocate 20000 1000
ntp server 34.202.215.187
ntp server devicehelper.cisco.com
!
!
!
!
!
!
!
!
pnp profile pnp_cco_profile
transport https ipv4 18.205.167.7 port 443
end

RTR00#

Hello,

 

the first thing I noticed looking at your config is that there is no routing at all, so in theory, nothing should work.

 

Can you add:

 

ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp

 

to your configuration?

Thanks for the update. Glad to know that the problem with SSH is solved. Still not clear about the issue with VPN server. I do not see any site to site VPN config so assume that this must be a Remote Access VPN. Can you tell us more about this VPN server?

HTH

Rick

I may have misphrased this; the VPN server is in the DMZ on 192.168.1.10.
HTH

Thanks for the additional information. I do see static translations using the server IP for tcp 443, 32400, and udp 51820. Are those the ports that the vpn server uses?

How are you accessing the vpn server? By IP address? By name? Can you traceroute (or tracert) or ping to that from your client?

HTH

Rick

I added the route but no change. I am able to tracert to the address but there's no reply on the ports. Two of them are for the VPN and the 32400 on the clients network is for a media server.

 

Comparing the configs for the nth time, I noticed the thumbprint at crypto pki certificate chain is missing. If this is the culprit then I would need to recreate it, but what should I do with what is already there? Is there a way to "clean" the certificate details before recreating a cert?
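Comparing two running-configs by eye is exactly where the missing trustpoint got overlooked for several rounds. As an added example (my code, not the poster's or Cisco's), the script below parses two 'show run' captures into sections, reports what the replacement config lacks, and runs the checks this thread turned on: a PKI trustpoint, a default route, and SSH-only vty lines with an access-class. It assumes the captures kept their IOS indentation, and the two sample configs are constructed excerpts modelled on the thread's.

```python
# Added example (not from the thread): diff a known-good IOS 'show run' against
# the replacement router's config and flag the gaps the thread turned on.

def parse_sections(text):
    """Map each top-level command to its indented sub-commands. IOS indents
    sub-commands one space; the configs pasted in the thread lost that indent."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank lines and '!' separators carry no config
        if not line.startswith(" "):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def missing_sections(good, new):
    """Commands (or sub-commands) present in 'good' that 'new' lacks."""
    g, n = parse_sections(good), parse_sections(new)
    missing = []
    for header, kids in g.items():
        if header not in n:
            missing.append(header)
        else:
            missing += [f"{header} > {k}" for k in kids if k not in n[header]]
    return missing

def sanity_checks(config):
    """Security-relevant gaps that need no reference config."""
    s, findings = parse_sections(config), []
    if not any(h.startswith("crypto pki trustpoint") for h in s):
        findings.append("no PKI trustpoint: confirm RSA keys with 'show ip ssh'")
    if not any(h.startswith("ip route 0.0.0.0 0.0.0.0") for h in s):
        findings.append("no static default route; verify with 'show ip route'")
    for h, kids in s.items():
        if h.startswith("line vty") and "transport input ssh" not in kids:
            findings.append(f"{h}: not restricted to SSH")
        if h.startswith("line vty") and not any(k.startswith("access-class") for k in kids):
            findings.append(f"{h}: no access-class")
    return findings

# Constructed excerpts modelled on the thread's configs, not the full files.
GOOD_CONFIG = """\
crypto pki trustpoint my-RTR00-ca
 rsakeypair RTR00-rsa
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp
ip ssh version 2
line vty 0 4
 access-class VTY in
 transport input ssh
"""
NEW_CONFIG = """\
ip ssh version 2
line vty 0 4
 transport input ssh
"""
print(missing_sections(GOOD_CONFIG, NEW_CONFIG), sanity_checks(NEW_CONFIG))
```

Feed it the real captures and the first list is the to-do list for the replacement router; the second list is worth running on any box regardless of whether a reference config exists.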

Hello,

 

what is the output of:

 

show ip nat portblock dynamic global detail

"RTR00#show ip nat" portblock dynamic global detail
^
% Invalid input detected at '^' marker.

RTR00#show ip nat
RTR00#show ip nat ?


nvi NVI information
redundancy NAT HA redundancy
statistics Translation statistics
translations Translation entries

RTR00#show ip nat

 

Hello,

 

sorry about that, that command is apparently only available on the higher end ISR routers.

 

Since you have already spent loads of time on this, I would do the following. Get console access to the router, wr erase the entire configuration, and start completely from scratch. Manually enter just the most basic configuration. I have stripped your config of anything that is not needed. After you have entered everything, check if the NAT works...

 

RTR00#sh run


Building configuration...


Current configuration : 8325 bytes
!
! Last configuration change at 05:12:25 CET Wed Dec 29 2021 by yourmom
!
version 15.8
service tcp-keepalives-in
service tcp-keepalives-out
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname RTR00
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.158-3.M7.bin
boot-end-marker
!
logging buffered 32000
logging console critical
enable secret 5 topsecret
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
service-module wlan-ap 0 bootimage autonomous
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.100.1 192.168.100.10
!
ip dhcp pool CLIENT
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
!
no ip bootp server
ip domain name home.local
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license feature MEM-8XX-512U1GB
license udi pid C897VAM-W-E-K9 sn SERIAL#
license accept end user agreement
!
no spanning-tree vlan 2
no spanning-tree vlan 3
no spanning-tree vlan 4
vtp mode transparent
username odin privilege 15 secret 5 SECRET
!
redundancy
!
controller VDSL 0
!
vlan 2-4
!
interface Loopback0
no ip address
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface GigabitEthernet0
description SWITCH
switchport mode trunk
no ip address
!
interface GigabitEthernet1
description DMZ
switchport access vlan 2
switchport mode access
no ip address
!
interface GigabitEthernet2
description SECURE
switchport access vlan 3
switchport mode access
no ip address
!
interface GigabitEthernet3
description CLIENTS
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet4
switchport access vlan 4
switchport mode access
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description WAN
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
arp timeout 300
!
interface Wlan-GigabitEthernet8
switchport access vlan 4
switchport mode access
no ip address
!
interface wlan-ap0
ip address 192.168.2.1 255.255.255.252
!
interface Vlan1
no ip address
!
interface Vlan2
description DMZ
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan3
description SECURE
ip address 192.168.36.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan4
description CLIENTS
ip address 192.168.100.1 255.255.255.0
ip nat inside
no ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http access-class 99
ip http secure-server
!
ip nat translation timeout 300
ip nat inside source static tcp 192.168.1.10 443 interface GigabitEthernet8 443
ip nat inside source list NAT interface GigabitEthernet8 overload
ip nat inside source static udp 192.168.1.10 51820 interface GigabitEthernet8 51820
ip nat inside source static tcp 192.168.100.14 32400 interface GigabitEthernet8 32400
ip ssh version 2
!
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.36.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
!
ipv6 ioam timestamp
!
snmp-server community superlongcommunity RO
snmp-server ifindex persist
snmp-server trap link ietf
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
transport input ssh
line vty 5 189
transport input ssh
!
scheduler allocate 20000 1000
ntp server 34.202.215.187
ntp server devicehelper.cisco.com
!
pnp profile pnp_cco_profile
transport https ipv4 18.205.167.7 port 443
end