I'm trying to turn off SSH version 1 & 2 to pass PCI compliance. Problem is, I cannot touch the VPN link between the two offices. I'm afraid the PKI certificate used for the VPN will be deleted if I zeroize the RSA key, which seems to be the only way to stop the router responding on port 22.
Here is the stuff from the running config related to the crypto map:
crypto isakmp policy 1
crypto isakmp policy 2
crypto isakmp xauth timeout 15
crypto pki trustpoint TP-self-signed-4087584599
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 28800
set transform-set ESP-3DES-SHA
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
I'm only CCNA so I'm not even sure if the certificate or RSA key is being used for the VPN link, but I can't tell from the running config that zeroizing it would be a good idea and not break the VPN.
I'm open to other ways of disabling SSH, as we are able to just connect using a console cable. But it looks like denying port 22 with an access-list doesn't even stop the router from responding to the port...
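Before zeroizing, a defender would want to read from the running config whether IKE or the HTTPS server actually depends on the RSA key pair. The Python script below is an added example, not code from the original post or from Cisco. It walks a saved `show running-config`, reports each ISAKMP policy's authentication method (IOS does not print its default, rsa-sig, so a policy with no `authentication` line is reported as relying on RSA), lists the trustpoints, notes whether `ip http secure-server` is on, and shows what the vty lines allow. The sample config is constructed: its crypto lines mirror the excerpt in the post, while the `authentication`, `enrollment`, `ip http secure-server` and `line vty` lines are assumptions added so every check is exercised.

```python
import re

# Constructed sample. The crypto lines mirror the thread's excerpt; the
# authentication, enrollment, ip http secure-server and line vty lines are
# assumptions added to exercise every branch of the audit.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr 3des
 group 2
crypto isakmp xauth timeout 15
crypto pki trustpoint TP-self-signed-4087584599
 enrollment selfsigned
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 28800
 set transform-set ESP-3DES-SHA
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
ip http secure-server
line vty 0 4
 transport input none
"""


def parse_blocks(config):
    """Group a running-config into (header, [child lines]) pairs.
    A line starting in column 0 opens a block; indented lines belong to it."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config):
    """Collect the facts that decide whether the RSA key pair is load-bearing."""
    report = {"isakmp_policies": {}, "rsa_needed_by_ike": False,
              "trustpoints": [], "https_server": False,
              "vty_transport": {}, "ssh_version": None}
    for header, children in parse_blocks(config):
        m = re.match(r"crypto isakmp policy (\d+)$", header)
        if m:
            auth = next((c.split()[1] for c in children
                         if c.startswith("authentication ")), None)
            # IOS omits the default from show run; no line means rsa-sig.
            method = auth or "rsa-sig (IOS default, not shown in config)"
            report["isakmp_policies"][m.group(1)] = method
            if method.startswith("rsa-sig"):
                report["rsa_needed_by_ike"] = True
            continue
        m = re.match(r"crypto pki trustpoint (\S+)$", header)
        if m:
            report["trustpoints"].append(m.group(1))
            continue
        if header == "ip http secure-server":
            report["https_server"] = True
            continue
        if re.match(r"line vty \d+( \d+)?$", header):
            transport = next((c.split(None, 2)[2] for c in children
                              if c.startswith("transport input ")), "not set")
            report["vty_transport"][header] = transport
            continue
        m = re.match(r"ip ssh version (\d)$", header)
        if m:
            report["ssh_version"] = int(m.group(1))
    return report


def zeroize_impact(report):
    """What 'crypto key zeroize rsa' would break, judged from the config alone.
    Assumes no explicit 'ip http secure-trustpoint' overrides the self-signed one."""
    impact = []
    if report["rsa_needed_by_ike"]:
        impact.append("an IKE policy relies on rsa-sig: peers authenticating "
                      "with certificates would stop negotiating")
    if report["https_server"] and any(t.startswith("TP-self-signed")
                                      for t in report["trustpoints"]):
        impact.append("ip http secure-server uses the self-signed trustpoint: "
                      "HTTPS management would stop working")
    return impact


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for key, value in result.items():
        print(f"{key}: {value}")
    for line in zeroize_impact(result) or ["nothing in this config depends on the RSA keys"]:
        print("zeroize impact:", line)
```

To run it against a real device, save the full `show running-config` to a file and pass its contents to `audit_config`; the short excerpt in the post is not enough, because the `authentication` lines inside the ISAKMP policies are exactly what decides the answer.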
When you say that you want to eliminate SSH on the router does that mean that you want to have no remote access to the router? The suggestion of transport input none will result in no remote access. If that is what you want then it is a good suggestion. If you want some remote access, then what kind of remote access do you want to allow? When we know that we can give you better advice about what to do.
Here is the output of the command "show crypto key mypubkey rsa":
% Key pair was generated at: 22:51:11 UTC Jul 13 2010
Key name: TP-self-signed-4087584599
Usage: General Purpose Key
Key is not exportable.
% Key pair was generated at: 17:32:34 UTC Aug 23 2012
Key name: TP-self-signed-4087584599.server
Usage: Encryption Key
Key is not exportable.
I already have transport set to none; the port is still open, however, even though trying to connect gives you a timeout.
We use TeamViewer to remote into the server, then use COM1 to get to the router, which is not ideal if you accidentally bring down the internet, but I'm very wary about doing anything that might do that, or touch the VPN connection. Hence the reservation about zeroizing the RSA key and deleting those certs.
Output of "crypto key zeroize rsa":
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
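To see, from the network side, what a PCI scanner will report after `transport input none`, here is an added Python probe that is not part of the original thread. It classifies a TCP port as open, closed or filtered and records any banner, so a listener that completes the handshake but never sends an `SSH-` identification is reported as open with an empty banner rather than as an SSH service. The loopback demo stands in for the router: it starts a constructed listener on 127.0.0.1 that sends an SSH-style banner, then probes the same port after the listener is closed. The host and port for a real check are arguments you supply.

```python
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """Classify how host:port answers a TCP connect, the way a compliance
    scanner does. Returns (state, banner): 'open' when the handshake completed,
    'closed' when the connection was refused, 'filtered' when nothing answered
    before the timeout or the host was unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(1.0)
            try:
                banner = sock.recv(128).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""          # listener accepted but never spoke
            return "open", banner
    except ConnectionRefusedError:
        return "closed", ""
    except OSError:                  # timeout, no route, host unreachable
        return "filtered", ""


def ssh_service_visible(state, banner):
    """True only when a real SSH server identifies itself on the port."""
    return state == "open" and banner.startswith("SSH-")


def demo_against_loopback():
    """Constructed stand-in for the router: probe a loopback listener that
    sends an SSH-style banner, then the same port once the listener is gone."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.sendall(b"SSH-2.0-constructed_banner\r\n")
        conn.close()

    worker = threading.Thread(target=serve_once)
    worker.start()
    while_listening = probe_tcp("127.0.0.1", port)
    worker.join()
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    up, down = demo_against_loopback()
    print("listener up:  ", up, "ssh visible:", ssh_service_visible(*up))
    print("listener down:", down, "ssh visible:", ssh_service_visible(*down))
```

Run `probe_tcp` against the router's management address from the same network segment a scanner would use; an 'open' result with an empty banner is the "port still open, connection times out" state described above, and a scanner will usually still flag it because the TCP handshake completes.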
Thanks for the show output and for informing us that you've turned off SSH successfully.
It is safe to say you can 'zeroize' your RSA keys. I will, however, correct myself on my initial comment on RSA keys with regards to VPN.
We could generate an RSA special-usage key which is used for IKE policies that have the RSA authentication method:
Please rate useful posts and mark the thread as resolved. Thanks!