06-18-2012 04:10 PM - edited 03-07-2019 07:19 AM
Hello Cisco Experts,
I need to configure a 2921 ISR. Basic config below. Nothing elaborate as far as config goes. Inside traffic routing outside. GE0/0 - External IP and GE0/1 - Internal IP. I'm trying to telnet to the GE0/0 interface, but it's not working. Did I miss something? This is a brand new router I received this afternoon. Ultimately I need to enable SSH and restrict access to two remote IP addresses (x.x.x.244 & x.x.x.246).
Any assistance would be greatly appreciated.
Thanks,
Michael
Basic Configuration Below
*************************************************************************************************
Current configuration : 5325 bytes
!
! Last configuration change at 22:47:28 UTC Mon Jun 18 2012 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cv_router_2921
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 *******.
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name corp.local
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3184049427
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3184049427
revocation-check none
rsakeypair TP-self-signed-3184049427
!
!
crypto pki certificate chain TP-self-signed-3184049427
certificate self-signed 01
quit
license udi pid CISCO2921/K9 sn FGL161612S2
!
!
username username privilege 15 secret 4 *******
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Transit Network
ip address x.x.x.134 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Internal Transit Network
ip address x.x.x.225 255.255.255.224
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 x.x.x.133
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Removed
-----------------------------------------------------------------------
^C
!
line con 0
exec-timeout 0 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 7 *******
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
password 7 *******
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
cv_router_2921#
06-25-2012 04:31 PM
Michael
Thanks for the additional explanation. That does help.
Am I correct that the ping problem was just a transposition of octets in the address? Or is there still some problem with pinging?
HTH
Rick
06-18-2012 04:39 PM
Michael,
You'll need to remove the default acl on the line:
line vty 0 4
no access-class 23 in
That'll get you into the router with telnet.
HTH,
John
06-18-2012 05:44 PM
Hello John,
Thank you for the post. I've left for the day and will try that in the am. Also as mentioned, ultimately, I want to remove telnet and enable ssh with an ACL to the outside interface of the router. I'm going to review that this evening at home so that I can try out my config when I get into the office in the morning.
I'll let you know how it goes tomorrow,
Michael
06-18-2012 05:37 PM
Hi,
In addition to removing the access-class, you should always configure all VTY lines together:
line vty 0 15
xxxx
That way you'll have the same config on all lines, and not what is in your config, where some lines are enabled for SSH but some are not. Probably that's not intended?
Regards, Karsten
Sent from Cisco Technical Support iPad App
06-18-2012 05:46 PM
Hello Karsten,
I found it odd that it showed up that way as I entered the command as you included in your post. Any idea why that would be?
Michael
06-19-2012 01:24 AM
Enable *only* SSH on all VTY lines:
conf t
line vty 0 15
transport input ssh
exit
crypto key generate rsa general-keys modulus 1024
The last command is needed to generate a crypto key, which is used in each SSH session.
I'd also recommend setting a new username and enable secret:
username USER privilege 15 secret 0 PASSWORD
enable secret 0 PASSWORD
06-19-2012 01:43 AM
Hi, try this:
Config t
line con 0
login local
line aux 0
line vty 0 4
login local
transport input telnet ssh
transport output all
!
scheduler allocate 20000 1000
Regards
please rate if it helps.
06-19-2012 07:33 AM
After reviewing the posts, I've made the recommended changes. Removing the ACL did not allow me to telnet to the router. I'm taking this one step at a time and will start with telnet access. Once that's resolved, I'll move on to SSH access, and then finally on to ACLs.
Below is the snippet from the config around the VTY usage. Any insight into the "line 2" part of the config? The telnet config is very basic and I've configured telnet on other devices in the past. Not sure why I'm having difficulty now.
This is how I've set up the devices:
[My Laptop - RJ-45] -- Cross-Over Cable --> [Router E0/0]
xx.xx.xx.133 255.255.255.252 xx.xx.xx.134 255.255.255.252
[My Laptop - Serial] -- Serial Cable --> [Router Console Port]
line con 0
exec-timeout 0 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password 7 1313030B341E0B3F3F213A616C7042
login local
transport input telnet
transport output all
line vty 5 15
privilege level 15
password 7 06101B38735C060C1112005955567B
login local
transport input telnet
transport output all
!
scheduler allocate 20000 1000
end
06-19-2012 07:46 AM
The "line 2" config is typically used for modules in the router, so that is probably not relevant for this problem.
The "line vty" looks ok. Do you have any interface-ACLs at the moment?
Do you have basic connectivity? I.E. you can ping your router or if not do you see the other device in the ARP-Cache?
And: How far do you get with your test? Telnet-Access can go wrong in multiple ways.
06-19-2012 07:58 AM
Up until about 5 minutes ago I had console access. I enter the username/password that I created and I am receiving "invalid login".
Username: Root
Password:
% Login invalid
Any ideas? If needed, I'll need to reset to default.
Regarding your other questions:
Michael
06-19-2012 08:43 AM
And you configured a username "Root" with a corresponding password or secret?
06-19-2012 08:54 AM
I configured the following:
username root privilege 15 secret 0 *********
enable secret 0 ********
I just added another discussion regarding my issues with the password recovery procedure. I need to get that resolved before proceeding with these steps.
06-19-2012 01:02 PM
Hello Karsten,
I'm back working my telnet/ssh/acl issue. From my laptop, I am able to ping the interface of the router. I removed the default ACL
access-list 23 permit 10.10.10.0 0.0.0.7
no access-list 23 permit 10.10.10.0 0.0.0.7
06-19-2012 01:08 PM
Michael
Removing the access list 23 is a good thing. But more important is to make sure that the vty lines no longer have the access-class configured, since that is what actually controls remote access.
Is this still the accurate listing of the config for the vty lines
line vty 0 4
privilege level 15
password 7 1313030B341E0B3F3F213A616C7042
login local
transport input telnet
transport output all
If this is the configuration then I would expect that telnet to the router address from a connected device should prompt for a user name and password and should authenticate using the user name and password that you have configured on the router. Is that what is happening?
HTH
Rick
06-19-2012 02:11 PM
Hello Rick,
That is correct. I found my IP had an incorrect network octet. I do get prompted for username/password now.
Is there a way to configure a network object to control access? Here is what I'm trying to figure out.
Create an object called Allowed_SSH_IP
Add x.x.x.224 and x.x.x.246
Configure SSH on the outside interface to only allow IP addresses in this object.
Does that make sense?
Michael
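The thread ends without a complete answer to the last question, so here is an added example (not posted by anyone in the thread) that pulls together what Dominik's SSH procedure and Michael's final question are aiming at: SSH-only access on all sixteen VTY lines, restricted to the two management hosts. It assumes the posted config's hostname and ip domain name are in place (both are needed before the RSA key can be generated), and it uses 203.0.113.244 and 203.0.113.246 as placeholder addresses for the thread's x.x.x.244 and x.x.x.246; the username and secret are placeholders too. Rather than a network object-group, it uses a numbered standard ACL, because that is what both access-class on the VTY lines and ip http access-class accept on this platform; whether an object-group ACL can be bound with access-class is not something the thread confirms, so it is left out. Apply it from the console session, since the telnet path disappears when transport input changes.

```cisco
! Added example, not from the thread: SSH-only management restricted to two hosts.
! Placeholders: 203.0.113.244/.246 (stand-ins for x.x.x.244/.246), netadmin, CHANGE-ME.
configure terminal
 ! Both of these are already in the posted config and are prerequisites for the key.
 hostname cv_router_2921
 ip domain name corp.local
 !
 ! Local account used by "login local"; type 0 input is hashed when entered.
 username netadmin privilege 15 secret 0 CHANGE-ME
 !
 ! SSH host key and SSHv2 only; bound login attempts from the same source.
 crypto key generate rsa general-keys modulus 2048
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
 login block-for 120 attempts 3 within 60
 !
 ! New standard ACL with only the two permitted source hosts.
 ! "deny any log" makes rejected attempts visible in the log.
 access-list 24 remark Management hosts allowed to reach the router itself
 access-list 24 permit host 203.0.113.244
 access-list 24 permit host 203.0.113.246
 access-list 24 deny   any log
 !
 ! One stanza for every VTY line, so none is left with telnet enabled
 ! (the posted config split vty 0-4 and 5-15 with different transports).
 line vty 0 15
  access-class 24 in
  login local
  transport input ssh
  exec-timeout 10 0
  logging synchronous
 !
 ! The posted config also ties the HTTP server to ACL 23. Point it at the new
 ! ACL and keep only HTTPS before ACL 23 is deleted; an access-class that refers
 ! to a non-existent ACL does not block anything.
 no ip http server
 ip http secure-server
 ip http access-class 24
 !
 ! Only now retire the old ACL that permitted 10.10.10.0/29.
 no access-list 23
end
```

After this, "show ip ssh" should report SSH enabled with version 2.0, and "show line vty 0 15" should show the same access-class on every line; a connection attempt from a third address is refused before the login prompt and appears in the log because of the deny entry.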