Basic Router SSH Access

Michael Reyes
Level 1

Hello Cisco Experts,

I need to configure a 2921 ISR.  Basic config below.  Nothing elaborate as far as config goes.  Inside traffic routing outside.  GE0/0 - External IP and GE0/1 - Internal IP.  I'm trying to telnet to the GE0/0 interface, but it's not working.  Did I miss something?  This is a brand new router I received this afternoon.  Ultimately I need to enable SSH and restrict access to two remote IP addresses (x.x.x.244 & x.x.x.246).

Any assistance would be greatly appreciated.

Thanks,

Michael

Basic Configuration Below

*************************************************************************************************

Current configuration : 5325 bytes
!
! Last configuration change at 22:47:28 UTC Mon Jun 18 2012 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cv_router_2921
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 *******.
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!        
!
!
!
!
ip domain name corp.local
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3184049427
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3184049427
revocation-check none
rsakeypair TP-self-signed-3184049427
!
!
crypto pki certificate chain TP-self-signed-3184049427
certificate self-signed 01

        quit
license udi pid CISCO2921/K9 sn FGL161612S2
!
!
username username privilege 15 secret 4 *******
!
redundancy
!
!
!        
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Transit Network
ip address x.x.x.134 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Internal Transit Network
ip address x.x.x.225 255.255.255.224
duplex auto
speed auto
!        
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 x.x.x.133
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Removed

-----------------------------------------------------------------------
^C
!        
line con 0
exec-timeout 0 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 7 *******
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
password 7 *******
login local
transport input telnet ssh
!        
scheduler allocate 20000 1000
end

cv_router_2921#

32 Replies

OK.  I'm able to SSH to the router now.  Next step is to configure the ACL.  I don't really see how to configure that, but I need to do some more reading.

Added the following for SSH configuration.

conf t
line vty 0 15
transport input ssh
exit

crypto key generate rsa general-keys modulus 1024

Michael

I am glad that you are making good progress in achieving your requirements. It would appear that you have configured your router so that telnet no longer works and SSH is working.

I am not clear from your posting whether your router is using both version 1 and version 2 of SSH (which is the default) or is using only version 2 (which is more secure and I would advocate that you use this).

Restricting access for SSH is quite easy and straightforward. The easy way to restrict remote access is to create a standard access list and to apply it to the vty using the access-class n in command (where n is the number of the standard access list or the name of the standard access list). The config might look something like this:

access-list 51 permit host x.x.x.244
access-list 51 permit host x.x.x.246
line vty 0 15
 access-class 51 in

HTH

Rick


Rick,

Yes I was able to get SSH working and I disabled telnet.  With regard to SSH v1 or v2, I did not explicitly set v2.  However, when I configure the SSH session, I selected v2 and was able to log in without issue.  Should I go ahead and set it to v2?

Thanks for the ACL config.  I'm out of the office tomorrow, but will try that out on Thursday.  I'll let you know how it goes.

Thanks again.

Michael

Michael

SSH version 2 is more secure than version 1. So I believe that it is a best practice to specify version 2. If you specify version 2 then the router will no longer operate with version 1. If you do not specify and someone connects using version 1 then the router will accept it. Unless you have some reason to want to continue to use version 1 on the router then I would advocate to specifying version 2.

The access list and access-class on the vty are pretty straight forward. Some people want to make the access list into an extended access list so that they can specify SSH. But it works best if you use a standard access list.

HTH

Rick


Fine that you got it that far. How to move on:

- allowing only SSHv2 is a best practice that should be enforced. It's the same as with not allowing Telnet.

- the access-class can also use named ACLs. That makes the config more readable.

- if you need to open the SSH-access to the whole Internet, then it could help to change the SSH-Port. That will not make you any more secure, but reduces the amount of log-entries when SSH-bots try many user/pw combinations.

- management-plane protection gives you additional control which protocols are allowed over which interfaces.

- if someone tries to brute-force a login you can add delays after each unsuccessful login and also lock out user-accounts

- and if the router is part of a bigger installation, then AAA with a central TACACS+ or RADIUS-Server is the way to go.

have fun securing your router, Karsten

Sent from Cisco Technical Support iPad App
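Putting Rick's access-class suggestion and Karsten's checklist into one block, the following is an added example for an IOS 15.x ISR; it is not configuration posted by anyone in this thread. The two permitted hosts are the x.x.x.244 and x.x.x.246 addresses from the original question; the ACL name MGMT-SSH, the local account netadmin, the TACACS+ server name TACACS-1 with its 192.0.2.10 address (documentation range), the interface chosen for management-plane protection, and every <...> secret are assumptions to be replaced.

```cisco
! Added example (not from the thread): restricting and hardening SSH access.
! Assumed names: MGMT-SSH (ACL), netadmin (local fallback account),
! TACACS-1 / 192.0.2.10 (AAA server). Replace every <...> placeholder.
!
! 1. SSH prerequisites. Hostname and "ip domain name" already exist in the posted
!    config; generate a 2048-bit key instead of the 1024-bit one used earlier and
!    accept SSH version 2 only, with a short negotiation timeout and retry limit.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh logging events
!
! 2. Named standard ACL: only the two management hosts may reach the vty lines.
!    A standard ACL is enough here because access-class only ever governs the vty,
!    so there is no port to match. "deny any log" records every rejected source.
ip access-list standard MGMT-SSH
 permit host x.x.x.244
 permit host x.x.x.246
 deny   any log
!
! 3. Apply the ACL to all vty lines, allow SSH only, and add an idle timeout.
line vty 0 15
 access-class MGMT-SSH in
 transport input ssh
 exec-timeout 10 0
 login local
!
! 4. Slow down and log brute-force attempts: after 3 failures within 60 seconds the
!    router enters a 120-second quiet period in which only MGMT-SSH hosts may connect.
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-SSH
login delay 2
login on-failure log
login on-success log
!
! 5. Management Plane Protection: SSH to the router is accepted only on the named
!    interface. GigabitEthernet0/0 is assumed to be where the two management hosts
!    arrive; list each interface that management traffic legitimately enters on.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh
!
! 6. The posted config enables HTTP/HTTPS management; disable it if it is unused.
no ip http server
no ip http secure-server
!
! 7. Optional central AAA with local fallback, so a lost TACACS+ server does not
!    lock the administrator out. Once "aaa new-model" is on, the method list below
!    replaces the per-line "login local".
username netadmin privilege 15 secret <LOCAL-FALLBACK-SECRET>
aaa new-model
tacacs server TACACS-1
 address ipv4 192.0.2.10
 key <SHARED-SECRET>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
```

Apply sections 2 and 3 from the console (or from one of the two permitted hosts) so that the session used to configure the router is not itself cut off, and verify with "show ip ssh", "show access-lists MGMT-SSH" and "show management-interface" before logging out. Section 7 is the step Karsten describes as appropriate for a larger installation; for a single router with one local account the first six sections are sufficient.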

What is the difference in creating a user with both a PASSWORD and a SECRET?

As it is configured now, I can SSH to the router, and I am immediately put into User EXEC mode

    test_router_2921(config)#username testsuperuser privilege 15 password testpassword

Does the following recommendation mean when a user log in via an SSH session, they will require a password, then have to enter "enable", enter their SECRET before proceeding?

     username USER privilege 15 secret 0 PASSWORD

     enable secret 0 PASSWORD

That is my understanding.  Please let me know if I am wrong.

Thanks,

Michael

Michael

I am not clear what following recommendation you are talking about. Perhaps you can clarify?

There are many options that can be configured that influence what happens when a user logs in. The most common scenario is that when a user logs in they are placed into user mode and then must use the enable command and some enable password or secret to get to privilege mode. But there are options which can place the user directly into privilege mode. And we do not know at this point what options you have configured. To be able to give good answers we would need to know whether you have configured aaa for the router (and if so what is configured in aaa) and we would need to know whether authorization for exec is configured, and we would need to know whether any of the vty lines configure a privilege level.

HTH

Rick


Hello Rick,

This is what was recommended in an earlier thread.

username USER privilege 15 secret 0 PASSWORD

enable secret 0 PASSWORD

This is what I configured.

test_router_2921(config)#username testsuperuser privilege 15 password testpassword

With my configuration, when logged in, the user is placed directly into privileged mode.  Hope this clears it up for you.

I have another configuration that I am trying to understand.  It has to do with icmp.  On the router (Console port), I can ping the configured interfaces' IP addresses (Gi0/1-x.x.x.225 & Gi0/2-10.1.1.234).

On Gi0/1 I have a laptop directly connected with a x.x.x.226 IP address, but I am not able to ping it.

On Gi0/2, I am connected to a local LAN (10.1.1.0).  I can ping the LAN default gateway (10.1.1.1) but I am not able to ping my system IP (10.1.1.233).

Would the fact that the router default gateway is down/down at the moment have an effect on where the router is trying to send the icmp packets?

Here's a snippet of when I try to traceroute to the 10.1.1.1 IP address:

cv_router_2921#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *

This eventually just times out.

I wanted to add that from my system, I can ping through the router to the other system.

[Laptop - 10.1.1.234] can ping [Test Server - 66.238.30.226]

Thanks,

Michael


Michael

Whether a user is placed into user mode or into privilege mode depends in part on how the user and passwords are configured. But it can also depend on some other parts of the router configuration. I know some parts of your config have changed since the original posts but I am assuming that some parts are the same. And in the original config it is set up so that all users are placed directly into privilege mode (regardless of how the user and password are configured). Here is part of the original config

line vty 0 4
 privilege level 15

specifying privilege level 15 on the vty results in all users being placed directly into privilege mode. If you want to change the behavior then you need to change this part of the config.

There are many options of how to configure the router for access and they include:

- some routers are configured to use line passwords on vty to authenticate users when they log in. (not so good if you want to use SSH but works fine for telnet). In this case there is no need to configure user names on the router.

- some routers are configured with user names and passwords and do local authentication. This works fine for SSH.  This is the suggestion that you were asking about. It does require configuration of user names and passwords on the router.

- some routers are configured to authenticate using an aaa authentication server such as Cisco ACS. This works fine for SSH. In this case there is no need to configure user names on the router.

Each of these approaches is valid. You need to decide which is the one that fits best into your environment and then to use that one.

For your other question about being able to ping or not able to ping. When  someone has a problem about not being able to ping their laptop my first question is whether there is firewall software running on the laptop that is preventing the ping. So I suggest that you check the laptop, perhaps temporarily disable the firewall software and test again.

HTH

Rick

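The following is an added example, not configuration from Rick's or Michael's posts, showing the local-authentication option Rick describes and how the starting mode is decided once "privilege level 15" is taken off the vty lines. The account names netops and netadmin and every <...> secret are placeholders.

```cisco
! Added example (not from the thread): local authentication over SSH, no AAA.
! Account names (netops, netadmin) and <...> secrets are placeholders.
!
! Use "secret" (stored as a salted hash) rather than "password" (type 7, which
! "service password-encryption" obscures but does not protect; it is reversible).
! "secret 0 <text>" means the text is typed in clear and hashed on entry; the
! running-config never keeps the clear text.
username netops secret 0 <OPERATOR-SECRET>
username netadmin privilege 15 secret 0 <ADMIN-SECRET>
enable secret 0 <ENABLE-SECRET>
!
! Drop the line-level privilege 15 and the unused line password from the vty
! lines. With "login local" the username's own privilege decides the mode.
line vty 0 15
 no privilege level 15
 no password
 login local
 transport input ssh
 exec-timeout 10 0
!
! Resulting behaviour:
!   ssh netops@router   -> user EXEC (router>); "enable" + enable secret -> router#
!   ssh netadmin@router -> privileged EXEC (router#) immediately
```

Keeping "privilege level 15" on the vty lines, as in the posted config, overrides this and drops every authenticated user into privileged EXEC regardless of the account; removing it is what makes the per-account privilege meaningful, and the enable secret then gates the step up for accounts that do not carry privilege 15.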

Rick,

Thanks for the explanation.  This is a small company, single IT resource.  Only configured a single local user on the router, No AAA or ACS in place as there is a very limited number of network infrastructure components.

Regarding the ping issue.  This is how I configured the router in order to test the configuration.

Interface     IP Address        Connected Device
Gi0/1         x.x.x.134 /30     Laptop-1 (x.x.x.133 /30)
Gi0/1         x.x.x.225 /27     Laptop-2 (x.x.x.226 /27)

Laptop-1 simulates the Internet provider device (Router)

Laptop-2 simulates the firewall connection separating public and private networks

  • Both Laptop-1 and Laptop-2 can ping the other Laptop, which traverses through the router
  • I was able to ping the connected router interface from each Laptop
  • The router can ping each of its interfaces (.134 & .225)
  • The router cannot ping Laptop-1 or Laptop-2

Am I missing a configuration setting with ICMP to allow replies?

Thanks,

Michael

Michael

If each laptop can successfully ping the other laptop then this is good news. It verifies that routing between the networks/subnets is working and it verifies that the laptop firewall software is not blocking ping. So I am quite puzzled why the router cannot ping the laptops. There might possibly be an issue in the router config, so perhaps you can post the config for us to check. Also would you post the output of show ip route and the output of show arp from the router?

HTH

Rick


Hi Rick,

Sorry for not responding sooner.  My contract with the customer ended Thursday.  The router config was a last minute request since I had available hours still.  I've moved to a different project, but I still want to resolve or understand why this occurs.

Since I no longer have access to the configs, I used Packet Tracer and created the same setup with 2811 ISRs.  I see the same behavior and am curious to know if I'm not understanding how ICMP works correctly.

When logged into the router via console port, I enter the following commands to ping the locally assigned IPs for the two interfaces, I get the expected results:

******************************************************************************************************************************************

CV_DR_2821#ping x.x.92.133
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.92.133, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/21/32 ms

CV_DR_2821#ping x.x.92.133
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.92.133, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/21/32 ms

******************************************************************************************************************************************

Now if I try to ping either of the directly connected devices, ping fails:

******************************************************************************************************************************************

CV_DR_2821#ping x.x.30.134
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.30.134, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

******************************************************************************************************************************************

From a command prompt on one of the laptops, I'm able to ping the other laptop which goes through the router; so as you have determined as well, routing is functioning.

******************************************************************************************************************************************

Packet Tracer PC Command Line 1.0
PC>ipconfig

IP Address......................: x.x.30.226
Subnet Mask.....................: 255.255.255.224
Default Gateway.................: x.x.30.225

PC>ping x.x.92.134

Pinging x.x.92.134 with 32 bytes of data:

Reply from x.x.92.134: bytes=32 time=9ms TTL=255
Reply from x.x.92.134: bytes=32 time=31ms TTL=255
Reply from x.x.92.134: bytes=32 time=3ms TTL=255
Reply from x.x.92.134: bytes=32 time=1ms TTL=255

Ping statistics for x.x.92.134:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 31ms, Average = 11ms

PC>

******************************************************************************************************************************************

However, if I use extended ping, it works.  See output below.

******************************************************************************************************************************************

CV_DR_2821#ping
Protocol [ip]:
Target IP address: x.x.30.226
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.30.226, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/6 ms

CV_DR_2821#ping
Protocol [ip]:
Target IP address: x.x.92.133
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.92.133, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/32 ms

******************************************************************************************************************************************

This is odd behavior to me.  But it may just be that in order to use ping or traceroute on an externally connected device, I have to use the extended ping/traceroute command.  And "ping x.x.x.x" only works for an IP address that is configured on an internal interface.

Is my understanding correct?  I hope so as I'm stumped at this point.  I haven't read anywhere that this is the expected operational behavior.

Please let me know your thoughts.

Thank You & Best Regards,

Michael

Michael

It certainly is not the case that you need to use extended ping or traceroute to successfully get to an external device. And even though you use the extended form of ping you did not specify any parameter different from standard ping. So I am pretty confident that standard ping would have worked.

There are a couple of inconsistencies in this post that create some uncertainty in understanding the situation. But I only find one example of a ping that did not work and there is a very simple explanation for that one. Here is the one that did not work

CV_DR_2821#ping x.x.30.134

and the explanation is that 30.134 does not exist in the local subnet. 30.226 would have worked or 92.134 would have worked.

If this solves the issue then I am glad. If something still does not work as you expect then please post again including the output of show ip interface brief, and of show route, as well as any ping that does not work.

HTH

Rick


Rick,

I'll try to clarify as much as possible w/o disclosing the customer's assigned IP address space.  Hope this clears up confusion.

FA0/0 is the transit network interface between the client's router and the provider's device.  Here is how it was configured (subnet mask 255.255.255.252):

  • x.x.92.132 [Network]
  • x.x.92.133 [Provider IP Address - Router or Switchport unknown]
  • x.x.92.134 [Client IP address - Router FA0/0]
  • x.x.92.135 [Broadcast]

FA0/1 is the interface connected to the Outside interface for the customer's firewall.  Here is how it is configured (subnet mask 255.255.255.224):

  • x.x.30.224 [Network]
  • x.x.30.225 [Client IP address - Router FA0/1]
  • x.x.30.226 [Client IP address - Firewall Outside Interface]


interface FastEthernet0/0
 description Transit network
 ip address x.x.92.134 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Outside network
 ip address x.x.30.225 255.255.255.224
 duplex auto
 speed auto

Michael
