37452 Views, 35 Helpful, 10 Replies

How to change the SSH default port on a router?

Dr.X
Level 2

I've made:

1- ip domain name sss

2- local username

3- crypto key generate rsa, then I chose 1024 bits

4- for line vty I put ===> transport input ssh

5- login local

But I want to ask how to change the port from 22 to another port???

regards

Accepted Solution

Hello Inayath,

I am afraid this will not work. The ip port-map command is used by the IP Inspect (former CBAC) to define port-to-application mappings. However, it is not going to move your local SSH daemon to a different port.

What worked for me is this:

ip ssh port 2222 rotary 1
!
line vty 0 15
 rotary 1

This configuration assigns VTY lines 0 through 15 to rotary group 1, for which SSH can be reached on port 2222. SSH will still be listening on port 22 as well, so if this is not desired, an ACL will be necessary to prevent logging into the device using the ordinary IP port:

ip access-list extended DenyStdSSH
 deny tcp any any eq 22
 permit ip any any
!
line vty 0 15
 access-class DenyStdSSH in

Best regards,

Peter


10 Replies

InayathUlla Sharieff
Cisco Employee

I haven't tried this personally, but I could find this:

Can you issue this command?

sh ip port-map ssh

If you see port 22, you can change it like this:

ip port-map ssh port xyz

HTH, please rate if this helps


Hi John,

Thanks for joining. That blog basically describes the approach I have suggested myself, doesn't it?

Best regards,

Peter

Yeah, you did. Sorry, I missed your response. I only saw the first response on my phone.

Hi,

Thanks all,

I've changed the SSH port successfully.

Thanks a lot,

I have some sadness because my 2960G switch doesn't support the rotary SSH commands.

I don't know if the issue is from my IOS or from the platform.

My IOS version:

=======================================================

ROM: Bootstrap program is C2960 boot loader

BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

NS-Switch uptime is 22 weeks, 2 days, 14 hours, 14 minutes

System returned to ROM by power-on

System image file is "flash:/c2960-lanbasek9-mz.122-55.SE1.bin"

=======================================================

regards

Hi,

I am also not too sure why your 2960 wouldn't support the rotary SSH commands, because it seems to be a compatible IOS version.

The command history suggests it's been introduced in 12.2(2)T

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1056964

Maybe LAN Base? That's why?

Regards,
Anup


You may be correct, I think LAN Base doesn't support ip ssh port xx.

Guys, here is a video I found that summarises all the steps.

https://www.youtube.com/watch?v=9Dqcp7zS7zg

good luck 

Enable SSH first:

ip domain-name Cisco.com
crypto key generate rsa

(use 1024 bit)

Use the rotary command first for the SSH port:

ip ssh port 8888 rotary 1

Create an access list to block the standard SSH port and, if you want to allow specific IPs, add them to the list.

ip access-list ex SSH_PORT_IP_allow
   10 deny tcp any any eq 22
   20 permit tcp host 10.2.3.7 any eq 8888
   30 permit tcp host 10.2.3.9 any eq 8888
   40 permit tcp host 10.2.3.9 any eq 8888
   50 deny tcp any any eq 8888

Then apply on the VTY lines:

line vty 0 15
 access-class SSH_PORT_IP_allow in
 rotary 1
 transport input ssh