01-04-2017 12:25 AM
Hello
I have a Cisco 860 router. I configured DHCP on a VLAN that is located on the LAN network, and also configured an IP address on the WAN network (Gi0).
For example, I have a LAN IP 10.10.x.x and 132.50.x.x on Gi0. When I try to reach the router from my PC on the LAN network (my PC got IP 10.10.x.x) using telnet or HTTP, it works. But when I try to reach the router using telnet, SSH or HTTP from a PC located on the WAN (132.50.x.x) network, it does not work (except for ping). What should I do to make it work?
Sincerely yours.
01-04-2017 02:41 AM
Hi, have you enabled SSH on the router? Telnet will work by default, but SSH needs to be configured.
You also need to make sure that the ACL on the vty port, which serves remote access connections, is allowing connections from your WAN router.
I would disable telnet, it's not secure, and only use SSH once you get it working.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
Generate your keys for the crypto:
crypto key generate rsa....Then hit return and type 1024 so you generate v2 keys; anything lower will be insecure
line vty 0 4
exec-timeout 30 0
transport input ssh
access-class 187 in
01-04-2017 11:04 PM
It works. What about SCP and HTTPS? Which commands do I need to type?
01-05-2017 12:26 AM
SCP runs over SSH, so you just need to enable it: ip scp server enable
Then have Windows SCP on your PC, or whatever you use.
Example using SCP:
RA#copy scp://172.21.7.135/isr4300-universalk9.03.16.03.S.155-3.S3-ext.SPA.bin bootflash:
Address or name of remote host [172.21.7.135]?
Source username [mmalone]?
Source filename [isr4300-universalk9.03.16.03.S.155-3.S3-ext.SPA.bin]?
Destination filename [isr4300-universalk9.03.16.03.S.155-3.S3-ext.SPA.bin]?
Password:
Sending file modes: C0664 476783328 isr4300-universalk9.03.16.03.S.155-3.S3-ext.SPA.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
HTTP
ip http secure-server
show ip http server status
01-05-2017 01:04 AM
Did it; it's not working, neither HTTPS nor SCP.
01-05-2017 01:12 AM
Here's an official doc with an example you can try; it's the same for switches and routers.
You'll need to explain what you're doing with SCP, as once it's enabled it's about how you set the path.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01010.html#task_1226710
Beginning in privileged EXEC mode, follow these steps to configure a secure HTTP server:
If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server. If you have not configured a CA trustpoint, a self-signed certificate is generated the first time that you enable the secure HTTP server. After you have configured the server, you can configure options (path, access list to apply, maximum number of connections, or timeout policy) that apply to both standard and secure HTTP servers.
To verify the secure HTTP connection by using a Web browser, enter https://URL, where the URL is the IP address or hostname of the server switch. If you configure a port other than the default port, you must also specify the port number after the URL. For example:
https://209.165.129:1026
or
https://host.domain.com:1026
Note: AES256_SHA2 is not supported.
1. show ip http server status
2. configure terminal
3. ip http secure-server
4. ip http secure-port port-number
5. ip http secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}
6. ip http secure-client-auth
7. ip http secure-trustpoint name
8. ip http path path-name
9. ip http access-class access-list-number
10. ip http max-connections value
11. ip http timeout-policy idle seconds life seconds requests value
01-05-2017 01:23 AM
I am using WinSCP:
01-05-2017 06:47 AM
I have never done a direct SCP like that from the terminal side. You would SCP all right from the router like I posted earlier, and pull from the PC or send to the PC using SCP, but it's all done from the router side, not the terminal. When you're using SCP/SFTP, it uses the SSH daemon to connect.
Have a look at these docs; they explain it better:
https://supportforums.cisco.com/discussion/12537266/scp-copy
https://winscp.net/eng/docs/troubleshooting
01-05-2017 06:55 AM
Neither Mozilla Firefox, nor Chrome, nor IE works fully over HTTPS.
SSH works.
SCP will maybe work only the way you told me to do it, but not WinSCP.
01-05-2017 08:48 AM
01-05-2017 04:19 AM
Now HTTPS is working, but again it only works in the beginning and even accepts the right username and password, but after that, when I press one of the dashboard icons, it gets stuck on a blank screen. See the attachments, please.
Anyway, it lets me in to the HTTPS authentication with the username and password that I created using the command:
username "my username" privilege 15 secret 0 "my password"
But neither WinSCP nor SSH is working; see my next post here:
https://supportforums.cisco.com/discussion/13195486/winscp-and-putty-ssh
01-05-2017 06:08 AM
That's a software issue, not a configuration issue. These GUIs they provide on routers and switches are buggy; if you use HTTPS and it reaches the router, then the protocol itself has worked.
When you're using PuTTY, can you SSH to the public IP address 132.66.210.72?
Never mind SCP for the minute; check if SSH is working first, as SCP will only work if SSH is working.
Check on the router as well: show ip ssh
It will return something like this, but show it enabled:
xxxxxx#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): xfr-b100vpn01.xilinx.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDlJcelsWpYmkzFYWnzNkbf09fDJE3BU9U1SfAp7OPR
ZvEQlTRj3yxivrC7+L12QzM0B1Y00T0QYJf+Qa+N2EIj8cCrk000tTEmONkf1KvlH9gzQrm7XlcbRc0W
ZhBWwNqVCG57QYLJjbmlmEb66PtxTwQxDvDDAASFaGd7OvBwyw==
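A defender-side check of the `show ip ssh` output discussed in the post above, as an added example (not from the thread or from Cisco): it parses the output and reports settings that fall below an assumed policy. The function names, the 2048-bit threshold, the CBC and 96-bit-MAC patterns and the sample output are assumptions made for this example.

```python
import base64
import re
import struct
import textwrap

def _field(b):  # SSH wire format: 4-byte big-endian length, then the data
    return struct.pack(">I", len(b)) + b

def _mpint(i):  # sized to leave room for a zero sign bit, as mpint requires
    return _field(i.to_bytes(i.bit_length() // 8 + 1, "big"))

# Constructed input: a 1024-bit placeholder modulus (not a real key), wrapped
# the way IOS prints it, inside output shaped like the post's `sh ip ssh`.
_BLOB = base64.b64encode(_field(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 1))
SAMPLE = """SSH Enabled - version 2.0
Encryption Algorithms:aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): router.example.com
ssh-rsa """ + "\n".join(textwrap.wrap(_BLOB.decode(), 72))

def rsa_bits(b64):
    """Modulus size of an ssh-rsa public key blob (fields: type, e, n)."""
    raw, fields, off = base64.b64decode(b64), [], 0
    while off < len(raw):
        (n,) = struct.unpack_from(">I", raw, off)
        fields.append(raw[off + 4:off + 4 + n])
        off += 4 + n
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key blob")
    return int.from_bytes(fields[2], "big").bit_length()

# min_bits and the "weak" patterns below are an assumed local policy.
def audit(output, min_bits=2048):
    findings = []
    if not re.search(r"^SSH Enabled - version 2\.0", output, re.M):
        findings.append("SSH is disabled or still accepts protocol 1")
    m = re.search(r"Diffie Hellman key size\s*:\s*(\d+)", output)
    if m and int(m.group(1)) < min_bits:
        findings.append(f"DH minimum {m.group(1)} bits < {min_bits}")
    for label, weak in (("Encryption", r"-cbc$"), ("MAC", r"-96$")):
        m = re.search(rf"^{label} Algorithms:(\S+)", output, re.M)
        bad = [a for a in m.group(1).split(",") if re.search(weak, a)] if m else []
        if bad:
            findings.append(f"{label}: {','.join(bad)}")
    m = re.search(r"^ssh-rsa\s+([A-Za-z0-9+/=\s]+)", output, re.M)
    if m and (bits := rsa_bits("".join(m.group(1).split()))) < min_bits:
        findings.append(f"RSA host key {bits} bits < {min_bits}")
    return findings
```

Calling `audit()` on captured output returns a list of findings; an empty list means nothing fell below the assumed policy.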
01-05-2017 06:30 AM
As you can see, "scp" does not work. "ssh" is working now. "ssl" works as before, except the "white page" appears after clicking on one of the dashboards (DNS, INTERFACES, DHCP, etc.).
01-05-2017 06:44 AM
01-05-2017 07:35 AM
You could try a different version of CCP if it's not working right. It should be stored in flash; you can see it if you type dir on the router or show flash.
You can download the version here in case you have an old one installed:
https://software.cisco.com/download/release.html?mdfid=281795035&softwareid=282159854&release=2.7
https://supportforums.cisco.com/document/62311/how-access-cisco-router-cisco-configuration-professional