08-05-2009 10:33 AM
Here is the config:
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2801CCME
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username user password 0 cisco
username test privilege 15 password 0 cisco
username bob password 0 cisco
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key cisco address 10.2.1.2
crypto isakmp key cisco address 10.10.3.2
!
!
crypto ipsec transform-set my_tranform_set esp-3des esp-sha-hmac
crypto ipsec transform-set my_transform2 esp-3des esp-sha-hmac
crypto ipsec transform-set my_transform3 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to10.10.3.2
set peer 10.10.3.2
set transform-set my_transform3
match address 102
!
!
!
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address 10.10.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 10.10.3.1 255.255.255.0
clock rate 64000
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255
no cdp run
!
!
!
tacacs-server host 10.10.2.2
tacacs-server key CCNP
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login local
transport input ssh
!
!
end
What is wrong here?
08-05-2009 11:05 AM
Alexandr
Given what is in the config that you posted I would guess that the most likely issue is whether you have generated RSA encryption keys which are required for SSH to work. Did you generate RSA encryption keys?
HTH
Rick
08-05-2009 11:10 AM
What I did
2801CCME(config)#ip domain-name cisco.com
2801CCME(config)#crypto key generate rsa
The name for the keys will be: 2801CCME.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
2801CCME(config)#
*Mar 1 01:04:30.083: %SSH-5-ENABLED: SSH 1.99 has been enabled
08-05-2009 11:11 AM
As I understood it, I couldn't access the router through SSH without having the ip domain-name command configured. Am I right?
08-05-2009 11:16 AM
Alexandr
As I understand it: having a domain name configured is required to be able to generate the RSA keys. And having RSA keys generated is required to access the router through SSH. So indirectly it is correct that you can not access the router via SSH without a domain name configured.
HTH
Rick
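The chain Rick describes (hostname and domain name, then RSA keys, then SSH on the vty lines) can be checked mechanically. The script below is an added example, not something posted in the thread: it parses an IOS running-config for the SSH prerequisites and for the weak settings visible in the posted config (cleartext `password 0` lines, `ip http server`, the 512-bit modulus, no `ip ssh version 2`). RSA keys never show up in the running-config text, so the modulus size is taken from the `% Generating 512 bit RSA keys` line in the generation output (or would come from `show crypto key mypubkey rsa`). The "fixed" config and its placeholder secret hash are constructed for the example.

```python
import re

# Added example, not from the thread: check an IOS running-config for the
# SSH prerequisites discussed above plus the weak settings the posted
# config shows. RSA keys are not part of the config text, so the modulus
# size is passed in separately.

# Lines taken from the config posted in the thread (trimmed to what the
# checks look at; IOS indents sub-commands with one space).
POSTED_CONFIG = """\
no service password-encryption
hostname 2801CCME
username user password 0 cisco
username test privilege 15 password 0 cisco
ip http server
line vty 0 4
 login local
 transport input ssh
"""

# Constructed: the same box after 'ip domain-name cisco.com' from the thread
# and the hardening a reviewer would add. The secret hash is a placeholder.
FIXED_CONFIG = """\
service password-encryption
hostname 2801CCME
ip domain-name cisco.com
ip ssh version 2
username test privilege 15 secret 5 $1$xxxx$placeholderhash
no ip http server
line vty 0 4
 login local
 transport input ssh
"""

# The key-generation line from the thread.
KEYGEN_LINE = "% Generating 512 bit RSA keys, keys will be non-exportable...[OK]"


def modulus_from_keygen(output):
    """Pull the modulus size out of 'crypto key generate rsa' output, or None."""
    m = re.search(r"Generating (\d+) bit RSA keys", output)
    return int(m.group(1)) if m else None


def parse_config(text):
    """Split IOS config into global commands and {section header: [sub-commands]}."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith(("line ", "interface ")):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def check_ssh_readiness(text, rsa_modulus_bits=None):
    """Return a list of findings; empty means SSH should work and none of
    the weak management-plane settings checked here are present."""
    g, sections = parse_config(text)
    f = []
    hostname = next((c.split(None, 1)[1] for c in g if c.startswith("hostname ")), "Router")
    if hostname == "Router":
        f.append("hostname left at default: key name is <hostname>.<domain>")
    if not any(c.startswith(("ip domain-name ", "ip domain name ")) for c in g):
        f.append("no ip domain-name: crypto key generate rsa is refused")
    if rsa_modulus_bits is None:
        f.append("no RSA key pair: SSH server cannot start")
    elif rsa_modulus_bits < 2048:
        f.append(f"RSA modulus {rsa_modulus_bits} bits is weak: regenerate with 2048")
    if "ip ssh version 2" not in g:
        f.append("ip ssh version 2 not set: SSH 1.99 also accepts SSHv1 clients")
    for c in g:
        if c.startswith("username ") and " password 0 " in c:
            f.append(f"cleartext password for user {c.split()[1]}: use 'secret'")
    if "ip http server" in g:
        f.append("ip http server: cleartext HTTP management enabled")
    for sub in (s for h, s in sections.items() if h.startswith("line vty")):
        if "login local" not in sub and not any(c.startswith("login authentication") for c in sub):
            f.append("vty: no 'login local' / 'login authentication'")
        transport = [c for c in sub if c.startswith("transport input")]
        if not any("ssh" in c or c.endswith(" all") for c in transport):
            f.append("vty: transport input does not allow ssh")
        if any("telnet" in c or c.endswith(" all") for c in transport):
            f.append("vty: telnet still allowed on transport input")
        if "exec-timeout 0 0" in sub:
            f.append("vty: exec-timeout 0 0 disables idle logout")
    return f


if __name__ == "__main__":
    print(check_ssh_readiness(POSTED_CONFIG, modulus_from_keygen(KEYGEN_LINE)))
    print(check_ssh_readiness(FIXED_CONFIG, 2048))
```

Run against the posted config with the 512-bit key from the thread it reports the missing domain name, the weak modulus, the SSH 1.99 (v1-capable) server, the two cleartext `password 0` users and the HTTP server; with no key at all it reports that the SSH server cannot start, which matches the symptom in the original post. The constructed fixed config returns no findings.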
08-06-2009 09:18 AM
My experience to date: You need a hostname and a domain name configured in order to generate RSA keys. Once you generate the RSA keys, you need to "copy run start" to keep them over a reboot. Once they are saved, you can change/delete hostname and domain name to your hearts content. Some of this behavior is probably IOS release or platform specific, so YMMV.
Vince
08-06-2009 10:22 AM
My experience is different from Vince's. I am not sure that copy run start is needed - though it certainly does not hurt. And in my experience if you change the host name then it invalidates the RSA keys and you need to re-generate the RSA keys.
HTH
Rick
08-06-2009 01:13 PM
As I said in my original response, your mileage may vary. On the last systems I tested (1811s running 12.4(15)XY5) changing the hostname in the config had no impact on ssh accessibility while failure to save the first key generated with a "copy run start" did. I recall working on other devices which had a separate command to save the keys. Whether or not it should is a separate issue, as anyone who deals with routers knows. (In theory there is no difference between theory and practice, however, in practice, there is.)
Vince