Router 800 series rotary not working

pcfreak49 (Level 1)

I have a problem with my 800 series router: with rotary 30, I cannot SSH to port 3030. Why not?

14 Replies

andrew.prince (Level 10)

Post your config.

Okay, this is the current running-config:

Building configuration...

Current configuration : 8374 bytes
!
! Last configuration change at 07:58:32 UTC Sat Jun 4 2011 by Tim
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$rRBA$2K/pqwFsUzVxL8tF2VLcP/
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-3945582034
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3945582034
revocation-check none
rsakeypair TP-self-signed-3945582034
!
!
crypto pki certificate chain TP-self-signed-3945582034
certificate self-signed 01
30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393435 35383230 3334301E 170D3131 30343236 31333137
30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39343535
38323033 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100900D 6293E313 40744659 1E2A4047 E9844B53 240B241D 711B5B64 E75F2063
2D6CDE1B 52A3F448 BFEC9B67 16816048 04DBBD55 85235244 048CC4C4 DEDAA702
9954D740 D50B2ED8 3DF3F681 A5553D5B AEA90921 FB6C2757 C23B12D1 B8121A23
4B752336 A329E1A8 7E74AB8F 043D73AE D41FE2CA 1B3A238F 9071779C EF2B3A37
E2F70203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
551D1104 11300F82 0D52322E 63757273 6973742E 6265301F 0603551D 23041830
1680144A 5C914FA9 9D03D187 6DE957BE ED699CB0 46CB0530 1D060355 1D0E0416
04144A5C 914FA99D 03D1876D E957BEED 699CB046 CB05300D 06092A86 4886F70D
01010405 00038181 0027B4A2 5B66B9E9 5E579320 F280E047 3BDC4B0F AB852BFA
1C480D16 3C3E3A86 998EB525 56375C41 E92CA8DC D9EB2583 E685145D B536B4BD
7E1B3213 086CC86C FB20A91F 4A0A8A67 C5848F49 89BDF700 D6EA83FB 6533E802
6A0BA747 54476B9C 1060D035 DDA6C526 B6FED37E 0D1CB29F 7A8C4B11 46BAF5CD
706666CF 00E710A2 C9
quit
ip source-route
!
!
!
ip dhcp pool R2.CISCO_R2_2.4GHZ_Private
import all
network 20.20.10.0 255.255.255.0
default-router 20.20.10.1
dns-server 195.130.131.132 195.130.130.4
domain-name Thuis.be
lease infinite
!
ip dhcp pool R2.CISCO_R2_2.4GHZ_Study
import all
network 30.30.40.0 255.255.255.0
default-router 30.30.40.1
dns-server 195.130.131.132 195.130.130.4
domain-name Cursist.be
lease infinite
!
ip dhcp pool R2.CISCO_R2_2.4GHZ_Testing_Lab
import all
network 50.50.60.0 255.255.255.0
default-router 50.50.60.1
dns-server 195.130.131.132 195.130.130.4
domain-name Learning.be
lease infinite
!
ip dhcp pool R2.LAN
import all
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 195.130.131.132 195.130.130.4
domain-name Local.be
lease infinite
!
ip dhcp pool R2.CISCO_R2_2.4GHZ_Guest
import all
network 40.40.30.0 255.255.255.0
default-router 40.40.30.1
dns-server 195.130.131.132 195.130.130.4
domain-name Guests.be
lease infinite
!
!
ip cef
ip domain name cursist.be
ipv6 unicast-routing
ipv6 cef
!
!
!
!
archive
log config
logging enable
path flash:R2.standard.running-config
username Tim privilege 15 secret 5 $1$SQFs$zojYx5GmAMV.1q33BwRxu0
username Cisco privilege 15 secret 5 $1$CdKz$SOMtjCVR5AO6GW6Ug23Rq/
!
!
ip ssh port 2000 rotary 30
ip ssh rsa keypair-name ************
ip ssh version 2
ip scp server enable
!
!
crypto isakmp policy 10000
encr aes 256
authentication pre-share
group 16
crypto isakmp key Cisco123 address **********
!
!
!
crypto map R2.CMAP 10000 ipsec-isakmp
set peer *************
set pfs group16
match address Remote-VPN
qos pre-classify
!
bridge irb
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description WAN
ip address dhcp client-id FastEthernet8
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
!
interface GigabitEthernet0
description WAN
ip address dhcp client-id GigabitEthernet0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map R2.CMAP
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
!
interface Vlan1
ip address 10.10.20.1 255.255.255.0
ip access-group VLAN1 in
ip nat inside
ip virtual-reassembly
!
!
interface Vlan2
ip address 20.20.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan3
ip address 30.30.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan4
ip address 40.40.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan5
ip address 50.50.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan6
ip address 60.60.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan8
ip address 80.80.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 10.10.10.1 22 interface GigabitEthernet0 4000
ip nat inside source static tcp 20.20.20.1 22 interface GigabitEthernet0 5000
ip nat inside source list R2-ACL-GE0 interface GigabitEthernet0 overload
ip nat inside source static tcp 20.20.10.16 3389 interface GigabitEthernet0 8000
!
ip access-list extended R2-ACL-GE0
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
deny ip 20.20.10.0 0.0.0.255 20.20.20.0 0.0.0.255
deny ip 30.30.40.0 0.0.0.255 30.30.30.0 0.0.0.255
deny ip 40.40.30.0 0.0.0.255 40.40.40.0 0.0.0.255
deny ip 50.50.60.0 0.0.0.255 50.50.50.0 0.0.0.255
deny ip 60.60.50.0 0.0.0.255 60.60.60.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 any
permit ip 20.20.10.0 0.0.0.255 any
permit ip 30.30.40.0 0.0.0.255 any
permit ip 40.40.30.0 0.0.0.255 any
permit ip 50.50.60.0 0.0.0.255 any
permit ip 60.60.50.0 0.0.0.255 any
ip access-list extended Remote-VPN
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 20.20.10.0 0.0.0.255 20.20.20.0 0.0.0.255
permit ip 30.30.40.0 0.0.0.255 30.30.30.0 0.0.0.255
permit ip 40.40.30.0 0.0.0.255 40.40.40.0 0.0.0.255
permit ip 50.50.60.0 0.0.0.255 50.50.50.0 0.0.0.255
permit ip 60.60.50.0 0.0.0.255 60.60.60.0 0.0.0.255
ip access-list extended VLAN1
deny icmp 10.10.20.0 0.0.0.255 20.20.10.0 0.0.0.255
deny icmp 10.10.20.0 0.0.0.255 30.30.40.0 0.0.0.255
deny icmp 10.10.20.0 0.0.0.255 40.40.30.0 0.0.0.255
deny icmp 10.10.20.0 0.0.0.255 50.50.60.0 0.0.0.255
permit ip any any
ip access-list extended VLAN2
deny icmp 20.20.10.0 0.0.0.255 10.10.20.0 0.0.0.255
deny icmp 20.20.10.0 0.0.0.255 30.30.40.0 0.0.0.255
deny icmp 20.20.10.0 0.0.0.255 40.40.30.0 0.0.0.255
deny icmp 20.20.10.0 0.0.0.255 50.50.60.0 0.0.0.255
permit ip any any
!
no cdp run

!
!
!
!
!
!
line con 0
password ******
transport preferred ssh
line aux 0
line vty 0 4
privilege level 15
password **********
rotary 30
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end

Umm, I always thought that was for use on a terminal server, so I did a quick internet search and found the link below; you should read it.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftrevssh.html

HTH

But I did not get the port open.

Does SSH work on port 22?

Remove the password on vty 0 - 4 and use "login local" instead. Then the local username should be used and SSH should be possible.

Do you get an answer if you use "telnet x.x.x.x 2000"?

No, I cannot connect remotely on port 22; I did not open it.

No, it does not telnet. How can you solve that?

line vty 0 15
transport input all

I did that, but the port remains closed.

line vty 0 15
login

I've tried, but the port remains closed.

Enter the "show control-plane host open-ports" command on the switch. Here you can check if the switch is listening on this port. In my case, I changed the TCP port to 2022 and denied port 22 on the outside ACL.

Router#show control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp               *:1723                  *:0                     PPTP   LISTEN
tcp               *:2022                  *:0               SSH-Server   LISTEN
udp              *:64743                  *:0                  IP SNMP   LISTEN
udp                 *:67                  *:0            DHCPD Receive   LISTEN
udp                *:123                  *:0                      NTP   LISTEN
udp                *:161                  *:0                  IP SNMP   LISTEN
udp                *:161                  *:0                  IP SNMP   LISTEN
udp                *:162                  *:0                  IP SNMP   LISTEN
udp                *:162                  *:0                  IP SNMP   LISTEN
udp              *:49781                  *:0                IP SNMPV6   LISTEN

If the "SSH-Server" on Port 22 or Port 2000 is not there, the SSH service is not running.

If port 22 and port 2000 are listening, open a CMD or a shell on your PC and do a "telnet x.x.x.x 22" and a "telnet x.x.x.x 2000" to the switch. You should get an answer like this:

"SSH-2.0-Cisco-1.25"

If this works, the Cisco router is SSH-enabled on port 22 and maybe on port 2000. You won't be able to manage it with telnet, but that's how you can check the connection.

Try to get SSH up and running on port 22 first. After that, you can just add the rotary group commands and everything should work as expected. To do this, disable SSH by using the "no ip ssh ..." commands. After that, create a new RSA key with "crypto key generate rsa" and make sure that "ip domain name XYZ" is configured (which is already the case in your configuration above). Then enable telnet and SSH on VTY 0 to 15 (transport input telnet ssh), use "login local" on the VTY and make sure that no access-list is blocking your traffic.

line vty 0 15
no rotary 30
exit
no ip ssh version 2
no ip ssh port 2000 rotary 30
no ip ssh rsa keypair-name ************
ip domain name Thuis.be
crypto key generate rsa
-> 2048
line vty 0 15
transport input telnet ssh
login local
exit

After this, SSH should be possible on port 22. Then use the rotary group commands:

ip ssh port 2000 rotary 30
line vty 0 15
rotary 30
exit

Hope this helps.

Regards

Raphi

BTW: do you want to use Port 3030 (as mentioned in the first message) or port 2000 as mentioned in your configuration?
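The two checks Raphi describes above (read the open-ports table, then grab the banner) can be scripted. The following Python is an added example and not code from the thread: it parses a "show control-plane host open-ports" listing (the sample embedded below is constructed to mirror the one posted, with SSH moved to 2022), verifies that "SSH-Server" is listening on each port the caller expects, reports a Telnet listener as a finding because it is a cleartext management path, and validates the identification string a banner grab returns ("SSH-2.0-Cisco-1.25" in the post) against the RFC 4253 format. The listing would normally be pasted from the console; "fetch_banner" needs network access to the router and is not exercised offline.

```python
"""Added example (not code from the thread): script the two checks Raphi
describes, reading the open-ports table and reading the SSH banner.

The listing below is constructed to mirror the posted output (Raphi's
router, SSH moved to 2022); expected ports are passed in by the caller.
"""
import re
import socket

# Constructed sample in the format of "show control-plane host open-ports".
SAMPLE_OPEN_PORTS = """\
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp               *:1723                  *:0                     PPTP   LISTEN
tcp               *:2022                  *:0               SSH-Server   LISTEN
udp                 *:67                  *:0            DHCPD Receive   LISTEN
udp                *:161                  *:0                  IP SNMP   LISTEN
"""

# One row: proto, local addr:port, foreign addr:port, service (may contain
# spaces, e.g. "DHCPD Receive"), state.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+)\s+"
    r"(?P<service>.+?)\s+(?P<state>\S+)$"
)

# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_open_ports(text):
    """Return one dict per socket row; header and chatter lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["lport"] = int(row["lport"])
            rows.append(row)
    return rows


def listeners(rows, proto="tcp"):
    """Map local port -> service name for LISTEN sockets of one protocol."""
    return {r["lport"]: r["service"] for r in rows
            if r["proto"] == proto and r["state"] == "LISTEN"}


def check_ssh_ports(text, expected_ports, telnet_ok=False):
    """Verify SSH-Server listens on every expected port.

    Returns (ok, findings). A Telnet listener is reported as a finding
    unless telnet_ok is set, because it is a cleartext management path.
    """
    tcp = listeners(parse_open_ports(text))
    findings = []
    for port in expected_ports:
        service = tcp.get(port)
        if service != "SSH-Server":
            findings.append(f"port {port}: expected SSH-Server, found {service or 'nothing'}")
    if not telnet_ok and "Telnet" in tcp.values():
        findings.append("Telnet listener present (cleartext management)")
    return not findings, findings


def parse_banner(raw):
    """Parse the server identification string returned by a banner grab.

    RFC 4253 lets a server send other lines before the banner, so every
    line is examined. Returns None if no SSH identification line is found.
    """
    for line in raw.decode("ascii", "replace").splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            info = m.groupdict()
            info["ssh2"] = info["proto"] in ("2.0", "1.99")  # 1.99 = SSH1/SSH2 server
            return info
    return None


def fetch_banner(host, port, timeout=5.0):
    """Network version of the 'telnet x.x.x.x 2000' check (not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return parse_banner(sock.recv(255))


if __name__ == "__main__":
    ok, findings = check_ssh_ports(SAMPLE_OPEN_PORTS, [22, 2022])
    print("open-ports check:", "OK" if ok else "FAIL", findings)
    print("banner:", parse_banner(b"SSH-2.0-Cisco-1.25\r\n"))
```

Run against a real device by pasting the "show" output into check_ssh_ports with the rotary port you configured (2000 in this thread); a missing "SSH-Server" row on that port means the rotary group is not attached to the VTY lines, while a present row plus a connection that still fails points at an access-class or interface ACL rather than at the SSH server.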

Okay, it works, heartfelt thanks, port 2000 is open. But now I have a question: can you use the same port on a layer 3 switch?

Not sure if I really understand what you mean...

Do you want to disable SSH on port 22?

There are two different ways:

Use an ACL to deny any connection to port 22 on the outside interface (FastEthernet 8). In this way, port 22 is still accessible from the inside of the network and port 2000 is usable from the outside.

access-list 120 deny tcp any any eq 22
access-list 120 deny tcp any any eq 23
(access-list 120 deny tcp any 99.99.99.0 0.0.0.255 eq 22 --> if you know the IP range which will be assigned to the switch/router)
access-list 120 permit ip any any

The other option is to use an ACL on the VTY which permits access to port 2000 only. That means port 22 for SSH and port 23 for telnet can't be used anymore.

access-list 123 remark ALLOWS SSH TRAFFIC TO PORT 2000
access-list 123 permit tcp any any eq 2000
access-list 123 remark ALLOWS TELNET TRAFFIC TO PORT 23
access-list 123 permit tcp any any eq 23
access-list 123 remark DENIES ALL OTHER TRAFFIC TO THE VTY
access-list 123 deny   ip any any log
line vty 0 15
access-class 123 in
exit

In both cases, you can use IP extended ACLs if you want.

ip access-list extended DENYSSHFROMOUTSIDE
deny tcp any any range 22 23
permit ip any any
exit
interface FastEthernet8
ip access-group DENYSSHFROMOUTSIDE in
exit
ip access-list extended SSHPORT2000
permit tcp any any eq 2000
permit tcp any any eq 23
remark DENIES ALL OTHER TRAFFIC AND LOGS IT (just to see if somebody tries to log in)
deny ip any any log
exit
line vty 0 15
access-class SSHPORT2000 in
exit

If you want to make sure that SSH is only accessible from the inside, use the following command:

control-plane host
management-interface vlan 1 allow --> allows all protocols like telnet, ssh, snmp, etc.
management-interface vlan 1 allow ssh telnet --> allows ssh and telnet only on vlan 1

Regards

Raphi
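Putting the pieces from this thread together, the following is an added example of a consolidated IOS configuration for the rotary-group setup; it is not configuration from the thread or from Cisco documentation. It takes the VTY access-class approach from the post above and closes the gaps a practitioner would want closed: SSH only on the VTY lines (no telnet), local login with the existing username database, the rotary port admitted only from an assumed management range (203.0.113.0/24, a documentation range chosen for the example), port 22 left reachable only from the inside VLAN, and an inbound ACL on the WAN interface that drops 22 and 23 while everything else still falls through to the existing NAT rules. The ACL names MGMT-VTY and WAN-IN, the management range and the WAN interface GigabitEthernet0 are assumptions; adjust them to the device.

```cisco
! Added example, not from the thread: SSH on rotary port 2000 with the
! VTY and WAN side locked down. Assumptions: management range
! 203.0.113.0/24, inside VLAN 10.10.20.0/24, WAN interface GigabitEthernet0,
! ACL names MGMT-VTY and WAN-IN.
!
ip domain name cursist.be
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh port 2000 rotary 30
!
! Encrypt the plain-text line passwords and pre-shared keys in the running config.
service password-encryption
!
! VTY filter: rotary port only from the management range, port 22 only from
! the inside VLAN, everything else denied and logged.
ip access-list extended MGMT-VTY
 permit tcp 203.0.113.0 0.0.0.255 any eq 2000
 permit tcp 10.10.20.0 0.0.0.255 any eq 22
 deny   ip any any log
!
! WAN filter: drop the default SSH and telnet ports before they reach the
! control plane; the rotary port and all other traffic pass to NAT/IPsec.
ip access-list extended WAN-IN
 deny   tcp any any eq 22
 deny   tcp any any eq 23
 permit ip any any
!
interface GigabitEthernet0
 ip access-group WAN-IN in
!
line vty 0 15
 access-class MGMT-VTY in
 login local
 rotary 30
 transport input ssh
 exec-timeout 10 0
```

After applying it, "show control-plane host open-ports" should list SSH-Server on both 22 and 2000 and no Telnet row, and a banner grab from an address outside the management range on port 2000 should time out rather than answer, with a matching entry from the logged deny in the VTY ACL.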

I will be okay. Another question: I have a layer 3 switch; do I open up port 2000 the same way?