Changing SSH port?

Answered Question

I'm trying to change the SSH port on my Cisco 850 (IOS v12.4(4)T4).

I found the following instructions: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804831de.html#wp1020480

But the more I read on this, the more I think that is just talking about reverse SSH.

I want to change the port the router listens for SSH sessions on. Is this possible? Should I just forward an outside port to the internal IP address on port 22?

Correct Answer by vsurillo, Thu, 02/15/2007 - 02:05 (about 9 years 7 months ago)

I have a Cisco 800 Series router running 12.3(7)T7 and have been successful in changing my SSH port using something similar to the information provided in the link that you referenced.

I don't recall where I found the config info, but here it is:

Router(config)# ip ssh port 2229 rotary 62
Router(config)# access-list 129 permit tcp x.x.x.x 0.0.0.x any eq 2229
Router(config)# line vty 0 4
Router(config-line)# access-class 129 in

The first line sets the SSH port to 2229 -- pick any port that doesn't conflict with something important.

The rotary group is arbitrary and is NOT tied to a specific VTY line number.

The access list prevents any other ports from accessing the router -- fill in the appropriate subnet and wildcard mask.

That's all there is to it. I've tried several simultaneous sessions using the same port number without a problem.

The one thing to watch out for is AAA. If you follow the example shown in your link using the statement "login authentication default", you must enable AAA using "aaa new-model" and follow with a command specifying where the password(s) will be checked.

This could be "aaa authentication login default group tacacs+ local" if you're using a TACACS+ server with a fallback to the local database on the router, or something as simple as "aaa authentication login default local" to use the local database on the router.

Hope this helps!!

Please provide feedback so that I know whether or not this worked for you.

Thanks!

vrs
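The recipe above leaves the source subnet and wildcard mask as placeholders, and the access-list is the only thing keeping the new port from being reachable from anywhere. The following helper is an added example, not part of the original post or of any Cisco tool: it fills the placeholders from a CIDR block, renders the IOS lines, and evaluates the rendered access-list the way IOS does (first match wins, implicit deny at the end) so you can check which sources will actually reach the port before you cut over. The 192.0.2.0/24 management subnet and the test addresses are constructed documentation values. The `rotary 62` and `transport input ssh` lines under the vty block are my additions, taken from the IOS documentation for `ip ssh port ... rotary` and from common vty hardening; they are not in vsurillo's post.

```python
"""Hypothetical helper for the SSH-port recipe above (added example)."""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Ace(NamedTuple):
    """One access-list entry: action, source network, optional TCP destination port."""
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network
    dst_port: Optional[int]          # None means "any destination port"


def cidr_to_wildcard(cidr: str):
    """CIDR block -> (network, wildcard) in the inverse-mask form IOS ACLs use.
    192.0.2.0/24 -> ("192.0.2.0", "0.0.0.255")."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard back to a prefix length.
    Done by hand because ipaddress treats 0.0.0.0 / 255.255.255.255 as netmasks,
    which inverts the meaning of the two wildcard edge cases."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported here")
    return prefixlen


def render_config(mgmt_cidr: str, port: int = 2229, rotary: int = 62, acl: int = 129) -> List[str]:
    """Render the post's recipe with the placeholders filled in.
    The 'rotary' and 'transport input ssh' vty lines are additions (see lead-in)."""
    net, wildcard = cidr_to_wildcard(mgmt_cidr)
    return [
        f"ip ssh port {port} rotary {rotary}",
        f"access-list {acl} permit tcp {net} {wildcard} any eq {port}",
        "line vty 0 4",
        f" rotary {rotary}",          # assumption: vty lines join the rotary group the port is bound to
        f" access-class {acl} in",
        " transport input ssh",        # assumption: keep telnet off the same lines
    ]


ACE_RE = re.compile(
    r"^access-list\s+\d+\s+(permit|deny)\s+tcp\s+"
    r"(?:host\s+(\S+)|(\S+)\s+(\S+))\s+any(?:\s+eq\s+(\d+))?\s*$"
)


def parse_ace(line: str) -> Ace:
    """Parse the numbered-ACL syntax used above (tcp, 'host A' or 'A wildcard', dest any)."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, host, net, wildcard, port = m.groups()
    if host:
        source = ipaddress.IPv4Network(f"{host}/32")
    else:
        source = ipaddress.IPv4Network(f"{net}/{wildcard_to_prefixlen(wildcard)}", strict=False)
    return Ace(action, source, int(port) if port else None)


def acl_permits(aces: List[Ace], src_ip: str, dst_port: int) -> bool:
    """Evaluate like IOS: first matching entry decides; nothing matched means deny."""
    src = ipaddress.IPv4Address(src_ip)
    for ace in aces:
        if src in ace.source and (ace.dst_port is None or ace.dst_port == dst_port):
            return ace.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    config = render_config("192.0.2.0/24")   # constructed management subnet
    print("\n".join(config))
    aces = [parse_ace(l) for l in config if l.startswith("access-list")]
    for src, port in [("192.0.2.10", 2229), ("198.51.100.7", 2229), ("192.0.2.10", 22)]:
        verdict = "permit" if acl_permits(aces, src, port) else "deny"
        print(f"{src} -> tcp/{port}: {verdict}")
```

Running it prints the filled-in configuration and then shows that only a host inside the management block reaches tcp/2229; an outside address and a management host aiming at port 22 both fall through to the implicit deny. The wildcard conversion is done by hand on purpose: the two ambiguous wildcards (0.0.0.0 for a single host, 255.255.255.255 for any) are exactly the ones a library mask parser gets backwards.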


vsurillo Thu, 02/15/2007 - 09:02

Glad to be of help.

Thanks for the feedback -- it's good to know when something works.

vrs
