1841 => Unable to connect via SSH

Answered Question
Dec 17th, 2007

I am able to connect to this router via a crypto isakmp tunnel using telnet. However, I am unable to set up SSH on this thing. Can someone please assist me with what I may be missing? I am at a dead end now. I have posted router info and similar input below.



Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(3), RELEASE SOFTWARE (fc2)

======================================

ip domain name CISCO$.COM
ip ssh time-out 60
ip ssh port 2222 rotary 1
ip ssh source-interface FastEthernet0/0
ip ssh version 2

======================================

ip access-list extended CISCO
 permit tcp x.x.x.x x.x.x.x any eq 2222
 deny ip any any log
access-list 101 permit tcp x.x.x.x x.x.x.x any eq telnet
access-list 101 deny tcp any any eq telnet log

==========================================

line vty 0 4
 access-class 101 in
 exec-timeout 3 0
 password xxxxxxxxxx
 transport input all
 transport output all
line vty 5 15
 access-class CISCO in
 password xxxxxxxx
 transport input telnet ssh
 transport output telnet ssh

=====================================



gojericho0 Mon, 12/17/2007 - 12:29

Were you able to generate a key? If not, create a domain-name, which is needed to help generate the key:


Router(config)# ip domain-name Test.lcl
Router(config)# crypto key generate rsa



Lastly, you will also need AAA enabled... to enable it locally, do the following:


Router (config)# aaa new-model
Router (config)# username password
Router (config)# ip ssh time-out
Router (config)# ip ssh authentication-retries

dphills18 Mon, 12/17/2007 - 12:47

This is what I have as my aaa config:


aaa new-model
!
!
aaa group server tacacs+ ecuacs
 server x.x.x.x
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

Correct Answer
gojericho0 Mon, 12/17/2007 - 12:48

That looks good...

What happens when you do a sh ip ssh?

Would there be any firewall or ACLs blocking port 22?

dphills18 Mon, 12/17/2007 - 13:20

Well, I removed my ACL and I was able to get in. But only on port 22. I applied the "ip ssh port 2004 rotary 1 1" command, which I thought would make me have to use port 2004.


So I guess my question now is: what does the port command do?


I played with my ACL and see that I can only connect using port 22.

Correct Answer
gojericho0 Mon, 12/17/2007 - 13:40

The ip ssh port rotary command is only used for terminal line access and not vty line access. Is everything else working ok now?

dphills18 Mon, 12/17/2007 - 14:02

Everything is working great. Thank you so much.



P.S.

Is there a way to use a different port for SSH?

gojericho0 Mon, 12/17/2007 - 14:28

Try doing this...


Router(config)# line vty 0 15
Router(config-line)# rotary 1

Router(config)# ip ssh port 2222 rotary 1


If you go to the vty lines first it may work, bypassing the default tty, but I'm not 100 percent sure.


Also, if this router is facing the Internet, I would force the ssh encryption of vty 0 4 as well.

dphills18 Mon, 12/17/2007 - 22:42

What do you mean when you say force the ssh encryption?

gojericho0 Tue, 12/18/2007 - 05:34

I just mean that by default the rotary command works for tty lines. If you can use the command when you are in the vty line interface, it may allow you to change the vty port. If you get a chance, try the commands in the previous post.
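The symptom worked through in this thread (an access-class that permits the rotary port while SSH on the vty lines keeps listening on 22) can be checked offline against a pasted IOS configuration. The following Python audit is an added example, not code from the thread or from Cisco: it collects the permitted TCP ports of each ACL and the sub-commands of each vty range, treats SSH as listening on 22 unless the vty block itself carries `rotary`, and flags access-classes that never permit that port as well as vty lines that still accept telnet. The sample configuration and addresses are constructed.

```python
import re
# Constructed sample condensed from the configuration quoted in the thread (addresses made up).
SAMPLE_CONFIG = """\
ip ssh port 2222 rotary 1
ip access-list extended CISCO
 permit tcp 10.0.0.0 0.0.0.255 any eq 2222
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq telnet
line vty 0 4
 access-class 101 in
 transport input all
line vty 5 15
 access-class CISCO in
 transport input telnet ssh
"""
def parse(config):  # -> ({acl name: permitted TCP ports}, {(lo, hi): [vty sub-commands]})
    acls, vtys, block = {}, {}, None  # block is ("acl", name) or ("vty", (lo, hi))
    for line in config.splitlines():
        words = line.split() or [""]
        if words[0] == "access-list":  # numbered ACL: one self-contained entry per line
            block, words = ("acl", words[1]), words[2:]
        elif words[:3] == ["ip", "access-list", "extended"]:
            block, words = ("acl", words[3]), []
        elif words[:2] == ["line", "vty"]:
            block, words = ("vty", (int(words[2]), int(words[3]))), []
            vtys[block[1]] = []
        elif not line.startswith(" "):  # any other top-level command ends the current block
            block = None
        if block and block[0] == "acl":
            ports = acls.setdefault(block[1], set())
            if words[:1] == ["permit"] and "eq" in words:
                name = words[words.index("eq") + 1]
                ports.add(int({"telnet": "23"}.get(name, name)))
        elif block and block[0] == "vty":
            vtys[block[1]].append(words)
    return acls, vtys
def audit_ssh(config):
    """Flag cleartext vty transports and access-classes that block the port SSH really listens on."""
    acls, vtys = parse(config)
    rotary = re.search(r"^ip ssh port (\d+) rotary", config, re.M)
    findings = []
    for (lo, hi), subcmds in sorted(vtys.items()):
        acl = next((w[1] for w in subcmds if w[:1] == ["access-class"]), None)
        transport = next((w[2:] for w in subcmds if w[:2] == ["transport", "input"]), [])
        if "all" in transport or "telnet" in transport:
            findings.append(f"vty {lo} {hi}: transport input permits telnet; use 'transport input ssh'")
        # 'ip ssh port N rotary R' rebinds only lines that carry 'rotary R'; otherwise SSH stays on 22
        ssh_port = int(rotary.group(1)) if rotary and any(w[:1] == ["rotary"] for w in subcmds) else 22
        if acl in acls and ssh_port not in acls[acl]:
            findings.append(f"vty {lo} {hi}: access-class {acl} never permits tcp/{ssh_port}; SSH is blocked")
    return findings
```

Running `audit_ssh(SAMPLE_CONFIG)` reports both vty ranges as blocking tcp/22, which is exactly why removing the ACL made SSH work on port 22 only.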
