1841 => Unable to connect via SSH

dphills18
Level 1

I am able to connect to this router via a crypto isakmp tunnel using telnet. However, I am unable to set up SSH on this thing. Can someone please assist me in what I may be missing? I am at a dead end now. I have posted router info and similar input below.

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(3), RELEASE SOFTWARE (fc2)

======================================
ip domain name CISCO$.COM
ip ssh time-out 60
ip ssh port 2222 rotary 1
ip ssh source-interface FastEthernet0/0
ip ssh version 2
======================================
ip access-list extended CISCO
 permit tcp x.x.x.x x.x.x.x any eq 2222
 deny ip any any log
access-list 101 permit tcp x.x.x.x x.x.x.x any eq telnet
access-list 101 deny tcp any any eq telnet log
==========================================
line vty 0 4
 access-class 101 in
 exec-timeout 3 0
 password xxxxxxxxxx
 transport input all
 transport output all
line vty 5 15
 access-class CISCO in
 password xxxxxxxx
 transport input telnet ssh
 transport output telnet ssh
=====================================


9 Replies

gojericho0
Level 1

Were you able to generate a key? If not, create a domain name, which is needed to generate the key:

Router(config)# ip domain-name Test.lcl
Router(config)# crypto key generate rsa

Lastly, you will also need AAA enabled. To enable it locally, do the following:

Router(config)# aaa new-model
Router(config)# username password
Router(config)# ip ssh time-out
Router(config)# ip ssh authentication-retries

This is what I have as my aaa config:

aaa new-model
!
!
aaa group server tacacs+ ecuacs
 server x.x.x.x
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

that looks good...

what happens when you do a sh ip ssh?

Would there be any firewall or ACLs blocking port 22?

Well, I removed my ACL and I was able to get in. But only on port 22. I applied the "ip ssh port 2004 rotary 1 1" command, which I thought would make me have to use port 2004.

So I guess my question now is: what does the port command do?

I played with my ACL and see that I can only connect using port 22.

The ip ssh port rotary command is only used for terminal line access and not vty line access. Is everything else working ok now?

Everything is working great. Thank you so much.

P.S.

Is there a way to use a different port for SSH?

try doing this...

Router(config)# line vty 0 15
Router(config-line)# rotary 1
Router(config)# ip ssh port 2222 rotary 1

If you go to the vty lines first, it may work, bypassing the default tty, but I'm not 100 percent sure.

Also, if this router is facing the internet, I would also force the ssh encryption of vty 0 4 as well.

What do you mean when you say force the ssh encryption?

I just mean that by default the rotary command works for tty lines. If you can use the command when you are in the vty line interface, it may allow you to change the vty port. If you get a chance, try the commands in the previous post.
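The rotary approach suggested in the last two replies, assembled into one complete configuration as an added example that is not part of the thread. It assumes the pairing of `ip ssh port ... rotary` with `rotary` on the vty lines (Cisco's documented method for SSH on a nonstandard port); the domain name, username, secret, ACL name and x.x.x.x source are placeholders.

```cisco
! Added example: SSH on TCP 2222 for the vty lines, built from the posts above.
! Domain name, username, secret and ACL name are placeholders, not the OP's values.
ip domain-name example.lcl
! Exec-mode command, not a stored config line; needs the domain name first.
crypto key generate rsa modulus 2048
!
aaa new-model
aaa authentication login default local
username admin privilege 15 secret PLACEHOLDER-PASSWORD
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Binds port 2222 to rotary group 1. On its own this changes nothing for the
! vty lines; the lines must also join rotary group 1 (see "rotary 1" below).
ip ssh port 2222 rotary 1
!
! Only the management source reaches 2222; everything else is denied and logged.
! In the original post, "eq 2222" here is what made port-22 attempts fail.
ip access-list extended SSH-MGMT
 permit tcp x.x.x.x x.x.x.x any eq 2222
 deny   ip any any log
!
! Every vty joins rotary group 1 and accepts SSH only. "transport input all",
! as on vty 0 4 in the original post, would still leave telnet reachable.
line vty 0 15
 access-class SSH-MGMT in
 rotary 1
 exec-timeout 3 0
 transport input ssh
 transport output ssh
```

After applying it, `show ip ssh` should report SSH enabled with version 2, and a connection to port 2222 from the permitted source should succeed while the same attempt from elsewhere is logged by the deny entry.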
