SSH and telnet port open

Unanswered Question
Aug 6th, 2010

Hello, I have a question. Does someone know how you open the port for SSH and telnet on a Cisco 800 series?

Who can help me, please?

pcfreak49 Sun, 08/08/2010 - 13:34

The problem is: how can you open the port for SSH and telnet, resident?

pcfreak49 Tue, 08/10/2010 - 10:48

Sorry that you cannot understand me well, but I am simply from Belgium. I want to open the port for telnet and SSH on the router.

Sorry.

Phillip Remaker Tue, 08/17/2010 - 13:42

If you are trying to CONNECT to a router using SSH or Telnet, you want to use the "transport input" command to indicate what protocols may be used to connect to the router.  Example:

line vty 0 5  ! (or whatever range your router has)

 transport input telnet ssh  ! both protocols on one line: a second "transport input" command replaces the first instead of adding to it

telnet uses TCP port 23, SSH uses TCP port 22, so if you use access-lists you need to open the ports.

You need to enable some form of login credential checking, or connections will not be allowed.

SSH config notes:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Tips on Telnet Configuration:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_example09186a0080202614.shtml
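As an added example (not code from the original post), here is the complete vty and SSH setup the answer above describes, including the credential check it says is needed. The hostname r800, the domain example.net, the user admin and the password placeholder are assumed values; replace them with your own.

```cisco
! Added example (not from the original post): full SSH + telnet access setup
! for an IOS router such as the 800 series. "r800", "example.net", the user
! "admin" and the password placeholder are assumed values.
hostname r800
ip domain-name example.net
! SSHv2 needs an RSA key pair; "modulus 2048" avoids the weak default size.
! The key is generated from configuration mode and does not appear in the config.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local credentials: without "login local" (or aaa) the vtys refuse sessions.
! "secret" stores a hash; replace the placeholder with a real password.
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
line vty 0 4
 login local
 exec-timeout 10 0
 ! Both protocols on ONE line. Two separate "transport input" commands do not
 ! add up: the second replaces the first, leaving only that protocol allowed.
 transport input telnet ssh
 ! Preferred once SSH is confirmed working, since telnet sends the password
 ! in clear text across the WAN:
 ! transport input ssh
!
! Verification after the change:
! show ip ssh                               (should report "SSH Enabled - version 2.0")
! show running-config | section line vty    (confirms login and transport settings)
! show users                                (lists active vty sessions and their source)
```

If "show ip ssh" reports SSH disabled, the RSA key was not generated (the domain name must be set first); if SSH connects but telnet does not or vice versa, check that only one "transport input" line is present under the vtys.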

Phillip Remaker Tue, 08/17/2010 - 15:16

There are two options:

1) If you want to RESTRICT PACKETS at the router, you can use access-list + access-group on the interfaces.

2) If you want to RESTRICT CONNECTIONS you can use access-list and access-class on the vtys

If you are just trying to limit which IP addresses are allowed to connect, (2) is the best practice.  If you have greater paranoia and don't even want to see connection attempts reach the OS from disallowed IP addresses, (1) is the way to go, but is not the best practice.

You may want to read http://articles.techrepublic.com.com/5100-10878_11-1052538.html.

When you use the access-class command, it applies to all incoming transports, including SSH and telnet.
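An added example (not from the original post) showing the two options above side by side, both driven by the same set of allowed management hosts. The admin network 203.0.113.0/24 and the WAN interface Dialer0 are assumptions.

```cisco
! Added example (not from the original post) showing the two options above
! side by side with the same set of allowed management hosts. 203.0.113.0/24
! as the admin network and Dialer0 as the WAN interface are assumptions.
!
ip access-list standard MGMT-HOSTS
 permit 203.0.113.0 0.0.0.255
 deny   any log
!
! Option 2 (best practice): restrict CONNECTIONS on the vtys. Applies to every
! inbound transport (SSH, telnet, ...); denied attempts are logged by "log".
line vty 0 4
 access-class MGMT-HOSTS in
!
! Option 1: restrict PACKETS at the WAN interface. Ports 22 and 23 are only
! reachable from the admin network; the final "permit ip any any" is an
! assumption that keeps other traffic flowing, because the rest of the
! interface policy (NAT, ZBFW) is handled elsewhere on this router.
ip access-list extended WAN-IN
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
 permit tcp 203.0.113.0 0.0.0.255 any eq 23
 deny   tcp any any range 22 23 log
 permit ip any any
!
interface Dialer0
 ip access-group WAN-IN in
!
! Verification:
! show access-lists                              (hit counts on the permit/deny lines)
! show running-config | section line vty         (shows the access-class applied)
```

With option 2 a disallowed host still completes the TCP handshake and is then refused by the vty, which is what the log line on the standard ACL records; with option 1 the SYN is dropped on the interface and the vty never sees it.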

pcfreak49 Wed, 08/18/2010 - 06:36

That has already been done, but if I want to log in remotely on the Cisco, I get the message "time out".

Phillip Remaker Wed, 08/18/2010 - 08:31

Maybe you want to share the relevant portions of your configuration?  It sounds like you are saying you have set up something (what?) and now cannot connect with SSH or telnet. Can you connect if there are no restrictions set up at all?

You may want to post a detailed description in French or Dutch (Flemish?) and see if we can use Google Translate or Babel Fish to understand the detail.

Phillip Remaker Wed, 08/18/2010 - 10:00

So, the goal is to connect to the router using the SSH protocol, right?

1) Can you connect with SSH at all?

2) Are you trying to connect on the LAN side or the WAN side?

3) What happens when you try to connect?

4) What do you want to happen?

pcfreak49 Wed, 08/18/2010 - 10:07

1) Yes, SSH works.

2) I am trying SSH from the WAN side.

3) I want to be able to log in remotely to the router, both SSH and telnet.

4) I want to work on the router from another network.

Phillip Remaker Wed, 08/18/2010 - 10:57

OK, got it.  You want to ALLOW remote connection from SSH and/or telnet.

Right now, your configuration is using NAT and zone-based firewall (ZBFW).

Are you using SDM or CCP to configure the device?

The configuration seems correct, but I am not a ZBFW expert.

Looking at https://supportforums.cisco.com/thread/2012714, it seems like you may need to allow SSH and telnet in the "source self destination out-zone" path:

zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit

Your self to out path doesn't allow SSH and telnet.

policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass

WARNING:  this is just a guess.  Ask over in the Firewall group.
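An added example (not the poster's configuration and not generated by CCP) of a zone-based firewall policy that admits SSH and telnet to the router itself only from a management network. It reuses the zone names from the thread (out-zone and self) and assumes 203.0.113.0/24 as the management network. A session that arrives from the WAN is first matched on the out-zone to self pair, so that is the pair the example attaches its policy to; the self to out policy quoted above already has "class-default pass", which covers the reply direction.

```cisco
! Added example (not the poster's configuration, and not CCP-generated).
! It reuses the zone names from the thread (out-zone, self) and assumes the
! management network 203.0.113.0/24.
!
ip access-list extended MGMT-SOURCES
 permit ip 203.0.113.0 0.0.0.255 any
!
! Protocols to admit to the router itself. SSH only would be the safer choice.
class-map type inspect match-any MGMT-PROTOCOLS
 match protocol ssh
 match protocol telnet
!
! Both conditions must hold: an allowed source AND a management protocol.
class-map type inspect match-all MGMT-TO-ROUTER
 match access-group name MGMT-SOURCES
 match class-map MGMT-PROTOCOLS
!
! New policy for the out-zone -> self pair. Copy any classes still needed
! from ccp-permit (for example its ICMP class) before attaching this one,
! because the service-policy below replaces ccp-permit on that pair.
policy-map type inspect OUT-TO-SELF
 class type inspect MGMT-TO-ROUTER
  pass
 class class-default
  drop log
!
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect OUT-TO-SELF
!
! "pass" is stateless, so the reply direction must be permitted as well; the
! self -> out policy quoted in the thread does that with "class-default pass".
!
! Verification:
! show zone-pair security
! show policy-map type inspect zone-pair ccp-zp-out-self   (per-class match and drop counters)
```

A "time out" on connect, rather than a refusal, is consistent with the SYN being dropped by class-default on this pair; the drop counters in the second show command tell you whether that is what is happening.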

Phillip Remaker Wed, 08/18/2010 - 14:39

I don't use CCP, but try asking in the firewalls forum.  It seems to be a firewall issue.
