paolo bevilacqua Sat, 08/07/2010 - 05:19
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

Postages ???


Use English, or you will not be understood.

paolo bevilacqua Sun, 08/08/2010 - 01:52
That's not English either.

paolo bevilacqua Sun, 08/08/2010 - 13:18
And your question/problem is what exactly ?

pcfreak49 Sun, 08/08/2010 - 13:34
User Badges:

The problem is: how can you open the port for SSH and telnet, resident?

paolo bevilacqua Mon, 08/09/2010 - 04:30
What are you trying to do? "open port" does not mean anything.

paolo bevilacqua Tue, 08/10/2010 - 10:38
I gave up, it is impossible to understand what you want.

pcfreak49 Tue, 08/10/2010 - 10:48
Sorry that you cannot understand me well, but I am simply from Belgium. I want to open the port for telnet and SSH on the router.


sorry

Phillip Remaker Tue, 08/17/2010 - 13:42
User Badges:
  • Cisco Employee,

If you are trying to CONNECT to a router using SSH or Telnet, you want to use the "transport input" command to indicate what protocols may be used to connect to the router.  Example:


line vty 0 5
 transport input telnet ssh
! Note: a second "transport input" command replaces the first rather than adding
! to it, so "transport input telnet" followed by "transport input ssh" would leave
! only ssh allowed; list both protocols on one line. (Use any vty range you like.)


Telnet uses TCP port 23 and SSH uses TCP port 22, so if you use access lists you need to open those ports.


You need to enable some form of login credential checking, or connections will not be allowed.


SSH config notes:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml


Tips on Telnet Configuration:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_example09186a0080202614.shtml

pcfreak49 Tue, 08/17/2010 - 14:24
How can you set up an access list for telnet and SSH?

Phillip Remaker Tue, 08/17/2010 - 15:16

There are two options:


1) If you want to RESTRICT PACKETS at the router, you can use access-list + access-group on the interfaces.


2) If you want to RESTRICT CONNECTIONS you can use access-list and access-class on the vtys


If you are just trying to limit which IP addresses are allowed to connect, (2) is the best practice.  If you have greater paranoia and don't even want to see connection attempts reach the OS from disallowed IP addresses, (1) is the way to go, but is not the best practice.


You may want to read http://articles.techrepublic.com.com/5100-10878_11-1052538.html.


When you use the access-class command, it applies to all incoming transports, including SSH and telnet.
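
As an added worked example (not configuration from the thread), here is option (2) in full, with option (1) beside it for comparison. The management host 203.0.113.10, the WAN interface GigabitEthernet0/0, the hostname, domain name and the username are all assumed values:

```cisco
! Added example, not configuration posted in the thread. Assumed values:
! management host 203.0.113.10, WAN interface GigabitEthernet0/0.
!
! --- Prerequisites for SSH: hostname, domain name and an RSA key ---
hostname R1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
! Local credential that "login local" on the vty lines checks against
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! --- Option 2 (best practice): restrict CONNECTIONS on the vty lines ---
! Standard ACL listing the hosts allowed to open a management session.
ip access-list standard MGMT-HOSTS
 permit host 203.0.113.10
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 ! SSH only; use "transport input telnet ssh" only if cleartext telnet is required
 transport input ssh
 login local
 exec-timeout 10 0
!
! --- Option 1 (alternative): restrict PACKETS on the WAN interface ---
! An interface ACL ends in an implicit "deny ip any any", so everything else
! the interface must carry has to be permitted explicitly; the final
! "permit ip any any" stands in for the rest of the inbound policy.
ip access-list extended WAN-IN
 permit tcp host 203.0.113.10 any eq 22
 deny   tcp any any eq 22 log
 deny   tcp any any eq 23 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group WAN-IN in
!
! --- Verification ---
! show ip ssh                  (expect "SSH Enabled - version 2.0")
! show line vty 0 4            (transport and access-class settings)
! show access-lists MGMT-HOSTS (hit counters for permitted and denied sources)
```

The access-class on the vty lines is the control that matters: it is evaluated for every incoming vty connection regardless of which interface it arrives on, so it keeps working if the WAN interface or its ACL is later changed. The interface ACL is the belt-and-braces option (1) describes and, on its own, does nothing for connections arriving via other interfaces.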

pcfreak49 Wed, 08/18/2010 - 06:36
That has already been done, but if I want to log in remotely on the Cisco, I get the message "time out".

Phillip Remaker Wed, 08/18/2010 - 08:31

Maybe you want to share the relevant portions of your configuration? It sounds like you are saying you have set up something (what?) and now cannot connect with SSH or telnet. Can you connect if there are no restrictions set up at all?


You may want to post a detailed description in French or Dutch (Flemish?) and see if we can use Google Translate or Babel Fish to understand the detail.

Phillip Remaker Wed, 08/18/2010 - 10:00

So, the goal is to connect to the router using the SSH protocol, right?


1) Can you connect with SSH at all?


2) Are you trying to connect on the LAN side or the WAN side?


3) What happens when you try to connect?


4) What do you want to happen?

pcfreak49 Wed, 08/18/2010 - 10:07
1) Yes, SSH works.


2) I am trying SSH from the WAN side.


3) I want to be able to log in to the router remotely, both by SSH and telnet.


4) I want to work on the router from another network.

Phillip Remaker Wed, 08/18/2010 - 10:57

OK, got it. You want to ALLOW remote connection from SSH and/or telnet.


Right now, your configuration is using NAT and zone-based firewall (ZBFW).


Are you using SDM or CCP to configure the device?


The configuration seems correct, but I am not a ZBFW expert.


Looking at https://supportforums.cisco.com/thread/2012714, it seems like you may need to allow SSH and telnet in the "source self destination out-zone" path:



zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit


Your self to out path doesn't allow SSH and telnet.


policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
  pass
class type inspect ccp-icmp-access
  inspect
class class-default
  pass


WARNING:  this is just a guess.  Ask over in the Firewall group.
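
An added example, not the original poster's configuration, of the zone-pair an SSH session from the WAN side passes through. A connection to the router's own address from the outside is classified as out-zone to self, which in the posted configuration is the ccp-zp-out-self pair with policy ccp-permit; the posted ccp-permit-icmpreply policy on the self-to-out pair already ends in "class class-default pass", so the router's replies leave the self zone. The management host 203.0.113.10, and a "class class-default drop" at the end of ccp-permit (what CCP generates), are assumptions:

```cisco
! Added example, not from the thread. Assumptions: management host
! 203.0.113.10; zone names out-zone/self and policy-map ccp-permit as posted.
!
! Traffic to admit: TCP/22 from the management host to any router address.
! (Add "permit tcp host 203.0.113.10 any eq 23" only if telnet is really needed.)
ip access-list extended MGMT-TO-ROUTER
 permit tcp host 203.0.113.10 any eq 22
!
class-map type inspect match-all MGMT-SSH
 match access-group name MGMT-TO-ROUTER
!
! Add the class to the policy already attached to the out-zone -> self pair.
! "pass" lets the connection reach the router; replies leave the self zone
! under ccp-permit-icmpreply, whose class-default is already "pass".
policy-map type inspect ccp-permit
 class type inspect MGMT-SSH
  pass
 class class-default
  drop
!
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
! The firewall policy is not a substitute for the vty access-class; keep both,
! and keep "transport input ssh" on the vty lines.
ip access-list standard MGMT-HOSTS
 permit host 203.0.113.10
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
!
! Verification:
! show zone-pair security
! show policy-map type inspect zone-pair ccp-zp-out-self
! (a connection attempt from the management host should raise the MGMT-SSH
!  packet counter; one from any other address should hit class-default drop)
```

The symptom in the thread (a timeout rather than a refused connection) is what a ZBFW drop produces: the SYN is silently discarded in the out-zone to self direction and the client waits. A vty access-class, by contrast, resets the connection immediately, which is one quick way to tell the two controls apart when troubleshooting.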

Phillip Remaker Wed, 08/18/2010 - 14:39

I don't use CCP, but try asking in the firewalls forum. It seems to be a firewall issue.

pcfreak49 Wed, 08/18/2010 - 23:25
I use the CLI, sometimes CCP,

because you can do more in the CLI.
