SSH troubleshooting - Cisco 1811

Answered Question
Aug 20th, 2010

Hi,

I'm having trouble getting SSH to work. I'm new to Cisco and lack the knowledge to troubleshoot the whole thing. I have working SSH on another 1811 device, so I screwed something up on here.

Right now I'm trying to connect to inside interface 9 (vlan88). Since I don't know how to check for listening ports I use NMAP to scan for listening ports from outside.

"All 100 scanned ports on (192.168.8.254) are closed"

When I assign access list 101 to vlan 88, the NMAP output changes a little bit:

"PORT   STATE  SERVICE
22/tcp closed ssh"

There is obviously nothing listening on port 22.

Here is my running config. Thanks in advance!

Current configuration : 6088 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hydra02
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3392109368
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3392109368
revocation-check none
rsakeypair TP-self-signed-3392109368
!
!
crypto pki certificate chain TP-self-signed-3392109368
certificate self-signed 01
! XXXXXXXXXXXXXXXXXXXXXX
quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
no ip domain lookup
ip domain name XXXXXXXX
!
multilink bundle-name authenticated
!
!
username ciscosdl privilege 15 secret 5 XXXXXXXXXXXXXXXXX
!
!
archive
log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0
description $ETH-WAN$
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
switchport access vlan 88
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Vlan55
no ip address
!
interface Vlan88
ip address 192.168.8.254 255.255.255.0
ip access-group 101 in
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ppp chap password 0 XXXXXXXXXXXXXXXXX
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat outside source list 1 interface Dialer0
!
access-list 1 remark INSIDE_IF=Vlan88
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit tcp 192.168.8.0 0.0.0.255 host 192.168.8.254 eq 22
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner exec ^C
^C
!
line con 0
exec-timeout 5 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class 101 in
exec-timeout 5 0
privilege level 15
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
end

Correct Answer by Peter Paluch, Fri, 08/20/2010 - 01:46

Sebastian,

Your ACL 101 is too brief and is used, in my opinion, improperly, as it is placed both on the VLAN interface and on the line vty. Let's remove it for now and make tests without ACLs.

You can remove the offending commands using the following sequence of commands (you can paste them directly to your router in global configuration mode):

interface Vlan88
 no ip access-group 101 in
line vty 0 4
 no access-class 101 in
line vty 5 15
 no access-class 23 in

Second, you have forced your router to use SSHv2. That is very good, but it requires generating an RSA keypair with a modulus of at least 768 bits. Have you generated such a keypair (or have you generated one at all)? If you are not sure, let's erase the existing keypair and generate a new one. Again, the following commands are to be used in the global configuration mode:

crypto key zeroize rsa
crypto key generate rsa modulus 1024

Try this and let us know if it worked for you.

Best regards,

Peter
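
As an added example (not part of the thread), a small Python audit that reads a running-config in the form posted above and reports the conditions Peter's answer targets: an ACL doing double duty as the inbound filter on an SVI and as a vty access-class, a vty access-class that does not admit a given client address (evaluated with IOS wildcard masks), and the RSA keypair that `ip ssh version 2` requires but that never shows up in running-config. SAMPLE_CONFIG is a constructed excerpt of the posted config; the function and variable names are my own.

```python
import ipaddress

def acl_permits_source(glob, acl, client):
    """True if a permit entry of numbered ACL `acl` matches the client's source address."""
    ip = int(ipaddress.ip_address(client))
    for tok in (l.split() for l in glob):
        if tok[:3] != ["access-list", acl, "permit"]:
            continue
        src = tok[3:] if int(acl) < 100 else tok[4:]   # standard: source first; extended: protocol first
        if src[0] in ("any", "host"):                   # 'any' = 0.0.0.0/255.255.255.255, 'host X' = X/0.0.0.0
            src = ["0.0.0.0", "255.255.255.255"] if src[0] == "any" else [src[1], "0.0.0.0"]
        net = int(ipaddress.ip_address(src[0]))
        wild = int(ipaddress.ip_address(src[1])) if len(src) > 1 else 0
        if (ip & ~wild) == (net & ~wild):               # wildcard bits are don't-care bits
            return True
    return False

def audit_ssh(config, client):
    """Report the conditions from the thread above that can keep SSH from answering `client`."""
    glob, iface_acl, vty_acl, cur, findings = [], {}, {}, None, []
    for line in (l.strip() for l in config.splitlines()):
        tok = line.split()
        if not tok or tok[0] == "!":
            cur = None                                  # '!' ends an interface/line sub-mode
        elif tok[0] in ("interface", "line"):
            cur = line
        elif cur and line.startswith("ip access-group "):
            iface_acl[cur.split()[1]] = tok[2]
        elif cur and cur.startswith("line vty") and line.startswith("access-class "):
            vty_acl[cur] = tok[1]
        elif cur is None:
            glob.append(line)
    for vty, acl in vty_acl.items():
        if acl in iface_acl.values():                   # the same ACL filtering the SVI and the vty
            findings.append(f"{vty}: ACL {acl} is also an inbound interface ACL")
        if not acl_permits_source(glob, acl, client):
            findings.append(f"{vty}: access-class {acl} does not permit {client}")
    if "ip ssh version 2" in glob:                      # RSA keys never appear in running-config
        findings.append("ip ssh version 2 needs an RSA keypair of >= 768 bits: check 'show crypto key mypubkey rsa'")
    return findings

SAMPLE_CONFIG = """\
ip ssh version 2
interface Vlan88
 ip access-group 101 in
!
access-list 101 permit tcp 192.168.8.0 0.0.0.255 host 192.168.8.254 eq 22
line vty 0 4
 access-class 101 in
"""  # constructed excerpt of the running-config posted in the question
```

Running `audit_ssh(SAMPLE_CONFIG, "192.168.8.10")` for a client inside 192.168.8.0/24 reports only the ACL reuse and the keypair reminder, which matches the thread: ACL 101 did admit the scanner, and it was the RSA key step that brought port 22 up.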

OSJF2009SDL Fri, 08/20/2010 - 02:49

Thank you Peter!

One of the steps you suggested fixed the issue. NMAP output:

PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet
