Router Remote Management Access

Unanswered Question
Dec 13th, 2005

Hi,

I have an 1841 router with IOS 12.4(3a). This router is at the remote end and I want to access it with SSH (22/tcp). I have enabled the ACL for it and logged it.

The log shows permitted from my H.O global IP to the B.O (1841) global IP (22/tcp). But I get an error saying "Network Error: Connection refused".

I am using PuTTY application for SSH.

Log details from router:

%SEC-6-IPACCESSLOGP: list 101 permitted tcp A.B.C.53(1925) -> X.Y.Z.45(22), 1 packet

The HTTP secure server is enabled and an RSA key is set in the router.

Can somebody help with it please?

spremkumar Wed, 12/14/2005 - 00:35

Hi,

Have you configured "transport input ssh" under line vty mode?

That's required to allow SSH connections, but by default only telnet is permitted on the line vty.

Regards


examples20001 Wed, 12/14/2005 - 01:14

Thank you very much for the reply.

Yes, it is configured.

interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address x.y.z.45 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit tcp any host x.y.z.45 eq 22 log
:
:
access-list 102 permit ip 172.29.96.0 0.0.0.31 any
access-list 102 deny ip any any
!
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport preferred all
 transport input telnet ssh
 transport output all
!
examples20001 Wed, 12/14/2005 - 05:03

Hi,

Remote access with SSH is OK now after changing ACL 102. But the log for ACL 102 shows access from H.O (A.B.C.53) to IP address 0.0.0.0 (22).

Why is that? Is this a security flaw?

!
access-list 102 permit tcp any any eq 22 log
access-list 102 permit ip 172.29.96.0 0.0.0.31 any
access-list 102 deny ip any any
!
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport preferred all
 transport input telnet ssh
 transport output all
!

%SEC-6-IPACCESSLOGP: list 101 permitted tcp A.B.C.53(1625) -> X.Y.Z.45(22), 1 packet
%SEC-6-IPACCESSLOGP: list 102 permitted tcp A.B.C.53(1758) -> 0.0.0.0(22), 1 packet

Richard Burts Wed, 12/14/2005 - 12:39

It is really not a security flaw. It is because you used a different kind of access list. The normal usage of an access list for access-class on a vty is a standard access list. A standard access list identifies a single address (or address range) that is permitted to have remote access. An extended access list makes the logic much more complex, since it identifies two address ranges, which we usually interpret as source address and destination address.

One of the advantages of access-class is that the logic that applies it realizes that any address on the router might be the destination address. If you attempted to control remote access via access-group applied to interfaces, you would have to put in a line for every interface on the router with an IP address. The logic in access-class consolidates them, so that it covers any access attempt to any interface on the router, and so it represents the destination as 0.0.0.0. It is a feature, not a flaw.


HTH


Rick
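The following is an added example, not code from the thread or from Cisco. It models the two evaluation rules discussed above: an interface access-group sees the real interface address as the destination, while a vty access-class evaluates every entry with the destination consolidated to 0.0.0.0, as Rick's reply explains and as the second log line shows. It parses the poster's original ACL 102 (which denied the H.O. address, hence "connection refused"), the working ACL 102, an extended ACL with a "host <router>" destination (which under access-class can never match), and the standard ACL Rick recommends. The IPACCESSLOGP parser replays a logged 5-tuple against an ACL to show which entry produced the log. Assumed placeholders: the thread's A.B.C.53 is written as 192.0.2.53 and x.y.z.45 as 198.51.100.45; the log line is constructed on those addresses.

```python
"""Model of IOS numbered-ACL evaluation under access-group vs vty access-class.
Added example; not Cisco code. Addresses are constructed stand-ins for the
thread's placeholders (A.B.C.53 -> 192.0.2.53, x.y.z.45 -> 198.51.100.45)."""
import ipaddress
import re

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = ("0.0.0.0", "255.255.255.255")          # address, wildcard ("any")

HO_IP, ROUTER_IP = "192.0.2.53", "198.51.100.45"   # assumed stand-ins

# The poster's first ACL 102: only 172.29.96.0/27 may reach the vty, so H.O. is denied.
ORIGINAL_ACL_102 = """
access-list 102 permit ip 172.29.96.0 0.0.0.31 any
access-list 102 deny ip any any
"""
# The ACL 102 that worked (second post).
WORKING_ACL_102 = """
access-list 102 permit tcp any any eq 22 log
access-list 102 permit ip 172.29.96.0 0.0.0.31 any
access-list 102 deny ip any any
"""
# Extended entry with the router's own address as destination: fine as an
# interface access-group, useless as an access-class (destination is 0.0.0.0).
HOST_DST_ACL_102 = """
access-list 102 permit tcp any host 198.51.100.45 eq 22 log
access-list 102 deny ip any any
"""
# Standard ACL as Rick recommends for access-class: source addresses only.
STANDARD_ACL_10 = """
access-list 10 permit 172.29.96.0 0.0.0.31
access-list 10 permit host 192.0.2.53
"""
CONSTRUCTED_LOG = ("%SEC-6-IPACCESSLOGP: list 102 permitted tcp "
                   "192.0.2.53(1758)-> 0.0.0.0(22), 1 packet")   # constructed sample


def _is_ip(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except (ValueError, TypeError):
        return False


def _parse_addr(tokens, i):
    """Consume one address spec: any | host A | A WILDCARD | A (standard-ACL shorthand)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and _is_ip(tokens[i + 1]):
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1


def _parse_port(tokens, i):
    """Consume an optional 'eq N'; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines into ordered entry dicts."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        e = {"line": line.strip(), "action": tok[2], "proto": "ip",
             "sport": None, "dst": ANY, "dport": None, "log": tok[-1] == "log"}
        if tok[3] in PROTOCOLS:          # extended: proto src [eq p] dst [eq p]
            e["proto"] = tok[3]
            e["src"], i = _parse_addr(tok, 4)
            e["sport"], i = _parse_port(tok, i)
            e["dst"], i = _parse_addr(tok, i)
            e["dport"], i = _parse_port(tok, i)
        else:                            # standard: source address only
            e["src"], i = _parse_addr(tok, 3)
        entries.append(e)
    return entries


def _addr_match(spec, ip):
    base, wildcard = spec
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) ^ int(ipaddress.IPv4Address(base))) & care == 0


def evaluate(entries, proto, src, sport, dst, dport):
    """First-match evaluation with the implicit deny; returns (action, matching line or None)."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not _addr_match(e["src"], src) or not _addr_match(e["dst"], dst):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", None


def access_group(acl_text, proto, src, sport, iface_ip, dport):
    """Interface ACL: the packet's real destination (the interface address) is matched."""
    return evaluate(parse_acl(acl_text), proto, src, sport, iface_ip, dport)


def access_class(acl_text, proto, src, sport, dport):
    """vty access-class: destination is consolidated to 0.0.0.0, as the thread describes."""
    return evaluate(parse_acl(acl_text), proto, src, sport, "0.0.0.0", dport)


LOG_RE = re.compile(r"list (\d+) (permitted|denied) (\w+) ([\d.]+)\((\d+)\)-> ([\d.]+)\((\d+)\)")


def replay_log(acl_text, log_line):
    """Pull the 5-tuple out of an IPACCESSLOGP message and re-evaluate it against acl_text."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not an IPACCESSLOGP line: " + log_line)
    _, _, proto, src, sport, dst, dport = m.groups()
    return evaluate(parse_acl(acl_text), proto, src, int(sport), dst, int(dport))


if __name__ == "__main__":
    print("original 102 on vty :", access_class(ORIGINAL_ACL_102, "tcp", HO_IP, 1925, 22))
    print("working 102 on vty  :", access_class(WORKING_ACL_102, "tcp", HO_IP, 1758, 22))
    print("host-dst 102 on vty :", access_class(HOST_DST_ACL_102, "tcp", HO_IP, 1758, 22))
    print("host-dst 102 on int :", access_group(HOST_DST_ACL_102, "tcp", HO_IP, 1758, ROUTER_IP, 22))
    print("standard 10 on vty  :", access_class(STANDARD_ACL_10, "tcp", HO_IP, 1758, 22))
    print("replayed log        :", replay_log(WORKING_ACL_102, CONSTRUCTED_LOG))
```

The practical lesson the model makes visible: an extended entry whose destination is anything narrower than "any" silently fails under access-class, which is why the poster's "permit tcp any any eq 22" worked and why a standard ACL listing only the permitted sources is the cleaner choice for the vty.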
