Basic Router SSH Access

Michael Reyes
Level 1

Hello Cisco Experts,

I need to configure a 2921 ISR. Basic config below. Nothing elaborate as far as config goes. Inside traffic routing outside. GE0/0 - External IP and GE0/1 - Internal IP. I'm trying to telnet to the GE0/0 interface, but it's not working. Did I miss something? This is a brand new router I received this afternoon. Ultimately I need to enable SSH and restrict access to two remote IP addresses (x.x.x.244 & x.x.x.246).

Any assistance would be greatly appreciated.

Thanks,

Michael

Basic Configuration Below

*************************************************************************************************

Current configuration : 5325 bytes
!
! Last configuration change at 22:47:28 UTC Mon Jun 18 2012 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cv_router_2921
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 *******.
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!        
!
!
!
!
ip domain name corp.local
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3184049427
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3184049427
revocation-check none
rsakeypair TP-self-signed-3184049427
!
!
crypto pki certificate chain TP-self-signed-3184049427
certificate self-signed 01

        quit
license udi pid CISCO2921/K9 sn FGL161612S2
!
!
username username privilege 15 secret 4 *******
!
redundancy
!
!
!        
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Transit Network
ip address x.x.x.134 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Internal Transit Network
ip address x.x.x.225 255.255.255.224
duplex auto
speed auto
!        
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 x.x.x.133
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Removed

-----------------------------------------------------------------------
^C
!        
line con 0
exec-timeout 0 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 7 *******
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
password 7 *******
login local
transport input telnet ssh
!        
scheduler allocate 20000 1000
end

cv_router_2921#

Accepted Solution

Michael

Thanks for the additional explanation. That does help.

Am I correct that the ping problem was just a transposition of octets in the address? Or is there still some problem with pinging?

HTH

Rick

32 Replies

John Blakley
VIP Alumni

Michael,

You'll need to remove the default acl on the line:

line vty 0 4

no access-class 23 in

That'll get you into the router with telnet.

HTH,

John

HTH, John *** Please rate all useful posts ***

Hello John,

Thank you for the post.  I've left for the day and will try that in the am.  Also as mentioned, ultimately, I want to remove telnet and enable ssh with an ACL to the outside interface of the router.  I'm going to review that this evening at home so that I can try out my config when I get into the office in the morning.

I'll let you know how it goes tomorrow,

Michael

Hi,

In addition to removing the access-class, you should always configure all vty lines:

line vty 0 15

xxxx

That way you'll have the same config on all lines and not what is in your config, where some lines are enabled for SSH but some are not. Probably that's not intended?

Regards, Karsten

Sent from Cisco Technical Support iPad App

Hello Karsten,

I found it odd that it showed up that way, as I entered the command as you included in your post. Any idea why that would be?

Michael

sebastian.lemke
Level 1

Enable *only* SSH on all VTY lines:

conf t

line vty 0 15

transport input ssh

exit

crypto key generate rsa general-keys modulus 1024

The last command is needed to generate a crypto key, which is used in each SSH session.

I'd also recommend setting a new username and enable secret:

username USER privilege 15 secret 0 PASSWORD

enable secret 0 PASSWORD

Hi, try this:

Config t

line con 0

login local

line aux 0

line vty 0 4

login local

transport input telnet ssh

transport output all

!

scheduler allocate 20000 1000

Regards

please rate if it helps.

After reviewing posts, I've made recommended changes. Removing the ACL did not allow me to telnet to the router. I'm taking this one step at a time and will start with telnet access. Once that's resolved, I'll move on to SSH access, and then finally on to ACLs.

Below is the snippet from the config around the VTY usage. Any insight into the "line 2" part of the config? The telnet config is very basic and I've configured telnet on other devices in the past. Not sure why I'm having difficulty now.

This is how I've set up the devices:

[My Laptop - RJ-45]  --  Cross-Over Cable  -->  [Router E0/0]

xx.xx.xx.133 255.255.255.252                        xx.xx.xx.134 255.255.255.252

[My Laptop - Serial]  --  Serial Cable          -->  [Router Console Port]

line con 0

exec-timeout 0 0

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

password 7 1313030B341E0B3F3F213A616C7042

login local

transport input telnet

transport output all

line vty 5 15

privilege level 15

password 7 06101B38735C060C1112005955567B

login local

transport input telnet

transport output all

!

scheduler allocate 20000 1000

end

The "line 2" config is typically used for modules in the router, so that is probably not relevant for this problem.

The "line vty" looks ok. Do you have any interface-ACLs at the moment?

Do you have basic connectivity? I.e., can you ping your router, or if not, do you see the other device in the ARP cache?

And: How far do you get with your test? Telnet-Access can go wrong in multiple ways.

Up until about 5 minutes ago I had console access. I enter the username/password that I created and I am receiving invalid login.

Username: Root

Password:

% Login invalid

Any ideas?  If needed, I'll need to reset to default.

Regarding your other questions:

  • I had my laptop and a spare connected to E0/1 & E0/2 respectively.
  • Each laptop was configured with appropriate IP addresses for the IP addressing information configured on the connected interface.
  • From each laptop, I was able to ping the interfaces on the router as well as the laptop on the other interface.

Michael

And you configured a username "Root" with a corresponding password or secret?

I configured the following:

username root privilege 15 secret 0 *********

enable secret 0 ********

I just added another discussion regarding my issues with the password recovery procedure.  I need to get that resolved before proceeding with these steps.

Hello Karsten,

I'm back working my telnet/SSH/ACL issue. From my laptop, I am able to ping the interface of the router. I removed the default ACL:

access-list 23 permit 10.10.10.0 0.0.0.7

no access-list 23 permit 10.10.10.0 0.0.0.7

Michael

Removing the access list 23 is a good thing. But more important is to make sure that the vty lines no longer have the access-class configured, since that is what actually controls remote access.

Is this still the accurate listing of the config for the vty lines?

line vty 0 4

privilege level 15

password 7 1313030B341E0B3F3F213A616C7042

login local

transport input telnet

transport output all

If this is the configuration then I would expect that telnet to the router address from a connected device should prompt for a user name and password and should authenticate using the user name and password that you have configured on the router. Is that what is happening?

HTH

Rick

Hello Rick,

That is correct. I found my IP had an incorrect network octet. I do get prompted for username/password now.

Is there a way to configure a network object to control access? Here is what I'm trying to figure out.

Create an object called Allowed_SSH_IP

Add x.x.x.224 and x.x.x.246

Configure SSH on the outside interface to only allow IP addresses in this object.

Does that make sense?

Michael
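One way to implement the restriction Michael asks for, as an added example and not a reply from the thread: the "network object" form is ASA syntax, while on an IOS router such as the 2921 the conventional equivalent is a standard access list applied to the vty lines with access-class. The example also folds in the earlier advice from the thread (all 16 vty lines configured identically, SSH only, RSA key generated). The ACL name MGMT-SSH, the 2048-bit key size and the exec-timeout are my choices, and the two host addresses are the placeholders from the original question.

```cisco
! Added example, not the router's own configuration from the thread.
! x.x.x.244 / x.x.x.246 are the placeholder addresses from the question.
!
! SSH prerequisites: a domain name (already present) and an RSA key pair.
ip domain name corp.local
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
!
! Named standard ACL listing the only sources allowed to open a session.
! The final explicit deny with "log" records every rejected attempt.
ip access-list standard MGMT-SSH
 remark Allowed SSH management sources (placeholders)
 permit host x.x.x.244
 permit host x.x.x.246
 deny   any log
!
! Retire the default ACL 23 (10.10.10.0/29), which was blocking the laptop.
no access-list 23
!
! Configure all 16 vty lines the same way: SSH only, local users,
! the source ACL applied inbound, and no unused type-7 line password.
line vty 0 15
 access-class MGMT-SSH in
 login local
 transport input ssh
 exec-timeout 10 0
 no password
!
! "ip http access-class 23" would now reference a missing ACL, which
! permits everyone. Disable the web UI unless it is actually needed.
no ip http server
no ip http secure-server
!
! Verification from enable mode:
! show ip ssh
! show running-config | section line vty
! show ip access-lists MGMT-SSH
```

After applying this, a telnet attempt to GE0/0 should be refused outright, while SSH from an address outside the ACL is dropped and logged, and SSH from one of the two permitted hosts prompts for the local username and password.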
