Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Config SSH on 891W ISR?

I believe I have the steps done at the IOS to config the WAN port for SSH, but I still can't connect to it.  I have "logging console 7" on so I am able to see that the router is dropping my TCP session requests.  I figure this is just the built-in zone-based firewall at work. 

Is there a very straightforward process, via the IOS, to allow SSH inbound on the WAN port?  I'm not very familiar with the IOS other than basics so while I know how to do things like "transport input ssh" and "login local" and such on the vty 0 4 line, I have no idea whatsoever on what I should do with the firewall stuff.  I believce the WAN interface is already a member of the outside zone though so I imagine one just has to somehow include ssh (preferably on a non-standard port) in the exceptions on the firewall somehow. 

Can anybody help?  I have been poking around for a step-by-step IOS guide for this but only find info on configuring SSH itself but not how to open the firewall to allow the connection for it through. 

Thank you! 

Everyone's tags (7)
11 REPLIES

Config SSH on 891W ISR?

Can you post your policy, class map, acls and ssh config?

HTH, John *** Please rate all useful posts ***
Hall of Fame Super Silver

Config SSH on 891W ISR?

Colin

I like the suggestions made by John and will add a request that you post the output of show ip ssh. This will verify whether SSH is really enabled on the router.

HTH

Rick

New Member

Re: Config SSH on 891W ISR?

I apologize guys for not replying on this sooner, I lost track of the thread basically.  So after posting in march, nothing has changed. 

rresults for sh ip ssh were that SSH is enabled, version 1.99, RSA key length 1024 with standard timeout and retry counts.  FWIW I just updated the IOS flash to 151-4.M4 in case that affects the sh run output in any way. 

I checked sh run for what's up with the vty lines.  vty 0 4 has transport input telnet ssh, as does the vty 5 15.  I'm not yet sure why the router seperates vty 0 4 and 5 15 (I assume these are ranges, thus 16 total virtual lines?) but anyway ssh seem sot be enabled on both. 

The class-map and access list stuff is copied into two text files attached to this post . Looking at the output, I bet the lack of "ssh" in there means something but I hvae no clue about what any of this stuff really means.

Also FWIW ssh works fine on the LAN (vlan1) interface. 

On a related note, would you recommend I learn this firewall stuff from say, an IOS firewall config guide of some sort or would I be better off first getting a CCNA level education before getting into specifics on things like IOS firewall? 

      

Thanks and I hope this thread hasn't fallen into the cracks.  TTT! 

Hall of Fame Super Silver

Config SSH on 891W ISR?

Colin

Thanks for the additional information (even if it is a bit late it is welcomed). The one thing that we can say for sure is that SSH is enabled on the router. So that is not the issue.

I gather that your main concern is to be able to connect to the router via SSH when you are coming from outside networks and this does not work. Does the statement about SSH and vlan 1 mean that SSH works ok when you are connecting from inside?

In general we can say that there are 2 things that would prevent SSH connection to the router.

- if there is an access-class configured on the vty then this controls who can establish connection to the router. So can you tell us whether there is an access-class configured on the vty?

- firewalls or access lists configured on the outside interface could also prevent SSH access. We do not have the full picture yet. But I am guessing that this is where your problem is.

You are correct that the display of vty 0 4 and 5 15 are ranges and that your router has 16 vty lines (which means that it could have 16 simultaneous remote sessions). The fact that it displays in 2 groups is for backward compatibility with older releases. There have always been 5 vty lines (0 4), So the IOS output parser has always displayed these as a group. Then IOS added support for additional vty lines. And to maintain compatibility with the old display it puts the new vty into a separate group.

My advice would be to get an understanding of basic router operations and configurations before you get deeply into firewall stuff. You are probably dealing with firewall issues right now and need to get some better understanding of firewall config. But I would not go too far with that before back tracking and working on the basic stuff.

HTH

Rick

Hall of Fame Super Silver

Config SSH on 891W ISR?

Colin

In re-reading the original post I noticed this: "so I am able to see that the router is dropping my TCP session requests." If you could post the messages that you are seeing they may help to confirm what the issue is.

HTH

Rick

New Member

Re: Config SSH on 891W ISR?

Hi Richard, thanks for your replies - rarely do people address each point or question posed especially when an item may not havce been central to the main subject (my question about vty lines), so thank you. 

If the vty line would havec an access-class defined, I am guessing it would show under the vty itself in sh run.  In either case there is no access-class info under vty sections, just in the general config that I had attached here previously. 

Something to add about this setup:  I used CP Express to intiially get the router configured so it's using whatever the default Basic Firewall settings , if that helps at all. 

Also, I originaly posted about one router in particular whilst the other ones I have were boxed still, but recently I've unboxed another one and have it here.  The only difference between this and the original live unit is that this 2nd one I've got here has a wan ip assigned but no real connection - consequently for testing I just change my PC's IP to be that of the next hop IP for the ISP but it's all internal on my network.  Not even sure if that would work but i se eno reason why not if it's just on the inside.  Here is the output for as requested, coming from the router this is connected to the ISP.  To compare, I'll set my PC's IP to the ISP next hop and tun logging console 7 on on this new router and see if that gets the same results as below.  :

006358: May 23 13:20:56.057 PCTime: %FW-6-LOG_SUMMARY: 5 packets were dropped fr

om xx.xx.xx.xx:22 => xx.xx.xx.xx:61729 (target:class)-(ccp-zp-self-out:ccp-icm

p-access)

006358: May 23 13:20:56.057 PCTime: %FW-6-LOG_SUMMARY: 5 packets were dropped fr

om xx.xx.xx.xx:22 =>xx.xx.xx.xx:61729 (target:class)-(ccp-zp-self-out:ccp-icm

p-access)

Hall of Fame Super Silver

Config SSH on 891W ISR?

Colin

Thanks for the additional information. The log messages do seem to indicate that the traffic is being dropped by the inspection. And this suggests that the solution is to add something in the inspection rules that would allow SSH.

And yes if there were an access-class configured it would show up under the line vty configuration.

HTH

Rick

Config SSH on 891W ISR?

Hi!

I didn't really understand what you wanted to achive, maybe because I didn't read through the whole conversation. But do you want to be able to SSH through the internet to your router or from the LAN?

New Member

Re: Config SSH on 891W ISR?

Richard, no specifics? Am I being urged to look up my own IOS commands to add SSH to the inspection Well, I shall do so and post back.  Meanwhile...

Henrik, yes that is correct sir.  Because I come in from a dynamic IP, I will probably have to open my WAN side to allow SSH from any host as opposed to a specific host or iP.  Anyway, I will have to do my research - hopefully the answer is clear once I find it

Config SSH on 891W ISR?

To open up your firewall for SSH from the internet, you need to add these lines:

class-map type inspect MANAGEMENT_CMAP

match protocol ssh

policy-map type inspect ccp-permit

class type inspect MANAGEMENT_CMAP

  pass

As you say, it's hard when you connect from a dynamic IP. But I maybe this there is a way, if you work with parameter-maps, but I haven't tested it.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

New Member

Re: Config SSH on 891W ISR?

Will do, still need to test something's first ... CCP put 290 fW commands to the iOS so I,ll get another router un boxed and try that. Also been doing good reading from guides on zbf so am learning now.

iPads suck for typing.

Sent from Cisco Technical Support iPad App

1803
Views
0
Helpful
11
Replies