Config SSH on 891W ISR?

cluovpemb
Level 1

I believe I have the steps done at the IOS to config the WAN port for SSH, but I still can't connect to it.  I have "logging console 7" on so I am able to see that the router is dropping my TCP session requests.  I figure this is just the built-in zone-based firewall at work. 

Is there a very straightforward process, via the IOS, to allow SSH inbound on the WAN port?  I'm not very familiar with the IOS other than basics so while I know how to do things like "transport input ssh" and "login local" and such on the vty 0 4 line, I have no idea whatsoever on what I should do with the firewall stuff.  I believe the WAN interface is already a member of the outside zone though so I imagine one just has to somehow include ssh (preferably on a non-standard port) in the exceptions on the firewall somehow.

Can anybody help?  I have been poking around for a step-by-step IOS guide for this but only find info on configuring SSH itself but not how to open the firewall to allow the connection for it through. 

Thank you! 

11 Replies

John Blakley
VIP Alumni

Can you post your policy, class map, acls and ssh config?

HTH, John *** Please rate all useful posts ***

Colin

I like the suggestions made by John and will add a request that you post the output of show ip ssh. This will verify whether SSH is really enabled on the router.

HTH

Rick


I apologize guys for not replying on this sooner, I lost track of the thread basically.  So after posting in March, nothing has changed.

Results for sh ip ssh were that SSH is enabled, version 1.99, RSA key length 1024 with standard timeout and retry counts.  FWIW I just updated the IOS flash to 151-4.M4 in case that affects the sh run output in any way.

I checked sh run for what's up with the vty lines.  vty 0 4 has transport input telnet ssh, as does vty 5 15.  I'm not yet sure why the router separates vty 0 4 and 5 15 (I assume these are ranges, thus 16 total virtual lines?) but anyway ssh seems to be enabled on both.

The class-map and access list stuff is copied into two text files attached to this post.  Looking at the output, I bet the lack of "ssh" in there means something but I have no clue about what any of this stuff really means.

Also FWIW ssh works fine on the LAN (vlan1) interface.

On a related note, would you recommend I learn this firewall stuff from say, an IOS firewall config guide of some sort or would I be better off first getting a CCNA level education before getting into specifics on things like IOS firewall?

Thanks and I hope this thread hasn't fallen into the cracks.  TTT!

Colin

Thanks for the additional information (even if it is a bit late it is welcomed). The one thing that we can say for sure is that SSH is enabled on the router. So that is not the issue.

I gather that your main concern is to be able to connect to the router via SSH when you are coming from outside networks and this does not work. Does the statement about SSH and vlan 1 mean that SSH works ok when you are connecting from inside?

In general we can say that there are 2 things that would prevent SSH connection to the router.

- if there is an access-class configured on the vty then this controls who can establish connection to the router. So can you tell us whether there is an access-class configured on the vty?

- firewalls or access lists configured on the outside interface could also prevent SSH access. We do not have the full picture yet. But I am guessing that this is where your problem is.

You are correct that the display of vty 0 4 and 5 15 are ranges and that your router has 16 vty lines (which means that it could have 16 simultaneous remote sessions). The fact that it displays in 2 groups is for backward compatibility with older releases. There have always been 5 vty lines (0 4), so the IOS output parser has always displayed these as a group. Then IOS added support for additional vty lines. And to maintain compatibility with the old display it puts the new vty into a separate group.

My advice would be to get an understanding of basic router operations and configurations before you get deeply into firewall stuff. You are probably dealing with firewall issues right now and need to get some better understanding of firewall config. But I would not go too far with that before back tracking and working on the basic stuff.

HTH

Rick


Colin

In re-reading the original post I noticed this: "so I am able to see that the router is dropping my TCP session requests." If you could post the messages that you are seeing they may help to confirm what the issue is.

HTH

Rick


Hi Richard, thanks for your replies - rarely do people address each point or question posed especially when an item may not have been central to the main subject (my question about vty lines), so thank you.

If the vty line had an access-class defined, I am guessing it would show under the vty itself in sh run.  In either case there is no access-class info under the vty sections, just in the general config that I had attached here previously.

Something to add about this setup:  I used CP Express to initially get the router configured so it's using whatever the default Basic Firewall settings are, if that helps at all.

Also, I originally posted about one router in particular whilst the other ones I have were boxed still, but recently I've unboxed another one and have it here.  The only difference between this and the original live unit is that this 2nd one I've got here has a WAN IP assigned but no real connection - consequently for testing I just change my PC's IP to be that of the next hop IP for the ISP but it's all internal on my network.  Not even sure if that would work but I see no reason why not if it's just on the inside.  Here is the output as requested, coming from the router that is connected to the ISP.  To compare, I'll set my PC's IP to the ISP next hop and turn logging console 7 on on this new router and see if that gets the same results as below:

006358: May 23 13:20:56.057 PCTime: %FW-6-LOG_SUMMARY: 5 packets were dropped from xx.xx.xx.xx:22 => xx.xx.xx.xx:61729 (target:class)-(ccp-zp-self-out:ccp-icmp-access)

006358: May 23 13:20:56.057 PCTime: %FW-6-LOG_SUMMARY: 5 packets were dropped from xx.xx.xx.xx:22 => xx.xx.xx.xx:61729 (target:class)-(ccp-zp-self-out:ccp-icmp-access)

Colin

Thanks for the additional information. The log messages do seem to indicate that the traffic is being dropped by the inspection. And this suggests that the solution is to add something in the inspection rules that would allow SSH.

And yes if there were an access-class configured it would show up under the line vty configuration.

HTH

Rick


Hi!

I didn't really understand what you wanted to achieve, maybe because I didn't read through the whole conversation. But do you want to be able to SSH through the internet to your router or from the LAN?

Richard, no specifics? Am I being urged to look up my own IOS commands to add SSH to the inspection?  Well, I shall do so and post back.  Meanwhile...

Henrik, yes that is correct sir.  Because I come in from a dynamic IP, I will probably have to open my WAN side to allow SSH from any host as opposed to a specific host or IP.  Anyway, I will have to do my research - hopefully the answer is clear once I find it.

To open up your firewall for SSH from the internet, you need to add these lines:

class-map type inspect MANAGEMENT_CMAP
 match protocol ssh
policy-map type inspect ccp-permit
 class type inspect MANAGEMENT_CMAP
  pass

As you say, it's hard when you connect from a dynamic IP. But maybe there is a way, if you work with parameter-maps, but I haven't tested it.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
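A fuller version of that change, added here as an example and not taken from the thread or from Cisco's documentation: it opens SSH to the router's self zone with `inspect` rather than `pass`, so the router's own replies on port 22 belong to a tracked session instead of being evaluated by the self-to-outside policy that produced the drop messages above, and it tightens the SSH server at the same time. Only `ccp-permit` comes from the thread; `MGMT_SSH_ACL`, `MANAGEMENT_CMAP`, the timer values and the 203.0.113.10 address are placeholders.

```cisco
! Added example (not from the thread or Cisco docs): open SSH to the router's
! self zone in ZBF and harden the SSH server at the same time.
! ccp-permit is the policy name from the thread; MGMT_SSH_ACL, MANAGEMENT_CMAP,
! the timers and 203.0.113.10 (TEST-NET-3) are hypothetical placeholders.
!
! 1. SSH server hygiene: no SSHv1 fallback (the thread shows version 1.99)
!    and a 2048-bit host key instead of the 1024-bit one. The key command
!    asks for confirmation before replacing an existing key pair.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! 2. Optional source restriction for sites with a fixed management address.
!    An admin on a dynamic IP (as in the thread) would use
!    "permit tcp any any eq 22" here and rely on the login throttling below.
ip access-list extended MGMT_SSH_ACL
 permit tcp host 203.0.113.10 any eq 22
!
! 3. match-all: a packet must be SSH AND come from one of the ACL's sources.
class-map type inspect match-all MANAGEMENT_CMAP
 match access-group name MGMT_SSH_ACL
 match protocol ssh
!
! 4. Attach the class to the outside-to-self policy CCP already created.
!    "inspect" (not "pass") creates a stateful session, so the router's
!    replies (port 22 -> client high port) are accepted as part of that
!    session and are not evaluated, and dropped, by the self-to-outside
!    policy behind the %FW-6-LOG_SUMMARY messages. class-default stays last.
policy-map type inspect ccp-permit
 class type inspect MANAGEMENT_CMAP
  inspect
 class class-default
  drop log
!
! 5. Throttle password guessing on the now-reachable port and log failures.
login block-for 120 attempts 3 within 60
login on-failure log
!
! 6. vty lines: SSH only, local accounts (both already mentioned in the thread).
line vty 0 15
 transport input ssh
 login local
```

Verify with `show policy-map type inspect zone-pair sessions` while a connection is open: an inspected SSH session should appear there, and the self-out drop messages should stop.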

Will do, still need to test some things first ... CCP put 290 FW commands into the IOS so I'll get another router unboxed and try that.  Also been doing good reading from guides on ZBF so am learning now.

iPads suck for typing.

Sent from Cisco Technical Support iPad App