Cisco Support Community

New Member

how change ssh default port on router ?

I've made:

1- ip domain name sss

2- local username

3- crypto key generate rsa, then I chose 1024 bits

4- for line vty I put ===> transport input ssh

5- login local

But I want to ask how to change the port from 22 to another port?

regards

Accepted Solution
Cisco Employee

Re: how change ssh default port on router ?

Hello Inayath,

I am afraid this will not work. The ip port-map command is used by IP Inspect (the former CBAC) to define port-to-application mappings. However, it is not going to move your local SSH daemon to a different port.

What worked for me is this:

ip ssh port 2222 rotary 1
!
line vty 0 15
 rotary 1

This configuration assigns VTY lines 0 through 15 to rotary group 1, for which SSH can be reached on port 2222. SSH will still be listening on port 22 as well, so if this is not desired, an ACL will be necessary to prevent logging into the device using the ordinary port:

ip access-list extended DenyStdSSH
 deny tcp any any eq 22
 permit ip any any
!
line vty 0 15
 access-class DenyStdSSH in

Best regards,

Peter

10 REPLIES
Cisco Employee

how change ssh default port on router ?

I haven't tried this personally, but I could find this:

Can you issue this command?

sh ip port-map ssh

If you see port 22, you can change it like this:

ip port-map ssh port xyz

HTH, please rate if this helps


Re: how change ssh default port on router ?

Cisco Employee

Re: how change ssh default port on router ?

Hi John,

Thanks for joining. That blog basically describes the approach I have suggested myself, doesn't it?

Best regards,

Peter

Re: how change ssh default port on router ?

Yeah, you did. Sorry, I missed your response. I only saw the first response on my phone.

New Member

Re: how change ssh default port on router ?

Hi,

Thanks all,

I've changed the SSH port successfully.

Thanks a lot,

I'm a bit sad because my 2960G switch doesn't support the rotary SSH commands.

I don't know if the issue is from my IOS or from the platform.

My IOS version:

=======================================================

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
NS-Switch uptime is 22 weeks, 2 days, 14 hours, 14 minutes
System returned to ROM by power-on
System image file is "flash:/c2960-lanbasek9-mz.122-55.SE1.bin"

=======================================================

Regards

New Member

Re: how change ssh default port on router ?

Hi,

I am also not too sure why your 2960 wouldn't support the rotary SSH commands, because it seems to be a compatible IOS version.

The command history suggests it's been introduced in 12.2(2)T:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1056964

Maybe LAN Base? That's why?

Regards,
Anup

Don't forget to rate if you found this helpful!
New Member

Re: how change ssh default port on router ?

You may be correct, I think LAN Base doesn't support ip ssh port xx.

New Member

Guys here is a video i found

Guys, here is a video I found that summarises all the steps.

https://www.youtube.com/watch?v=9Dqcp7zS7zg

Good luck

New Member

Re: how change ssh default port on router and allow only specific IPs?

Enable SSH first:

ip domain-name Cisco.com
crypto key generate rsa

(use 1024 bit)

Use the rotary command first for the SSH port:

ip ssh port 8888 rotary 1

Create an access list to block the standard SSH port; if you want to allow only specific IPs, add them to the list too.

ip access-list ex SSH_PORT_IP_allow
 10 deny tcp any any eq 22
 20 permit tcp host 10.2.3.7 any eq 8888
 30 permit tcp host 10.2.3.9 any eq 8888
 40 permit tcp host 10.2.3.9 any eq 8888
 50 deny tcp any any eq 8888

Then apply on the VTY lines:

line vty 0 15
 access-class SSH_PORT_IP_allow in
 rotary 1
 transport input ssh
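As an added example (my own code, not from this thread or from Cisco), here is a small Python audit of the two recipes in this thread: the accepted answer's `ip ssh port ... rotary` plus the DenyStdSSH access-class, and the allow-list access-class from the post just above. It parses running-config text, then evaluates the vty access-class the way IOS does (first matching entry wins, implicit deny at the end) for a few source addresses, so you can confirm that port 22 is really closed and that the rotary port is open only to the hosts you meant. The two sample configs are constructed from the thread's snippets, the probe address 192.0.2.99 is made up, and the parser deliberately handles only `any`, `host` and wildcard sources and the `eq` port qualifier; it ignores the destination address, since on a vty that is the device itself.

```python
"""Audit a Cisco IOS config for a moved SSH port and evaluate its vty access-class."""
import re
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

# Constructed samples (not real device configs), modelled on the accepted answer and the last post.
ACCEPTED_ANSWER_CONFIG = """\
ip ssh port 2222 rotary 1
ip access-list extended DenyStdSSH
 deny tcp any any eq 22
 permit ip any any
line vty 0 15
 access-class DenyStdSSH in
 rotary 1
"""
ALLOW_LIST_CONFIG = """\
ip ssh port 8888 rotary 1
ip access-list extended SSH_PORT_IP_allow
 10 deny tcp any any eq 22
 20 permit tcp host 10.2.3.7 any eq 8888
 30 permit tcp host 10.2.3.9 any eq 8888
 50 deny tcp any any eq 8888
line vty 0 15
 access-class SSH_PORT_IP_allow in
 rotary 1
"""
UNLISTED_HOST = IPv4Address("192.0.2.99")  # constructed probe: a source no entry names

# One ACL entry: src is an IPv4Network or None for 'any'; dst_port is an int or None for any port.
Ace = namedtuple("Ace", "action proto src dst_port")

def parse_ace(line):
    """Parse one entry such as '10 deny tcp any any eq 22'; None for remarks and the like."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():  # optional sequence number
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    if tokens[2] == "any":
        src = None
    elif tokens[2] == "host":
        src = IPv4Network(tokens[3] + "/32")
    else:  # 'A.B.C.D WILDCARD': the IOS wildcard is an inverted netmask
        mask = str(IPv4Address(~int(IPv4Address(tokens[3])) & 0xFFFFFFFF))
        src = IPv4Network((tokens[2], mask), strict=False)
    # On a vty the destination is the device itself, so only the destination port matters.
    dst_port = int(tokens[-1]) if tokens[-2] == "eq" else None
    return Ace(tokens[0], tokens[1], src, dst_port)

def parse_config(text):
    """Pull the SSH rotary setting, named ACLs and vty settings out of running-config text."""
    cfg = {"ssh_port": None, "ssh_rotary": None, "acls": {}, "vty": {}}
    section = None  # ("acl", name) or ("vty",) while inside that sub-mode
    for raw in text.splitlines():
        line, parts = raw.strip(), raw.split()
        if not parts or line.startswith("!"):
            section = None
        elif (m := re.match(r"ip ssh port (\d+) rotary (\d+)", line)):
            cfg["ssh_port"], cfg["ssh_rotary"], section = int(m[1]), int(m[2]), None
        elif line.lower().startswith("line vty"):
            section = ("vty",)
        elif line.startswith("ip access-list"):
            section = ("acl", parts[-1])
            cfg["acls"][parts[-1]] = []
        elif section == ("vty",) and parts[0] == "rotary":
            cfg["vty"]["rotary"] = int(parts[1])
        elif section == ("vty",) and parts[0] == "access-class" and parts[-1] == "in":
            cfg["vty"]["access_class"] = parts[1]
        elif section and section[0] == "acl" and (ace := parse_ace(line)):
            cfg["acls"][section[1]].append(ace)
    return cfg

def acl_permits(acl, src, dst_port, proto="tcp"):
    """IOS ACL semantics: the first matching entry decides; no match is an implicit deny."""
    for ace in acl:
        if ace.proto in (proto, "ip") and (ace.src is None or src in ace.src) \
                and ace.dst_port in (None, dst_port):
            return ace.action == "permit"
    return False

def audit(text, candidates=()):
    """Report what the setup really exposes; candidates are source addresses to test."""
    cfg = parse_config(text)
    port, vty = cfg["ssh_port"], cfg["vty"]
    # No access-class on the vty lines (or one naming an undefined ACL) filters nothing: permit-all.
    acl = cfg["acls"].get(vty.get("access_class"), [Ace("permit", "ip", None, None)])
    return {
        "rotary_port": port,
        "vty_in_rotary_group": port is not None and vty.get("rotary") == cfg["ssh_rotary"],
        # 'ip ssh port ... rotary' leaves port 22 listening; only the access-class closes it.
        "default_port_blocked": not acl_permits(acl, UNLISTED_HOST, 22),
        "rotary_port_open_to_unlisted": bool(port) and acl_permits(acl, UNLISTED_HOST, port),
        "rotary_port_allowed_from": [c for c in candidates if port and acl_permits(acl, IPv4Address(c), port)],
    }

if __name__ == "__main__":
    for label, text in (("accepted answer", ACCEPTED_ANSWER_CONFIG), ("allow list", ALLOW_LIST_CONFIG)):
        print(label, audit(text, ["10.2.3.7", "10.2.3.8", "10.2.3.9"]))
```

Running `audit(ALLOW_LIST_CONFIG, ["10.2.3.7", "10.2.3.8", "10.2.3.9"])` reports the default port blocked, the rotary port closed to unlisted sources, and only 10.2.3.7 and 10.2.3.9 permitted. The same call on `ACCEPTED_ANSWER_CONFIG` shows the other half of Peter's note: port 22 is blocked, but `permit ip any any` leaves port 2222 reachable from anywhere, which is fine if all you wanted was to move the port and not if you wanted to restrict who can reach it. Paste your own `show running-config` output in place of the samples to check a real device.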
