changing ssh port?

donny
Level 1

I'm trying to change the SSH port on my Cisco 850 (IOS v12.4(4)T4).

I found the following instructions: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804831de.html#wp1020480

But the more I read on this, the more I think that is just talking about reverse SSH.

I want to change the port the router listens for SSH sessions on. Is this possible? Should I just forward an outside port to the internal IP address on port 22?

Accepted Solution

vsurillo
Level 1

I have a Cisco 800 Series router running 12.3(7)T7 and have been successful in changing my SSH port using something similar to the information provided in the link that you referenced.

I don't recall where I found the config info, but here it is:

Router(config)# ip ssh port 2229 rotary 62
Router(config)# access-list 129 permit tcp x.x.x.x 0.0.0.x any eq 2229
Router(config)# line vty 0 4
Router(config-line)# access-class 129 in

The first line sets the SSH port to 2229 -- pick any port that doesn't conflict with something important.

The rotary group is arbitrary and is NOT tied to a specific VTY line number.

The access list prevents any other ports from accessing the router -- fill in the appropriate subnet and wildcard mask.

That's all there is to it. I've tried several simultaneous sessions using the same port number without a problem.

The one thing to watch out for is AAA. If you follow the example shown in your link using the statement "login authentication default", you must enable AAA using "aaa new-model" and follow with a command specifying where the password(s) will be checked.

This could be "aaa authentication login default group tacacs+ local" if you're using a TACACS+ server with a fallback to the local database on the router, or something as simple as "aaa authentication login default local" to use the local database on the router.

Hope this helps!!

Please provide feedback so that I know whether or not this worked for you.

Thanks!

vrs


That did it! Thanks a bunch!

I was trying to issue the 'rotary 1' command from the example in 'line vty 0 4' and it would give this error: "X121 address and queued type can not be configured on the same rotary group", which had me all confused!

But now I get it, thanks again!

Glad to be of help.

Thanks for the feedback -- it's good to know when something works.

vrs