New Member

SSH and telnet port open

hello I have a question know there sometimes someone how you the port of SSH and telnet putting on Cisco 800 series

who can help me please

22 REPLIES
Hall of Fame Super Gold

Re: SSH and telnet postages open

Postages ???


Use English, or you will not be understood.

New Member

Re: SSH and telnet porting open

postages > poort

Hall of Fame Super Gold

Re: SSH and telnet porting open

That's not English either.

New Member

Re: SSH and telnet porting open

poort > port

Hall of Fame Super Gold

Re: SSH and telnet porting open

And your question/problem is what exactly?

New Member

Re: SSH and telnet porting open

The problem is how can you open the port for ssh and telnet resident ?

Hall of Fame Super Gold

Re: SSH and telnet porting open

What are you trying to do? "open port" does not mean anything.

New Member

Re: SSH and telnet porting open

open port for ssh and telnet ?

Hall of Fame Super Gold

Re: SSH and telnet porting open

I gave up, it is impossible to understand what you want.

New Member

Re: SSH and telnet porting open

sorry that you can understand me not well but I am simply of Belgium I want the port for telnet and open SSH on the router

sorry

Cisco Employee

Re: SSH and telnet porting open

If you are trying to CONNECT to a router using SSH or Telnet, you want to use the "transport input" command to indicate what protocols may be used to connect to the router.  Example:

line vty 0 5  !(or whatever range you like)
 transport input telnet ssh  !(name both protocols in one command; a second "transport input" command replaces the first)

Telnet uses TCP port 23, SSH uses TCP port 22, so if you use access-lists you need to open the ports.

You need to enable some form of login credential checking, or connections will not be allowed.

SSH config notes:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Tips on Telnet Configuration:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_example09186a0080202614.shtml

New Member

Re: SSH and telnet porting open

how can you set up access-list for telnet and SSH?

Cisco Employee

Re: SSH and telnet porting open

There are two options:

1) If you want to RESTRICT PACKETS at the router, you can use access-list + access-group on the interfaces.

2) If you want to RESTRICT CONNECTIONS you can use access-list and access-class on the vtys

If you are just trying to limit which IP addresses are allowed to connect, (2) is the best practice.  If you have greater paranoia and don't even want to see connection attempts reach the OS from disallowed IP addresses, (1) is the way to go, but is not the best practice.

You may want to read http://articles.techrepublic.com.com/5100-10878_11-1052538.html.

When you use the access-class command, it applies to all incoming transports, including SSH and telnet.
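
The two options from this reply, together with the "transport input" and login points from the earlier reply, written out as IOS configuration. This is an added example, not configuration posted in the thread. It assumes a router without a zone-based firewall; the management range 192.0.2.0/24, ACL numbers 10 and 110, the user name, and the WAN interface FastEthernet4 are placeholders.

```cisco
! Added example, not from the thread. Addresses, ACL numbers, user name
! and interface name are assumed placeholders.
!
! Credential checking: "login local" on the vtys needs a local user.
username admin secret <CHOOSE-A-PASSWORD>
!
! --- Option 2: restrict CONNECTIONS on the vtys (access-class) ---
access-list 10 remark hosts allowed to open a vty session
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 ! SSH only; use "transport input telnet ssh" only if telnet is really needed
 transport input ssh
 login local
!
! --- Option 1: restrict PACKETS on the interface (access-group) ---
! Disallowed sources are dropped at the WAN interface, before the
! connection attempt reaches the vty process.
access-list 110 permit tcp 192.0.2.0 0.0.0.255 any eq 22
access-list 110 deny   tcp any any eq 22 log
access-list 110 deny   tcp any any eq 23 log
access-list 110 permit ip any any
!
interface FastEthernet4
 ip access-group 110 in
```

With option 2 the same ACL covers every incoming transport on the vtys, so adding telnet later does not need a second list; with option 1 each management port has to be listed in the interface ACL.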

New Member

Re: SSH and telnet porting open

That has already been done, but if I want to log in remotely on the Cisco I get the report "time out".

Cisco Employee

Re: SSH and telnet porting open

Maybe you want to share the relevant portions of your configuration?  It sounds like you are saying you have set up something (what?) and now cannot connect with SSH or telnet. Can you connect if there are no restrictions set up at all?

You may want to post a detailed description in French or Dutch (Flemish?) and see if we can use Google Translate or Babel Fish to understand the detail.

New Member

Re: SSH and telnet porting open

Yes, that is fine, this is my running-config.

Can you let me know if something is wrong, please?

Thanks in advance.

Cisco Employee

Re: SSH and telnet porting open

So, the goal is to connect to the router using the SSH protocol, right?

1) Can you connect with SSH at all?

2) Are you trying to connect on the LAN side or the WAN side?

3) What happens when you try to connect?

4) What do you want to happen?

New Member

Re: SSH and telnet porting open

1) Yes, SSH works.

2) I am trying SSH from the WAN side.

3) I want to be able to log in remotely to the router, with both SSH and telnet.

4) I want to work on the router from another network.

Cisco Employee

Re: SSH and telnet porting open

OK, got it.  You want to ALLOW remote connection from SSH and/or telnet.

Right now, your configuration is using NAT and zone-based firewall (ZBFW).

Are you using SDM or CCP to configure the device?

The configuration seems correct, but I am not a ZBFW expert.

Looking at https://supportforums.cisco.com/thread/2012714, it seems like you may need to allow SSH and telnet in the "source self destination out-zone" path:

zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit

Your self to out path doesn't allow SSH and telnet.

policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass

WARNING:  this is just a guess.  Ask over in the Firewall group.

New Member

Re: SSH and telnet porting open

I use CCP.

Cisco Employee

Re: SSH and telnet porting open

I don't use CCP, but try asking in the firewalls forum.  It seems to be a firewall issue.

New Member

Re: SSH and telnet porting open

I use the CLI, sometimes CCP,

because you can do more in the CLI.
