big_daddy_pimp

asked on

Cisco 877 Logon Issues

I have a Cisco 877 which has been running on site for about 12 months. I have tried logging in on a few occasions via HTTP, HTTPS, SSH and Telnet, all with no luck. I have plugged the cable into the console and connected via a terminal session. I cannot log on.
It just gives me yourname# ?
Unsure what is causing this; need help. I have to make some changes.

Big_Daddy
GJHopkins

The hash prompt would indicate you are connected via the console. What happens if you type any commands at this prompt, for example show run?
Changed my mind; looks like you have the bug described here:

http://www.cisco.com/en/US/ts/fn/620/fn62758.html

You will need to run a password recovery procedure, which is detailed in the above link.
Justin Ellenbecker
Normally the # means enabled or privileged mode; you will get this whether you telnet or are connected via console. Like on my router it's routername> until you enter enable, then it becomes routername#. As Hopkins mentioned, try a show run, which is a privileged command; it may error. If it does, try a show ver, which should work, or even a show clock. You should always be able to do a show clock.
big_daddy_pimp

ASKER

It brings up at the console login yourname>
enable brings up yourname#
show clock works; it displays the clock, but the date and time are incorrect unless we are still in 2002.
show ver works.
show run works.
How do I log in? I have tried password recovery and it hasn't made any difference.

Not sure what to do from here..

Big_Daddy

If show run works, you are already logged in with privileges. If you cannot log in remotely, it is either because you haven't set the vty lines to login or the original access list that is on all ISR routers by default is still in place.

Try a

router#sh run | b line vty

If there is an access-class, remove it.

access-class 23 is the default, I recall.

You can set login local and add a username and password thus:


line vty 0 4
 login local
 transport input telnet    (or ssh if you prefer)

username fred password flintstone

       


ASKER CERTIFIED SOLUTION
Justin Ellenbecker
This solution is only available to members.
Hi guys. Hope this is enough.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone Brisban 10
!
crypto pki trustpoint TP-self-signed-2265340100
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2265340100
 revocation-check none
 rsakeypair TP-self-signed-2265340100
!
!
crypto pki certificate chain TP-self-signed-2265340100
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323635 33343031 3030301E 170D3032 30333031 30353237
  31365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32363533
  34303130 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AF1C 00079F9D 05E15D84 A2153E21 AB00C054 413EAEE5 3C828268 2214DAA2
  FCD223DA 4C6F27B3 C885B87C 6106E4DB 23F2E87A 8CF9412D 0C66B961 B6A82D9A
  E7DF97A3 B96A76DF D8D321A2 2643FFFF 193DAA4B CF788269 1C5B0413 455A1855
  6950143F D770B8D5 FF65934E BB613C18 EAEBCA4C 60F55797 6BC2D1A4 05CD9248
  F5530203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14DE9CE7 D7C7E621 E13B98CF DC7DCAD2 C4F92A21
  AB301D06 03551D0E 04160414 DE9CE7D7 C7E621E1 3B98CFDC 7DCAD2C4 F92A21AB
  300D0609 2A864886 F70D0101 04050003 81810063 AF55832C 0FE0B6E8 E8E3A528
  4F671994 56A932AD 9F6440F5 79BFE04C CE79EF15 5E8A9DA4 1206A144 C615F54E
  F3526F85 ABD24F63 79A2A65D C03FB509 8B69CEFF AFE885CE A20C0CB7 4B45B836
  0F17FE85 0BF32342 8A4EBF02 AFC97207 C3AE15B8 884544C0 37965BF7 5BFC3393
  88AC0E84 3D9B9763 8E0D612A F4596043 14FF45
        quit
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.1 192.168.0.5
ip dhcp excluded-address 192.168.0.21 192.168.0.254
!
ip dhcp pool sdm-pool
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 203.12.160.35
   lease 3 2
!
!
no ip domain lookup
ip domain name yourdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username brett privilege 15 secret 5 $1$uKWj$M0hRrhAgP5rFkccxrI.UM1
username vpnuser password 0 password
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password123456789 address 60.242.11.224 no-xauth
crypto isakmp keepalive 10
!
crypto isakmp client configuration group VPNCLIENT
 key cisco123
 pool ippool
 acl 110
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-SHA
!
!
crypto map SDM_CMAP_1 client authentication list userauthen
crypto map SDM_CMAP_1 isakmp authorization list groupauthor
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to60.242.11.224
 set peer 60.242.11.224
 set transform-set ESP-3DES-SHA
 match address 100
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 105
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_VPN_PT
 match protocol isakmp
 match protocol ipsec-msft
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 103
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 102
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect sdm-access
  inspect
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 106 in
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname adsl
 ppp chap password 0 ####
 ppp pap sent-username adsl password 0 ####
 crypto map SDM_CMAP_1
!
ip local pool ippool 172.168.10.1 172.168.10.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.8
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.7
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.7
access-list 101 deny   ip 192.168.0.0 0.0.0.255 172.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip any any
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip host 60.242.11.224 any
access-list 105 remark SDM_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.0 0.0.0.7 192.168.0.0 0.0.0.255
access-list 105 permit ip 172.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 106 remark Auto generated by SDM Management Access feature
access-list 106 remark SDM_ACL Category=1
access-list 106 permit tcp host 192.168.0.8 host 192.168.0.1 eq telnet
access-list 106 permit tcp host 203.167.75.41 host 192.168.0.1 eq telnet
access-list 106 permit tcp host 192.168.0.8 host 192.168.0.1 eq 22
access-list 106 permit tcp host 203.45.9.210 host 192.168.0.1 eq 22
access-list 106 permit tcp host 210.185.120.18 host 192.168.0.1 eq 22
access-list 106 permit tcp host 192.168.0.8 host 192.168.0.1 eq www
access-list 106 permit tcp host 192.168.0.8 host 192.168.0.1 eq 443
access-list 106 permit tcp host 192.168.0.8 host 192.168.0.1 eq cmd
access-list 106 deny   tcp any host 192.168.0.1 eq telnet
access-list 106 deny   tcp any host 192.168.0.1 eq 22
access-list 106 deny   tcp any host 192.168.0.1 eq www
access-list 106 deny   tcp any host 192.168.0.1 eq 443
access-list 106 deny   tcp any host 192.168.0.1 eq cmd
access-list 106 deny   udp any host 192.168.0.1 eq snmp
access-list 106 permit ip any any
access-list 107 remark Auto generated by SDM Management Access feature
access-list 107 remark SDM_ACL Category=1
access-list 107 permit ip host 192.168.0.8 any
access-list 107 permit ip host 203.167.75.41 any
access-list 107 permit ip host 203.45.9.210 any
access-list 107 permit ip host 210.185.120.18 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 172.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 107 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end
yourname#
line vty 0 4
 access-class 107 in
 privilege level 15
 transport input telnet ssh

This is limiting your access to:
access-list 107 remark Auto generated by SDM Management Access feature
access-list 107 remark SDM_ACL Category=1
access-list 107 permit ip host 192.168.0.8 any
access-list 107 permit ip host 203.167.75.41 any
access-list 107 permit ip host 203.45.9.210 any
access-list 107 permit ip host 210.185.120.18 any

To remove this:

line vty 0 4
no access-class 107 in


But you ought to add some security:

line vty 0 4
login local

and then use:

username brett privilege 15 secret XXXXXXXXXXXXXX


or any other users you wish to add. Ideally, replace access list 107 with the range of addresses you want to allow access from.

Hi GJ,

I'm not very good with the CLI. I managed to get most of it working via the SDM last time I used it.
Can you step me through the commands: which commands do I have to enter to get where I am supposed to be to make the changes?
Cheers,

Big_daddy
SOLUTION
This solution is only available to members.
Sorry, bad pasting.

conf t
line vty 0 4
no access-class 107 in
login local
end
wr


When I type in login local it gives me "Invalid input detected"?

Not sure why.

Big_Daddy
Yes, sorry, I didn't notice that you had AAA authentication active with the lines

aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!

so the command you need is:


conf t
line vty 0 4
login authentication userauthen
end
wr
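The two checks this thread walks through, the vty access-class that GJHopkins points at in the earlier answer and the AAA-aware login command in the post above, as an added Python example that is not code from the thread, from Experts Exchange or from Cisco. It parses a constructed excerpt modelled on the running-config pasted earlier (the ACL 107 hosts and the userauthen list are taken from that paste; everything else is trimmed), reports what is gating remote logins, and emits the corrected line vty stanza. The class and function names are the example's own.

```python
"""Audit why a remote CLI login to an IOS router may be refused.
Added example, not from the thread or from Cisco: parses a constructed
config excerpt and checks the vty access-class and the login command
that is valid once 'aaa new-model' is enabled."""
from dataclasses import dataclass, field

# Constructed excerpt modelled on the running-config pasted in the thread
SAMPLE_CONFIG = """\
aaa new-model
!
aaa authentication login userauthen local
!
access-list 107 remark Auto generated by SDM Management Access feature
access-list 107 permit ip host 192.168.0.8 any
access-list 107 permit ip host 203.167.75.41 any
!
line con 0
 no modem enable
line vty 0 4
 access-class 107 in
 privilege level 15
 transport input telnet ssh
"""


@dataclass
class IosConfig:
    aaa_new_model: bool = False
    login_lists: dict = field(default_factory=dict)  # AAA list name -> methods
    acls: dict = field(default_factory=dict)         # ACL id -> permit/deny entries
    vty_header: str = "line vty 0 4"
    vty_lines: list = field(default_factory=list)    # sub-commands of the vty stanza


def parse_config(text: str) -> IosConfig:
    """Top-level commands have no indent, sub-commands one space; collect what the audit needs."""
    cfg = IosConfig()
    stanza = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            stanza = raw.strip()
            words = stanza.split()
            if stanza == "aaa new-model":
                cfg.aaa_new_model = True
            elif stanza.startswith("aaa authentication login "):
                cfg.login_lists[words[3]] = words[4:]
            elif words[0] == "access-list" and len(words) > 2 and words[2] != "remark":
                cfg.acls.setdefault(words[1], []).append(" ".join(words[2:]))
            elif stanza.startswith("line vty"):
                cfg.vty_header = stanza
        elif stanza is not None and stanza.startswith("line vty"):
            cfg.vty_lines.append(raw.strip())
    return cfg


def vty_setting(cfg: IosConfig, keyword: str):
    # First vty sub-command starting with keyword, or None
    return next((line for line in cfg.vty_lines if line.startswith(keyword)), None)


def audit_vty(cfg: IosConfig) -> list:
    # Findings to read before changing the lines
    findings = []
    access_class = vty_setting(cfg, "access-class")
    if access_class:
        acl_id = access_class.split()[1]
        entries = cfg.acls.get(acl_id) or ["(no entries: all sources denied)"]
        findings.append(f"access-class {acl_id} restricts vty logins to: " + "; ".join(entries))
    login = vty_setting(cfg, "login")
    if cfg.aaa_new_model and login == "login local":
        findings.append("'login local' is rejected under 'aaa new-model'; use 'login authentication <list>'")
    elif cfg.aaa_new_model and login is None:
        findings.append("no 'login authentication' on vty; the AAA 'default' list applies and is not defined here")
    elif not cfg.aaa_new_model and login != "login local":
        findings.append("no 'login local' on vty; remote logins will not check the local username database")
    if "telnet" in (vty_setting(cfg, "transport input") or ""):
        findings.append("telnet is enabled on vty; credentials cross the network in cleartext, prefer ssh only")
    return findings


def recommended_vty_stanza(cfg: IosConfig) -> list:
    """Stanza the thread ends with: drop the SDM access-class, authenticate via a local AAA list (or 'login local' without AAA)."""
    lines = [cfg.vty_header]
    if cfg.aaa_new_model:
        name = next((n for n, m in cfg.login_lists.items() if "local" in m), "default")
        lines.append(f" login authentication {name}")
    else:
        lines.append(" login local")
    lines += [" " + line for line in cfg.vty_lines if not line.startswith(("access-class", "login"))]
    return lines


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for finding in audit_vty(cfg):
        print("-", finding)
    print("\n".join(recommended_vty_stanza(cfg)))
```

Paste the output of show run into SAMPLE_CONFIG to run it against a real box. The recommended stanza drops the access-class because that is what the thread does; as the earlier answer also says, the better end state is an access-class that lists only your own management addresses, since a vty line with no access-class accepts connections from any reachable source.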




Still not resolved; have a workaround for the time being. Nothing I tried resolved the issue.