_valkyrie_ asked:
Copy IOS config across VPN via SCP

I am having an issue copying files via SCP over our VPN. I can do it locally from the same network, no problem. However if I want to backup remote site configs, the remote router isn't able to connect to my SCP server.

Local subnet: 192.168.1.0/24
Remote subnet: 192.168.0.0/24

Local SCP server: 192.168.1.149
Remote router: 192.168.0.254

If I ping the SCP server from the remote router, it cannot contact it unless I specify that it use the inside interface (F0/0.1), then it works. So I assume the copy command is trying to copy over the wrong interface, but I don't see that as an option to specify in the command. Is there maybe a route that I need to configure or something I can do to make this work?
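Why the copy fails only from the remote router, and what the source-interface command changes, as an added example (editor's illustration, not from the thread). Interface names and addresses are the ones in the posted config; the SCP username and destination path are assumed.

```ios
! Added example, not part of the original post.
!
! Router-originated sessions (SSH/SCP client, ping, syslog) normally use the
! address of the egress interface, here the WAN address on FastEthernet0/1.
! That source does not fall inside the crypto map ACL, which only matches
! 192.168.0.0/24 and 10.1.15.0/24 -> 192.168.1.0/24, so the SSH packets are not
! encrypted into the tunnel: they follow the default route toward the ISP,
! where 192.168.1.149 is unroutable private space. The LAN ping only works
! with "source" for the same reason.
!
! Sourcing the SSH client from the LAN sub-interface makes the packets
! 192.168.0.254 -> 192.168.1.149, which matches the ACL and rides the IPsec SA.
ip ssh version 2
ip ssh source-interface FastEthernet0/0.1
!
! Syslog to 192.168.1.167 has the same problem and the same fix:
logging source-interface FastEthernet0/0.1
!
! Checks from exec mode: the sourced ping should succeed and the encap
! counters on the SA toward 192.168.1.0/24 should increase while it runs.
!   ping 192.168.1.149 source FastEthernet0/0.1
!   show crypto ipsec sa | include pkts encaps
!
! The copy is then sourced correctly. Let the router prompt for the password
! instead of embedding it in the URL, where it would land in the command
! history and in the config-change log.
!   copy running-config scp://backup@192.168.1.149//sdcard/scp/Cisco/configs/O2345835-confg
```

`ip ssh source-interface` only affects sessions the router initiates; it does not change which interfaces accept inbound SSH.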
Ernie Beek replied:
Well, it would be easier if you were willing to post a sanitized config over here.
Otto_N posted the accepted solution (its text is not available on this page).
_valkyrie_ (asker) replied:
I added the source interface command and now it connects but I get this error:

%Error writing scp://*****@192.168.1.149//sdcard/scp/Cisco/configs/O2345835-confg-2011-03-15-1 (Protocol error)

I do see it attempting to connect on the SCP server but it says "exit before auth: Exited normally" in the SCP server log. Any ideas for this? The SCP server is QuickSSHd on Android and authentication works fine for the local Cisco IOS equipment.

I'll post a sanitized config shortly.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname O2345835
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
!
aaa session-id common
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
ip inspect name inspect-basic cuseeme
ip inspect name inspect-basic dns
ip inspect name inspect-basic ftp
ip inspect name inspect-basic h323
ip inspect name inspect-basic icmp
ip inspect name inspect-basic imap
ip inspect name inspect-basic pop3
ip inspect name inspect-basic netshow
ip inspect name inspect-basic rcmd
ip inspect name inspect-basic realaudio
ip inspect name inspect-basic rtsp
ip inspect name inspect-basic esmtp
ip inspect name inspect-basic sqlnet
ip inspect name inspect-basic streamworks
ip inspect name inspect-basic tftp
ip inspect name inspect-basic tcp
ip inspect name inspect-basic udp
ip inspect name inspect-basic vdolive
ip inspect name inspect-basic https
no ip bootp server
ip domain name <removed>
!
multilink bundle-name authenticated
!
!
!
!
!
username <removed>

archive
 log config
  hidekeys
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2  
!
crypto isakmp policy 11
 encr aes
 authentication pre-share
 group 2
crypto isakmp key <removed>
!
crypto isakmp client configuration group <removed>
 <removed>
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac 
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 3600
 set transform-set ESP-3DES-MD5 
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description VPN to <removed>
 set peer <removed>
 set transform-set esp-aes-sha 
 match address acl-vpn-<removed>
crypto map SDM_CMAP_1 <removed>
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!         
!
!
ip tcp synwait-time 10
ip ssh port <removed> rotary 1
ip ssh source-interface FastEthernet0/0.1
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description LAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0.1
 description LAN (Office)
 encapsulation dot1Q 1 native
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/0.11
 description LAN (FactoryFloor)
 encapsulation dot1Q 11
 ip address 10.1.15.254 255.255.255.0
 no cdp enable
!
interface FastEthernet0/1
 description WAN
 ip address <removed> 255.255.255.240
 ip access-group acl-wan-in in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip inspect inspect-basic out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.251.10 192.168.251.250
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <removed>
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat service list acl-ftp-<removed> ftp tcp port <removed>
ip nat inside source route-map rm-block-vpn-on-nat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.2 <removed> <removed> <removed> extendable
!
ip access-list extended acl-block-vpn
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   <removed>
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended acl-ftp-pasv
 permit tcp any host 192.168.0.2 range 7200 7400
ip access-list extended acl-ftp-<removed>
 permit ip host 192.168.0.2 any
ip access-list extended acl-vpn-<removed>
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.1.15.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended acl-wan-in
 permit udp any host <removed> eq non500-isakmp
 permit udp any host <removed> eq isakmp
 permit esp any host <removed>
 permit ahp any host <removed>
 permit tcp any host <removed> eq <removed>
<removed>
 deny   ip any any log
!         
logging 192.168.1.167
<removed>
no cdp run
          
!
!
!
route-map rm-block-vpn-on-nat permit 1
 match ip address acl-block-vpn acl-ftp-pasv
!
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 rotary 1
 transport input ssh
!         
scheduler allocate 20000 1000
end


I'm not that familiar with IPsec VPNs, but a protocol error might mean different settings. For your local router this is not an issue, as it does not go through the crypto map and can auto-negotiate something like the SSH version. But it might be a problem for your remote side. But as I said, I might be way off track.

Also, see if it works if you send your password with the command: Use "copy run scp://<Username>:<Password>@<Host>/<Path>".
That also fails, same error.
This solves my original question, even though my original intent doesn't quite work.

SCP does work over the VPN using SCP commands in Linux now because of this. So I'm changing my intent to pull configurations rather than push them from the routers. I'll just script this or write a quick Android app to pull them from all of our equipment (50+ devices).

Thanks for the help!
If you want to initiate the SCP session from the Linux machine to the Router (irrespective of the direction the data travels), you're expecting the router to be an SCP Server.  You can look at this web-site to see how to do it: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_copy.html

Perhaps you don't have to write that app...
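Pulling the configs from the Linux side, as an added example (editor's script, not from the thread or from Cisco). It assumes each router has been set up as an SCP server as the linked document describes (`ip scp server enable`, AAA exec authorization such as `aaa authorization exec default local`, and a privilege-15 user; the username `backup` is assumed), that the IOS SCP server serves the running config under the path `running-config`, and that the routers' host keys were collected beforehand into a pinned known_hosts file. It also assumes key-based authentication is available; the posted router runs 12.4, which predates IOS public-key user authentication (`ip ssh pubkey-chain`), so on such releases supply the password out of band (an askpass helper, or sshpass reading a root-only file) rather than on the command line.

```shell
#!/bin/sh
# Added example, not part of the original thread. Pulls running-configs from
# a list of IOS routers that run "ip scp server enable". Assumed: the user
# "backup" exists with privilege 15, host keys are pinned in KNOWN_HOSTS, and
# key-based auth works (otherwise wrap the scp call with an askpass helper).
set -eu

SCP_USER="${SCP_USER:-backup}"                        # assumed AAA username
KNOWN_HOSTS="${KNOWN_HOSTS:-./router_known_hosts}"    # pinned router host keys
BACKUP_DIR="${BACKUP_DIR:-./configs}"

# backup_name HOSTNAME DATE -> file name in the style the asker used
backup_name() {
    printf '%s-confg-%s\n' "$1" "$2"
}

# valid_config FILE -> 0 if FILE looks like a complete IOS config, else 1.
# Prevents an empty or truncated transfer from overwriting a good backup.
valid_config() {
    [ -s "$1" ] || return 1
    grep -q '^version ' "$1" && grep -q '^end$' "$1"
}

# pull_config HOSTNAME ADDRESS -> copies running-config into BACKUP_DIR
pull_config() {
    name=$1; addr=$2
    out="$BACKUP_DIR/$(backup_name "$name" "$(date +%Y-%m-%d)")"
    tmp="$out.part"
    # StrictHostKeyChecking=yes with a pinned known_hosts: a changed or unknown
    # key aborts instead of silently trusting whatever answers on the VPN.
    # BatchMode=yes: fail fast rather than hang on an interactive prompt.
    scp -q -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o BatchMode=yes "$SCP_USER@$addr:running-config" "$tmp"
    if valid_config "$tmp"; then
        mv "$tmp" "$out"
        echo "ok   $name -> $out"
    else
        rm -f "$tmp"
        echo "FAIL $name: transfer did not yield an IOS config" >&2
        return 1
    fi
}

# main DEVICE_LIST: one "hostname address" per line, '#' comments allowed.
# Keeps going after a failure and exits non-zero if any device failed.
main() {
    mkdir -p "$BACKUP_DIR"
    failed=0
    while read -r name addr; do
        case "$name" in ''|'#'*) continue ;; esac
        pull_config "$name" "$addr" || failed=$((failed + 1))
    done < "$1"
    [ "$failed" -eq 0 ]
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh pull-configs.sh devices.txt`, where `devices.txt` holds lines such as `O2345835 192.168.0.254`. The saved files contain the routers' `enable secret` hashes and type-7 passwords, so keep `BACKUP_DIR` readable only by the backup account.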