Copy IOS config across VPN via SCP

Posted on 2011-03-15
Last Modified: 2012-08-13
I am having an issue copying files via SCP over our VPN. I can do it locally from the same network, no problem. However, if I want to back up remote site configs, the remote router isn't able to connect to my SCP server.

Local subnet: 192.168.1.0/24
Remote subnet: 192.168.0.0/24

Local SCP server: 192.168.1.149
Remote router: 192.168.0.254

If I ping the SCP server from the remote router, it cannot contact it unless I specify that it use the inside interface (F0/0.1), then it works. So I assume the copy command is trying to copy over the wrong interface, but I don't see that as an option to specify in the command. Is there maybe a route that I need to configure or something I can do to make this work?
Question by:_valkyrie_
8 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35139140
Well it would be easier if you were willing to post a sanitized config over here.
 
LVL 14

Accepted Solution

by:
Otto_N earned 500 total points
ID: 35139143
Configure "ip ssh source-interface Fa0/0.1", as this will ensure that the SSH session is established from this interface, which can reach your server.
 
LVL 2

Author Comment

by:_valkyrie_
ID: 35139301
I added the source interface command and now it connects but I get this error:

%Error writing scp://*****@192.168.1.149//sdcard/scp/Cisco/configs/O2345835-confg-2011-03-15-1 (Protocol error)

I do see it attempting to connect on the SCP server but it says "exit before auth: Exited normally" in the SCP server log. Any ideas for this? The SCP server is QuickSSHd on Android and authentication works fine for the local Cisco IOS equipment.

I'll post a sanitized config shortly.
 
LVL 2

Author Comment

by:_valkyrie_
ID: 35139375
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname O2345835
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
!
aaa session-id common
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
ip inspect name inspect-basic cuseeme
ip inspect name inspect-basic dns
ip inspect name inspect-basic ftp
ip inspect name inspect-basic h323
ip inspect name inspect-basic icmp
ip inspect name inspect-basic imap
ip inspect name inspect-basic pop3
ip inspect name inspect-basic netshow
ip inspect name inspect-basic rcmd
ip inspect name inspect-basic realaudio
ip inspect name inspect-basic rtsp
ip inspect name inspect-basic esmtp
ip inspect name inspect-basic sqlnet
ip inspect name inspect-basic streamworks
ip inspect name inspect-basic tftp
ip inspect name inspect-basic tcp
ip inspect name inspect-basic udp
ip inspect name inspect-basic vdolive
ip inspect name inspect-basic https
no ip bootp server
ip domain name <removed>
!
multilink bundle-name authenticated
!
!
!
!
!
username <removed>

archive
 log config
  hidekeys
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2  
!
crypto isakmp policy 11
 encr aes
 authentication pre-share
 group 2
crypto isakmp key <removed>
!
crypto isakmp client configuration group <removed>
 <removed>
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac 
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 3600
 set transform-set ESP-3DES-MD5 
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description VPN to <removed>
 set peer <removed>
 set transform-set esp-aes-sha 
 match address acl-vpn-<removed>
crypto map SDM_CMAP_1 <removed>
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!         
!
!
ip tcp synwait-time 10
ip ssh port <removed> rotary 1
ip ssh source-interface FastEthernet0/0.1
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description LAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0.1
 description LAN (Office)
 encapsulation dot1Q 1 native
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/0.11
 description LAN (FactoryFloor)
 encapsulation dot1Q 11
 ip address 10.1.15.254 255.255.255.0
 no cdp enable
!
interface FastEthernet0/1
 description WAN
 ip address <removed> 255.255.255.240
 ip access-group acl-wan-in in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip inspect inspect-basic out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.251.10 192.168.251.250
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <removed>
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat service list acl-ftp-<removed> ftp tcp port <removed>
ip nat inside source route-map rm-block-vpn-on-nat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.2 <removed> <removed> <removed> extendable
!
ip access-list extended acl-block-vpn
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   <removed>
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended acl-ftp-pasv
 permit tcp any host 192.168.0.2 range 7200 7400
ip access-list extended acl-ftp-<removed>
 permit ip host 192.168.0.2 any
ip access-list extended acl-vpn-<removed>
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.1.15.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended acl-wan-in
 permit udp any host <removed> eq non500-isakmp
 permit udp any host <removed> eq isakmp
 permit esp any host <removed>
 permit ahp any host <removed>
 permit tcp any host <removed> eq <removed>
<removed>
 deny   ip any any log
!         
logging 192.168.1.167
<removed>
no cdp run
          
!
!
!
route-map rm-block-vpn-on-nat permit 1
 match ip address acl-block-vpn acl-ftp-pasv
!
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 rotary 1
 transport input ssh
!         
scheduler allocate 20000 1000
end

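An added illustration of why the source-interface command mattered (this is not code from the thread): the crypto map only encrypts traffic whose source and destination match the acl-vpn-<removed> entries in the config above. Router-originated SCP follows the default route out FastEthernet0/1 and is sourced from that interface's address, which is in neither 192.168.0.0/24 nor 10.1.15.0/24, so it never enters the tunnel; sourcing it from FastEthernet0/0.1 (192.168.0.254) makes it match. The WAN address used here is a constructed placeholder because the real one is removed from the posted config.

```python
import ipaddress

# Constructed: the acl-vpn-<removed> entries as they appear in the posted
# config (the crypto map's "match address" ACL); the name is a placeholder.
CRYPTO_ACL_TEXT = """
ip access-list extended acl-vpn-example
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.1.15.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
WAN_IP = "203.0.113.2"  # placeholder: the real WAN address is <removed> above

def _read_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'net wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)

def parse_acl(text):
    """Return [(action, (src_net, src_wc), (dst_net, dst_wc)), ...]."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # 'ip access-list' header line or blank line
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol (ip)
        entries.append((action, _read_addr(rest), _read_addr(rest)))
    return entries

def wildcard_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', so compare the 0 bits."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(net))
    return (a & care) == (n & care)

def acl_action(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

def scp_goes_through_tunnel(source_interface_ip, egress_ip, server_ip):
    """Router-originated SSH/SCP is sourced from the egress interface unless
    'ip ssh source-interface' pins it. Returns (source used, encrypted?)."""
    src = source_interface_ip or egress_ip
    return src, acl_action(parse_acl(CRYPTO_ACL_TEXT), src, server_ip) == "permit"
```

Without a source interface the call returns (WAN_IP, False): the packets leave in the clear toward a private destination the ISP will not route; with "192.168.0.254" it returns True and the session is protected by the crypto map.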

 
LVL 14

Expert Comment

by:Otto_N
ID: 35139719
I'm not that familiar with IPSEC VPNs, but a protocol error might mean different settings.  For your local router this is not an issue, as it does not go through the crypto map and can auto-negotiate something like SSH version.  But it might be a problem for your remote side.  But as I said, I might be way off track.

Also, see if it works if you send your password with the command: Use "copy run scp://<Username>:<Password>@<Host>/<Path>".
 
LVL 2

Author Comment

by:_valkyrie_
ID: 35139800
That also fails, same error.
 
LVL 2

Author Closing Comment

by:_valkyrie_
ID: 35140092
This solves my original question, even though my original intent doesn't quite work.

SCP does work over the VPN using SCP commands in Linux now because of this. So I'm changing my intent to pull configurations rather than push them from the routers. I'll just script this or write a quick Android app to pull them from all of our equipment (50+ devices).

Thanks for the help!
 
LVL 14

Expert Comment

by:Otto_N
ID: 35165120
If you want to initiate the SCP session from the Linux machine to the router (irrespective of the direction the data travels), you're expecting the router to be an SCP server.  You can look at this website to see how to do it: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_copy.html

Perhaps you don't have to write that app...