SSH to Cisco ISR 1111 failing - need ideas
I am trying to connect to the outside interface of a Cisco ISR 1100 with SSH. If I do a remote session with the user at the site - I can SSH to the ISR at the inside address. But if I try to ssh to the external interface of the ISR I don't even get a login prompt. There is no ACL on the outside address. There is an ACL on vty 0 4 but it includes the source address I'm coming from and I even removed that ACL to prove the point temporarily.
Any other suggestions with regards to getting ssh to work on the outside interface as well as the inside? Is there a good debug that could help?
I have ip http secure-server in the config.
line vty 0 4
access-class 5 in
exec-timeout 30 0
privilege level 15
authorization exec SECURE
logging synchronous
login authentication SECURE
length 0
transport preferred ssh
transport input ssh
line vty 5 15
access-class 5 in
exec-timeout 30 0
privilege level 15
authorization exec SECURE
logging synchronous
login authentication SECURE
length 0
transport input ssh
Any other suggestions with regards to getting ssh to work on the outside interface as well as the inside? Is there a good debug that could help?
I have ip http secure-server in the config.
line vty 0 4
access-class 5 in
exec-timeout 30 0
privilege level 15
authorization exec SECURE
logging synchronous
login authentication SECURE
length 0
transport preferred ssh
transport input ssh
line vty 5 15
access-class 5 in
exec-timeout 30 0
privilege level 15
authorization exec SECURE
logging synchronous
login authentication SECURE
length 0
transport input ssh
Last Comment
you'll probably have to define a domain name
ip domain-name corp.local or something similar to that, doesn't have to be real
also, a hostname for the router
ip domain-name corp.local or something similar to that, doesn't have to be real
also, a hostname for the router
ASKER
Great thoughts there - I have verified ip domain name xxxx and hostname. ip ssh version 2 is there as well.
I tried the crypto key gen rsa mod 1024 earlier today. But perhaps I should try it again. Also the DMVPN is failing as well.
I tried the crypto key gen rsa mod 1024 earlier today. But perhaps I should try it again. Also the DMVPN is failing as well.
is there a key on the ISR now?
blowing that key away might affect your DMVPN and unfortunately, I'm not a security guy :(
blowing that key away might affect your DMVPN and unfortunately, I'm not a security guy :(
ASKER
The DMVPN is hosed anyway. I think what I need to do is
ZEROIZE
GENERATE
Pull a new certificate for DMVPN
But I only have access if through the guy at the spoke site's laptop and he's on the east coast.
I still can't figure what could be blocking be from the outside interface versus the inside. Private IP to inside private IP SSH OK.
Public IP to public IP on spoke router SSH NOT OK. I'm glad I have some kind of access without a console cable. It's just puzzling.
A couple of other tidbits. Zenmap shows 22 and 443 ports open on the router from my source. Also the ACL 5 permitting the SSH from my source public IP increments when I try to hit the router for SSH access. So port 22 is open from the outside, the ACL sees my connection attempt but then something is fubarring when the connection is attempted. So regen seems like the best bet.
ZEROIZE
GENERATE
Pull a new certificate for DMVPN
But I only have access if through the guy at the spoke site's laptop and he's on the east coast.
I still can't figure what could be blocking be from the outside interface versus the inside. Private IP to inside private IP SSH OK.
Public IP to public IP on spoke router SSH NOT OK. I'm glad I have some kind of access without a console cable. It's just puzzling.
A couple of other tidbits. Zenmap shows 22 and 443 ports open on the router from my source. Also the ACL 5 permitting the SSH from my source public IP increments when I try to hit the router for SSH access. So port 22 is open from the outside, the ACL sees my connection attempt but then something is fubarring when the connection is attempted. So regen seems like the best bet.
are you using 443 for secure server? I never do http or https server...
I agree, sounds like zero is a good option, just don't break your only access.
I agree, sounds like zero is a good option, just don't break your only access.
ASKER
Two ways to go:
enabling 'ip http secure-server' automatically generates the RSA key that is also required by SSH:
R4(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
R4(config)#
*Nov 29 19:01:22.986: %SSH-5-ENABLED: SSH 1.99 has been enabled
The RSA key can also be generated by issuing the command:
crypto key generate rsa general-keys modulus 1024 (or 2048)
without enabling 'ip http secure-server'.
https://community.cisco.com/t5/switching/may-i-disable-quot-ip-http-secure-server-quot-if-i-have-ssh/td-p/3224506
enabling 'ip http secure-server' automatically generates the RSA key that is also required by SSH:
R4(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
R4(config)#
*Nov 29 19:01:22.986: %SSH-5-ENABLED: SSH 1.99 has been enabled
The RSA key can also be generated by issuing the command:
crypto key generate rsa general-keys modulus 1024 (or 2048)
without enabling 'ip http secure-server'.
https://community.cisco.com/t5/switching/may-i-disable-quot-ip-http-secure-server-quot-if-i-have-ssh/td-p/3224506
ASKER
I noticed this line in there "login block-for 120 attempts 3 within 60" - I wonder if someone or some device could be trying over and over to connect and that's hosing me from connecting. I could remove that or I see there's a way to exclude my good source IPs from having that policy applied to it.
The predefined ACL that is excluded from the quiet period can be specified via the new global configuration mode command login quiet-mode access-class.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-login-enhance.html
The predefined ACL that is excluded from the quiet period can be specified via the new global configuration mode command login quiet-mode access-class.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-login-enhance.html
For security, you should not let your switches have open ports on the internet. It's far better to have an internal jump server, maybe a VPN, and use that to access your switches.
ASKER
Thanks serialb. Well ssh is limited to the source IPs of our two data centers' address blocks and our internal IPs. These are small spoke site branch offices. Anyhow at this time I'm trying to get access to the device so I can get their DMVPN working without bothering the sales people by taking over their PCs.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Routers
A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.
49K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
crypto key gen rsa mod 1024