amigan_99 asked:
SSH to Cisco ISR 1111 failing - need ideas

I am trying to connect to the outside interface of a Cisco ISR 1100 with SSH. If I do a remote session with the user at the site - I can SSH to the ISR at the inside address. But if I try to ssh to the external interface of the ISR I don't even get a login prompt. There is no ACL on the outside address. There is an ACL on vty 0 4 but it includes the source address I'm coming from and I even removed that ACL to prove the point temporarily.

Any other suggestions with regards to getting ssh to work on the outside interface as well as the inside? Is there a good debug that could help?

I have ip http secure-server in the config.

line vty 0 4
 access-class 5 in
 exec-timeout 30 0
 privilege level 15
 authorization exec SECURE
 logging synchronous
 login authentication SECURE
 length 0
 transport preferred ssh
 transport input ssh
line vty 5 15
 access-class 5 in
 exec-timeout 30 0
 privilege level 15
 authorization exec SECURE
 logging synchronous
 login authentication SECURE
 length 0
 transport input ssh
Timothy Estes:

ip ssh version 2
crypto key gen rsa mod 1024
you'll probably have to define a domain name
ip domain-name corp.local or something similar to that, doesn't have to be real
also, a hostname for the router
amigan_99 (asker):
Great thoughts there - I have verified ip domain name xxxx and hostname. ip ssh version 2 is there as well.

I tried the crypto key gen rsa mod 1024 earlier today. But perhaps I should try it again. Also the DMVPN is failing as well.

is there a key on the ISR now?
blowing that key away might affect your DMVPN and unfortunately, I'm not a security guy :(

The DMVPN is hosed anyway. I think what I need to do is

ZEROIZE
GENERATE
Pull a new certificate for DMVPN

But I only have access through the guy at the spoke site's laptop and he's on the east coast.

I still can't figure what could be blocking me from the outside interface versus the inside. Private IP to inside private IP SSH OK.
Public IP to public IP on spoke router SSH NOT OK. I'm glad I have some kind of access without a console cable. It's just puzzling.

A couple of other tidbits. Zenmap shows 22 and 443 ports open on the router from my source. Also the ACL 5 permitting the SSH from my source public IP increments when I try to hit the router for SSH access. So port 22 is open from the outside, the ACL sees my connection attempt but then something is fubarring when the connection is attempted. So regen seems like the best bet. 
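The pattern described in this post (port 22 reported open, the vty ACL counter incrementing, but never a login prompt) can be narrowed down from the outside by checking two things separately: does the TCP handshake complete, and does an SSH identification line ever arrive afterwards? The Python script below is an added example, not code from this thread; it classifies the outcome of a connection attempt, and the localhost mock servers and the "SSH-2.0-Cisco-1.25" banner string are constructed so the script runs without touching a real router. A "silent" result (handshake completes, no banner) is what the thread's two hypotheses, a missing or broken RSA key and a login block-for quiet period, would both look like from the client side; a "timeout" would instead point at an ACL or upstream filter.

```python
import socket
import threading


def probe_ssh(host, port=22, timeout=5.0):
    """Classify what a TCP connection to host:port looks like from this vantage point.

    Returns (state, detail):
      ("timeout", None)          no SYN/ACK at all: dropped by an ACL, firewall or NAT
      ("refused", None)          reset: nothing listening on the port
      ("silent", None)           handshake completed but no SSH banner before the timeout
      ("closed", None)           server accepted and then closed without saying anything
      ("banner", "SSH-2.0-...")  a real SSH server answered
      ("other", text)            something answered, but not with an SSH identification line
      ("error", text)            any other socket-level failure (no route, DNS, ...)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("timeout", None)
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            return ("silent", None)
        except OSError as exc:
            return ("error", str(exc))
    if not data:
        return ("closed", None)
    # RFC 4253 identification string: "SSH-protoversion-softwareversion" terminated by CR LF
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    return ("banner", line) if line.startswith("SSH-") else ("other", line)


def _mock_server(behaviour, banner=b"SSH-2.0-Cisco-1.25\r\n"):
    """One-shot localhost listener mimicking a server behaviour (constructed for the demo).

    'banner': send an SSH identification line (the banner text is made up)
    'silent': accept and never write, which is how a router with no usable RSA key looks
    'closed': accept and close immediately
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "banner":
                conn.sendall(banner)
            elif behaviour == "silent":
                try:
                    conn.recv(1)  # block until the client gives up and closes
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def _unused_port():
    """Pick a localhost port with nothing listening, so a connect gets a reset."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Demo against the constructed mock servers; point probe_ssh at a real host to use it.
    for behaviour in ("banner", "silent", "closed"):
        print(behaviour, "->", probe_ssh("127.0.0.1", _mock_server(behaviour), timeout=2))
    print("refused ->", probe_ssh("127.0.0.1", _unused_port(), timeout=2))
```

Run it from the same source address the vty ACL permits, and compare the result against the inside address: the thread's symptom is "banner" from inside and "silent" from outside, which rules out a plain filter and points at the router-side causes discussed above.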
are you using 443 for secure server? I never do http or https server...

I agree, sounds like zero is a good option, just don't break your only access.
Two ways to go:

enabling 'ip http secure-server' automatically generates the RSA key that is also required by SSH:

R4(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
R4(config)#
*Nov 29 19:01:22.986: %SSH-5-ENABLED: SSH 1.99 has been enabled

The RSA key can also be generated by issuing the command:

crypto key generate rsa general-keys modulus 1024 (or 2048)

without enabling 'ip http secure-server'.

https://community.cisco.com/t5/switching/may-i-disable-quot-ip-http-secure-server-quot-if-i-have-ssh/td-p/3224506
I noticed this line in there "login block-for 120 attempts 3 within 60" - I wonder if someone or some device could be trying over and over to connect and that's hosing me from connecting. I could remove that or I see there's a way to exclude my good source IPs from having that policy applied to it.

The predefined ACL that is excluded from the quiet period can be specified via the new global configuration mode command login quiet-mode access-class.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-login-enhance.html 
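The checklist from earlier in the thread (hostname, ip domain-name, ip ssh version 2, a vty that accepts SSH and references an ACL that exists) and the login block-for point raised here can be checked mechanically against a saved copy of the running-config. The script below is an added example, not code from this thread or from Cisco; the config it parses is a constructed sample modelled on the vty stanza in the question, and the hostname, domain name and ACL entry in it are made up. One thing it cannot see is whether an RSA key actually exists, since that is not part of the running-config text; that still has to be confirmed on the box with show crypto key mypubkey rsa.

```python
import re

# Constructed sample, modelled on the vty stanza in the question; not the asker's real config.
SAMPLE_CONFIG = """\
hostname SPOKE-ISR
ip domain-name corp.local
ip ssh version 2
login block-for 120 attempts 3 within 60
access-list 5 permit 203.0.113.0 0.0.0.255
ip http secure-server
line vty 0 4
 access-class 5 in
 transport input ssh
line vty 5 15
 access-class 5 in
 transport input ssh
"""


def parse_ios(text):
    """Split IOS config text into top-level lines and the indented bodies of 'line ...' stanzas."""
    top, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            stanzas[current].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        if line.startswith("line "):
            current = line
            stanzas.setdefault(current, [])
        else:
            top.append(line)
    return top, stanzas


def check_ssh_config(text):
    """Return findings (list of strings) for settings that commonly stop SSH from answering."""
    top, stanzas = parse_ios(text)
    findings = []

    def has(pattern):
        return any(re.fullmatch(pattern, line) for line in top)

    # Prerequisites for 'crypto key generate rsa' (hostname and domain name) and SSHv2.
    if not has(r"hostname \S+"):
        findings.append("hostname missing (RSA key generation needs it)")
    if not has(r"ip domain[- ]name \S+"):
        findings.append("ip domain-name missing (RSA key generation needs it)")
    if not has(r"ip ssh version 2"):
        findings.append("ip ssh version 2 not set")

    # Every vty stanza should accept SSH and reference an ACL that is actually defined.
    acls = set()
    for line in top:
        m = re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line)
        if m:
            acls.add(m.group(1))
    for name, body in stanzas.items():
        if not name.startswith("line vty"):
            continue
        if not any(re.fullmatch(r"transport input (ssh|all)", b) for b in body):
            findings.append(f"{name}: transport input does not allow ssh")
        for b in body:
            m = re.fullmatch(r"access-class (\S+) in", b)
            if m and m.group(1) not in acls:
                findings.append(f"{name}: access-class {m.group(1)} references an undefined ACL")

    # login block-for with no quiet-mode exemption locks out management sources too
    # while someone else's failed attempts keep the router in its quiet period.
    if has(r"login block-for \d+ attempts \d+ within \d+") and not has(
        r"login quiet-mode access-class \S+"
    ):
        findings.append(
            "login block-for set but no 'login quiet-mode access-class' exempts management sources"
        )
    return findings


if __name__ == "__main__":
    for finding in check_ssh_config(SAMPLE_CONFIG) or ["no findings"]:
        print("-", finding)
```

On the constructed sample the only finding is the missing quiet-mode exemption, which is exactly the situation the post above describes: the vty ACL admits the management source, but a quiet period triggered by other failed attempts can still refuse it.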
For security, you should not let your switches have open ports on the internet.  It's far better to have an internal jump server, maybe a VPN, and use that to access your switches.
Thanks serialb. Well ssh is limited to the source IPs of our two data centers' address blocks and our internal IPs. These are small spoke site branch offices. Anyhow at this time I'm trying to get access to the device so I can get their DMVPN working without bothering the sales people by taking over their PCs. 