SSH from one Cisco router to another Cisco router

I think I already know what the issue is, but wanted to confirm.

I recently changed the configuration of the routers so that all incoming SSH connections are possible only via the specified port:

ip ssh port xxxx rotary 10

I created an ACL and everything works perfectly with PuTTY.  When I try to SSH from one router to another router it just sits there; the ACL permits the connection, but nothing happens.

I use ssh Pei xxxx NAME.

I guess it's because the cert is not recognized by the router connection?

Yes I did.  I tried ssh -l username -p xxxx ipaddress

Hello

What is the model name and the IOS version?

Ganesh.H

Tags: Cisco Security

Similar Questions

  • Problems with SSH Cisco 871W

    Hi, I started training for my certification and have now tried any possible explanation of how to configure SSH on a Cisco 871W router, and there is no way I can connect. I used TeraTerm version 3.13 and 4.69 and it keeps asking me for the password, which I entered correctly.

    It's really frustrating because everywhere I look for answers I notice it should be something simple to do, and it still does not work for me.

    In any case, this is my running config; if anyone can give me a hand I would really appreciate it.

    Current configuration : 1317 bytes
    !
    version 12.4
    service config
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname labrouter
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 AnLl $1$$ H5XfrfdN5L6bogmtdGW.Y1
    !
    no aaa new-model
    !
    !
    dot11 syslog
    ip cef
    !
    !
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip domain name House.com
    !
    !
    !
    username tripi22 password 0 ld30dzy7
    !
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh version 2
    !
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     ip address dhcp
     duplex auto
     speed auto
    !
    interface Dot11Radio0
     no ip address
     shutdown
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    control-plane
    !
    banner motd ^C
    ******************************************************************************
    NO JODER
    ******************************************************************************^C
    !
    line con 0
     password 123
     login
     no modem enable
    line aux 0
    line vty 0 4
     password 123
     login
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    end

    Hello

    Can you try to change the "login" command to "login local" under the vty lines?

    Thank you

    Wen
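
A small audit for the vty settings discussed in this thread, as an added Python example (not part of the original posts); the sample configuration and its credentials are constructed placeholders, and the finding names are this example's own. It flags vty lines that accept SSH while using the bare "login" line-password check the reply suggests replacing, plus Telnet exposure and type 0 user passwords.

```python
import re

# Constructed sample modelled on the vty section quoted above (placeholder
# credentials, not taken from a real device).
SAMPLE_CONFIG = """\
no service password-encryption
username labuser password 0 example-only
ip ssh version 2
!
line con 0
 password example-only
 login
line vty 0 4
 password example-only
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""


def parse_line_blocks(config):
    """Map each 'line ...' header to the list of its indented subcommands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line closes the block
    return blocks


def audit(config):
    """Return sorted (scope, finding) tuples for remote-login weaknesses."""
    findings = set()
    uses_aaa = re.search(r"^aaa new-model\b", config, re.M) is not None
    if re.search(r"^username \S+ password 0 ", config, re.M):
        findings.add(("global", "cleartext-user-password"))
    for header, cmds in parse_line_blocks(config).items():
        if not header.startswith("line vty"):
            continue
        protocols = set()
        for cmd in cmds:
            if cmd.startswith("transport input "):
                protocols.update(cmd.split()[2:])
        if protocols & {"telnet", "all"}:
            findings.add((header, "telnet-enabled"))
        ssh_on = bool(protocols & {"ssh", "all"})
        # Bare 'login' checks only the shared line password; no username is used.
        if ssh_on and "login" in cmds and not uses_aaa:
            findings.add((header, "ssh-with-line-password-login"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```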

  • Unable to SSH cisco CSM server

    Hello world

    Trying to SSH new server Cisco CSM.

    There is an ACL which allows SSH and I see its hit count increment, but when I try to SSH it gives a connection refused error.

    Do I have to open the SSH port on the CSM server?

    If so can someone please let me know how to do it?

    Regards

    MAhesh

    As mentioned in the forum of firewall...

    The CSM server itself doesn't have an SSH daemon to answer these requests, unless you added some other 3rd party software. It's just a Windows Server that runs an application (CSM).

    CSM uses HTTPS for the client software (Java applications) to communicate with it.

  • NPS Windows Help for authentication of aaa for Cisco router - is it safe?

    I am very confused about how all this works and was hoping someone could help me.

    I followed a bunch of tutorials online for setting up RADIUS authentication on a Cisco router and pointed it to a Windows NPS server. Now I can SSH into the router with my AD account.

    Now that I got it to work, I go to the settings to make sure everything is secure.

    On my router, the config is pretty simple:

    aaa new-model
    aaa group server radius WINDOWS_NPS
     server-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykey
    aaa authentication login default local group WINDOWS_NPS

    ip domain-name MyDom
    crypto key generate rsa

    (under vty and console)# login authentication default

    On the Windows NPS:
    • I created a new RADIUS client for the router.
    • Created a shared secret and specified Cisco as the vendor name.
    • Created a new network policy with my desired conditions.
    • And now the part of the network policy configuration that worries me:
    
    
    So initially I thought my AD credentials were being sent over the wire in plain text, but I did a capture and saw this:
    
    
    
    How is my password being encrypted and how strong is the encryption?
    
    Another thing is how can I configure aaa authentication with mschapv2? The documentation I saw for mschapv2 uses the "ppp authentication ms-chap-v2" command, but I'm not using ppp I'm using aaa with a radius server.
     
    

    Hello

    RADIUS encrypts the password, but sends the username in clear. TACACS encrypts the username and password.

    You can find the encryption scheme used by RADIUS in the RFC:

    https://Tools.ietf.org/html/rfc2865#page-27

    MS-CHAP-v2 is used for the authentication of users for things such as remote access and VPN, not switch management.

    Thank you

    John
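
How the User-Password hiding in the RFC linked above works (RFC 2865, section 5.2), as an added Python example that is not part of the original thread; the shared secret, username, password and Request Authenticator are constructed values. It builds the two attributes as they would appear in an Access-Request, so the cleartext username and the hidden password can be compared.

```python
import hashlib

# Constructed values for illustration only (not from the thread or a capture).
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # 16 octets; random per request in practice


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = RA."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16n octets
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does with the same secret and authenticator."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def access_request_attributes(user: bytes, password: bytes) -> bytes:
    """User-Name (type 1) goes out as-is; User-Password (type 2) is hidden."""
    hidden = hide_password(password, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    return attribute(1, user) + attribute(2, hidden)


if __name__ == "__main__":
    attrs = access_request_attributes(b"alice", b"Example-Passw0rd")
    print("username visible on the wire:", b"alice" in attrs)
    print("password visible on the wire:", b"Example-Passw0rd" in attrs)
    print("attribute bytes:", attrs.hex())
```

The hiding is an MD5-derived keystream keyed only by the shared secret and the Request Authenticator, so the protection of the password on the wire rests on that shared secret.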

  • Setting up SSH on a 3845 router?

    Hello everyone!

    Just curious, how do you set up SSH on a Cisco 3845 router? Specifically, how do you generate RSA keys?

    It seems to be missing the subcommand "generate" under crypto. When I type crypto key the only sub-commands are lock and unlock. I am familiar with this and do not want to disturb too much as it is a production company.

    I'm running c3845-spservicesk9-mz.124-11.T2.bin so I should have the possibility, yes? Any guidance would be appreciated. I really prefer not to use telnet.

    You have a k9 image, so it should support crypto commands. Are you sure you were in configuration mode?

    Try again; here is a link on configuring SSH in IOS.

    http://www.Cisco.com/en/us/Tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

    One way to do this is to open two telnet sessions to the router. In one session, be in enable mode and leave the session open. In the other telnet session, work on the SSH configuration. When you are done, do not save the config; leave the session and open a new session using SSH to ensure that you can connect to the router via SSH. If for any reason it fails, you still have the other open telnet session to back out the SSH change or correct it.

    Also, to ensure that the telnet sessions do not time out while you work on the config, allow yourself more time by entering exec-timeout 60 (one hour) for your vty lines:

    line vty 0 4
     exec-timeout 60

    You can also do the full SSH implementation via the console port as well.

    Regards

    Pls rate all helpful posts if this helps

  • Configure SSH on Cisco uBR7246VXR? Help, please

    I have an empty startup-config file on my uBR7. I need to activate SSH so that I can SSH to the uBR without being physically next to it. IM tells me I should activate RADIUS? Does anyone have an idea how I can do this?

    I have never used/configured this particular type of hardware, but if it runs Cisco IOS, then you can follow this:

    http://www.TheGeekStuff.com/2013/08/enable-SSH-Cisco/

    Check it out and let me know if you have any questions

    Thank you for rating useful posts!

  • VPN on 2800 router does not

    Hello

    I have configured the VPN access on a 2800 router, but it doesn't respond when I try to connect by using a client from cisco. I can access the router via SSH, so the router is working. Can someone tell me what I missed?

    Anthony

    Hi Anthony,

    Go ahead and add this line in your config file and try again:

    aaa authorization network groupauthor local

    I would like to know how it works.

  • Not able to configure SSH

    Hello

    I use an 1841 router. My question is that I'm not able to configure SSH on the router; is it a problem with the IOS?

    sh version

    Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)

    Hi knani

    You are running the IP BASE feature set IOS on your router; you need to upgrade it to the Advanced Security or SP Services feature set for SSH support in your router...

    http://www.Cisco.com/en/us/products/SW/iosswrel/ps5460/index.html

    regds

  • remembering ssh passphrases

    Before moving to Sierra, the first time I ran an ssh command each day, it would ask for my password and store the key, making it usable by any other ssh process, no matter where I am connected, thanks to agent forwarding. That's what I'm used to and is identical to the way things work on my other computer (which runs Linux).

    After upgrading to Sierra, the passphrases for my SSH keys are somehow being 'remembered', but not by ssh-agent. I am able to ssh from my laptop directly into one of the servers that I manage, without being asked for a password, but because the agent does not contain any keys (i.e. "ssh-add -l" returns "The agent has no identities."), I'm not able to ssh from this server to another server, which also makes the 'scp' and 'git' commands not work until I go back to the laptop itself and run "ssh-add".

    I tried to use "Keychain Access" to find and remove the item containing the password, but no items in any of my keychains (login, iCloud, System or System Roots) contain 'ssh' anywhere in their title. I also tried 'ssh-add -d K' and 'ssh-add -d /Users/xxx/.ssh/id_rsa K'. Neither command seems to have any effect; they are not clearing wherever the passwords are stored.

    The output of "ssh -vvv server1" contains the following items:

    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /Users/xxx/.ssh/id_rsa
    debug3: send_pubkey_test
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 60
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug2: input_userauth_pk_ok: fp SHA256:m59cRsLlMQHZk1KlO5fJNlaYBhCIyrE3eF4YaX/+q/A
    debug3: sign_and_send_pubkey: RSA SHA256:m59cRsLlMQHZk1KlO5fJNlaYBhCIyrE3eF4YaX/+q/A
    debug3: Search for item with query: {
        acct = "/Users/xxx/.ssh/id_rsa";
        agrp = "com.apple.ssh.passphrases";
        class = genp;
        labl = "SSH: /Users/xxx/.ssh/id_rsa";
        nleg = 1;
        "r_Data" = 1;
        svce = OpenSSH;
    }
    debug2: using passphrase from keychain
    debug3: send packet: type 50
    debug3: receive packet: type 52
    debug1: Authentication succeeded (publickey).
    Authenticated to server1 ([192.168.1.209]:22).

    How can I make ssh NOT remember passwords for my keys?

    Thanks to http://apple.stackexchange.com/questions/253779/macos-10-12-sierra-will-not-forget-my-ssh-keyfile-password , I found that the password is stored in ~/Library/Keychains/{UUID}/keychain-2.db, rather than in the keychain. It is a sqlite3 file and the item containing the passphrase can be removed with the following query:

    $ sqlite3 ~/Library/Keychains/*/keychain-2.db
    sqlite> delete from genp where agrp = 'com.apple.ssh.passphrases';
    sqlite> .q
    $

    The problem is, the next ssh command I type asks for the password and stores it in the same file again.

    How do you prevent ssh from storing my passwords at all?

  • vSphere ESXi ssh works, but not able to ping from the inside

    Hey man,

    I have a strange problem with my ESXi 4.1, which I just freshly installed on Workstation 6.5 and assigned an IP address. I am able to ping and ssh to it from my local network (another PC).

    But when I try to ping my local gateway from the ESXi command line, I get a timeout. Everything works, including shared iSCSI and all, but vMotion doesn't work. Is this a firewall problem? I don't think that there is an inbuilt firewall in ESXi.

    I am able to ping the local interface IP, but not the gateway, see below.

    ~ # ping 192.168.1.1
    PING 192.168.1.1 (192.168.1.1): 56 data bytes

    --- 192.168.1.1 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    ~ # vmkping 192.168.1.1
    PING 192.168.1.1 (192.168.1.1): 56 data bytes

    --- 192.168.1.1 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss

    Great that you are up and running.

  • Computer connection on another printer on cisco valet router

    I have a router (R1) provided by Verizon that connects me to the internet. Also connected to this router (R1) is a computer (PC1) and also my Cisco Valet (R2), which gives me wireless connections. Connected to the Cisco M20 router is a wireless laptop (PC2) and a wireless HP printer (PR1). Even though the Cisco M20 (R2) is connected to the internal network from Verizon (R1), the laptop (PC2) and printer (PR1) are on the internal network of the Cisco (R2). I want (PC1) to be able to view and print to the printer (PR1), but (PC1) on the router (R1) does not see the printer (PR1). The laptop (PC2), also on the Cisco (R2), can see and print to the printer (PR1) very well, so wireless is not the issue. The issue is that PC1 must pass through and see PR1.

    PC1 <--> R1 <--> R2 <--> PR1

    If anyone can help with the configuration of the router. Thank you.

    What is the IP address of the main router and of the M20 router?

    Ensure that both routers are in the same IP range.

    Is R1 connected to the Internet port of the M20?

    You are connecting 2 routers to each other. Use the M20 as a wireless access point.

    Consider that the IP address of the main router is 192.168.1.1.

    Then change the local IP address of the M20 to 192.168.1.2. Disable the DHCP server on the M20.

    Connect the cable from R1 to Ethernet port 1 of the M20. In this way all devices will be in the same IP range.

  • Recovery of password on AIM - IPS

    Hi all

    Could someone be so kind as to help me with password recovery on our AIM-IPS? I followed the steps in http://www.cisco.com/en/US/docs/security/ips/6.0/installation/guide/hwTS.html#wp1117969 to no avail. I have torn out all my hair. Thank you very much to anyone who can solve my problem.

    Jaroslav,

    Of course it is ;-)

    Instead of sessioning to the device, you are sessioning to your own router

    bsns-2821-4#service-module idS-Sensor 0/0 session
    Trying 192.168.15.15, 2194 ... Open

    AIM-IPS-TEST login:

    And when you do your session:

    Refoma# service-module idS-Sensor 0/1 session
    Trying 10.15.10.1, 2130 ... Open

    User Access Verification

    Username:

    By comparison, when you telnet/ssh to the router:

    bsns-2821-4#telnet 44.11.252.4
    Trying 44.11.252.4 ... Open

    User Access Verification

    Password:      

    I added a baseline configuration that should take care of the problem at hand, but I guess the big question is, what has been done to trigger this ;-)

    line 130
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    speed 115200

    Marcin

  • IPSEC connection to the foreign system disorder

    Hello!

    I am setting up an IPsec tunnel to an Astaro V7 at a client's site

    the origin is a UC540 with IOS 15

    I see the tunnel 'green' on the Astaro, so it's OK, but no packets go through:

    UC540#show crypto ipsec sa

    interface: FastEthernet0/0
        Crypto map tag: CISCO, local addr x.x.x.202

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.49.0/255.255.255.0/0/0)
       current_peer x.x.x.8 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 39, #pkts encrypt: 39, #pkts digest: 39
        #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0xABA3137B(2879591291)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x349B38CE(882587854)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 18, flow_id: Onboard VPN:18, sibling_flags 80000046, crypto map: CISCO
            sa timing: remaining key lifetime (k/sec): (4586494/835)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xABA3137B(2879591291)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 19, flow_id: Onboard VPN:19, sibling_flags 80000046, crypto map: CISCO
            sa timing: remaining key lifetime (k/sec): (4586494/835)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:
    UC540#

    UC540#ping 192.168.49.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    UC540#ping
    Protocol [ip]:
    Target IP address: 192.168.49.1
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.10.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.10.1
    .....
    Success rate is 0 percent (0/5)
    UC540#

    Any idea?

    If you have ACLs assigned to the interface, you should be able to simply remove the ACL from the interface. If you use ZBFW, you can also take the zone-member off all interfaces (pls make sure that you take it off all the interfaces, otherwise your traffic will not go through the router between certain interfaces; also, if you have ZBFW, remove the zone-member from the router console, as you may be locked out of the router if you remove some of the zone-members first while telnetted or SSH'd in to the router).

  • How can I enable networking between my guests on Fusion 4.1?

    Hello

    I just started with VMware Fusion 4.1 and I want to create a local network for testing. On VMware Workstation, it is pretty easy to do, but on Fusion, it will not allow the traffic between my guests.

    I have 2 Linux guests running, both with the ssh service active and up. I can ping each of them and also the Lion OS guests but I can't ssh from one guest to another; it says that there is no route to the host. I can ssh to OS Lion for guests.

    Does anyone know how I can enable more than ICMP traffic between guests?

    Thanks in advance,

    Will be

    Well, first of all let me say that I have no problem making an ssh session from host to guest, guest to host, and/or guest to guest on Mac OS X Lion and VMware Fusion 4.1.1.  So I would say that you do not have something properly configured, and if you use Fedora, the first thing I would do is disable the firewall and SELinux, at least for the connectivity test, then go from there.

  • RV082 v4.0.0.07 one-to-one NAT and access rules problem

    Hello

    I just bought two RV082s to run a 20-computer office and 4 web servers. I use one-to-one NAT so public IPs are mapped to the different servers and our monitoring system, and it seems to work very well. For each address using one-to-one NAT, I created the following access rules:

    Allow HTTP WAN1 everything [PA]

    Allow SSH WAN1 everything [PA]

    Deny all WAN1 everything [PA]

    The Allow rules have a higher priority, so my experience with other firewalls suggests that they should be applied first; access to all ports would be blocked and the HTTP and SSH ports would then be open. What actually seems to happen is very disconcerting: with any Allow rules applied, the Deny rules are overridden completely, opening all ports. If I move up the priority of the Deny rule, it blocks all ports, as expected.

    My question is how I can prevent access to all ports except the HTTP and SSH ports with the router in one-to-one NAT mode.

    When an access rule is set for a 1-to-1 NAT rule, you want to change the public IP address to the private IP address that is mapped to the public IP address.

    Allow HTTP WAN1 everything [private address]

    Allow SSH WAN1 everything [private address]

    Deny all WAN1 everything [private address]
