ssh problem
linux44
Member Posts: 38
in CCNA & CCENT
hello
I have configured SSH on one of my routers and am trying to get access to it using telnet on another Cisco router, but it gives me the following error:
R2(config)#do telnet 172.16.0.5
Trying 172.16.0.5 ...
[Connection to 172.16.0.5 closed by foreign host]
any idea?
thanks
Comments
-
tiersten Member Posts: 4,505
SSH isn't telnet and telnet isn't SSH. Use the ssh command if you want to open an SSH connection.
-
linux44 Member Posts: 38
I acted a bit daft.
Anyway, thanks a lot, you saved me,
because I was going crazy. -
linux44 Member Posts: 38
I am having the same problem again despite using the following command:
ssh -l "username" then ip address
This command works on the router itself, but if I try to reach that router from my other router it comes up with
connection lost .....
any idea? -
amp2030 Member Posts: 253
Also check out Tera Term, it's free and works great with SSH.
Either that or PuTTY. -
linux44 Member Posts: 38
Either that or PuTTY.
What do you mean?
What I am trying to say is that I have a problem SSHing to my Cisco router from another Cisco router.
I do not want to use PuTTY or any software; all I want to do is use a Cisco router to SSH to my other Cisco router. -
phantasm Member Posts: 995
Did you generate your rsa keys?
1. set hostname: hostname myrouter
2. set domain name: ip domain name myrouter
3. generate keys: crypto key generate rsa
4. determine transport type: line vty 0 4 then transport input ssh
"No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus -
amp2030 Member Posts: 253
I thought you were trying to connect from Windows, since someone suggested Tera Term.
Anyway, could you provide a few more details about your problem? Is it just SSH or connection in general? Can you PING the router from the remote one? Can you TELNET into it? Did you create a local user/password and generate rsa key on the router you want to connect to? -
linux44 Member Posts: 38
I thought you were trying to connect from Windows, since someone suggested Tera Term.
Anyway, could you provide a few more details about your problem? Is it just SSH or connection in general? Can you PING the router from the remote one? Can you TELNET into it? Did you create a local user/password and generate rsa key on the router you want to connect to?
thanks for all your replies
I am using Packet Tracer 5.1. I have added 2 routers and their names are R1 and R2.
R2 is the one on which I have configured SSH, and I have used the following commands:
host R2
usernam cisco pass 123
ip domain-nam cisco
ip ssh ver 2
crypto key gener rsa =512 bit
line vty 0 15
login local
trans inp ssh
These are the commands that I have used on router R2, and I can connect to R2 using SSH; by that I mean from R2 I typed
ssh -l cisco "ip address"
but when I try to connect using R1 it gives me connection lost ...
note: R1 and R2 have full connectivity
thanks -
phantasm Member Posts: 995
You need to configure ssh on R1 if you want to connect to R1 via ssh.
"No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
-
linux44 Member Posts: 38
You need to configure ssh on R1 if you want to connect to R1 via ssh.
What I want to do is to connect to R2 from R1,
and basically I think I wouldn't need to configure SSH on R1, as I am using R1 to connect to R2.
Please help as it is driving me mad -
sprkymrk Member Posts: 4,884
Do you have any ACLs in place that might be stopping it?
All things are possible, only believe.
-
linux44 Member Posts: 38
Do you have any ACLs in place that might be stopping it?
no
I even defined the SSH version before connecting by using the following command
ssh -l usernamd -v 2 "ip address"
I have also tried
ssh -l usernamd -v 2 "ip address
It does work when I SSH to R2 from R2, but it doesn't work when I SSH from R1 to R2!!!
Is there any special command I have to configure R1 with in order for it to work??? -
amp2030 Member Posts: 253
Ok, I tried to recreate your problem in Packet Tracer and I think I figured it out. Indeed it is not enough to set it all up on R2. I did, and couldn't connect either. It didn't work until I also configured R1 in a domain, with a username/password, and ran "crypto key generate rsa" on it.
Funny how I didn't need to tell it to use ssh version 2, nor did the domain have to be the same or the local user/password combination have to be the same, so my guess is as long as there is "some" key generated locally it's ok. In retrospect it kind of makes sense.
I'm taking ICND1 tomorrow, and I want to thank you for your question, as it has pointed out to me something I haven't thought of before. I would have wasted precious exam minutes figuring it out, had it shown up tomorrow. -
linux44 Member Posts: 38
Ok, I tried to recreate your problem in Packet Tracer and I think I figured it out. Indeed it is not enough to set it all up on R2. I did, and couldn't connect either. It didn't work until I also configured R1 in a domain, with a username/password, and ran "crypto key generate rsa" on it.
Funny how I didn't need to tell it to use ssh version 2, nor did the domain have to be the same or the local user/password combination have to be the same, so my guess is as long as there is "some" key generated locally it's ok. In retrospect it kind of makes sense.
I'm taking ICND1 tomorrow, and I want to thank you for your question, as it has pointed out to me something I haven't thought of before. I would have wasted precious exam minutes figuring it out, had it shown up tomorrow.
thanks a lot for your help
So does that mean in the real world I need to type in crypto .... and ip domain name on all client routers to connect to the server router using SSH? -
amp2030 Member Posts: 253
thanks a lot for your help
So does that mean in the real world I need to type in crypto .... and ip domain name on all client routers to connect to the server router using SSH?
Good question, I wish I could answer it, but so far all my hands-on experience has been with simulators. If I had to venture a guess, I'd say yes. I'm a novice when it comes to security, but it would make sense that for SSH to work both devices need some sort of keys to exchange. -
phantasm Member Posts: 995
In my job I'm ssh'ing into more than 20 separate boxes a day. I never do it from one router to another. It's always from a UNIX shell into a router/switch. In this case, ssh needs to be configured on every device.
"No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
-
itdaddy Member Posts: 2,089
linux
Can you give your "show running-config" output here so we can see it?
Copy and paste your config into this techexams post... and we can look at your R1
config -
itdaddy Member Posts: 2,089
Linux
Yes to your question. Most all routers that I have had to set up SSH on required what you asked:
domain name
host name
crypto command
This is the kind of standard. I have done it on SOHO 831/ASA 5505 and some routers -
linux44 Member Posts: 38
linux
Can you give your "show running-config" output here so we can see it?
Copy and paste your config into this techexams post... and we can look at your R1
config
R1
R1#sh run
Building configuration...
Current configuration : 1874 bytes
!
version 12.4
no service password-encryption
!
hostname R1
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
username R2 password 0 cisco
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.128
ip access-group cisco1 out
duplex auto
speed auto
!
interface Serial0/0/0
ip address 172.16.0.1 255.255.255.252
encapsulation ppp
ppp authentication chap
ip access-group cisco in
clock rate 64000
!
interface Serial0/0/1
bandwidth 128
ip address 172.16.0.9 255.255.255.252
encapsulation frame-relay
frame-relay map ip 172.16.0.10 101 broadcast
frame-relay lmi-type ansi
ip access-group cisco in
!
interface Serial0/1/0
no ip address
shutdown
!
interface Serial0/1/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router rip
passive-interface FastEthernet0/1
network 172.16.0.0
!
ip classless
ip route 10.0.0.128 255.255.255.128 172.16.0.10
!
!
ip access-list extended cisco
permit tcp host 172.16.0.2 any eq telnet
permit tcp host 172.16.0.5 any eq telnet
deny tcp any any eq telnet
permit ip any any
permit tcp any any
permit icmp any any
permit udp any any
ip access-list extended cisco1
deny tcp host 209.165.200.161 host 10.0.0.10 eq telnet
deny tcp host 209.165.200.161 host 10.0.0.10 eq ftp
deny tcp host 209.165.200.161 host 10.0.0.10 eq www
deny icmp 10.0.0.128 0.0.0.127 host 10.0.0.10
deny udp 10.0.0.128 0.0.0.127 host 10.0.0.10
deny tcp 10.0.0.128 0.0.0.127 host 10.0.0.10
deny ip 10.0.0.128 0.0.0.127 host 10.0.0.10
permit tcp any any
permit icmp any any
permit ip any any
permit udp any any
!
!
!
banner motd ^CAuthorised user only^C
line con 0
password cisco
logging synchronous
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
R2
R2#sh run
Building configuration...
Current configuration : 1224 bytes
!
version 12.4
no service password-encryption
!
hostname R2
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
username R1 password 0 cisco
username cisco password 0 ccna
!
ip ssh version 2
no ip domain-lookup
ip domain-name cisco
!
!
interface Loopback0
ip address 209.165.200.161 255.255.255.224
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 172.16.0.2 255.255.255.252
encapsulation ppp
ppp authentication chap
ip access-group cisco in
!
interface Serial0/0/1
ip address 172.16.0.5 255.255.255.252
ip access-group cisco in
clock rate 64000
!
interface Serial0/1/0
no ip address
shutdown
!
interface Serial0/1/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router rip
network 172.16.0.0
!
ip classless
ip route 10.0.0.0 255.255.255.128 Serial0/0/0
ip route 10.0.0.128 255.255.255.128 Serial0/0/1
!
!
!
!
!
banner motd ^CAuthorised user only^C
line con 0
password cisco
logging synchronous
login
line vty 0 4
password cisco
login local
transport input ssh
line vty 5 15
password cisco
login local
transport input ssh
!
!
end
thanks -
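An added config audit, not code from this thread, that checks the posted R1 and R2 configs for the items the replies ask about (ip domain-name as the prerequisite for crypto key generate rsa, SSH version 2, and login local plus transport input ssh on every vty block) and also flags cleartext username passwords. The sample configs are trimmed copies of the ones posted above; the check wording and the parsing approach are my own.

```python
import re

# Sample inputs constructed from the R1 and R2 configs posted in this thread (trimmed).
R1_CONFIG = """\
hostname R1
username R2 password 0 cisco
ip ssh version 1
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
"""
R2_CONFIG = """\
hostname R2
username cisco password 0 ccna
ip ssh version 2
ip domain-name cisco
line vty 0 15
 login local
 transport input ssh
!
"""

def vty_blocks(config):
    """Return the command list of each 'line vty' section (indentation optional)."""
    blocks = []
    for chunk in re.split(r"^(?=line |!)", config, flags=re.M):
        if chunk.startswith("line vty"):
            blocks.append([l.strip() for l in chunk.splitlines()[1:] if l.strip()])
    return blocks

def audit_ssh_config(config):
    """Return a list of findings; an empty list means the SSH basics are in place."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name (crypto key generate rsa needs one)")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set (SSHv1 is weak)")
    if re.search(r"^username \S+ password 0 ", config, re.M):
        findings.append("cleartext 'username ... password 0' (prefer 'username ... secret')")
    for cmds in vty_blocks(config):
        if "transport input ssh" not in cmds:
            findings.append("vty: telnet still accepted (no 'transport input ssh')")
        if "login local" not in cmds:
            findings.append("vty: line password only (no 'login local')")
    return findings
```

Over the posted R1 config this reports, among other findings, the missing domain name and the ip ssh version 1 setting; on real IOS a device pinned to ip ssh version 2, as R2 is, will not negotiate with a version 1 peer.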
itdaddy Member Posts: 2,089
linux
Try this link; look it over and then look at your config. You might find the issue.
Not that it might matter, but change your domain name to something like (domain.net or domain.com), something not just a name... and when I do stuff I try to follow the letter to the bone...
Configure SSH on your Cisco router
Watch your ACLs too. Sometimes you can take your ACLs down if it is a home lab
and see how it reacts; that is what I do, I take all my ACLs down and save and restart it.
I usually get my telnet or SSH going first, then set up ACLs... it is easier to troubleshoot.
Let me know how it works out???
Did you run the crypto key generate rsa command??? -
linux44 Member Posts: 38
linux
Try this link; look it over and then look at your config. You might find the issue.
Not that it might matter, but change your domain name to something like (domain.net or domain.com), something not just a name... and when I do stuff I try to follow the letter to the bone...
Configure SSH on your Cisco router
Watch your ACLs too. Sometimes you can take your ACLs down if it is a home lab
and see how it reacts; that is what I do, I take all my ACLs down and save and restart it.
I usually get my telnet or SSH going first, then set up ACLs... it is easier to troubleshoot.
Let me know how it works out???
Did you run the crypto key generate rsa command???
Yes, thanks for your advice. I have got it sorted by issuing crypto key ... and ip domain-name on the client router, which looks strange to me, as why should I put crypto... on the client router????