Telnet/SSH Connection to Switch
I'm studying for the CCENT, and I have one issue and two general inquiries I'd like to present.
First of all, I'm having trouble connecting to my 2950 using Telnet/SSH, though I've applied a VTY password. As an aside, I'm able to connect through the console. I applied an IP address to the switch, and I'm wondering if there's a part of the process that I've missed. When using PuTTY to connect to the IP, I immediately receive the "Network Error: Connection refused" error; the same basic message appears using Tera Term.
Here's my running config:
Switch#show running-config
Building configuration...
Current configuration : 2416 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
interface FastEthernet0/1
switchport mode access
interface FastEthernet0/2
switchport mode access
interface FastEthernet0/24
switchport access vlan 2
switchport mode access
interface FastEthernet0/25
interface FastEthernet0/26
interface Vlan1
no ip address
no ip route-cache
shutdown
interface Vlan2
ip address 192.168.1.107 255.255.255.0
no ip route-cache
ip default-gateway 192.168.1.1
ip http server
line con 0
exec-timeout 0 0
password CCENT
logging synchronous
login
line vty 0 4
login local
transport input telnet ssh
line vty 5 15
login local
transport input telnet ssh
end
--More--
The physical connection I'm using is from my desktop's second NIC, and I've configured the IPv4 connection to the switch's listed IP, which is 192.168.1.107. Is there anything listed above that would be problematic?
One of my questions has to do with the IP address that's supposed to be used to receive rsa keys: why is it necessary? Also, I tried entering the "ip address dhcp" command to grab an address from my WRT54G and received the following:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int vlan2
Switch(config-if)#ip address dhcp
^
% Invalid input detected at '^' marker.
I'm following the directions in Odom's book, and I don't see what I'm missing.
My other question has to do with passwords, in general. Entering the username/password on either the interface-subcommand or the global configuration area seems unimportant, here:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#transport input ssh telnet
Switch(config-line)#username DDDD password EEEE
Switch(config)#^Z
...and...
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#transport input ssh telnet
Switch(config-line)#exit
Switch(config)#username FFFF password GGGG
Switch(config)#^Z
Here's the running config, afterwards:
Switch#show running-config
Building configuration...
Current configuration : 2535 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
username BBBB password 0 CCCC
username DDDD password 0 EEEE
username FFFF password 0 GGGG
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
--More--
It doesn't appear as though exiting out of config-if mode made any difference for the usernames/passwords. Then again, I can't connect through Telnet/SSH, so I'm not able to test it, at the moment.
I'm really sorry for the huge post, but I didn't want to start multiple threads. Any help is much appreciated.
- B
First of all, thank you all for the helpful responses!
My PC is currently connected through the router, from which a straight-through cable is connected to port Fa0/18, and it is indeed on vlan2, which is associated with 1.107.
I ran the arp -a command, and here's a portion of it:
Interface: 192.168.1.105 --- 0xc
Internet Address Physical Address Type
192.168.1.1 00-0c-41-d4-6d-a1 dynamic
192.168.1.104 64-a3-cb-3d-07-64 dynamic
192.168.1.107 00-0a-b7-13-e5-c0 dynamic
1.105 is one of the NICs on the desktop. The BIA listed for 1.107 is one of the static "CPU" addresses on the switch. Here's my current running config:
Switch#show running-config
Building configuration...
Current configuration : 2434 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
interface FastEthernet0/1
switchport mode access
interface FastEthernet0/2
switchport mode access
interface FastEthernet0/18
switchport access vlan 2
switchport mode access
interface FastEthernet0/19
switchport access vlan 2
switchport mode access
interface FastEthernet0/20
switchport access vlan 2
switchport mode access
interface FastEthernet0/21
switchport access vlan 2
switchport mode access
interface FastEthernet0/22
switchport access vlan 2
switchport mode access
interface FastEthernet0/23
switchport access vlan 2
switchport mode access
interface FastEthernet0/24
switchport access vlan 2
switchport mode access
interface FastEthernet0/25
interface FastEthernet0/26
interface Vlan1
no ip address
no ip route-cache
shutdown
interface Vlan2
ip address 192.168.1.107 255.255.255.0
no ip route-cache
ip default-gateway 192.168.1.1
ip http server
line con 0
exec-timeout 0 0
password CCENT
logging synchronous
login
line vty 0 4
password NICE
login
transport input telnet ssh
line vty 5 15
password NICE
login
transport input telnet ssh
end
As you can see, I've added the VTY passwords, though I thought I had already done that. Actually, to what do the "CCNA" and "CCIE" passwords listed above apply? I'm assuming those are the local login credentials I added for the VTY lines.
I just got through disconnecting the switch's straight-through cable from the router and connecting it directly to my desktop's second NIC again, and I still can't connect remotely. Where should the troubleshooting start, at this point?
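The thread so far turns on whether the switch is ready for SSH at all and whether the VTY lines are set up to admit a remote session. As an added example that is not part of this thread, the Python script below parses a pasted `show running-config` (indented as IOS prints it, or with the indentation lost as in the pastes above) and reports the remote-management points raised here: a factory-default hostname and a missing `ip domain-name` (both are needed because `crypto key generate rsa` labels the key pair `<hostname>.<domain-name>`), VTY lines that still accept Telnet, a `login` line with no password (IOS closes such sessions with "Password required, but none set"), type 0 cleartext user passwords under `no service password-encryption`, and the HTTP server. The two embedded configs are constructed: the weak one mirrors the first config posted above, and in the hardened one the hostname `lab-sw1` and the `secret 5` hash are placeholders, not values from the thread.

```python
import re

# Constructed sample modelled on the first running-config posted in this thread
# (indentation restored the way `show running-config` prints it).
WEAK_CONFIG = """\
version 12.1
no service password-encryption
hostname Switch
username CCNA password 0 CCIE
ip domain-name modeofinquiry.com
ip ssh time-out 120
interface Vlan2
 ip address 192.168.1.107 255.255.255.0
 no ip route-cache
ip default-gateway 192.168.1.1
ip http server
line con 0
 password CCENT
 login
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input telnet ssh
end
"""

# Constructed hardened counterpart: unique hostname, hashed secret, SSH only.
# The hostname and the `secret 5` hash are placeholders, not values from the thread.
HARDENED_CONFIG = """\
service password-encryption
hostname lab-sw1
username CCNA secret 5 $1$PLACEHOLDER$notarealhashXXXXXXXXXXX
ip domain-name modeofinquiry.com
ip ssh version 2
no ip http server
line vty 0 15
 login local
 transport input ssh
end
"""

# Global commands that end an interface/line section even when a paste has
# lost the one-space indent IOS puts in front of sub-commands.
GLOBAL_PREFIXES = (
    "version ", "service ", "hostname ", "username ", "logging console",
    "ip subnet-zero", "ip domain", "ip ssh ", "ip default-gateway ",
    "ip http ", "ip route ", "spanning-tree ", "crypto ", "aaa ", "enable ",
    "access-list ", "banner ",
)
SECTION_RE = re.compile(r"^(interface|line|router|ip access-list)\b")


def is_global(cmd):
    """True for commands that can only appear at the top level (with or without 'no ')."""
    body = cmd[3:] if cmd.startswith("no ") else cmd
    return body.startswith(GLOBAL_PREFIXES)


def parse_ios_config(text):
    """Split a running-config into top-level commands and per-section sub-commands."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!") or cmd == "end":
            continue
        if SECTION_RE.match(cmd):
            current = cmd
            sections[current] = []
        elif current is not None and (raw.startswith(" ") or not is_global(cmd)):
            sections[current].append(cmd)
        else:
            current = None
            globals_.append(cmd)
    return globals_, sections


def audit(text):
    """Return human-readable findings about remote management in the config."""
    globals_, sections = parse_ios_config(text)
    findings = []
    hostname = next((g.split(None, 1)[1] for g in globals_ if g.startswith("hostname ")), None)
    has_domain = any(re.match(r"ip domain[- ]name \S+", g) for g in globals_)

    # `crypto key generate rsa` names the key pair <hostname>.<domain-name>,
    # so both must exist first; the factory hostname is a poor label anyway.
    if hostname in (None, "Switch", "Router"):
        findings.append("hostname is the factory default; set a unique one before generating RSA keys")
    if not has_domain:
        findings.append("ip domain-name missing; crypto key generate rsa will refuse to run")
    if "no service password-encryption" in globals_:
        plain = re.findall(r"^username (\S+) password 0 ", "\n".join(globals_), re.M)
        if plain:
            findings.append("type 0 cleartext passwords for users: " + ", ".join(plain))
    if "ip ssh version 2" not in globals_:
        findings.append("ip ssh version 2 not set; SSHv1 may be negotiated")
    if "ip http server" in globals_:
        findings.append("ip http server enabled (cleartext web management)")

    for header, subs in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = next((s.split()[2:] for s in subs if s.startswith("transport input ")), None)
        if transport is None or "telnet" in transport or "all" in transport:
            findings.append(f"{header}: transport input not restricted to ssh (Telnet is cleartext)")
        if "login" in subs and not any(s.startswith("password ") for s in subs):
            findings.append(f"{header}: 'login' without a line password; IOS closes remote sessions "
                            "with 'Password required, but none set'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Running the script prints six findings for the weak config and none for the hardened one; pasting any of the configs from this thread into `audit()` gives the same kind of report, whether or not the leading spaces survived the copy.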
Similar Messages
Prime 4.2 Telnet/ SSH Connections to Switches
Hi everybody,
I have a problem with LMS 4.2 and use Telnet/ SSH tool to open network devices.
If I start the tool telnet/ssh, always starts a telnet session and no ssh session.
But telnet is disabled on all devices in my network. Can I change something to open automatically a ssh session with putty?
regards Bjoern

Hi Bjoern,
I am assuming you refer to the Device Center > Tools > Telnet/SSH option.
The problem is not on LMS actually. What happens is that in the background, a telnet:// is being called.
What will happen is that your system will launch whatever application has been assigned to the telnet protocol, typically the Windows CMD, which will open a telnet session automatically.
In order to change this to use Putty for example, which would allow you to change to SSH connectivity (manually though) you can do the following:
1) BACKUP YOUR REGISTRY.
Go to Start > Run > Regedit > File > Export.
2) Locate the following key:
HKEY_CLASSES_ROOT > Telnet > shell > Open > command > (default)
3) Modify the key value to point to the location of your "putty.exe" file (make sure to include the double quotes).
Default value:
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\url.dll",TelnetProtocolHandler %l
New value (will open putty automatically to the selected IP):
"D:\Tools\putty.exe" %l
New value (will open putty normally, you will need to type the IP but can change the connection protocol/port if desired):
"D:\Tools\putty.exe"
This should make your system open Putty for any "telnet://" links, including the Telnet/SSH link in the Tools section of Device Center.
Best regards,
Luis
Message was edited by: Luis Jimenez

LMS 4.2 is not releasing SSH connections of the devices
Hello!
We have LMS opens SSH sessions to Nexus 5000 devices as part of some jobs.
These SSH connections are not being released by LMS as soon as jobs are completed, which leads the N5K devices to hang without any way of managing them remotely.
We see these connections as idle on the nexus devices (which also should kill these sessions, but this is not the issue).
We have found a known bug:
CSCty90928
LMS Pari jobs are not releasing SSH,telnet connections of the devices
Symptom:
Telnet/SSH connections are not released by LMS
Conditions:
Pari collections jobs are not releasing the connections after the Job completed
Workaround:
None
This bug is categorized as "2 – severe" and is in "Open (Postponed)" status.
I have a few questions, if anyone can assist:
1.) What is the ETA to fix this bug?
2.) Are there any other known bugs matching what we see (documented public bugs, with bug ID's, internal bugs or even undocumented bugs).
3.) Is there any released or unreleased (even yet to be tested by TAC) patch we can use that should fix the issue?
4.) Is there any way to adjust LMS idle timeout of SSH/Telnet sessions (I couldn't find it in the GUI, but maybe there is a way to change this parameter using a perl script or modifying one of LMS properties files)?
Thanking in advance, Udi Dahan.

Hello Ehud,
From N5k side we have submitted bug CSCty00044
Currently there is no fix for it; our development team is actively working on it and investigating the issue in the lab.
To get an ETA for the release I would suggest you reach out to your account team and check with them how fast a fixed release will be available.
HTH,
Alex

Unable to Telnet / SSH to a particular cisco switch
Hello,
I have an unusual issue that I just can't seem to track down. We have a Windows Server 2008 R2 box that is unable to telnet or ssh to one switch in our network.
Server IP: 10.0.0.74
Cisco Switch IP: 10.1.0.7
I am able to access all other switches/routers on the 10.1.0.x network, but not this one. I ping and tracert by ip address and name.
We have a number of other servers on our network and they all can access this switch.
Example:
a. 10.0.0.73 can telnet/ssh to 10.1.0.7
b. 10.0.0.72 can telnet/ssh to 10.1.0.7
c. 10.0.0.50 can telnet/ssh to 10.1.0.7
d. My workstation (10.0.250.213) can telnet/ssh to 10.1.0.7
If anyone can help with troubleshooting further, I would greatly appreciate it.

Thanks for the reply, Philippe! Here is the route print:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.2 10.0.0.74 266
10.0.0.0 255.255.0.0 On-link 10.0.0.74 266
10.0.0.74 255.255.255.255 On-link 10.0.0.74 266
10.0.255.255 255.255.255.255 On-link 10.0.0.74 266
10.10.0.0 255.255.0.0 On-link 10.0.0.74 266
10.10.0.74 255.255.255.255 On-link 10.0.0.74 266
10.10.255.255 255.255.255.255 On-link 10.0.0.74 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.74 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.0.0.74 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.0.0.2 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Firewall is disabled and there is no active antivirus. I'm pretty sure port blocking is not the issue. I am able to SSH and telnet from this box to every other switch/router in our network.
This server has SolarWinds on it and tracks the health of our network (servers, routers, switches, UPS, etc.). The only reason we noticed an issue is because it stopped backing up the config for this particular switch. All other switches'/routers' configs are backed up to this server every morning at 2:00 AM.
With solarwinds, this server is also able to communicate with this switch via snmp / icmp and ping.
Thanks again for the help!

LAN Switches cannot be accessed by Telnet, SSH or console in native vlan
Hi to all of you:
I do have a question about tagging the native vlan.
In our network we do have about 90 L2 and L3 switches, 2950 the oldest, 2960, 2960S, 3560 PoE, 3750 and 4503E, and we are running VTP, and 43 vlans within the entire network.
Our native VLAN is still VLAN 1, and there are many corporate applications running in this VLAN.
We have upgraded the IOS for the switches to the latest IOS version about 6 months ago, and after that we started to have issues on the switches, related to accessing the switch, either by telnet, ssh, or even console. However, the switch is still working fine, I mean, doing all bridging and switching traffic.
I have to reset or reload (power cycle) if I want to access the switch.
I have read that having the native vlan can be a problem.
Could you please let me know if you have gone through this problem?
Thanks in advance for your help.
Javier F. Berthin H.

Hi Karhtick:
I guess you have the best answer; you suggested the memory command and I am attaching the result for you.
Should the next step be to downgrade the IOS? We did the upgrade just in order to have the latest IOS published by Cisco.
If you need the config please let me know, for complementary comments.
Thanks for your help.
Javier
Core_Toldos#
Core_Toldos#
Core_Toldos#sh processes memory sorted
Processor Pool Total: 57114592 Used: 42061488 Free: 15053104
I/O Pool Total: 12582912 Used: 9397428 Free: 3185484
Driver te Pool Total: 1048576 Used: 40 Free: 1048536
PID TTY Allocated Freed Holding Getbufs Retbufs Process
0 0 56706116 14325484 38372056 0 0 *Init*
197 0 4506712 2363500 1463652 0 0 Auth Manager
0 0 0 0 1443720 0 0 *MallocLite*
0 0 577244636 370831296 916016 12457311 3203234 *Dead*
236 0 532808 46152 507068 0 0 IP ARP Adjacency
303 0 1335768 890528 450448 0 0 ADJ resolve proc
230 0 27640244 15996 378344 10152 0 CDP Protocol
77 0 368260 14413456 377820 0 0 EEM ED ND
102 0 385848 232 362236 0 0 HLFM address lea
404 0 3397428 3069392 334928 0 0 hulc running con
192 0 307492 21604 294808 0 0 HL2MCM
193 0 356552 70624 294744 0 0 HL2MCM
357 0 265100 0 275260 100548 0 EEM ED Syslog
365 0 126849404 86726456 255248 0 0 EEM Server
87 0 569060 274864 244984 0 0 Stack Mgr Notifi
203 0 753032 492440 164316 0 0 DTP Protocol
201 0 737920 526656 159424 0 0 802.1x switch
13 0 505129716 504972016 156620 0 0 ARP Input
Core_Toldos#

Can't ping, telnet, SSH or find APs in ARP, but associated to WLC & has clients
Hi All,
I have an interesting problem. I have a Cisco 2504 WLC, and six Access Points that are associated to it. I can reach 4 of the access points, which are connected to Cisco 300 POE switches, but the other 2 I cannot ping, telnet, SSH or find in the ARP table on the network. However, they are both associated to the WLC and as far as I can tell, they have clients associated to them. If I reboot them from the WLC, they find their way back to the correct WLC, and the WLC sees them in CDP, but I still can't access them in any way.
The two problem APs appear to be connected to ports 3 & 4 on the WLC, which are the POE ports. I read some documentation that says that those ports don't support Access Points but basically that you can still connect them and have it work, but don't expect any help from Cisco if you run into problems. I've confirmed that POE is being supplied in the port configs, and I have other sites with WLC's that are configured identically with APs on ports 3 & 4 that are up and not having any issues.
Wondering if anyone has had similar issues and if so, can you shed any light on this strange behavior?
Thanks.

Please see https://supportforums.cisco.com/discussion/11288621/2500-wlc-attach-ap

Telnet / SSH Software options?
Hello...
After 20 years of using PCs I switched and I'm very happy. I'm figuring most things out easily but cannot find graphical SSH client software.
I can use terminal but what I need is a software package that will store all my server accounts and passwords. Or am I missing something, some way I can do that with the built in terminal combined with the keychain?
On a PC I would use something like SecureCRT.
To reiterate, my main need here is the ability to store a list of servers, ids, and passwords that I connect to telnet (SSH). So I can pick a server and connect without having to lookup the id and password for each server.
Thanks for any guidance.

I'm not sure this is exactly what you're looking for, but I use a program called sshkeychain to store these passwords:
www.sshkeychain.org/

Applying the below to a Catalyst 3560 switch, I can only telnet/ssh using 10.1.0.1. Host 10.1.0.50 telnet/ssh is blocked.
Please advise.
access-list 101 permit host 10.1.0.1 any eg 22
access-list 101 permit host 10.1.0.1 any eg 23
access-list 101 permit host 10.1.0.50 any eg 22
access-list 101 permit host 10.1.0.50 any eg 22
line vty 0 4
access-class 101 in
Colm

If the first two lines work then I would expect the second two lines to also work. My first thought is that there may be some difference between what is actually configured and what you posted (especially since it is obvious that you just typed in the access list and did not copy it from the device config; the missing TCP parameter in the access list shows that). So copy the access list exactly from the device and post it.
Other possibilities that occur to me:
- is it possible that there is some IP connectivity issue which prevents 10.1.0.50 from connecting (or prevents responses from going back)?
- is it possible that there are interface access lists which prevent the connection?
Collin
While I agree with you that it is generally better to use standard access lists with access-class, I do not believe that changing from extended to standard access list will solve this problem. If the problem were the extended access list then how does 10.1.0.1 work?
HTH
Rick

Hi,
I am trying to configure SSH on Cat 3750 and Cat 3560 switches so that users cannot access the switches directly through telnet; instead they need to use SSH (say, the PuTTY utility) to connect to the switches.
Problem: once I log in to the switch through SSH (using, say, the PuTTY utility), from the next time on it allows access through telnet for all users.
Below is the config
crypto key generate
ip ssh timeout 120
ip ssh auth-retries 3
line vty 0 4
login local
transport input ssh
Is there anything else to be configured to enable SSH?
IOS ver is c3560-ipbasek9-mz.122-25.SED.bin.
Regds
KMS

Hi
The domain name required to generate the key is missing from the config you posted here.
Is it due to a typo? Without it you will get an error message while generating the public key.
Also, can you check which version of SSH you are running, using the show ssh command on your switches?
If it's version 1, can you change that to version 2 and check again?
You can configure that using ip ssh version 2.
regds

Problems with SSH: Connection Refused
Greetings fellow Arch users,
I have hit a bit of a snag that I could really use some extra help getting around. I've tried everything I can think of (and everything that Google thought might work) and I have my back rather against a wall, so I thought I'd come here to see if anyone can offer some advice.
To make a long story short, I am a college student and am attempting to set up an ssh server on a desktop at my house so I can access it remotely from the college. I have the computer set up and the server running, however I am having difficulty making connections to it from my laptop. I know that the server is running, because I can log into it both from the server itself (sshing into local host) and from my laptop when I use the internal IP address.
The server is on a static IP address within the network(192.168.0.75), and my router is configured to forward TCP port 1500 to it (I'm using 1500 as the port for my ssh server). However, when I attempt to log into the ssh server using my network's external IP address, the connection is refused. I used nmap to scan my network and found that, even though the proper ports are forwarded to the proper place as far as my Router's configuration interface is concerned, port 1500 is not listed as one of the open TCP ports. I also, to test it, temporarily disabled the firewalls on both the server and the client. That didn't help. The command that I am running is:
ssh -p 1500 douglas@[external ip address]
As I am really not sure what is causing this problem, I don't know what information to provide. So here is everything that my inexperienced mind sees as likely being important. If you need anything more, let me know and I will do my best to provide it.
Here is the sshd_config file from my server.
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 1500
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
The output of ip addr when run on the server:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:21:9b:3a:be:94 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.75/24 brd 192.168.255.0 scope global enp8s0
valid_lft forever preferred_lft forever
inet6 fe80::221:9bff:fe3a:be94/64 scope link
valid_lft forever preferred_lft forever
Here is the output from running nmap on the network:
Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-28 21:05 EDT
Initiating Ping Scan at 21:05
Scanning address [2 ports]
Completed Ping Scan at 21:05, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:05
Completed Parallel DNS resolution of 1 host. at 21:05, 0.05s elapsed
Initiating Connect Scan at 21:05
Scanning pa-addresss.dhcp.embarqhsd.net (address) [1000 ports]
Discovered open port 80/tcp on address
Discovered open port 443/tcp on address
Discovered open port 23/tcp on address
Discovered open port 21/tcp on address
Completed Connect Scan at 21:05, 4.08s elapsed (1000 total ports)
Nmap scan report for pa-address.dhcp.embarqhsd.net (address)
Host is up (0.036s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
443/tcp open https
8080/tcp filtered http-proxy
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds
Here is the ssh_config client-side:
# $OpenBSD: ssh_config,v 1.27 2013/05/16 02:00:34 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
Output of ssh -v during connection attempt:
OpenSSH_6.3, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/douglas/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to address [address] port 1500.
debug1: connect to address address port 1500: Connection refused
ssh: connect to host address port 1500: Connection refused
Thank you guys ahead of time. Getting this server operational is hardly critical, it is just a side project of mine, but I would really like to see it working.
Douglas Bahr Rumbaugh
Last edited by douglasr (2013-09-29 02:58:56)

Okay, so I finally have the opportunity to try to log in from a remote network. And... it doesn't work. Which is just my luck, because I now need to wait an entire week, at least, before I can touch the server again. Anyway, running ssh with maximum verbosity I get this output:
douglas ~ $ ssh -vvv -p 2000 address
OpenSSH_6.3, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/douglas/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to address [address] port 2000.
debug1: connect to address address port 2000: Connection timed out
ssh: connect to host address port 2000: Connection timed out
It takes a minute or two for the command to finish with the connection timeout, as one would expect. And yes, I am reasonably sure that the address I am using is my home network's external IP. It is dynamic, but I checked it before I left, which was just over an hour ago. I guess it may have changed. I'll know for sure in the morning, when my server sends me an automatic email with the network's current address. In the meantime I am operating under the assumption that the address I am using is correct. What else could be the problem?
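The two attempts above fail in different ways: "Connection refused" when tested from inside the home network and "Connection timed out" from the college. A refusal means a TCP RST came back, so some host at that address was reachable but nothing accepted the connection on that port; a timeout means no reply at all, so the packets were dropped somewhere or the address is wrong. As an added example that is not part of the original post, the Python script below classifies a connect attempt into those outcomes and combines a LAN-side probe of sshd with a probe of the forwarded external address, in the order a practitioner would check them. Function names (`probe_tcp`, `diagnose`, `check_forward`) are mine; the offline demonstration binds a throwaway listener on loopback, so it runs without any network.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port.

    'refused' is a TCP RST from the far end (reachable, but no listener on
    that port); 'timeout' is silence (packets dropped or the address is wrong).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def diagnose(inside, outside):
    """Interpret a LAN-side probe of sshd together with a probe of the
    forwarded external address; the LAN result is checked first because a
    broken forward cannot be judged while the service itself is down."""
    if inside != "open":
        return ("sshd not reachable on the LAN: check Port/ListenAddress in sshd_config "
                "and the host firewall before touching the router")
    if outside == "open":
        return "port forward works"
    if outside == "refused":
        return ("external address answered with RST: the forward is not applied to this "
                "port, or it points at a host/port with no listener")
    if outside == "timeout":
        return ("no reply from the external address: traffic dropped by the router/ISP, "
                "or the external IP is wrong or has changed")
    return "external address unreachable from this host"


def check_forward(external_host, external_port, internal_host, internal_port, timeout=3.0):
    """Probe the service on the LAN and via the forwarded address; return both
    results and the interpretation."""
    inside = probe_tcp(internal_host, internal_port, timeout)
    outside = probe_tcp(external_host, external_port, timeout)
    return inside, outside, diagnose(inside, outside)


def demo_local_listener():
    """Constructed offline demonstration: probe one loopback port while a
    listener is bound to it, then again after the listener is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, 1.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, 1.0)
    return while_open, after_close      # ('open', 'refused')


if __name__ == "__main__":
    print(demo_local_listener())
    # Real use, from a host that is NOT on the home LAN:
    # print(check_forward("<external ip>", 1500, "192.168.0.75", 1500))
```

The external probe belongs on a machine outside the LAN: many consumer routers do not loop a connection from their own LAN back in through the WAN address, so a refusal or timeout seen from inside (as in the first nmap run above) does not by itself prove the forward is broken.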
Hi, I have a strange problem with my Cisco 837. I can telnet to it from my local LAN with no problems, but when I try to telnet to it from work or any external IP it will not connect and eventually times out. I did have an access list applied to the vty lines, but I allowed my work IP address and could see the match counter increment on the allow statement. I have now completely removed the access list but the problem remains.
Trying 82.12.xxx.xxx...
telnet: connect to address 82.12.xxx.xxx: Connection timed out
line vty 0 4
session-timeout 35791
exec-timeout 35791 0
logging synchronous
length 0
transport preferred telnet
transport input telnet ssh
transport output all

Took me a little while but I figured it out. I had my internet connection NAT'd; the route map pointed to an access list which said permit ip any any. This was causing the remote telnet/ssh problems. The NAT access list needed to permit the inside networks only, i.e. something like permit 192.168.1.0 0.0.0.255 any.

WS-6509 refusing SSH connections via TACACS+ 5.5
Hello everyone, we have our Core 6509's using AAA with TACACS+ version 5.5 appliance.
We have 4 appliances 2 each in 2 locations.
We have an issue where 6509's refuse to authorize/authenticate valid users for ssh connections.
When you ssh to the device you can enter your password but ssh tectia just closes or you see the login banner and "Authorization denied" and ssh closes.
The switches have their tacacs-server settings pointing to all four TACACS+ devices.
Occasionally one or both will attempt to use one of the 2 non-local TACACS+ servers to authenticate/authorize connections.
You can log in from the console if you interrupt its connection to TACACS by disconnecting the fiber connections momentarily.
Has anyone seen something like this before?
This happens once or twice a year.
ej

That's the funny part: TACACS shows green, stating that I'm passing all the checks.
When I select the magnifying glass I see "passed" in green at the top.
when I check "Evaluating Identity Policy" it says.
Matched Default Rule
Selected Identity Store - Internal Users
Authenticating user against Active Directory
Could not establish connection with ACS Active Directory agent
Looking up User in Internal Users IDStore - "My username"
Found User in Internal Users IDStore
Wrong password or invalid shared secret
The advanced option that is configured for a failed authentication request is used.
The 'Continue' advanced option is configured in case of a failed authentication request.
But I'm able to access all other switches so my AD username/password are correct.
At first I was unable to access its pair. After we did a hard reset on one of the ACS's that was resolved.
But I still can't get into the other pair.
ej -
Reverse a chained SSH connection ?
Hi,
I need to reverse an opened chained SSH connection to copy files back to my own computer.
I know that when an SSH connection is active, it is possible to do ~ -R port:localhost:port2 to provide a reverse connection to send files back to the machine. But this doesn't seem to work in a chained configuration.
Here's what I have :
My computer === ssh ===> First server === ssh ===> Second server
And I need to scp files from the second server onto my computer.
Ideally, I'd like to have a "one command line" command, without tricks in ssh_config with proxy commands because I want to be able to use this easily on any computer.
Thanks
EDIT : I know ssh -R port:localhost:port1 server1
and ssh -R port1:localhost:port2 server2
but I'm looking for a way to do this once the connection is established.
Last edited by doupod (2013-06-17 15:56:23)
You can try by removing your original accounts and then logging back in through SDM, then disable telnet and again create those original accounts.
-
Transport input telnet ssh help
Hello,
I had two questions about remote login to a switch or router:
1. What is the default setting on a switch or router to accept remote login (i.e., telnet or ssh)?
2. If I configure...TRANSPORT INPUT TELNET SSH... which one is the default and accepted first by the switch or router? I mean I know that it will accept both, but I want to know that if I configure both to be accepted, which one has the first priority or by default which one is accepted first, telnet or ssh.
Thanks
1) Default settings on all VTYs are "transport input all" --> all the supported protocols, which includes both telnet and ssh.
2) There is no priority level on which one is accepted first. Basically it just listens on both protocols (telnet - tcp/23 and ssh - tcp/22) for remote management.
Here is the command description for your reference:
http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219
Hope that helps. -
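The two IOS issues raised in the Cisco 837 thread (a NAT source ACL of permit ip any any that also swallowed traffic to the router's own address) and in the transport input thread (VTYs that default to "transport input all" and so accept cleartext telnet) are both things you can check for in a running-config before they bite. The following is an added example, not code from either thread or from Cisco: a small Python audit that parses an IOS config into stanzas, follows ip nat inside source to its route-map and ACL, and reports which protocols each line vty range accepts. The sample configs are constructed for the example; the hostname, ACL number 100, route-map NAT-MAP and interface names are assumptions, not values from the page.

```python
"""Audit a Cisco IOS config for a catch-all NAT source ACL and for VTY lines
that accept telnet. Added example; the sample configs below are constructed."""
import re
from typing import List, Tuple

Stanza = Tuple[str, List[str]]  # (top-level line, indented child lines)

# Constructed config showing both pitfalls: ACL 100 (assumed number) matches
# everything, line vty 0 4 allows telnet, line vty 5 15 omits "transport input"
# and therefore inherits the IOS default "all".
BAD_CONFIG = """\
hostname edge
interface Dialer1
 ip address negotiated
 ip nat outside
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source route-map NAT-MAP interface Dialer1 overload
access-list 100 permit ip any any
route-map NAT-MAP permit 10
 match ip address 100
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
"""

# The same config with the fixes the thread arrived at: NAT only the inside
# network, and accept only ssh on every VTY range (stated explicitly, since the
# default is "all").
GOOD_CONFIG = (
    BAD_CONFIG.replace("access-list 100 permit ip any any",
                       "access-list 100 permit ip 192.168.1.0 0.0.0.255 any")
    .replace("transport input telnet ssh", "transport input ssh")
    .replace("line vty 5 15\n login local\n",
             "line vty 5 15\n login local\n transport input ssh\n")
)


def parse_stanzas(config: str) -> List[Stanza]:
    """Group the config into (header, children): a non-indented line starts a
    stanza, indented lines belong to it; '!' separators and blanks are dropped."""
    stanzas: List[Stanza] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            stanzas.append((raw.strip(), []))
    return stanzas


def nat_source_acls(stanzas: List[Stanza]) -> List[str]:
    """ACLs that select traffic for 'ip nat inside source', either named directly
    ('... source list X') or through a route-map's 'match ip address'."""
    acls, route_maps = [], []
    for header, _ in stanzas:
        m = re.match(r"ip nat inside source list (\S+)", header)
        if m:
            acls.append(m.group(1))
        m = re.match(r"ip nat inside source route-map (\S+)", header)
        if m:
            route_maps.append(m.group(1))
    for header, children in stanzas:
        m = re.match(r"route-map (\S+) permit", header)
        if m and m.group(1) in route_maps:
            for child in children:
                m2 = re.match(r"match ip address (.+)", child)
                if m2:
                    acls.extend(m2.group(1).split())
    return acls


def check_nat_acl(config: str) -> List[str]:
    """Flag NAT source ACL entries that match all traffic: they translate
    sessions aimed at the router itself, which is what broke remote telnet/ssh."""
    stanzas = parse_stanzas(config)
    wanted = set(nat_source_acls(stanzas))
    findings = []
    for header, children in stanzas:
        entries: List[Tuple[str, str]] = []
        m = re.match(r"access-list (\S+) (.+)", header)          # numbered ACL
        if m:
            entries = [(m.group(1), m.group(2))]
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", header)
        if m:                                                      # named ACL
            entries = [(m.group(1), re.sub(r"^\d+ ", "", c)) for c in children]
        for name, entry in entries:
            if name in wanted and re.fullmatch(r"permit (ip )?any( any)?", entry):
                findings.append(f"NAT ACL {name} matches all traffic: '{entry}'")
    return findings


def check_vty_transport(config: str) -> List[str]:
    """Report cleartext telnet (or a missing 'transport input', i.e. the default
    'all') on each VTY range; only telnet and ssh are tracked here."""
    findings = []
    for header, children in parse_stanzas(config):
        if not header.startswith("line vty"):
            continue
        allowed = "all"
        for child in children:
            if child.startswith("transport input"):
                allowed = child[len("transport input"):].strip()
        protocols = {"telnet", "ssh"} if allowed == "all" else set(allowed.split())
        if "telnet" in protocols:
            findings.append(f"{header}: accepts cleartext telnet (transport input {allowed})")
        if "ssh" not in protocols:
            findings.append(f"{header}: ssh not accepted (transport input {allowed})")
    return findings


def audit(config: str) -> List[str]:
    return check_nat_acl(config) + check_vty_transport(config)


if __name__ == "__main__":
    for label, cfg in (("BAD", BAD_CONFIG), ("GOOD", GOOD_CONFIG)):
        print(f"== {label} ==")
        for line in audit(cfg) or ["no findings"]:
            print(" ", line)
```

Running it prints three findings for the first config (the catch-all ACL plus telnet on both VTY ranges, the second one by default) and none for the corrected one. Real configs use 'ip nat inside source list' at least as often as a route-map, which is why the ACL lookup follows both forms.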
ASA5520 - Management0/0 Telnet/SSH/Ping Access
Hey all, hope this is an easy one.
- How can I set up the management interface so that we can ping the mgmt interface from a subnet that is different from the Management0/0 interface's subnet (the source IP would be 192.168.100.0/24, which may conflict with the inside interface)?
- I am able to telnet/ssh from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface.
- I am not able to ping the mgmt interface from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface.
- Is a security level required on the mgmt interface? It does not work unless we put one. If so, what are you guys setting it to?
interface Ethernet0/0.101
description Outside
vlan 101
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
interface Ethernet0/1.102
description Inside Cat3750-VM G1/0/24 (PRI) G2/0/24 (STB)
vlan 102
nameif inside
security-level 100
ip address 192.168.100.100 255.255.252.0
interface Management0/0
nameif mgmt
security-level 90
ip address 192.168.253.100 255.255.255.0
management-only
ssh 192.168.100.0 255.255.255.0 mgmt
telnet 192.168.100.0 255.255.255.0 mgmt
I try to add a static route but get an error:
ASA5520(config)# route mgmt 192.168.0.0 255.255.252.0 192.168.253.1
ERROR: Cannot add route, connected route exists
Hello Robert,
by default the Management interface of an ASA is going to be used for management traffic only.
Now, in order to be able to use it as any other interface, you will need to use the following commands:
- interface Management0/0
- no management-only
And just to let you know, it is impossible to ping a distant interface, for example from an inside subnet to the outside interface IP. This is a security measure.
Regards,
Julio