Telnet vs ssh?

I have a webserver in my basement without a keyboard, monitor or mouse permanently attached to it, so maintaining it is rather difficult. So I've been looking at setting up telnet or ssh on it (which I should have done from the start) so I can manage it from another machine within my network.
Now I understand that telnet lacks any type of security, and I'm only using it behind my network anyway. But my concern is if I want to log into it from outside my network through my VPN. I use OpenVPN, so I'm asking because I'm not sure whether the VPN connection is encrypted or not, and if it's not, then ssh will be the way to go; otherwise I think telnet is just easier.

.:B:. wrote: If 'minimal' updates mean what I think it means, then you're only making yourself miserable. Partial updates will break the system; it's a rolling release and often updates depend on one another. Doing 'minimal' updates is not the way to go. If you're afraid stuff breaks, pick another distro, or try the Arch Server Project, or at least install an LTS kernel like gazj did.
I didn't mean minimal updates like that, I just meant that I don't update it very often. I do run the LTS kernel. I just don't update everything else too often out of the blue like that because it's set up and working. I ran into issues with MySQL one time when I just went ahead and updated, and had trouble getting it going right. So I like to plan my downtime and try to know what to expect. So instead of planning to have it down for 10 minutes, and having that turn into an hour, I can plan for an hour if that's what I know it will take.

Similar Messages

  • Not able to telnet or ssh to outside interface of ASA and Cisco Router

    Dear All
    Please help me with following question, I have set up testing lab, but still not work.
    it is Hub and spoke site to site vpn case, connection between hub and spoke is metro-E, so we are using private ip for outside interface at each site.
    Hub -- Juniper SRX
    Spoke One - Cisco ASA with version 9.1(5)
    spoke two - Cisco router with version 12.3
    Site to site VPN has been successfully established. Customer would like to telnet/ssh to spoke's outside IP from Hub (using Hub's outside interface as source for telnet/ssh), or vice versa. Reason for setting up like this is they want to be able to make configuration changes even when site to site VPN is down. Sounds like an easy job to do; I tried for a long time, searched this forum and Google too, but it still does not work.
    Now I can successfully telnet/ssh to Hub SRX's outside interface from spoke (ASA has no telnet/ssh client, tested using Cisco router).
    If anyone has ever done it before, please help by sharing your experience. Does Cisco ASA or router even support it?
    When I tested it, of course site to site VPN was still up and running.
    Thanks
    YK

    Hello YK,
    On this case on the ASA, you should have the following:
    Configuring Management Access Over a VPN Tunnel
    If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
    To specify an interface as a management-only interface, enter the following command:
    hostname(config)# management-access management_interface
    where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
    You can define only one management-access interface
    Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP(if required), for a quick test you can enable on your lab Test:
      SSH
    - ssh 0 0 outside
    - aaa authentication ssh console LOCAL
    - Make sure you have a default RSA key, or create a new one either way, with this command:
        crypto key generate rsa modulus 2048
    Telnet
    - telnet 0 0 outside
    - aaa authentication telnet console LOCAL
    Afterwards, if this works you can define the subnets that should be permitted.
    On the router:
    !--- Step 1: Configure the hostname if you have not previously done so.
    hostname Router
    !--- aaa new-model causes the local username and password on the router
    !--- to be used in the absence of other AAA statements.
    aaa new-model
    username cisco password 0 cisco
    !--- Step 2: Configure the router's DNS domain.
    ip domain-name yourdomain.com
    !--- Step 3: Generate an SSH key to be used with SSH.
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 3
    !--- Step 4: By default the vtys' transport is Telnet. In this case, 
    !--- Telnet and SSH is supported with transport input all
    line vty 0 4
    transport input All
    !--- Instead of aaa new-model, the login local command may be used.
    no aaa new-model
    line vty 0 4
      login local
    Let me know how it works out!
    Please don't forget to Rate and mark as correct the helpful Post!
    David Castro,
    Regards,

  • Telnet or ssh management

    Hi Everybody!!!
    I have noticed that I can log in using almost every configured IP address on the device (here Catalyst 6500).
    I'm wondering why? I'm not talking about the source address, but the destination one.
    I have many vlan interfaces configured on the device. Almost every interface has assigned an IP address.
    And I can access remotely the switch using telnet or ssh protocol using every assigned IP address to Vlan interfaces.
    I'm wondering if it is desirable.
    Could someone explain it to me.
    Maybe there is a way to reduce the number of possible addresses, which I can use to log in (destination address).
    Best regards,
    Agata Czekalska
    Technical University of Lodz

    Hi
    Hmm Technical University..
    I am basing this on a couple of assumptions.
    Assumption: this is one of the devices that services students/teachers/others
    Assumption: students are intelligent and inquisitive.
    Assumption: you are the only one/group that should have access to the device.
    First, your 6500 chassis is/are available on several different VLANs.
    This I would stop at once IF there is no special reason for it to be configured that way.
    My guess is that if it is not hacked, then it is not far from getting just that.
    It does not mean that someone is doing anything malicious with it, but there might be misconfigurations and stuff that disrupts service.
    I would actually, if possible, stop all telnet/ssh/http/https traffic to the device itself.
    At least stop telnet and http since they send the login information in cleartext.
    If the students have a sniffer they will have the login names and passwords quickly.
    Get a firewall (asa5505?), and set up a PC behind it with a directly connected serial cable to the 6500 (and other switches maybe?). To connect to the PC you would then open up the firewall only for appropriate communication means (ipsec vpn/ssl vpn/AAA TCP communication).
    Use personal usernames and passwords so that everyone has their own username and password to log in to the equipment.
    Don't forget to set up NTP. That will help not only with time, it will also help with who was last on.
    This method secures the device from malicious use or accidental misconfiguration from someone not authorised to use it in that way.
    If this is not possible or desirable in your case, ACLs are used to control what IP addresses are allowed to access the unit.
    HTH

  • Can't Telnet or SSH to switch

    Hey Guys, I can't telnet or ssh to one of my switches.  I can however telnet to the switch I'm having trouble with from another switch on the network.  I have the config attached. Thanks for any help!

    You are missing the ip default-gateway command pointing to the default gateway IP for the switch subnet.

  • Not Able to Telnet or SSH Cisco ASA

    Hi,
    I am not able to do the following to Cisco ASA with one IP address 172.19.1.11, below is the configuration in ASA. Earlier it was working, all of a sudden it stopped working.
    Please help.
    1. Not Able to SSH
    2. Solarwinds not able to take information from ASA.
    http 172.19.1.11 255.255.255.255 inside
    snmp-server host inside 172.19.1.11 community srnemapd
    telnet 172.19.1.11 255.255.255.255 inside
    ssh 172.19.1.11 255.255.255.255 inside
    ntp server 172.19.1.11 source inside prefer

    Hi there,
    Just add a new IP address for ssh to the ASA; this will kick-start the daemon.
    This new IP does not have to be a real one.
    Hope this helps.
    Thanks
    Rizwan Rafeek

  • Telnet, rlogin, ssh not ok on sun 240 with solaris 5.10 on it

    Hello,
    I am facing some problems with connecting through telnet, rlogin or ssh on a SUN 240 server carrying Solaris 10 software on it. When I try to connect through the serial port, it gives me this error:
    telnet 10.151.145.6 2100
    Trying 10.151.145.6...
    Connected to 10.151.145.6.
    Escape character is '^]'.
    rel4gold_sam_1_7_1 console login: Dec 22 18:21:33 rel4gold_sam_1_7_1 uplink: uplink1: Standby link failure - not receiving heartbeats (B)
    Dec 22 18:23:33 rel4gold_sam_1_7_1 last message repeated 1 time
    INIT: Command is respawning too rapidly. Check for possible errors.
    id: cn "/opt/CCPUsrvr/bin/ccnd -s 38400 -f none -l /dev/term/b #CCPU CCNd"
    Dec 22 18:25:34 rel4gold_sam_1_7_1 uplink: uplink1: Standby link failure - not receiving heartbeats (B)
    rel4gold_sam_1_7_1 console login: root
    Dec 22 18:25:51 rel4gold_sam_1_7_1 login: open_module: /usr/lib/security/pam_authtok_get.so.1 failed: ld.so.1: login: fatal: passwdutil.so.1: open failed: No such file or directory
    Dec 22 18:25:51 rel4gold_sam_1_7_1 login: load_modules: can not open module /usr/lib/security/pam_authtok_get.so.1
    Ping is working properly. Do you have any idea how I can fix this problem?
    Thank you.

    Yeahh, guys!!!
    I was trying to establish a two-node cluster using VirtualBox + Solaris x86 + Sun Cluster 3.2. The node where I was running scinstall to configure my cluster environment was rebooting the other node in the end of the configuration process but it was hanging in the "Rebooting node01..." message just because it was not able to establish the cluster.
    After seeing your comments, I changed Solaris x86 to Solaris Express Community Edition and Sun Cluster to Cluster Express and now everything is working fine!
    Thanks!
    Jansen Sena <[email protected]>

  • Telnet or ssh access on wrt160nl

    Hello,
    I have 2 questions regarding the wrt160nl.
    1. Is it possible to have ssh or telnet access on the router with the default firmware?
    2. Is it possible to disable one of the antennas on the router while it has the default firmware installed?
    Thank you

    ssh or telnet access on the WRT160NL should be possible. No need to load any 3rd party firmware for this purpose. To configure your telnet session, check out: How to Telnet to Linksys WRT160NL.
    Configuring the antennas is not possible using the default firmware. For this you'll have to turn to 3rd party software developers.

  • Telnet to SSH connection

    Hi
    We are transitioning from Telnet to the more secure SSH type connection, changing to ssh from telnet. What I don't know is how this will impact the applications and the interfaces.
    I don't know how this will impact the following applications:
    SMTP forwarding from SAP.
    Interface from WebMethods.
    Interface between R/3, BW and CRM.
    Can anyone advise us on this?


  • Question of telnet or SSH to 4500X management port

    I configured 4500X management port (Fa1) and I can ping the IP from the network. But when I tried telnet to the port, the switch showed "password required but not set".
    I didn't configure any password for VTY. Should it be equivalent to "no login"? If to set or change a password for the management port, where to configure it?
    Thanks a lot

    Hi,
    Yes, "password" and "login" for the management port should be configured under the "vty" lines.
    Best regards,
    Antonin

  • [Feature Request] Wap321 SSH/Telnet Support

    Dear Cisco Developers,
    we are facing a problem with your design choice of not to support Telnet/SSH on the Wap321. We bought this Product because it was one of the only Access Points with SSH and Telnet Support.
    We need the SSH Support for a script that changes the WPA-psk key of the interface wlan0 on more than 20 APs every week. Everything was good until we got hold of a new charge which came with firmware version 1.0.1.10.
    Changelog:
    "Due to security concerns, Telnet and SSH access options are removed in firmware version 1.0.1.10."
    So I talked with the German Cisco Small Business Support and he said he will investigate and try to get it to the Second Support tier. Well, it never came to that; he called us two days later and said that it was a BUG to Support SSH and Telnet on the WAP321 and it was never designed to be a Feature.
    So I guess we have the following options:
    1.Bring back the SSH Support for the Wap321 in the next Firmware update
    2.Provide Firmware version 1.0.0.3
    3.Give me a Workaround for my task
    So any help would be appreciated and I hope we are not the only ones that would like to see a comeback of this feature.
    In hope for comments
    Best wish
    Fabian Schwarz
    (PTA-Support)
    PS: Support Ticket was
    624972937

    No Sir I do not.
    According to the response from L2:
    SSH is only enabled for customer to use it on switches.
    Developers normally do not allow SSH (enable or protect with password) for end
    user on any Wireless device. Management is done by web interface.
    In this particular case SSH was enabled only due to some bugs which were
    monitored during first release so it is not meant to be for end user.
    Because of particular security risks, SSH is for troubleshooting by developers.
    Currently there is no chance that they would issue any official firmware for this as
    well as there is a little chance they would create special firmware for just a few
    customers.
    I am sorry for any inconvenience that this has caused.
    Eric Moyers
    If you like you can roll the mouse over my picture and get my actual email address and contact me directly.

  • Unable to Telnet / SSH to a particular cisco switch

    Hello,
    I have an unusual issue that I just can't seem to track down.  We have a Windows Server 2008 R2 box that is unable to telnet or ssh to one switch in our network.
    Server IP:  10.0.0.74
    Cisco Switch IP:  10.1.0.7
    I am able to access all other switches/routers on the 10.1.0.x network, but not this one.  I ping and tracert by ip address and name.
    We have a number of other servers on our network and they all can access this switch.
    Example:  
    a.  10.0.0.73 can telnet/ssh to 10.1.0.7
    b.  10.0.0.72  can telnet/ssh to 10.1.0.7
    c.  10.0.0.50  can telnet/ssh to 10.1.0.7
    d.  My workstation (10.0.250.213) can telnet/ssh to 10.1.0.7
    If anyone can help with troubleshooting further, I would greatly appreciate it.

    Thanks for the reply Philippe!  Here is the route print
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.0.0.2        10.0.0.74    266
             10.0.0.0      255.255.0.0         On-link         10.0.0.74    266
            10.0.0.74  255.255.255.255         On-link         10.0.0.74    266
         10.0.255.255  255.255.255.255         On-link         10.0.0.74    266
            10.10.0.0      255.255.0.0         On-link         10.0.0.74    266
           10.10.0.74  255.255.255.255         On-link         10.0.0.74    266
        10.10.255.255  255.255.255.255         On-link         10.0.0.74    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         10.0.0.74    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link         10.0.0.74    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0         10.0.0.2  Default
    ===========================================================================
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      1    306 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    Firewall is disabled and there is no active antivirus.  I'm pretty sure port blocking is not the issue.  I am able to ssh and telnet from this box to every other switch/router in our network.
    This server has Solarwinds on it and tracks the health of our network (servers, routers, switches, UPS, etc.).  The only reason we noticed an issue is because it stopped backing up the config for this particular switch.  All other switches'/routers'
    config is backed up to this server every morning at 2:00AM.
    With solarwinds, this server is also able to communicate with this switch via snmp / icmp and ping.
    Thanks again for the help!

  • Transport input telnet ssh help

    Hello,
    I had two questions about remotely logging in to a switch or router:
    1. What is the default setting on a switch or router to accept remote login (i.e., telnet or ssh)?
    2. If I configure...TRANSPORT INPUT TELNET SSH... which one is default and accepted first by the switch or router? I mean I know that it will accept both, but I want to know, if I configure both to be accepted, which one has the first priority or by default which one is accepted first, telnet or ssh.
    Thanks

    1) Default settings on all VTYs are "transport input all" --> all the supported protocols, that includes both telnet and ssh.
    2) There is no priority level on which one is accepted first. Basically it just listens on both protocols (telnet - tcp/23 and ssh - tcp/22) for remote management.
    Here is the command description for your reference:
    http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219
    Hope that helps.
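An added example (not from the original replies or from Cisco): a small Python audit of the `line vty` blocks in a saved running-config, flagging lines that accept telnet, skip login, have `login` with no line password, or lack an inbound `access-class`. The sample config is constructed, and the default of telnet plus ssh when no `transport input` is present is taken from the answer above; pass a different `default` if your platform differs.

```python
import re

# Constructed sample in running-config layout (not taken from any poster).
SAMPLE_CONFIG = """\
hostname Router
!
line con 0
line vty 0 4
 login local
 transport input all
line vty 5 15
 access-class 10 in
 login local
 transport input ssh
line vty 16 20
 no login
line vty 21
 access-class 10 in
 login
 transport input ssh
!
end
"""

def parse_vty_blocks(config):
    """Split a config into 'line vty' blocks with their lower-cased subcommands."""
    blocks, current = [], None
    for raw in config.splitlines():
        header = re.match(r"^line vty (\d+)(?: (\d+))?\s*$", raw)
        if header:
            first, last = header.group(1), header.group(2) or header.group(1)
            current = {"name": f"vty {first} {last}", "cmds": []}
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            # Normalise case: configs may write 'transport input All'.
            current["cmds"].append(raw.strip().lower())
        else:
            current = None  # any unindented line ends the block
    return blocks

def effective_transports(cmds, default=("telnet", "ssh")):
    """Protocols a line accepts; `default` applies when no 'transport input' is set."""
    for cmd in cmds:
        if cmd.startswith("transport input "):
            words = cmd.split()[2:]
            if words == ["none"]:
                return set()
            # 'all' covers more protocols; only telnet and ssh matter here.
            return {"telnet", "ssh"} if words == ["all"] else set(words)
    return set(default)

def audit(config, default=("telnet", "ssh")):
    """Map each vty block to a list of finding codes."""
    report = {}
    for block in parse_vty_blocks(config):
        cmds, findings = block["cmds"], []
        if "telnet" in effective_transports(cmds, default):
            findings.append("TELNET")       # logins cross the network in cleartext
        if "no login" in cmds:
            findings.append("NO_AUTH")      # line accepts sessions without a login
        if "login" in cmds and not any(c.startswith("password ") for c in cmds):
            findings.append("NO_PASSWORD")  # "password required but not set"
        if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
            findings.append("NO_ACL")       # no source-address restriction
        report[block["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```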

  • Telnet/SSH access

    I am unable to telnet or ssh to a router from internet (LAN works fine). I see following in debug logs on the router
    *Jun  7 12:19:22: TCP0: state was LISTEN -> SYNRCVD [22 -> <Outside IP removed>(59121)]
    *Jun  7 12:19:22: TCP: tcb 85455EE8 connection to <Outside IP removed>:59121, peer MSS 1260, MSS is 516
    *Jun  7 12:19:22: TCP: sending SYN, seq 1340633744, ack 114092318
    *Jun  7 12:19:22: TCP0: Connection to <Outside IP removed>:59121, advertising MSS 536
    *Jun  7 12:19:22: TCP0: RST received, Closing connection
    *Jun  7 12:19:22: TCP0: state was SYNRCVD -> CLOSED [22 -> <Outside IP removed>(59121)]
    *Jun  7 12:19:22: tcp0: T CLOSED <Outside IP removed>:59121 <Telnet Host IP removed>:22 early close
    *Jun  7 12:19:22: TCB 0x85455EE8 destroyed
    Is it something to do with mss?
    Any help would be greatly appreciated.

    Hi sajidilyas,
    Have you solved the issue?
    In my case, it seems to be caused by asymmetric routing. CMIIW
    I'm still waiting for next testing.

  • ASR 5000 access list for ssh and telnet

    Dears,
    How can we apply an access list for telnet and ssh on ASR 5k?
    please advise if this is feasible.
    thx.

    Hello Joseph,
    Sorry for the delay in response.
    To control access to ASR5000 via telnet, other than configuring an ACL, there is a way to disable telnetd by configuring local context.
    For example:
    config
    context local
    no server telnetd
    #exit
    System Administration Guide of the relevant version will give you detailed information in this regard.
    Here is the latest system admin guide (for SW version 17): http://www.cisco.com/c/dam/en/us/td/docs/wireless/asr_5000/17-0/PDF/17-ASR5000-Sys-Admin.pdf
    You can find other guides here:  http://www.cisco.com/c/en/us/support/wireless/asr-5000-series/products-installation-and-configuration-guides-list.html
    Hope this helps..
    Regards
    Aneesh

  • No exit: CDE with ssh  - telnet is ok

    Hi
    We use SGD 4.2 on Sol10 Sparc. The CDE Sessions (Solaris Sparc) work great, but when we switch from telnet to ssh as 'connection method', the Sessions remain open after clicking 'exit'. The 'keep launch connection open' is greyed out (not changeable) but active for 'connection method'=SSH.
    With 'telnet' the 'exit' works nice.
    any ideas ?
    Thanks
    Carsten

    Very old problem! Sorry to say.
    This is one of the things I never was able to solve.
    The reason is that CDE cannot terminate, because a CDE-relevant program is still working.
    I have a workaround for that: http://www.tbsol.de/de/modules/news/article.php?storyid=61
