Re: SSH username and password only option
- From: Lester Lane <james@xxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 30 May 2008 03:13:43 -0700 (PDT)
On 29 May, 22:04, Lester Lane <ja...@xxxxxxxxxxxxxxxxxxxxx> wrote:
> On May 29, 8:05 pm, Trendkill <jpma...@xxxxxxxxx> wrote:
>> On May 29, 2:44 pm, Lester Lane <ja...@xxxxxxxxxxxxxxxxxxxxx> wrote:
>>> I am trying to rebuild my 857 and can config fine under the 10.10.10.1
>>> IP. When I log off and on again I am presented with a "normal" user
>>> and pwd option - which works fine. When I change the IP address and
>>> then log on again I only get an SSH option which I have not configured,
>>> nor can I find a way to close this option down or set a name and
>>> password. Cisco help is about as much good as a poke in the eye, so
>>> help would be a welcome break. Thanks
>> Please paste config (minus IP specifics and passwords), and clearly
>> identify what you are changing when it starts to not work as expected.
> Unfortunately I won't be onsite until Monday. All I did was set up
> the Dialer0 and VLAN1, DNS and DHCP for the real LAN rather than
> 10.10.10.1. I also added my username/pwd and removed cisco. Saved
> config, logged out, logged in OK. Then changed the IP of the VLAN1,
> expecting to lose connection. Reconfig of LAN and the login was now
> SSH mode.
> PS Is there any way of importing a previously saved config from a txt
> file?
Here is the FULL script - this also prompted me for the SSH details:
!This is the running config of the router: [ROUTER IP]
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname [ROUTER NAME]
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 BLAH
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
no ip dhcp conflict logging
ip dhcp excluded-address [LAN IP].0 [LAN IP].200
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name [DOMAIN NAME]
ip name-server 158.152.1.58
ip name-server 158.152.1.43
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2000297664
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2000297664
revocation-check none
rsakeypair TP-self-signed-2000297664
!
!
crypto pki certificate chain TP-self-signed-2000297664
certificate self-signed 01
[CERTIFICATE HEX]
quit
username james privilege 15 secret 5 BLAH
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp identity dn
!
crypto isakmp client configuration group [GROUP NAME]
key [KEY]
wins [LAN IP].200
domain [DOMAIN NAME]
pool SDM_POOL_1
acl 103
pfs
netmask [MASK]
crypto isakmp profile VPNclient
match identity group [GROUP NAME]
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
keepalive 60 retry 5
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set ESP-3DES-SHA
set pfs group2
set isakmp-profile VPNclient
reverse-route
!
!
crypto map crypto_map 65535 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption key 2 size 128bit 7 BLAH transmit-key
encryption mode wep mandatory
!
ssid [SSID]
authentication open
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2457
station-role root
l2-filter bridge-group-acl
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 input-address-list 700
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address [ISP IP] [MASK]
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [HOSTNAME]
ppp chap password 7 [PWD]
crypto map crypto_map
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address [ROUTER IP] [MASK]
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 [DIFF IP] [DIFF IP +5]
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map INSIDE_MAP interface Dialer0 overload
!
logging trap debugging
access-list 1 remark MANAGEMENT ACCESS!
access-list 1 permit [LAN IP].22
access-list 100 remark Inside interface ACL
access-list 100 deny ip 80.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark Dialer interface firewall
access-list 102 permit udp host 158.152.1.43 eq domain host [ISP IP]
access-list 102 permit udp host 158.152.1.58 eq domain host [ISP IP]
access-list 102 deny ip [LAN IP].0 0.0.0.255 any
access-list 102 permit icmp any host [ISP IP] echo-reply
access-list 102 permit icmp any host [ISP IP] time-exceeded
access-list 102 permit icmp any host [ISP IP] unreachable
access-list 102 permit udp any host [ISP IP] eq isakmp
access-list 102 permit udp any host [ISP IP] eq non500-isakmp
access-list 102 permit esp any host [ISP IP]
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark EzVPNclient route
access-list 103 permit ip [LAN IP].0 0.0.0.255 any
access-list 104 deny ip [LAN IP].0 0.0.0.255 [DIFF IP].0 0.0.0.255
access-list 104 permit ip [LAN IP].0 0.0.0.255 any
access-list 105 remark Dialer interface firewall with remote access
access-list 105 permit udp host 158.152.1.43 eq domain host [ISP IP]
access-list 105 permit udp host 158.152.1.58 eq domain host [ISP IP]
access-list 105 deny ip [LAN IP].0 0.0.0.255 any
access-list 105 permit tcp host 217.35.96.225 host [ISP IP] eq 22
access-list 105 permit icmp any host [ISP IP] echo-reply
access-list 105 permit icmp any host [ISP IP] time-exceeded
access-list 105 permit icmp any host [ISP IP] unreachable
access-list 105 permit udp any host [ISP IP] eq isakmp
access-list 105 permit udp any host [ISP IP] eq non500-isakmp
access-list 105 permit esp any host [ISP IP]
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 700 permit 0001.e694.aa0a 0000.0000.0000
access-list 700 permit 0030.6ed1.32d3 0000.0000.0000
dialer-list 1 protocol ip permit
no cdp run
route-map INSIDE_MAP permit 10
match ip address 104
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 1 in
exec-timeout 0 0
logging synchronous
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
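An added example, not part of the thread or of Cisco's tooling: a small Python audit of the management-plane settings in the config above. It runs over a constructed excerpt of that config (re-indented the way IOS prints it, since the archive stripped the indentation; redaction placeholders kept as posted) and reports what decides who can log in, over which protocol, and with which credentials. Two observations about the posted config are worth keeping in mind when reading its output: with 'aaa new-model' and 'aaa authentication login default local', the SSH and telnet prompts on the vty lines check the same local 'username james ... secret' that the console and HTTP logins use; and the management ACL 'access-list 1' permits a single host, '[LAN IP].22', and gates both 'ip http access-class 1' and the vty 'access-class 1 in', so it has to be revisited whenever the LAN addressing changes. The audit also flags settings that are weak as posted: telnet in 'transport input', 'exec-timeout 0 0', the cleartext 'ip http server' beside the secure server, no 'ip ssh version 2', and WEP with open authentication on Dot11Radio0. The finding ids and messages are this example's own, not IOS or SDM output; the parser generalizes to any 'show run' text that keeps IOS indentation.

```python
import re

# Constructed excerpt of the running-config posted above, re-indented the way
# IOS prints it (the archive stripped the indentation); redaction placeholders
# are kept as posted. Assumed: IOS 12.4 with 'aaa new-model', so vty logins
# go through the 'default' login list.
CONFIG = """\
version 12.4
aaa new-model
aaa authentication login default local
username james privilege 15 secret 5 BLAH
interface Dot11Radio0
 no ip address
 !
 encryption mode wep mandatory
 !
 ssid [SSID]
    authentication open
 !
 bridge-group 1
!
ip http server
ip http access-class 1
ip http secure-server
access-list 1 remark MANAGEMENT ACCESS!
access-list 1 permit [LAN IP].22
access-list 100 permit ip any any
line vty 0 4
 access-class 1 in
 exec-timeout 0 0
 transport input telnet ssh
!
end
"""

def parse(config):
    """Split 'show run' text into [(top_level_command, [sub_commands])].
    IOS indents sub-commands, so a non-indented line starts a new entry and
    every indented line belongs to the latest one ('!' separators are skipped)."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line in ("!", "end"):
            continue
        if raw[0].isspace() and entries:
            entries[-1][1].append(line)
        else:
            entries.append((line, []))
    return entries

def management_acls(entries):
    """Numbers of the ACLs that gate the HTTP server and the vty lines."""
    acls = set()
    for cmd, subs in entries:
        m = re.match(r"ip http access-class (\d+)$", cmd)
        if m:
            acls.add(m.group(1))
        if cmd.startswith("line vty"):
            acls.update(m.group(1) for m in (re.match(r"access-class (\d+) in$", s) for s in subs) if m)
    return acls

def acl_permits(entries, acl):
    """Source specifications permitted by a standard numbered ACL."""
    pat = re.compile(rf"access-list {acl} permit (.+)$")
    return [m.group(1) for m in (pat.match(cmd) for cmd, _ in entries) if m]

def audit(config):
    """Return [(id, severity, message)] for the settings that decide who can
    reach the management plane, over which protocol, with which credentials."""
    entries = parse(config)
    top = {cmd for cmd, _ in entries}
    findings = []
    # Which credentials the SSH/telnet prompt actually checks.
    if {"aaa new-model", "aaa authentication login default local"} <= top:
        users = sorted(cmd.split()[1] for cmd in top if cmd.startswith("username "))
        findings.append(("VTY-LOCAL-AUTH", "info", f"vty logins are checked against local users {users}"))
    # Address-pinned management access: locks you out after re-addressing the LAN.
    for acl in sorted(management_acls(entries)):
        findings.append(("MGMT-ACL", "info",
                         f"HTTP and vty restricted by acl {acl} to {acl_permits(entries, acl)}; "
                         "update it before changing LAN addressing"))
    if "ip http server" in top:
        findings.append(("HTTP-CLEARTEXT", "warn",
                         "'ip http server' accepts cleartext logins; keep only 'ip http secure-server'"))
    if not any(cmd.startswith("ip ssh version 2") for cmd in top):
        findings.append(("SSH-COMPAT-MODE", "warn",
                         "no 'ip ssh version 2': the default 1.99 mode also accepts SSHv1 clients"))
    for cmd, subs in entries:
        if cmd.startswith("line vty"):
            if any(s.startswith("transport input") and "telnet" in s.split() for s in subs):
                findings.append(("VTY-TELNET", "warn", f"{cmd}: telnet allowed; use 'transport input ssh'"))
            if "exec-timeout 0 0" in subs:
                findings.append(("VTY-NO-TIMEOUT", "warn", f"{cmd}: 'exec-timeout 0 0' never drops idle sessions"))
        if cmd.startswith("interface Dot11Radio") and any(s.startswith("encryption mode wep") for s in subs):
            findings.append(("WLAN-WEP", "warn", f"{cmd}: WEP keys are recoverable from captured frames; use WPA2"))
    return findings

if __name__ == "__main__":
    for fid, sev, msg in audit(CONFIG):
        print(f"[{sev}] {fid}: {msg}")
```

Run it against a full 'show run' capture by replacing CONFIG; the 'info' findings are the ones to read first after any re-addressing, because an access-class that no longer matches your workstation looks exactly like a login method that "stopped working".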