Notable Replies

  1. Hi Rene,

    I have always done this using the command:

    ip http secure-server

    And then:

    control-plane host
      management-interface FastEthernet0/0 allow ftp https ssh tftp snmp
    

    And:

    transport input ssh

    I tried it the way you show by generating the crypto key as you have shown above and using the control-plane host lines and it seems to achieve the same results without specifying transport input ssh on the VTY lines. You can only SSH into the router. Is this achieving the same end? The only difference I can see by using your method and issuing a sh run is you don’t get the following output:

    crypto pki trustpoint TP-self-signed-232639783
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-232639783
     revocation-check none
     rsakeypair TP-self-signed-232639783
    !
    !
    crypto pki certificate chain TP-self-signed-232639783
     certificate self-signed 01
      30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
      30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
    .
    . (14 more lines of hex)
    . 
      6915529D 797D5C61 FB5EA16D 6C8996CE E3C8B88C DFBF6DE4 0FFAB54F D73B2F60 
      C60CA794 AB67E712 12516124 7A
            quit
    

    Which is good as this clutters the screen. Is there any command to use to show the crypto key? I’ve included my full config below.

    Matt.

    R1843# sh run 
    Building configuration...
    
    Current configuration : 2222 bytes
    !
    ! Last configuration change at 17:24:16 Sydney Thu Sep 8 2016 by admin
    ! NVRAM config last updated at 17:16:13 Sydney Thu Sep 8 2016 by admin
    ! NVRAM config last updated at 17:16:13 Sydney Thu Sep 8 2016 by admin
    version 15.1
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname R1843
    !
    boot-start-marker
    boot system flash c1841-adventerprisek9-mz.151-4.M10.bin
    boot-end-marker
    !
    !
    logging buffered 4096
    no logging console
    enable secret 5 $1$RF5I$AqJBlcOiKCsYPpJ212XM0.
    !
    no aaa new-model
    !
    clock timezone Sydney 10 0
    clock summer-time sydney date Oct 2 2016 2:00 Apr 2 2017 2:00
    clock calendar-valid
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    !
    ip cef
    no ip domain lookup
    ip domain name bde.local
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    crypto pki token default removal timeout 0
    !
    !
    !
    !
    license udi pid CISCO1841 sn FHK12392C83
    vtp version 2
    username admin privilege 15 view root password 7 032C524B1207245E4B
    !
    redundancy
    !
    !
    ip ssh version 2
    ! 
    !
    !
    !
    !
    !
    !
    interface Loopback0
     ip address 1.8.4.3 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 192.168.1.3 255.255.255.0
     speed 100
     full-duplex
    !
    interface FastEthernet0/1
     no ip address
     speed 100
     full-duplex
    !
    interface Dot11Radio0/0/0
     no ip address
     shutdown
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface ATM0/1/0
     no ip address
     shutdown
     no atm ilmi-keepalive
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    !
    !
    !
    !
    control-plane host
     management-interface FastEthernet0/0 allow ftp https ssh tftp snmp 
    !
    !
    control-plane
    !
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
     length 512
     width 100
     history size 25
     escape-character 3
     stopbits 1
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     login local
     terminal-type exit
     length 0
     width 250
     history size 25
     transport input all
     escape-character 3
    line vty 5 15
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     login local
     terminal-type exit
     length 0
     width 250
     history size 25
     transport input all
     escape-character 3
    !
    scheduler allocate 20000 1000
    end
    
    R1843#
  2. Hello Matt!

    The way that you implement your configuration achieves something similar, but not exactly the same as that which Rene has done in his example.

    Rene’s example applies SSH on the VTY line. This means that you can connect to the device via SSH from any of its interfaces to the VTY connections. In your configuration, you are binding the ssh configuration only to the management interface. This of course is a legitimate configuration assuming you only apply out of band management, and if it works for you that’s great.

    Also, in your configuration the ip http secure-server is not necessary for the ssh portion of the connectivity that you provide as this allows HTTPS, that is, port 443.

    As for a command that allows you to view the crypto key, take a look at these two commands:

    show crypto key mypubkey rsa

    and

    show crypto key pubkey-chain rsa

    You can learn more about them at this Cisco CLI reference guide:
    http://www.cisco.com/en/US/products/ps6017/products_command_reference_chapter09186a00808ab5a9.html#wp1010372
    http://www.cisco.com/en/US/products/ps6017/products_command_reference_chapter09186a00808ab5a9.html#wp1010509

    I hope this has been helpful!

    Laz
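    The two approaches Laz contrasts above (restricting the VTY lines to SSH versus Management Plane Protection on one interface) can be checked mechanically against a running-config. The Python audit below is an added example, not code from this thread or from Cisco; it parses a constructed config fragment shaped like Matt's post and flags VTY lines that still have `transport input all` (which also admits telnet), MPP allow-lists containing cleartext protocols, and a missing `ip ssh version 2`.

```python
import re

# Constructed sample in the shape of Matt's VTY and control-plane host lines (not his full config).
SAMPLE_CONFIG = """\
ip ssh version 2
no ip http server
control-plane host
 management-interface FastEthernet0/0 allow ftp https ssh tftp snmp
line vty 0 4
 login local
 transport input all
line vty 5 15
 login local
 transport input ssh
"""

CLEARTEXT = {"ftp", "tftp", "telnet", "http"}  # management protocols with no transport encryption

def parse_sections(config):
    """Group an IOS config into (header, [sub-lines]); sub-lines are the space-indented ones."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and IOS '!' separators
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            sections.append((raw.strip(), []))
    return sections

def audit_management_plane(config):
    """Return a list of finding strings; an empty list means every check passed."""
    findings, sections = [], parse_sections(config)
    headers = {h for h, _ in sections}
    if "ip ssh version 2" not in headers:
        findings.append("ip ssh version 2 not set; SSHv1 may still be negotiated")
    if "ip http server" in headers:
        findings.append("ip http server enables plaintext HTTP management")
    for header, sub in sections:
        if header == "control-plane host":  # MPP: only listed interfaces/protocols reach the box
            for line in sub:
                m = re.match(r"management-interface (\S+) allow (.+)", line)
                if m and (weak := set(m.group(2).split()) & CLEARTEXT):
                    findings.append(f"MPP on {m.group(1)} allows cleartext {sorted(weak)}")
        elif header.startswith("line vty"):  # VTY: 'transport input' must be exactly ssh
            inputs = [l.split(None, 2)[2] for l in sub if l.startswith("transport input ")]
            if inputs != ["ssh"]:
                findings.append(f"{header}: transport input {inputs or 'unset'}, want ssh")
    return findings
```

Run against Matt's full `sh run` output the same checks would flag both VTY ranges, since both carry `transport input all`.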

  3. Hello Petr

    That’s a great idea. I will convey it to Rene to see if that can be added.

    Thanks!

    Laz

  4. Hello Muhammad

    The command initiated on the VTY line configuration is transport input ssh. This indicates that only the SSH protocol will be used for incoming CLI management requests. If we use transport output ssh, then we are specifying the protocol that will be used when this VTY line is used as a client to connect to another SSH server. Such a configuration is possible, but is not often implemented.

    I hope this has been helpful!

    Laz
