
Setting Up SSH and Telnet Access To A CISCO IOS Router

Discussion in 'Other Cisco Equipment' started by DocLarge, Jun 17, 2007.

DocLarge (Super Moderator, Staff Member):

    Big thanks goes to the "Most Excellent CISCO Guy" Eric_Stewart for this latest installation of CISCO IOS configuration guidelines...
    -----------------------------------------------------------------------------------------------------------------

    Access lists will control traffic going *through* your 871W...not *to* it. That said, here's what you need:

    Step (1) Set up vty's for dialin telnet and ssh:
    --------------------------------------------
    Router(config)#line vty 0 4
    Router(config-line)#privilege level 15
    Router(config-line)#login local
    Router(config-line)#transport input telnet ssh

    Explanation: line interfaces vty 0 through 4 are the virtual terminal interfaces *to* your device. When you telnet to the 871W you are using these lines. The commands above will: 1) select the interfaces then 2) allow users in a local database that you set up separately to SSH and telnet to your 871W.

    Step (2) Set up a user/password database:
    ------------------------------------------
    Router(config)#username testuser privilege 15 password W0n'tF0r5etTh15

    Step (3) Set an enable password
    ---------------------------------
    Finally, there's a security feature on all Cisco routers that requires that the enable password be set before you can telnet/ssh to the router....regardless of whether you've done all the above:

    Router(config)#enable secret 5up3r53cr3t

    Now you should be able to telnet to your router, but (and here's the kicker) *not* SSH to it. You now need to set up encryption keys.

    Step (4) Set up an RSA key pair:
    ---------------------------------
    [sidebar: 1st you have to setup a hostname and domain name since the keys are generated based on these values]

    Router(config)#hostname DoogiesRouter
    DoogiesRouter(config)#ip domain-name example.com

    ...then generate the keys:
    DoogiesRouter(config)#crypto key generate rsa

    ...the output will look something like this:
    <begin output>
    The name for the keys will be: DoogiesRouter.example.com
    Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
    How many bits in the modulus [512]: 768
    % Generating 768 bit RSA keys ...[OK]
    DoogiesRouter(config)#
    *Mar 1 00:17:13.337: %SSH-5-ENABLED: SSH 1.5 has been enabled
    DoogiesRouter(config)#
    <end output>

    Don't forget to save your configuration file.

    Additionally:
    ----------------
    This is the most rudimentary of configurations and doesn't create any policies as to who should be allowed to access your vty's. You might consider creating an access-list which restricts access to a specific range of *source* IP addresses, then apply it to the vty's (NOT the physical interfaces) to restrict access. The example below restricts access such that only the subnet 172.16.32.0/24 can access your vty's. (IOS routers use inverse masks).

    DoogiesRouter(config)#access-list 2 permit 172.16.32.0 0.0.0.255
    DoogiesRouter(config)#line vty 0 4
    DoogiesRouter(config-line)#access-class 2 in
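Added example, not part of DocLarge's or Eric_Stewart's post: a small Python audit that reads the text of `show running-config`, reports the weak remote-access settings the "rudimentary" configuration above leaves in place (telnet accepted alongside SSH, no `access-class` on the vty lines, `username ... password` instead of `secret`, no `ip ssh version 2`), and renders a hardened equivalent with the source access-list from the post applied. The sample config, the finding codes, the placeholder enable-secret hash and the `hardened_config` layout are constructed for this example; they are not Cisco tooling or output.

```python
"""Audit a Cisco IOS configuration for the remote-access weaknesses the
post's rudimentary vty setup leaves in place, and render a hardened variant.
Added example: it parses the text of `show running-config`, not a live device."""
import re
from typing import Dict, List

# Constructed sample mirroring the post's configuration as running-config
# text. The enable-secret hash is a placeholder, not a real digest.
RUDIMENTARY_CONFIG = """\
hostname DoogiesRouter
!
ip domain-name example.com
!
username testuser privilege 15 password 0 W0n'tF0r5etTh15
enable secret 5 $1$xxxx$placeholderhashplaceholder
!
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
end
"""


def parse_config(text: str) -> Dict[str, object]:
    """Pull out the pieces of an IOS config that govern vty access."""
    info = {"vty": [], "usernames": [], "enable_secret": False,
            "ssh_version": None, "acls": set()}
    current = None  # the `line vty` block whose indented subcommands we are in
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith(" ") and current is not None:
            current["cmds"].append(line.strip())  # subcommands are indented
            continue
        current = None
        if m := re.match(r"line vty (\d+) (\d+)$", line):
            current = {"range": f"{m[1]} {m[2]}", "cmds": []}
            info["vty"].append(current)
        elif m := re.match(r"username (\S+) .*?\b(password|secret)\b", line):
            info["usernames"].append((m[1], m[2]))  # how the credential is stored
        elif line.startswith("enable secret"):
            info["enable_secret"] = True
        elif m := re.match(r"ip ssh version (\d)", line):
            info["ssh_version"] = int(m[1])
        elif m := re.match(r"access-list (\d+) ", line):
            info["acls"].add(m[1])
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            info["acls"].add(m[1])
    return info


def audit(text: str) -> List[str]:
    """Return 'CODE: detail' findings; an empty list means nothing weak was found."""
    info = parse_config(text)
    findings = []
    for vty in info["vty"]:
        cmds, rng = vty["cmds"], vty["range"]
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        allowed = transports[-1] if transports else ["<default>"]  # default varies by IOS version
        if "telnet" in allowed or "all" in allowed or "<default>" in allowed:
            findings.append(f"TELNET_POSSIBLE: line vty {rng} transport input "
                            f"{' '.join(allowed)} (credentials cross the wire in cleartext)")
        acl = [c.split()[1] for c in cmds if c.startswith("access-class")]
        if not acl:
            findings.append(f"NO_ACCESS_CLASS: line vty {rng} accepts logins from any source")
        elif acl[-1] not in info["acls"]:
            findings.append(f"UNDEFINED_ACL: line vty {rng} access-class {acl[-1]} "
                            "references an access-list that is not defined")
        if not any(c.startswith("login") for c in cmds):
            findings.append(f"NO_LOGIN: line vty {rng} has no 'login' or 'login local'")
    for name, keyword in info["usernames"]:
        if keyword == "password":
            findings.append(f"REVERSIBLE_PASSWORD: username {name} is stored with "
                            "'password' (type 0/7, recoverable); use 'secret'")
    if not info["enable_secret"]:
        findings.append("NO_ENABLE_SECRET: 'enable secret' is not set")
    if info["ssh_version"] != 2:
        findings.append("SSH_V1_ALLOWED: 'ip ssh version 2' is not set")
    return findings


def hardened_config(hostname: str, domain: str, user: str, user_secret: str,
                    enable_secret: str, mgmt_net: str, mgmt_wildcard: str,
                    acl: int = 2) -> str:
    """Render the post's setup with telnet removed, SSHv2 forced, the source
    access-class applied and credentials stored as secrets (assumed layout)."""
    return "\n".join([
        f"hostname {hostname}",
        f"ip domain-name {domain}",
        "! run interactively before the next line: crypto key generate rsa modulus 2048",
        "ip ssh version 2",
        f"access-list {acl} permit {mgmt_net} {mgmt_wildcard}",  # IOS wildcard mask
        f"access-list {acl} deny any log",
        f"username {user} privilege 15 secret {user_secret}",
        f"enable secret {enable_secret}",
        "line vty 0 4",
        " login local",
        f" access-class {acl} in",
        " transport input ssh",
        " exec-timeout 10 0",
        "end",
    ])


if __name__ == "__main__":
    for finding in audit(RUDIMENTARY_CONFIG):
        print(finding)
    print(hardened_config("DoogiesRouter", "example.com", "testuser",
                          "W0n'tF0r5etTh15", "5up3r53cr3t", "172.16.32.0", "0.0.0.255"))
```

One caveat the audit cannot cover from `show running-config` alone: the RSA modulus size is not shown there, so the 768-bit key generated in the post has to be checked with `show ip ssh` (or `show crypto key mypubkey rsa`) and regenerated with `crypto key generate rsa modulus 2048` if it is short; `ip ssh version 2` also refuses to enable until a key pair exists, which is why the hardened rendering flags the key step as something to run first.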