Setting Up SSH and Telnet Access To A CISCO IOS Router

Discussion in 'Other Cisco Equipment' started by DocLarge, Jun 17, 2007.

Thread Status:
Not open for further replies.
  1. DocLarge

    DocLarge Super Moderator Staff Member Member

    Big thanks goes to the "Most Excellent CISCO Guy" Eric_Stewart for this latest installation of CISCO IOS configuration guidelines...

    Access lists will control traffic going *through* your 871W...not *to* it. That said, here's what you need:

    Step (1) Set up vty's for dialin telnet and ssh:
    Router(config)#line vty 0 4
    Router(config-line)#privilege level 15
    Router(config-line)#login local
    Router(config-line)#transport input telnet ssh

    Explanation: line interfaces vty 0 through 4 are the virtual terminal interfaces *to* your device. When you telnet to the 871W you are using thes lines. The commands above will: 1) select the interfaces then 2) allow users in a local database that you set up separately to SSH and telnet to your 871W.

    Step (2) Set up a user/password database:
    Router(config)#username testuser privilege 15 password W0n'tF0r5etTh15

    Step (3) Set an enable password
    Finally, there's a security feature on all Cisco routers that requires that the enable password be set before you can telnet/ssh to the router....regardless of whether you've done all the above:

    Router(config)#enable secret 5up3r53cr3t

    Now you should be telnet to your router, but (and here's the kicker) *not* SSH to it. You now need to setup encryption keys.

    Step (4) Set up an RSA key pair:
    [sidebar: 1st you have to setup a hostname and domain name since the keys are generated based on these values]

    Router(config)#hostname DoogiesRouter
    DoogiesRouter(config)#ip domain-name

    ...then generate the keys:
    DoogiesRouter(config)#crypto key generate rsa

    ...the output will look something like this:
    <begin output>
    The name for the keys will be:
    Choose the size of the key modulus in the range of 360 to 2048for your General Purpose Keys. Choosing a key modulus greater than512 may take a few minutes.
    How many bits in the modulus [512]: 768
    % Generating 768 bit RSA keys ...[OK]
    *Mar 1 00:17:13.337: %SSH-5-ENABLED: SSH 1.5 has been enabled
    <end output>

    Don't forget to save your configuration file.

    This is the most rudimentary of configurations and doesn't create any policies as to who should be allowed to access your vty's. You might consider creating an access-list which restricts access to a specific range of *source* IP addresses, then apply it to the vty's (NOT the physical interfaces) to restrict access. The example below restricts access such that only the subnet can access your vty's. (IOS routers use inverse masks).

    DoogiesRouter(config)#access-list 2 permit
    DoogiesRouter(config)#line vty 0 4
    DoogiesRouter(config-line)#access-class 2 in
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice