Cisco 837 e Telnet/Ssh dall' interno

[darkm20]

Ciao a tutti:

Non riesco a usare ssh e telnet verso l'esterno da questo 837 (guardate in fondo):

Codice: Seleziona tutto

Using 2246 out of 131072 bytes, uncompressed size = 3855 bytes
Uncompressed configuration from 2246 bytes to 3855 bytes
!
! Last configuration change at 00:20:07 BST Tue Apr 11 2006 by admin
! NVRAM config last updated at 00:20:10 BST Tue Apr 11 2006 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname Router
!
security authentication failure rate 3 log
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
username admin privilege 15 secret 5 xxxxxx
clock timezone GMT 1
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
no aaa new-model
ip subnet-zero
ip tcp synwait-time 10
no ip domain lookup
ip domain name test.it
!
!
no ip bootp server
ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 smtp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
 class-map match-any voice-control
  match access-group name voice-control
 class-map match-all voice
  match ip rtp 16384 16383
!
!
 policy-map VOICE
  class voice
   priority percent 50
  class voice-control
   bandwidth 30
  class class-default
   fair-queue
!
!
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 bandwidth 256
 ip address 85.20.20.10 255.255.255.224
 ip access-group 101 in
 ip nat outside
 ip inspect DEFAULT100 out
 service-policy output VOICE
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxx
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.0.0.10 5060 interface Dialer0 5060
ip nat inside source static tcp 10.0.0.5 23456 interface Dialer0 23456
ip nat inside source static udp 10.0.0.5 4672 interface Dialer0 4672
ip nat inside source static tcp 10.0.0.5 4662 interface Dialer0 4662
ip nat inside source static tcp 10.0.0.5 4711 interface Dialer0 4711
ip nat inside source static udp 10.0.0.10 4569 interface Dialer0 4569
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list extended nat
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended voice-control
 permit tcp any any eq 5060
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp host 193.204.114.232 eq ntp any eq ntp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 22
access-list 101 deny   ip any any log
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 01181209085F56
 login local
 transport preferred none
 transport input ssh
 transport output none
!
scheduler max-task-time 5000
sntp server 193.204.114.232
!
end

quindi:

Router#ssh 10.0.0.10
% ssh connections not permitted from this terminal
Router#telnet 10.0.0.10
% telnet connections not permitted from this terminal

[andrewp]

Uno sh ver?Se scrivi "ss" e premi TAB, ti completa il comando?

[darkm20]

Certo!

Codice: Seleziona tutto

Cisco Internetwork Operating System Software 
IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Thu 04-Mar-04 01:13 by ealyon
Image text-base: 0x800131E8, data-base: 0x80B93040

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Router uptime is 1 week, 4 days, 10 hours, 59 minutes
System returned to ROM by power-on
System restarted at 14:02:25 BST Sun Apr 2 2006
System image file is "flash:c837-k9o3y6-mz.123-2.XC2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

CISCO C837 (MPC857DSL) processor (revision 0x500) with 44237K/4915K bytes of memory.
Processor board ID AMB082505W5 (1657964016), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
4 FastEthernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

ss[tab] -> ssh xxxxxx

Grazie!

[andrewp]

Forse ho trovato l' inghippo

Codice: Seleziona tutto

Prerequisites
The SSH client functionality is available only when the SSH server is enabled. The instructions for configuring and enabling the Cisco IOS SSH server are available in the Secure Shell Version 1 Support feature module for Cisco IOS Release 12.1(1)T. 

The SSH client requires you to have an IPSec (DES or 3DES) encryption software image from Cisco IOS Release 12.1(3)T loaded on your Cisco network device. 

Prova e fammi sapere...

[darkm20]

Ciao,

scusa mi sono dimenticato di dire che prima che inserissi questa configurazione funzionavano tutti e due. Ora non più.

Tra l'altro al router mi collego tramite SSH, quindi il server ssh interno funziona. Il problema è sui client Telnet e SSH interni al router.

Non ancora sono riuscito a capire da cosa dipende, dovrei riportare la configurazione a zero e reinserire passo passo provando a vedere se cambia qualcosa, ma pensavo che qualcuno l'avrebbe capito subito.

Grazie per il tuo aiuto!