Need to lock down remote access to my Cisco, I dont want to use telnet but dont have SSH :(

[DJMK4]

As above really, at home I have

Netgear --- Cisco ----LAN1 / LAN2

Now at the moment to manage remotely I have telnet enabled with a strong password, however as most of you are aware telnet traffic is not encrypted and quite a security threat.

What I have done for the moment is open up telnet ports from my IP range in work so I can get to it from there, without having anyone else being able to jump in.

With regards to SSH, iv read up on a few sites and even tried enabling SSH but im not sure if my router is capable of it, however there are documents I found on the web contradicing what I read saying yes I can be done but its an earlier version.

Here is my show version output

morandarouter1>show version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-Y7-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Wed 24-Jan-07 15:39 by ccai
Image text-base: 0x8000816C, data-base: 0x80B99150

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-Y7-M), Version 12.3(22), RELEASE SOFTWARE (fc2)

morandarouter1 uptime is 2 days, 22 hours, 44 minutes
System returned to ROM by power-on
System restarted at 23:32:13 UTC Wed Aug 19 2009
System image file is "flash:y"

cisco 1720 (MPC860T) processor (revision 0x601) with 27656K/5112K bytes of memory.
Processor board ID JAD05350SP6 (3674387206), with hardware revision 0000
MPC860T processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)

Any help appriciated, I would rather be able to use SSH

 

[Rroff]

Have you tried connecting with an SSH client (putty) to port 22? Usually if you enable remote console access both telnet and SSH are enabled by default.

 

[DJMK4]

It wont let me in over the SSH ports no, iv tried following the guide and using the cryptokey command which sets up the SSH but its not working

When I enabled telnet I used the commands

ExampleName(config)#line vty 0 4
ExampleName(config-line)#login
ExampleName(config-line)#password (enter password)
ExampleName(config)#ctrl-z

 

[Styles]

Have you tried using the command 'transport input ssh'?

Sounds like you've already created the keys using the 'crypto key generate rsa' command followed by the say 1024 bit keys.

*You'll need 'transport input all' if you still want to be able to use telnet.

So for example:

ROUTER>en
ROUTER#conf t
ROUTER(config)#hostname Bob
BOB(config)#ip domain name Bob.cisco
BOB(config)#crypto key generate rsa

How many bits in the modulus [512]: 1024
Generating keys etc [OK]

Bob(config)#line vty 0 4 (or 0 15 depending on model)
Bob(config-line)#password cisco
Bob(config-line)#login
Bob(config-line)#transport input ssh


That's just an example.

 

[DJMK4]

Have you tried using the command 'transport input ssh'?

Sounds like you've already created the keys using the 'crypto key generate rsa' command followed by the say 1024 bit keys.

*You'll need 'transport input SSH telnet' if you still want to be able to use telnet.

I got an error when I tried to create the crypto key, cant remember what it was as it was a few weeks ago since I attempted it but ill try it again and will post back with the error it gives me

 

[Styles]

To create the keys the hostname needs to be different from 'ROUTER' and you need to have joined a domain.

Let me know how you get on.

Cheers

 

[DJMK4]

the hostname was changed when I configured it first off, not sure if iv joined a domain though?

 

[Styles]

give it a go, should make the difference:

Bob(config)#ip domain name bob.cisco

As an example

 

[DJMK4]

Cool I shall give this a go later and ill post results back

 

[DJMK4]

Dont think its going to work I keep getting the below error when trying to generate a key, everythings been configured as it should be.

morandarouter1#show ip ssh
                        ^
% Invalid input detected at '^' marker.

morandarouter1#crypto key generate rsa
                ^
% Invalid input detected at '^' marker.

morandarouter1#crypto key generate rsa
                ^
% Invalid input detected at '^' marker.

morandarouter1#morandarouter1>show ip ssh
                  ^
% Invalid input detected at '^' marker.

 

[SoundsGood]

AFAIK you need to be in global configuration mode to run the generate command (config t)

 

[DJMK4]

Nope still doing the same

 

[Yamahahahahaha]

You need a k9 (security) IOS I think.
I can never tell with all the different features of each IOS / Revision / Train.

 

[DJMK4]

Oh well,

I will just have to use telnet for now and just have my firewall blocking telnet ports until I need to use it, then log on to my router and open the ports but lock it down to the specific IP address that im using at the time.

When im finished I will close the ports on the firewall.

 

[SoundsGood]

If you're feeling very, very sad you could SSH into a host within your LAN, then telnet to the router from there?

 

[DJMK4]

If you're feeling very, very sad you could SSH into a host within your LAN, then telnet to the router from there?

That could be done I suppose, when my windows server 2003 server is fixed

 

[DJMK4]

They are providing me with an IOS image in work which will resolve this issue

 

[matthab]

Know you have solved it but a VPN could do the same?

 

[Chief Wiggum]

The router wouldn't support VPN termination without a crypto image, only VPN pass through to something like a win2k3 server which he has - it's just broken

 

[DJMK4]

Server is fixed and I have got an SSH server running on it if I need to use it as a backup method. However now I will be getting the IOS image I dont really need it.

Will let you know when I get the new image on the Cisco.