SSHD woes with Cisco router

Discussion in 'Cisco' started by David Arnstein, May 2, 2004.

  1. I have a little 806 router that I have been using at home as a NAT
    gateway, IP filter, firewall, and a few other functions. For over a
    year, everything was just great. I run an ssh daemon/server (sshd) on
    a peecee at home. My home "network" is super simple:

    +----------------+    +-----------+    +---------+   +------+
    |cable TV network|----|Cable modem|----|Cisco 806|---|peecee|
    +----------------+    +-----------+    +---------+   +------+

    Recently, I have lost the use of sshd. When I attempt to ssh to the
    peecee from the outside world, no joy. The sshd software acknowledges
    the attempt, and writes a complaint
    "Could not write ident string to 166.84.1.2"
    166.84.1.2 is the address that I'm running ssh from.

    If I remove the Cisco 806 from the above chain, then sshd works fine.
    Perhaps my config spec got messed up somehow?

    When I do "show ver" on my Cisco 806, it says
    -----------------------------------------------------------------------
    Cisco IOS Software, C806 Software (C806-O3SY6-M), Version 12.3(4)T4,
    RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2004 by Cisco Systems, Inc.
    Compiled Thu 11-Mar-04 18:57 by eaarmas

    ROM: System Bootstrap, Version 12.2(4r)XM3, RELEASE SOFTWARE (fc1)

    OwlX uptime is 4 minutes
    System returned to ROM by reload at 14:14:08 PDT Sun May 2 2004
    System restarted at 14:15:36 PDT Sun May 2 2004
    System image file is "flash:c806-o3sy6-mz.123-4.T4.bin"

    Cisco C806 (MPC855T) processor (revision 0x501) with 30720K/2048K
    bytes of memory.
    Processor board ID VMS0640052K (948158724), with hardware revision
    0000
    CPU rev number 0
    2 Ethernet interfaces
    128K bytes of NVRAM.
    8192K bytes of processor board System flash (Read/Write)
    2048K bytes of processor board Web flash (Read/Write)

    Configuration register is 0x2102
    -----------------------------------------------------------------------

    I have cut out a lot of stuff from my config in order to troubleshoot
    the problem. Is there anything obviously wrong with it? In the
    following config spec, 192.168.0.3 is the fixed IP address for peecee.
    Here is the config spec:
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    version 12.3
    no service pad
    no cdp run
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    service password-encryption

    hostname OwlX
    username david
    clock timezone PT -8
    clock summer-time PDT recurring
    logging 192.168.0.3

    ip dns server
    ip subnet-zero
    ip dhcp excluded-address 192.168.0.1 192.168.0.3

    ip dhcp pool CLIENT
    import all
    network 192.168.0.0 255.255.255.0
    dns-server 192.168.0.1
    default-router 192.168.0.1
    lease 0 2

    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw h323 timeout 3600
    ip inspect name myfw http timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw rtsp timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15

    ip audit notify log



    interface Ethernet0
    ip address 192.168.0.1 255.255.255.0
    ip access-group 166 in
    ip nat inside
    no cdp enable
    hold-queue 32 in
    hold-queue 100 out
    exit

    interface Ethernet1
    ip address dhcp client-id Ethernet1
    ip access-group 111 in
    ip nat outside
    ip inspect myfw out
    no cdp enable
    exit

    ! Note: ports 22, 1387 are for ssh. Port 9 for WOL. 514 is for rsh (cmd).
    ip nat inside source list 102 interface Ethernet1 overload
    ip nat inside source static tcp 192.168.0.3 6000 interface Ethernet1 6000
    ip nat inside source static tcp 192.168.0.3 22 interface Ethernet1 22
    ip nat inside source static tcp 192.168.0.3 1387 interface Ethernet1 1387
    ip nat inside source static udp 192.168.0.3 9 interface Ethernet1 9
    ip classless
    ip http server

    access-list 111 permit ip any any log

    access-list 23 permit 192.168.0.0 0.0.0.255
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any

    ! Let everything in
    access-list 166 permit ip any any log

    line con 0
    exec-timeout 120 0
    stopbits 1
    transport preferred none
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    length 0
    transport preferred none

    scheduler max-task-time 5000

    ntp server 216.218.192.202
    ntp server 207.126.97.57
    ntp server 216.218.254.202
    ntp server 204.74.68.55
    ntp server 216.27.190.202

    end
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Thanks for any suggestions!
    --
    David Arnstein
     
    David Arnstein, May 2, 2004
    #1
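    As an added example, not part of the thread, the following Python audit walks the NAT and access-list portion of the config posted above and lists what the outside interface exposes. The CONFIG excerpt is constructed from the post; the parser, the `audit` function and the wording of the findings are mine.

```python
import re

# Constructed excerpt of the Cisco 806 config posted above, cut down to the
# outside interface, static NAT and access-list lines the audit inspects.
CONFIG = """\
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group 111 in
 ip nat outside
 exit
ip nat inside source static tcp 192.168.0.3 6000 interface Ethernet1 6000
ip nat inside source static tcp 192.168.0.3 22 interface Ethernet1 22
ip nat inside source static tcp 192.168.0.3 1387 interface Ethernet1 1387
ip nat inside source static udp 192.168.0.3 9 interface Ethernet1 9
ip http server
access-list 111 permit ip any any log
"""

# ip nat inside source static <proto> <in-ip> <in-port> interface <if> <out-port>
STATIC_NAT = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")

def parse_config(text):
    """Return (outside, forwards, acls, http): 'ip nat outside' interfaces -> inbound
    ACL number (or None), STATIC_NAT tuples, ACL number -> rules, 'ip http server' flag."""
    outside, forwards, acls, http = {}, [], {}, False
    iface, acl_in, is_outside = None, None, False
    for raw in text.splitlines() + ["!"]:  # trailing "!" flushes the last block
        line = raw.strip()
        if line.startswith("interface ") or line in ("exit", "!"):
            if iface and is_outside:
                outside[iface] = acl_in
            iface = line.split()[1] if line.startswith("interface ") else None
            acl_in, is_outside = None, False
        elif iface and line.startswith("ip access-group ") and line.endswith(" in"):
            acl_in = line.split()[2]
        elif iface and line == "ip nat outside":
            is_outside = True
        elif m := STATIC_NAT.match(line):
            forwards.append(m.groups())
        elif line.startswith("access-list "):
            number, *rule = line.split()[1:]
            acls.setdefault(number, []).append(" ".join(rule))
        elif line == "ip http server":
            http = True
    return outside, forwards, acls, http

def audit(text):
    """Describe what the outside world can reach through this config."""
    outside, forwards, acls, http = parse_config(text)
    findings = []
    for iface, acl in outside.items():
        if acl is None or any(r.startswith("permit ip any any") for r in acls.get(acl, [])):
            findings.append(f"{iface}: inbound ACL {acl or 'missing'} permits ip any any; "
                            "exposure of the forwards is bounded only by the NAT table")
    for proto, in_ip, in_port, iface, out_port in forwards:
        findings.append(f"{iface}: {proto}/{out_port} -> {in_ip}:{in_port} forwarded to the LAN host")
    if http:
        findings.append("ip http server is enabled on the router; disable it or limit it with 'ip http access-class'")
    return findings
```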

  2. I have made partial progress troubleshooting this problem. I recently
    upgraded my IOS to c806-o3sy6-mz.123-4.T4.bin due to security issues.
    If I downgrade my IOS to the previous version that I had, which is
    cisco_c806-o3sy6-mz.122-13.ZH.bin, then I can run sshd on my peecee
    again. So I think that the new IOS c806-o3sy6-mz.123-4.T4.bin is the
    problem.

    Is this a known problem? Is there a work-around? Perhaps I have to
    change my config file?

    Thanks again for any suggestions!
    --
    David Arnstein
     
    David Arnstein, May 3, 2004
    #2

  3. David Arnstein

    Bill F Guest

    Not sure this is relevant, but, when I loaded up one of the tcp
    vulnerability "fixed" images, 12.2(23a), it broke ssh access, but not all
    access from the outside. You might want to inquire at TAC.

    David Arnstein wrote:
    > I have a little 806 router that I have been using at home as a NAT
    > gateway, IP filter, firewall, and a few other functions. For over a
    > year, everything was just great. I run an ssh daemon/server (sshd) on
    > a peecee at home. My home "network" is super simple:
    >
    > +----------------+    +-----------+    +---------+   +------+
    > |cable TV network|----|Cable modem|----|Cisco 806|---|peecee|
    > +----------------+    +-----------+    +---------+   +------+
    >
    > Recently, I have lost the use of sshd. When I attempt to ssh to the
    > peecee from the outside world, no joy. The sshd software acknowledges
    > the attempt, and writes a complaint
    > "Could not write ident string to 166.84.1.2"
    > 166.84.1.2 is the address that I'm running ssh from.
     
    Bill F, May 3, 2004
    #3
  4. David Arnstein

    Ben Guest

    I am curious that it worked without the 'transport input ssh' command on the
    vty lines...


    "David Arnstein" <> wrote in message
    news:c73pjp$5or$...
    > I have a little 806 router that I have been using at home as a NAT
    > gateway, IP filter, firewall, and a few other functions. For over a
    > year, everything was just great. I run an ssh daemon/server (sshd) on
    > a peecee at home. My home "network" is super simple:
    >
    > +----------------+    +-----------+    +---------+   +------+
    > |cable TV network|----|Cable modem|----|Cisco 806|---|peecee|
    > +----------------+    +-----------+    +---------+   +------+
    >
    > Recently, I have lost the use of sshd. When I attempt to ssh to the
    > peecee from the outside world, no joy. The sshd software acknowledges
    > the attempt, and writes a complaint
    > "Could not write ident string to 166.84.1.2"
    > 166.84.1.2 is the address that I'm running ssh from.
     
    Ben, May 3, 2004
    #4
  5. David Arnstein

    Chris Thomas Guest

    In article <409617ef$>,
    says...
    > I am curious that it worked without the 'transport input ssh' command on the
    > vty lines...


    Absent a specific transport cmd, the default is input transport all.
     
    Chris Thomas, May 3, 2004
    #5
  6. In article <>,
    Bill F <> wrote:
    >Not sure this is relevant, but, when I loaded up one of the tcp
    >vulnerability "fixed" images, 12.2(23a), it broke ssh access, but not all
    >access from the outside. You might want to inquire at TAC.


    What does the vty line have to do with my problem? I'm not attempting
    to do ssh with the router as an endpoint. The endpoints are
    1. peecee (ssh server)
    2. a remote Unix system (ssh client)
    See diagram in original post.

    Please inform me if I am missing something here.

    By the way, I don't think the 806 router supports ssh on vty lines.
    --
    David Arnstein
     
    David Arnstein, May 3, 2004
    #6