Cisco 871 ssh login question

I will show you my current sh run of my router to make it easier for you to help me.
The thing is I use ssh instead of telnet for login over the internet from any remote computer to my router.
Also, I enabled aaa and set the login for line vty 0 4 to transport ssh. I can log in to my router over the internet fine by using the password that I set for the line.

Problem is, I can't get to privilege mode after logging on to the router.
Metaverse> when I type en it gives me the "% error in authentication" message.
I need to be able to configure the router over the WAN, which means I need to be in privilege mode (Metaverse#). I'm able to get into privilege mode over the console or HyperTerminal from my server with the COM port, but not over the line. When logging in to the line I use the password that I set for the line; I tried using the console password but it won't let me in, which is normal. I use an SSH client or a program called PuTTY.

Last thing, I need to know how to enable a port range for certain applications.
I have no problem port forwarding a single port for an application, for example
(ip nat inside source static tcp 192.168.0.10 21 interface FastEthernet4 21), which I use for my FTP server in my LAN so outsiders can access it.
What if some apps require a port range?



Building configuration...

Current configuration : 3319 bytes
!
! Last configuration change at 02:18:14 est Sun Feb 4 2007
! NVRAM config last updated at 20:06:19 est Thu Feb 1 2007
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Metaverse
!
boot-start-marker
boot-end-marker
!
logging buffered 5000000 debugging
!
aaa new-model
!
!
aaa authentication login default line
aaa authorization console
!
aaa session-id common
!
resource policy
!
clock timezone est -5
clock summer-time edt recurring
ip cef
!
!
!
!
ip vrf forwarding
!
ip domain name x.x.x.net
ip ssh time-out 6
ip inspect log drop-pkt
ip inspect udp idle-time 10
ip inspect name walloffire ftp audit-trail on timeout 60
ip inspect name walloffire tcp timeout 60
ip inspect name walloffire bootps
ip inspect name walloffire icmp timeout 10
ip ips name YuriIPS
login block-for 120 attempts 2 within 150
login on-failure log
!
!
!
username xxxxxxxxx
!
!
!
!
!
!
interface FastEthernet0
 description Main Rig
 no cdp enable
!
interface FastEthernet1
 description lappy
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 description WAN connection
 ip dhcp client update dns
 ip address dhcp
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect walloffire in
 ip ips YuriIPS in
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description Home maga LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 no ip address
 shutdown
!
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.10 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.0.10 2302 interface FastEthernet4 2302
ip nat inside source static tcp 192.168.0.10 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.0.10 5922 interface FastEthernet4 5922
ip nat inside source static tcp 192.168.0.10 55000 interface FastEthernet4 55000
ip nat inside source static tcp 192.168.0.11 45011 interface FastEthernet4 45011
ip nat inside source static tcp 192.168.0.10 46541 interface FastEthernet4 46541
!
!
logging history debugging
logging trap debugging
logging server-arp
logging 192.168.0.10
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny any
access-list 102 deny icmp any host x.x.x.x log
access-list 102 deny ip 66.177.58.0 0.0.0.255 host x.x.x.x log
access-list 102 deny ip 66.180.205.0 0.0.0.255 host x.x.x.x log
access-list 102 deny ip 209.204.61.0 0.0.0.255 host x.x.x.x log
access-list 102 deny ip 216.151.155.0 0.0.0.255 host x.x.x.x log
access-list 102 permit ip any any
!
!
!
!
control-plane
!
banner motd ^C
Welcome to the Metaverse, Don't screw with my networks or I'll will be after you!! All actions will be taken!
^C
!
line con 0
 password 7 09181C5E41574741535E547C7E75
 no modem enable
 transport preferred none
 transport output all
line aux 0
 transport output all
line vty 0 4
 password 7 13514545535E54797C757D61
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
end
Metaverse#
 
You can use the local user database to perform this task, that is of course, unless you are opposed to doing it this way.

If you want to use the local user database in order to allow privilege level 15 users to login via SSH then you should set the commands "authentication local" under your VTY line and remove the "password 7 XXXX" line.

Then set up a user in the local database with level 15 access. When you attempt to connect via SSH it will then prompt you for a username and password. Once you login you will be in privileged exec mode.
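The configuration below is an added example (not from this thread or from the poster's router) of the local-user approach described in the answer above, written for a router that already runs aaa new-model, as the posted sh run does. Two points matter for the symptoms in the thread: the posted configuration shows no enable secret, which is consistent with "% Error in authentication" when typing en over a VTY; and under aaa new-model the line commands login local and authentication local are not accepted, so the local database is selected through the AAA method lists instead. The later workaround in the thread (privilege level 15 on the VTY line) gives every holder of the shared line password full control with no per-user accountability, whereas named users with privilege 15 keep a record of who logged in. Hostname, usernames and secrets here are placeholders; the type 7 strings pasted in the thread are reversible and should be treated as disclosed and changed.

```cisco
! Added example, not from the thread: per-user SSH login landing in
! privilege 15 on IOS 12.4 with aaa new-model enabled.
! All secrets below are placeholders to be replaced.
hostname Metaverse
!
! Type 5 secret rather than "password 7"; required for enable over a VTY.
enable secret PLACEHOLDER-ENABLE-SECRET
!
! Named local user with privilege 15, so the login is attributable.
username admin privilege 15 secret PLACEHOLDER-USER-SECRET
!
! With aaa new-model, "login local" on the line is rejected; the method
! lists select the local database. The exec authorization line is what
! applies the user's privilege level at login.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Keep the lockout already present in the posted config; it covers SSH too.
login block-for 120 attempts 2 within 150
login on-failure log
!
! SSHv2 only, with a bounded number of password attempts per session.
ip ssh version 2
ip ssh authentication-retries 3
!
line vty 0 4
 no password
 login authentication default
 authorization exec default
 exec-timeout 10 0
 transport input ssh
```

After applying this, the SSH client is prompted for a username and password, and a successful login with the privilege 15 user arrives at the Metaverse# prompt; verify with show users and show privilege before closing the console session that was used to make the change.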
 

Thanks for the response, but the "authentication local" command is unrecognized and does not exist for the line command on my router. I'm going to play around a little; hopefully I find it.
 
Well, I solved the problem. I just used privilege level 15 as my command and kept the same password; now I can log in with that line password as level 15.
 
∞Velocitymaster∞;1030606113 said:
Thanks for the response, but the "authentication local" command is unrecognized and does not exist for the line command on my router. I'm going to play around a little; hopefully I find it.

My bad, it's "login local" for the VTY line...
 