How to create self-signed certificates
An article by Fabio Semperboni
Tutorial
A digital certificate or identity certificate is an electronic document which uses a digital signature to bind a public key to an identity: information such as the name of a person or an organization, their address, and so forth.
Introduction
Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2 whenever possible, because it uses stronger encryption and integrity algorithms than version 1.
This document discusses how to configure and debug SSH on Cisco routers or switches that run a version of Cisco IOS® Software that supports SSH. This document contains more information on specific versions and software images.
Prerequisites
Requirements
The Cisco IOS image used must be a k9(crypto) image in order to support SSH. For example c3750e-universalk9-tar.122-35.SE5.tar is a k9 (crypto) image.
Components Used
The information in this document is based on Cisco IOS 3600 Software (C3640-IK9S-M), Release 12.2(2)T1.
SSH was introduced into these Cisco IOS platforms and images:
Refer to the Software Advisor (registered customers only) for a complete list of feature sets supported in different Cisco IOS Software releases and on different platforms.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are in a live network, make sure that you understand the potential impact of any command before you use it.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
SSH v1 vs. SSH v2
Use the Cisco Software Advisor (registered customers only) in order to help you find the version of code with appropriate support for either SSH v1 or SSH v2.
Network Diagram
Test Authentication
Authentication Test without SSH
First test the authentication without SSH to make sure that authentication works with the router Carter before you add SSH. Authentication can be with a local username and password or with an authentication, authorization, and accounting (AAA) server that runs TACACS+ or RADIUS. (Authentication through the line password is not possible with SSH.) This example shows local authentication, which lets you Telnet into the router with username 'cisco' and password 'cisco'.
Authentication Test with SSH
In order to test authentication with SSH, add the SSH commands to the previous configuration in order to enable SSH on Carter, then test SSH from the PC and UNIX stations.
At this point, the show crypto key mypubkey rsa command must show the generated key. After you add the SSH configuration, test your ability to access the router from the PC and UNIX station. If this does not work, see the debug section of this document.
Optional Configuration Settings
Prevent Non-SSH Connections
If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.
Test to make sure that non-SSH users cannot Telnet to the router Carter.
Set Up an IOS Router or Switch as SSH Client
There are four steps required to enable SSH support on a Cisco IOS router:
If you want to have one device act as an SSH client to the other, you can add SSH to a second device called Reed. These devices are then in a client-server arrangement, where Carter acts as the server, and Reed acts as the client. The Cisco IOS SSH client configuration on Reed is the same as required for the SSH server configuration on Carter.
Issue this command to SSH from the Cisco IOS SSH client (Reed) to the Cisco IOS SSH server (Carter) in order to test this:
Set Up an IOS Router as an SSH Server That Performs RSA-Based User Authentication
Complete these steps in order to configure the SSH server to perform RSA-based user authentication.
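An added example (not the page's own steps, nor Cisco's listing) of the RSA-based user authentication this section refers to: the client's RSA public key is bound to the local user 'cisco' in the SSH public-key chain. It assumes an OpenSSH-style RSA key whose base64 body is shown here only as a placeholder.

```cisco
! Added example, not the page's own configuration.
! Assumptions: local user 'cisco' (as used elsewhere on the page) and an
! OpenSSH-format RSA public key; <BASE64-PUBLIC-KEY-PLACEHOLDER> stands
! for the key body and must be replaced with the real value.
!
! Enter the public-key chain and create an entry for the user. Only the
! base64 body of the key is pasted in key-string mode (no 'ssh-rsa'
! prefix and no trailing comment); a long key may be entered on several
! consecutive lines before 'exit'.
ip ssh pubkey-chain
 username cisco
  key-string
   <BASE64-PUBLIC-KEY-PLACEHOLDER>
  exit
 exit
!
! The user still needs a local account for the exec session; 'secret'
! stores a hash rather than a reversible type 7 string.
username cisco privilege 15 secret <PASSWORD>
```

After end, the running configuration shows the entry as a key-hash ssh-rsa line (a fingerprint of the key, not the key itself), which is what to compare against the client's key when a public-key login is refused.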
Add SSH Terminal-Line Access
If you need outbound SSH terminal-line authentication, you can configure and test SSH for outbound reverse Telnets through Carter, which acts as a comm server to Philly.
If Philly is attached to Carter's port 2, then you can configure SSH to Philly through Carter from Reed with the help of this command:
You can use this command from Solaris:
Restrict SSH access to a subnet
If you need to limit SSH connectivity to a specific subnetwork, all SSH attempts from IP addresses outside that subnetwork should be dropped before authentication is attempted.
You can use these steps to accomplish this:
This is an example configuration. In this example, only SSH access from the 10.10.10.0 255.255.255.0 subnet is permitted; access from any other address is denied.
Note: The same procedure to lock down the SSH access is also applicable on switch platforms.
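The configuration the sections above describe (the local account used for the authentication test, the hostname, domain name and RSA key that SSH requires, transport input ssh on the vty lines, and the access list that admits only 10.10.10.0/24), collected into one added example that is not the page's own listing or Cisco's. It assumes the domain name example.com, standard ACL 23, vty lines 0 to 4, a 2048-bit RSA modulus, and a <PASSWORD> placeholder.

```cisco
! Added example, not the page's own configuration. Assumptions: domain
! name example.com, ACL number 23, vty lines 0-4, 2048-bit RSA modulus.
! Replace <PASSWORD> before use.
!
! Hostname and domain name must both exist before a key can be generated:
! the default key is named after them, which is also why changing either
! one later can produce the %SSH-3-PRIVATEKEY error discussed on this page.
hostname Carter
ip domain-name example.com
!
! Local account used by 'login local' on the vty lines. 'secret' stores
! a hash instead of the reversible type 7 string that 'password' would.
username cisco privilege 15 secret <PASSWORD>
!
! Generate the RSA key pair the SSH server uses. This command is not
! stored in the running configuration; verify the result with
! 'show crypto key mypubkey rsa'.
crypto key generate rsa modulus 2048
!
! SSH server settings: version 2 only, a short negotiation timeout and a
! small number of authentication attempts per connection.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Management subnet: only 10.10.10.0/24 may reach the vty lines. The
! explicit deny with 'log' records attempts from anywhere else.
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 deny any log
!
! vty lines: local login, SSH only (plain Telnet is refused), and the ACL
! applied inbound so the source filter runs before any login prompt.
line vty 0 4
 login local
 transport input ssh
 access-class 23 in
 exec-timeout 10 0
```

After this, show ip ssh confirms the version and timeout settings, a plain Telnet to Carter from 10.10.10.0/24 is refused, and an SSH attempt from any other subnet is dropped and logged by the deny entry rather than reaching the login prompt.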
Configure the SSH Version
Configure SSH v1:
Configure SSH v2:
Configure SSH v1 and v2:
Note: You receive this error message when you use SSHv1:
Note: Cisco bug ID CSCsu51740 (registered customers only) is filed for this issue. The workaround is to configure SSHv2.
Variations on banner Command Output
The banner command output varies between the Telnet and different versions of SSH connections. This table illustrates how different banner command options work with various types of connections.
Unable to Display the Login Banner
SSH version 2 supports the login banner. The login banner is displayed if the SSH client sends the username when it initiates the SSH session with the Cisco router. For example, when the Secure Shell ssh client is used, the login banner is displayed. When the PuTTY ssh client is used, the login banner is not displayed. This is because Secure Shell sends the username by default and PuTTY does not send the username by default.
The Secure Shell client needs the username to initiate the connection to the SSH enabled device. The Connect button is not enabled if you do not enter the host name and username. This screenshot shows that the login banner is displayed when Secure Shell connects to the router. Then, the login banner password prompt displays.
The PuTTY client does not require the username to initiate the SSH connection to the router. This screenshot shows that the PuTTY client connects to the router and prompts for the username and password. It does not display the login banner.
This screenshot shows that the login banner is displayed when PuTTY is configured to send the username to the router.
debug and show Commands
Before you issue the debug commands described and illustrated here, refer to Important Information on Debug Commands. Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
Sample Debug Output
Router Debug
Note: Some of this good debug output is wrapped to multiple lines because of spatial considerations.
Server Debug
Note: This output was captured on a Solaris machine.
What can go Wrong
These sections have sample debug output from several incorrect configurations.
SSH From an SSH Client Not Compiled with Data Encryption Standard (DES)
Solaris Debug
Router Debug
Bad Password
Router Debug
SSH Client Sends Unsupported (Blowfish) Cipher
Router Debug
Getting the '%SSH-3-PRIVATEKEY: Unable to retrieve RSA private key for' Error
If you receive this error message, it may be caused by a change in the domain name or host name. In order to resolve this, try these workarounds.
Cisco bug ID CSCsa83601 (registered customers only) has been filed to address this behaviour.
Troubleshooting Tips
Related Information
Similar Messages:
Cisco Switching/Routing :: Stacking 3750-X With Universal Image With 3750-G Running BIN Image? (Oct 10, 2011)
I'm looking at adding a Cisco 3750-X switch running c3750e-universalk9-mz.122-55.SE1 (IP base license) into a stack of 3750-G switches running c3750-ipbasek9-mz.122-55.SE1.bin. Given that the version and feature sets are the same, I don't foresee any compatibility issues. Would there be any reason why a universal image wouldn't stack correctly with other switches running the single .bin file?
Cisco Switching/Routing :: Can 2911 Router Work On IOS Other Than Universal Image (Jun 10, 2012)
Whether a Cisco Router 2911 would work on images other than the universal image: this is the question raised by one of our customers. He has a 2811 router where he has configured a T1/E1 configuration, terminated to a Zyxel modem, and it is working fine. Now he wants to replace this 2811 router with a 2911 router. Since the universal image in the 2911 router is not working with the present configuration in the 2811 router, he wants to know what options there are for him to configure this in the 2911.
Cisco Switching/Routing :: 4900M Downgrade IOS From Universal 15.x To Non-Universal 12.x (Aug 14, 2012)
Is it possible to downgrade the 4900M IOS image from the Universal 15.x image to a non-Universal (possibly IP BASE) 12.x image?
Cisco WAN :: L2TPV3 Pseudo-wire 1921 Universal Image (Aug 8, 2011)
I've come to a bit of a block in the road on a network I'm building. All is going well except I need to build a pseudowire to back up our primary L2 circuit. I labbed this with some 3745s, but the kit we are using is the 1921. With the universal image, how do I go about upgrading functionality to allow this? [code]
Cisco Switching/Routing :: 4503E With Sup 7-E And IOSX 3.2 / Enable Routing? (Apr 3, 2013)
I have a 3750X running at the moment with about 30 VLANs all connected, and I just use the ip route global config command to enable routing. The plan is to switch out to the 4503E with the IPBase license. Whenever I issue the same command and do a show run, it's not there. I get no error when I issue the command either. And yes, I have rebooted. Do I need to use RIP or OSPF routing? When I do a show ip route, the screen looks the same with all the codes, though the gateway of last resort isn't set even though I do have ip route 0.0.0.0 0.0.0.0 a.b.c.d in the config. Or is ip routing just enabled by default?
Cisco Switching/Routing :: 4503E - Using Card (WS-X4612-SFP-E) With Supervisor WS-X4013+TS (Feb 13, 2012)
Can I use this card (WS-X4612-SFP-E) in a 4503E chassis with Supervisor WS-X4013+TS?
Cisco Switching/Routing :: Upgrade Software Of Core Switch 4503e? (Nov 2, 2011)
I am trying to upgrade the software of the core switch 4503e, but I could not get the management IP address up and running. What I did is the following:
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 no shut
Then my laptop IP address is 192.168.1.100 255.255.255.0. Result: pinging from the CLI is "request time out". Is there any other command I need to input?
Cisco Switching/Routing :: 4503E Share Bandwidth Between Traffic Classes With Percent Up To 1 Mega (Jul 16, 2012)
I have one Catalyst 4503 with Supervisor 7L-E 10 with IOS-XE 03.02.00.XO. One of its gigabit interfaces is connected to an Internet link of 1 Mega. In terms of QoS, I would like to limit the total bandwidth of this gigabit interface to just 1 Mega, and simultaneously I want to share bandwidth between traffic classes with bandwidth percent up to 1 Mega and not 1 Giga.
Cisco Switching/Routing :: Difference Between IP Base And Universal For 3750X Switches? (Apr 9, 2013)
What is the difference between IP Base and Universal for 3750X switches?
Cisco Switching/Routing :: Nexus 5k / 5500 And 802.1AE - Layer 2 Crypto (May 4, 2011)
There is very little and quite diverse information regarding the if, where and how of a Nexus 5000 or 5500 series switch and support for IEEE 802.1AE Link Layer Encryption (also called MACsec).
For example: the official FAQ denies that the Nexus 5500 series supports 802.1AE at all, while the data sheet says that only 'downlink ports' are supported (host access). On the Nexus 7000 platform the 802.1AE link layer encryption is part of TrustSec (feature cts) and much better documented. The question is: if and under which circumstances (configuration, L3 modules, license, NX-OS version) does a Nexus 5k or 5500 series switch support 802.1AE on 1G or 10G interfaces that are directly connected to a Nexus 7000 (with the necessary cts feature licensed/configured)?
Cisco Switching/Routing :: Cat6500 - Crypto Key Generate RSA Command Missing (Feb 10, 2013)
I recently rebuilt the configuration of our Cat6500 multilayer device for use as a user stack. The device is functioning as it should be, but I am unable to set up SSH using the 'crypto key generate rsa' command. The crypto command isn't available at all, which suggests a firmware issue.
I have configured a hostname and ip domain-name, and the image is the only one available. The show version output is listed below.
show ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICES_WAN-VM), Version 12.2(18)SXF12, RELEASE SOFTWARE (fc2)
Technical Support: [URL]
Copyright (c) 1986-2007 [Code]...
Cisco Switching/Routing :: 3750 - Copy Ios Image To Pc? (May 2, 2013)
How do I copy a Cisco IOS image from a 3750 to my PC so that I can use it to upgrade a switch on my desk?
Cisco Switching/Routing :: 3750X BGP / Protocol Not In This Image (Apr 14, 2013)
When I configure BGP on my 3750X switch, it shows the error below:
protocol not in this image
Should I upgrade the IOS, or where can I find a supported image (one that supports BGP)?
Cisco Switching/Routing :: Upgrade 6509-E Ios Image? (Jan 9, 2013)
I am going to upgrade the IOS image on a 6509-E SUP 2T switch from 15.1 to s2t54-adventerprisek9-mz.SPA.150-1.SY3.bin, and I would like to know whether I would need to upgrade the boot loader image as well.
Cisco Switching/Routing :: Default IOS Image Of WS-C4900M (Jan 11, 2012)
I'm not able to find in any of the datasheets what the default (out-of-the-box) IOS image of a WS-C4900M is. When I buy a WS-C4900M I know that there is an IP-BASE IOS, but which version?
On the datasheet there is a 12.2SG, but is it an IPBASE with SSH? W/O SSH? UPGRADE SSH? I'm trying to make a comparison between this image and a cat4500e-entservices-mz.150-2.SG2.bin (Advanced Enterprise Services) on the feature navigator to make sure that our customer needs this last IOS upgrade.
Cisco Switching/Routing :: 4948 - Regarding IOS Image And Auto QoS (Mar 8, 2013)
I have a 4948E module switch at a customer site, and below is the show version output. The image on the switch does not support 'AUTO QoS', and I need to enable Auto QoS on it to prioritize voice traffic. Which image supports the Auto QoS feature? The image should have L3 functionality also; I mean it should support routing protocols. I tried to enable auto QoS by configuring 'QoS' globally, but no luck with the existing image.
{URL}
ROM: 12.2(44r)SG9
Hobgoblin Revision 20, Fortooine Revision 1.22
Switch up time is 12 hours, 1 minute
System returned to ROM by reload
[code]..
Configuration register is 0x2012
Switch#sh boot flash:
-#- --length-- -----date/time------ path
1 25793234 May 31 2011 15:20:20 cat4500e-entservicesk9-mz.122-54.SG.bin
2 25005209 Mar 08 2013 09:53:18 cat4500e-entservices-mz.122-54.SG1.bin
70033408 bytes available (58249216 bytes used)
Cisco Switching/Routing :: Upgrade TAR IOS Image In 3560 Switch? (Oct 31, 2012)
I wanted to upload an image having the .tar extension to a Cisco 3560 switch. What are the steps to upload it?
Cisco Switching/Routing :: 2911 Can Support Ip Service Image (Feb 29, 2012)
I want to check if cisco2911-sec/k9 can support the IP Services image. What PAK (license) can be bought to activate the IP Services feature set?
Cisco Switching/Routing :: 4500 IOS Image Not Included In Switch Box (Dec 2, 2012)
We've ordered a 4500 core switch and 4948 Server Farm switch for our client, but the switch box does not include a IOS image CD or anything related to IOS image and now the client is asking us why is this item missing as the IOS
S45UK9-32-1502SG: CAT4500e SUP7e Universal Crypto Image
S49IPB-12253SG: Cisco CAT4900 IOS IP BASE W/O CRYPTO
Cisco Switching/Routing :: Invalid Image For Platform Of WS-C4507R? (Aug 24, 2012)
A customer wants to upgrade an IOS Base image (cat4500-ipbasek9-mz.122-25.SG4.bin) on a WS-C4507R Cisco to an IOS that has enterprise functionality. We installed the IOS cat4500e-entservicesk9-mz.122-53.SG5.bin, but we had the following results:
config-register = 0x2102
Autobooting specified file using Variable BOOT ...
Current BOOT file is --- bootflash: cat4500e-entservicesk9-mz.122-53.SG5.bin
[Code]...
Cisco Switching/Routing :: 2950-24 Upgrade IOS And Delete Old BIN Image (Aug 7, 2012)
I own the Cisco switch 2950-24. When powered on, it says crash fault with the information shown below: [code] Then I searched google.com and found the resolution of upgrading the IOS. I pushed the mode button before powering on. Then I got access to the CLI. I checked the files in the flash: and got these. [code]
Cisco Switching/Routing :: 6500 - Native IOS Image Synchronization? (Feb 15, 2012)
I have a simple question: in 6500 CatOS, we had the feature of image synchronization, which added the ability to download the image from the active supervisor to the standby via the internal TFTP of CatOS. Can this be done on IOS? I was looking for this over the Internet and couldn't find anything.
Cisco Switching/Routing :: 6503 E Series Boot Image (Dec 14, 2012)
I have a Cisco 6503-E series switch which runs c6sup22-psv-mz.121-26.E4.bin. Both the supervisor engine and the MSFC2 card run the same IOS image, I guess. In my boot flash there is another image, c6msfc2-jsv-mz.121-4.E1. So what is the difference between these images, c6msfc2-jsv-mz.121-4.E1 and c6msfc-boot-mz.121-4.E1?
Cisco Switching/Routing :: IE3000 Sw Cannot Load Boot Image (May 13, 2013)
I'm having difficult getting this switch to boot from flash. I do not understand why it is trying to load 'b1' from 'bs1' instead of something from flash. [code]
Cisco Switching/Routing :: 3560 ISO Image Installation XY Mode (Apr 24, 2013)
I have an L3 switch 3560 v2 Cisco switch. If I connect the switch via the console cable on an XP system, I am not getting any response. I think I need to install via XY mode.
How can I install the ISO image via XY mode on a Cisco switch 3560 v2? Cisco model: WS-C3560v2-48tS-S.
Cisco Switching/Routing :: How To Copy Image From ASR1001 Directly To Another (Jun 12, 2012)
I want to copy a file from one ASR1001 to another. I tried using tftpd32, but this is not going to work as the image is 315 MB.
How do I copy an image from one router directly to another router's flash, if possible?
Cisco Switching/Routing :: Upgrading IOS Image On 3560 Switch (Sep 10, 2012)
I am facing an error while upgrading the IOS image on a 3560 switch. [code]
Cisco Switching/Routing :: Upgrade WS 2960 24 TC-L Switch With IOS Image (Jan 8, 2013)
I am trying to upgrade my Cisco WS 2960 24 TC-L switch with the IOS image c2960-lanbasek9-mz.122-55.SE6.bin; my existing IOS image is c2960-lanbasek9-mz.122-50.SE5.bin. When I copy it to flash, it gets copied, but when I try to boot it after entering the command boot system c2960-lanbasek9-mz.122-55.SE6.bin, it gives me an error.
Both the flash dir and the error are attached herewith.
Cisco Switching/Routing :: WSPE150 Moving IOS Image From One Router To Another (Jan 8, 2012)
The customer has ordered the following routers, which will go in three separate locations.
1. 3945 W/SPE150, IP Base Image
2. 3945 Voice Bundle, includes PVDM3-64 and (1) 2-port T1 MFT
3. 2911 IP Base Image
If the customer wants to move the Voice image from the existing 3945 to the 3945/WSPE150, would he just need to contact Cisco Licensing, or would the customer have to pay for a software upgrade on the 3945/WSPE150? Same scenario, except moving the Voice image to the 2911 router.
Cisco Switching/Routing :: 2960S Boot Loader And IOS Image (May 18, 2013)
After upgrading the IOS image to V15 on four 2960S switches: should I make the boot loader image match the IOS version? I never thought about this while upgrading the IOS image unless there is a boot issue. I googled for an answer but no luck there.
I checked the download section on Cisco.com for the C2960S-48FPS-L switch and there is simply no boot loader image. The running boot loader is C2960S-HBOOT-M Version 12.2(55r)SE. The running IOS is 15.0(2)SE2.
Cisco Switching/Routing :: 35609-X - Wrong Image On Switch (Mar 17, 2011)
I inadvertently copied the wrong image onto a 35609-X switch and now it gets stuck in a particular mode.
The original image was c3560e-universalk9-mz.122-53.SE2/c3560e-universalk9-mz.122-53.SE2.bin, and I replaced it with c3560e-universalk9npe-mz.122-55.SE1.bin (this is what the download site identifies as the image for 3560X-24P-S). It now sticks at:
Front-end Microcode IMG MGR: Programming device 0..rrrrrrwssssssssssssssssssspssssssssssssssss
How can I get back on to delete this image? It ignores the break key.
Cisco Switching/Routing :: Features Supported In Image 3750X-24T-S? (Jan 20, 2013)
What features are supported in the ipservices image for the Cisco 3750X-24T-S? I need NAT.