I was able to
router#ssh -l xxxx x.x.x.x
where xxxx is the username, and x.x.x.x is the IP address of the router (2620) that I am trying to connect to. It gives me the
Password:
prompt. This is going across the internet. I usually VPN in, but I did this to remove the VPN config, so...
I removed all crypto commands relating to my remote access vpn server config, which includes "no aaa new-model". I also have a site to site vpn config in there. I got out of the router and was about to see if the tunnel had initiated, when I remembered that I forgot to apply the crypto map to the outside interface. So I just hit the up arrow until I got to the
router#ssh -l xxxx x.x.x.x
that I had just used. Now it won't accept my password! What commands could I have had in there to cause this? The only remote possibility I could think of is aaa, but I had
aaa authentication login sms_vpn_xauth local
aaa authorization network sms_vpn_group local
!
aaa session-id common
!
for the vpn. Any thoughts? Here's the complete config before any changes...
___ _ ____ _ ___
/ \__/ \__/ \__/ \__/ \ Hey Rocky!
| _|@ @ __ | Watch me pull a hacker's IP
\________/ | | \________/ address out of my log files!
__/ _/
/) (o _/
\____/
TO_ADTRAN>en
Password:
TO_ADTRAN#sh run
Building configuration...
Current configuration : 7021 bytes
!
! Last configuration change at 22:07:08 cst Tue Dec 2 2008 by xxxxxxxxx
! NVRAM config last updated at 22:07:08 cst Tue Dec 2 2008 by xxxxxxxx
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TO_ADTRAN
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
enable secret 5 $1$XA80$NZ77ynADUvYSN7YabCOWk0
enable password xxxxxxxxxx
!
aaa new-model
!
aaa authentication login sms_vpn_xauth local
aaa authorization network sms_vpn_group local
!
aaa session-id common
!
resource policy
!
clock timezone cst -6
clock summer-time CST recurring
ip subnet-zero
no ip source-route
ip cef
ip tcp synwait-time 5
!
ip inspect audit-trail
ip inspect max-incomplete low 100
ip inspect max-incomplete high 250
ip inspect one-minute high 425
ip inspect name sms rpc program-number 100003 wait-time 2 timeout 5
ip inspect name sms rcmd timeout 10
ip inspect name sms cuseeme
ip inspect name sms tcp
ip inspect name sms udp
ip inspect name sms ftp
ip inspect name sms h323
ip inspect name sms http
ip inspect name sms netshow
ip inspect name sms realaudio
ip inspect name sms daytime
ip inspect name sms dns
ip inspect name sms echo
ip inspect name sms exec
ip inspect name sms fragment maximum 256 timeout 1
ip inspect name sms ftps
ip inspect name sms gopher
ip inspect name sms https
ip inspect name sms icmp
ip inspect name sms ident
ip inspect name sms imap
ip inspect name sms imap3
ip inspect name sms imaps
ip inspect name sms ipx
ip inspect name sms irc
ip inspect name sms irc-serv
ip inspect name sms kermit
ip inspect name sms ldap
ip inspect name sms login
ip inspect name sms lotusmtap
ip inspect name sms lotusnote
ip inspect name sms microsoft-ds
ip inspect name sms ms-sna
ip inspect name sms ms-sql
ip inspect name sms ms-sql-m
ip inspect name sms msexch-routing
ip inspect name sms mysql
ip inspect name sms netbios-dgm
ip inspect name sms netbios-ssn
ip inspect name sms netstat
ip inspect name sms nfs
ip inspect name sms nntp
ip inspect name sms ntp
ip inspect name sms oem-agent
ip inspect name sms oracle
ip inspect name sms pop3
ip inspect name sms pop3s
ip inspect name sms pwdgen
ip inspect name sms r-winsock
ip inspect name sms radius
ip inspect name sms realsecure
ip inspect name sms rtelnet
ip inspect name sms rtsp
ip inspect name sms shell
ip inspect name sms skinny
ip inspect name sms sms
ip inspect name sms smtp
ip inspect name sms snmp
ip inspect name sms snmptrap
ip inspect name sms socks
ip inspect name sms sqlnet
ip inspect name sms sqlserv
ip inspect name sms sqlsrv
ip inspect name sms ssh
ip inspect name sms sshell
ip inspect name sms streamworks
ip inspect name sms stun
ip inspect name sms syslog
ip inspect name sms telnet
ip inspect name sms telnets
ip inspect name sms tftp
ip inspect name sms time
ip inspect name sms who
ip inspect name sms wins
ip inspect name sms x11
ip inspect name sms xdmcp
no ip dhcp use vrf connected
!
no ip ips deny-action ips-interface
ip ips notify SDEE
ip ips name sms
no ip bootp server
ip domain name sms.stl.com
ip host lan 192.168.2.2
ip host c2980 192.168.69.88
ip name-server x.x.x.x
ip name-server x.x.x.x
!
no ftp-server write-enable
!
username xxxxxxx privilege 15 secret 5 $1$62iA$Ex4uqc9a1uJ0oTm7Gwclx1
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address 2.2.2.2
crypto isakmp keepalive 15
no crypto isakmp ccm
!
crypto isakmp client configuration group xxxxxxxxxxxx
key xxxxxxxxxxx
pool vpn_pool_1
include-local-lan
max-users 2
netmask 255.255.255.0
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
crypto map SMS 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set strong
match address 125
!
crypto map vpn_cmap_1 client authentication list sms_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list sms_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
interface FastEthernet0/0
description AT&T_help_1-877-eat-shit
ip address x.x.x.x y.y.y.y
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect sms in
ip ips sms in
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map SMS
!
interface Serial0/0
description TO_LAN
ip address 192.168.2.1 255.255.255.252
ip nat inside
ip virtual-reassembly
encapsulation ppp
no dce-terminal-timing-enable
!
interface Serial0/1
no ip address
shutdown
no dce-terminal-timing-enable
!
ip local pool vpn_pool_1 192.168.3.1 192.168.3.2
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 192.168.69.0 255.255.255.0 192.168.2.2
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.69.108 21 interface FastEthernet0/0 21
ip nat inside source route-map vpn_routemap_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.69.169 443 interface FastEthernet0/0 443
!
logging trap debugging
logging source-interface FastEthernet0/0
logging 192.168.1.108
access-list 101 deny ip any host 192.168.3.1
access-list 101 deny ip any host 192.168.3.2
access-list 101 permit ip 192.168.2.0 0.0.0.3 any
access-list 101 permit ip 192.168.69.0 0.0.0.255 any
access-list 103 deny ip host 64.113.32.5 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any log
access-list 105 deny ip 255.0.0.0 0.255.255.255 any log
access-list 105 deny ip 240.0.0.0 7.255.255.255 any log
access-list 105 deny ip host 0.0.0.0 any log
access-list 113 deny ip host 69.50.180.22 any
access-list 113 deny ip host 216.255.186.251 any
access-list 113 deny ip host 85.255.118.214 any
access-list 113 permit ip any any
access-list 125 permit ip 192.168.69.0 0.0.0.255 any
access-list 125 permit ip 192.168.2.0 0.0.0.3 any
access-list 131 permit ip host x.x.x.x host 192.168.69.108
access-list 131 deny ip any host 192.168.69.108
access-list 131 permit ip any any
route-map vpn_routemap_1 permit 1
match ip address 101
!
!
!
control-plane
!
!
!
banner motd ^C ___ _ ____ _ ___
/ \__/ \__/ \__/ \__/ \ Hey Rocky!
| _|@ @ __ | Watch me pull a hacker's IP
\________/ | | \________/ address out of my log files!
__/ _/
/) (o _/
\____/^C
!
line con 0
password xxxxxxxx
logging synchronous
transport output all
line aux 0
line vty 0 4
password xxxxxxxxxxx
logging synchronous
transport input ssh
!
ntp clock-period 17179916
ntp server 64.113.32.5 source FastEthernet0/0
!
end
Burt
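Added example for this thread (editor's code, not Burt's and not from the thread): a small Python script that reads an IOS running-config and reports which secret the router will ask for on the vty lines, so the same check can be run before an AAA change on a box that is only reachable over SSH. The two configs embedded in it are constructed cut-downs of the posted config. BEFORE keeps what was posted (aaa new-model on, a username with a secret, a vty line password, and no `aaa authentication login default` list, so IOS applies the local username database to every line). AFTER is an assumed view of the router after `no aaa new-model`, which the page does not show: without aaa new-model the lines revert to legacy `login`, which checks the line password. The decision rules encode standard IOS line-authentication behaviour; nothing specific to the 2620 or to 12.3 is modelled.

```python
"""Predict which secret an IOS router checks on a line, before and after
`no aaa new-model`.  Added example; configs are constructed cut-downs."""
import re

# Constructed from the posted config: aaa new-model on, no `default` login list.
BEFORE = """\
aaa new-model
aaa authentication login sms_vpn_xauth local
aaa authorization network sms_vpn_group local
username xxxxxxx privilege 15 secret 5 $1$62iA$Ex4uqc9a1uJ0oTm7Gwclx1
line vty 0 4
 password xxxxxxxxxxx
 transport input ssh
"""

# Assumed result of the poster's change (not shown on the page): aaa new-model
# removed, so IOS re-displays the legacy `login` under each line.
AFTER = """\
no aaa new-model
username xxxxxxx privilege 15 secret 5 $1$62iA$Ex4uqc9a1uJ0oTm7Gwclx1
line vty 0 4
 password xxxxxxxxxxx
 login
 transport input ssh
"""


def parse(config):
    """Split an IOS config into top-level commands and per-line sections."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        cmd, current = raw.strip(), None
        if cmd.startswith("line "):
            current = cmd[5:]
            sections.setdefault(current, [])
        else:
            top.append(cmd)
    return top, sections


def split_methods(text):
    """'group radius local' -> ['group radius', 'local']."""
    toks, out, i = text.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1]); i += 2
        else:
            out.append(toks[i]); i += 1
    return out


def login_methods(top, line, line_cmds):
    """Ordered authentication methods IOS applies to `line`."""
    if "aaa new-model" in top:
        # Per-line list wins, else `default`, else the implicit `local`
        # that enabling aaa new-model applies to every line.
        name = "default"
        for c in line_cmds:
            m = re.match(r"login authentication (\S+)$", c)
            if m:
                name = m.group(1)
        for c in top:
            m = re.match(rf"aaa authentication login {re.escape(name)} (.+)$", c)
            if m:
                return split_methods(m.group(1))
        return ["local"]
    # Legacy line authentication: `login` means "check the line password".
    if "no login" in line_cmds:
        return ["none"]
    if "login local" in line_cmds:
        return ["local"]
    if "login" in line_cmds or line.startswith("vty"):  # vty defaults to `login`
        has_pw = any(c.startswith("password ") for c in line_cmds)
        return ["line-password" if has_pw else "refused"]
    return ["none"]


def credential_for(config, line="vty 0 4"):
    """What a session on `line` will be asked for, in plain words."""
    top, sections = parse(config)
    first = login_methods(top, line, sections.get(line, []))[0]
    users = [c.split()[1] for c in top if c.startswith("username ")]
    if first == "local":
        return ("username secret (%s)" % ", ".join(users)) if users else \
            "LOCKOUT: local database selected but no username configured"
    return {"line-password": "line password", "none": "no authentication",
            "refused": "REFUSED: login required but no line password set",
            }.get(first, "aaa method " + first)


def preflight(before, after, line="vty 0 4"):
    """Warn when a planned change alters the secret remote admins must present."""
    b, a = credential_for(before, line), credential_for(after, line)
    return None if a == b else f"{line}: '{b}' -> '{a}'"


if __name__ == "__main__":
    print("before:", credential_for(BEFORE))
    print("after: ", credential_for(AFTER))
    print("change:", preflight(BEFORE, AFTER))
```

Run against the two embedded configs, `preflight` reports that the vty credential moves from the username's secret to the vty line password, which is the kind of answer worth having before typing `no aaa new-model` on a router you only reach over SSH. The same script also flags the two ways the change can lock you out entirely: local authentication with no `username` configured, and legacy `login` with no line `password` set. One related caveat visible in the posted config: with `no service password-encryption`, that vty line password (and the `enable password`) sit in the running-config in clear text.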