How to check a specific port in a router 6509?


sukadelic (IS-IT--Management), Apr 13, 2009
This router currently has IOS 12.2. My task is to find out SSH connections from a source IP to a destination IP. I believe the SSH port number is 22 (correct me if I'm wrong).

The user in the office is using an app that uses an SSH connection to connect to a datacenter at another location. So, what command do I use to find out that it actually goes through our office router (6509)?

thanks
 
Ok, so I don't know if there is a command to do what you need. I'm assuming you don't mean show ssh on the destination router, as you're having trouble getting there. That would show you the connected sessions. However, minus a protocol analyzer, you could add a line to your outgoing access list on the outgoing interface to deny SSH traffic from the source of your choice to the destination of your choice. After he tries a few times it would show matches for that line in the show access-list command. I'm sure there is an easier way to do this but it's all I could think of atm. Maybe someone else has a better idea.
 
I agree with cisconooblet on setting up an access list.

Also install wireshark (It's Free) and monitor the network.


Go Army!
 
Thank you guys for helping!

North323... IP accounting is turned on. I did use it to see the source IP and destination IP... sort of what I wanted, but it didn't show me the port number. Thanks for your help.
 
hmm... well, you know your destination port is 22. The source port will be from a range of ports. Wireshark will probably help you most (I say that without knowledge of IP accounting), but you will be looking at it from the LAN side.


Are you having a problem getting the SSH traffic to the destination router? Are you sure it's set up on the router correctly? Got your key generated and in your client? Checked all the in/out interfaces for an access list denying SSH or your IP range, etc.?

SSH should look something like this:

enable
config t
! RSA key generation needs a hostname other than the default "Router"
! plus a domain name; "yourrouter" is a placeholder
hostname yourrouter
ip domain-name yours.com
! create the local account before "login local" references it
username xxxxx password yyyy
! answer the modulus prompt with at least 1024 bits
crypto key generate rsa
line vty 0 15
 login local
 transport input telnet ssh
exit

then just

show crypto key mypubkey rsa

for the key, and where xxxxx is the actual username and yyyy is the password.

Anyway hope it helps, if not maybe someone else can. :)

 
This is not what the user wants, nooblet... I believe they are saying that a user connects to something on the internet that uses SSH, and he wants to see that port being utilized as it is allowed through the router.

The only way this can happen is either Wireshark (SPAN the ports in the switch connecting to the LAN from where the SSH connection is coming), or have the 6509 recognize port 22 in some manner, either via ACL (the only way to accomplish this is to block SSH, and the user would complain, and you would know that it does indeed pass through your router... can't see why it would not if it is your connection to the outside) or by setting up policy maps to match SSH... either do it with NBAR or just traffic shaping or something...

Burt
 
As suggested elsewhere, you need to use an access list in conjunction with debug....

***WARNING*** Using debug ip packet without great care can hang your router (yes even a 6509 - one of our consultants managed it in co-operation with TAC)

something like...

access-list 150 permit tcp host aaa.aaa.aaa.aaa any eq 22

then on a console (or with term mon on)..

debug ip packet 150 - if you have a reasonable understanding of IP you should be able to work out what's going on. If not... stay away from this command and use the sniffers and other tests suggested.
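The access-list idea from cisconooblet and Burt, and the ACL-scoped debug in the post above, worked through as one added example. This is not configuration posted by anyone in the thread. The addresses (user PC 10.1.1.5, datacenter SSH host 203.0.113.10) and the outbound interface (GigabitEthernet1/1) are assumed placeholders; substitute your own. The main point it adds is that you do not have to deny the traffic to see it: an extended ACL keeps a per-entry match counter and the `log` keyword writes a syslog line for matching packets, so a permit entry is enough.

```cisco
! Added example, not from the thread. Assumed addresses and interface:
!   user PC 10.1.1.5, datacenter SSH host 203.0.113.10, WAN uplink Gi1/1
!
! --- Approach 1: count and log the SSH flow without breaking it ---
! Each ACE has a hit counter shown by "show access-lists"; "log" adds a
! %SEC-6-IPACCESSLOGP message with source/destination address and port.
! The trailing "permit ip any any" is essential: every ACL ends with an
! implicit deny, so without it all other outbound traffic is dropped.
access-list 150 remark --- visibility only: SSH from user PC to datacenter ---
access-list 150 permit tcp host 10.1.1.5 host 203.0.113.10 eq 22 log
access-list 150 permit ip any any
!
interface GigabitEthernet1/1
 ip access-group 150 out
!
! Keep the logging from hurting the box: batch log updates and keep a
! local buffer so the messages survive even if no syslog server is set.
ip access-list log-update threshold 100
logging buffered 16384 informational
!
! After the user opens a session:
!   clear access-list counters 150          (reset before a retest)
!   show access-lists 150                   -> "(N matches)" on the eq 22 line
!   show logging | include IPACCESSLOGP     -> 10.1.1.5(port) -> 203.0.113.10(22)
!
! --- Approach 2: the ACL-scoped debug from the post above ---
! A separate, two-directional ACL so the debug decodes only this flow.
! Never run "debug ip packet" unscoped on a production router.
access-list 151 permit tcp host 10.1.1.5 host 203.0.113.10 eq 22
access-list 151 permit tcp host 203.0.113.10 eq 22 host 10.1.1.5
!   terminal monitor
!   debug ip packet 151
!   undebug all                             (as soon as you have seen the flow)
```

Two caveats that matter on a 6509 specifically: most forwarding happens in hardware on the PFC, and `debug ip packet` only ever shows packets that reach the software path, so an empty debug does not prove the flow is absent. Entries carrying `log` are handled in software so that the message can be generated, which is why the ACE above is kept to a single host pair rather than `any` to `any`; remove the `log` keyword and the access-group once you have your answer.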

 