! If telnet is configured and enabled, then telnet to the router; else connect to the serial port
(I use putty for both)
myrouter> enable
myrouter# config terminal
myrouter(config)# password encryption aes
myrouter(config)# service password-encryption
! assign a domain name; this is a prerequisite for ssh key generation
myrouter(config)# ip domain-name mydomain.com
! initialize the authentication, authorization and accounting policy
myrouter(config)# aaa new-model
! configure the authentication source; in this case we'll use a local db
myrouter(config)# aaa authentication login default local
! configure the authorization source; the aaa policy is called "default"
myrouter(config)# aaa authorization exec default local
! create a user, assign a low privilege level (so enable password is still needed) and password
myrouter(config)# username my-username password my-password
! apply the policy to the vty
myrouter(config)# line vty 0 4
myrouter(config-line)# login authentication default
myrouter(config-line)# exit
! Enable SSHv2 only (disables SSHv1)
myrouter(config)# ip ssh version 2
myrouter(config)# crypto key generate rsa general-keys modulus 1024
! After verifying that ssh works, do this:
! Enable SSH only on virtual terminals (disables telnet)
myrouter(config)# line vty 0 4
myrouter(config-line)# transport input ssh
! add this to the ACL for your wan interface
permit tcp any host (router-external-ip) eq (some-high-range-port)
! Add this nat to open external access to ssh at the high-range port
ip nat inside source static tcp (router-internal-ip) 22 interface FastEthernet0 (the same-high-range-port)
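Once the management-plane changes above are in place, it helps to verify them from a saved copy of the running config rather than by eyeballing the terminal. The following audit script is an added example, not code from the original post; the configuration text inside it is constructed sample input (including the type 7 hash), and the check names are my own. It confirms the global commands from the procedure, requires every `line vty` block to carry `login authentication default` and `transport input ssh` (and nothing else on `transport input`), and flags any `username ... password` line that `service password-encryption` has not yet rewritten as `password 7`.

```python
"""Hardening audit for a Cisco IOS running-config (added example, not code
from the original post).  SAMPLE_CONFIG is constructed sample input; the
type 7 string in it is not a real hash."""
import re

# Constructed sample: most of the hardening is applied, but telnet is still
# allowed on the vty lines and one user password has not been encrypted yet.
SAMPLE_CONFIG = """\
!
service password-encryption
hostname myrouter
ip domain-name mydomain.com
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username my-username password 7 0822455D0A16
username backup-user password backup-pass
ip ssh version 2
!
line con 0
line vty 0 4
 login authentication default
 transport input telnet ssh
!
"""

# The same constructed config with both problems fixed.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("transport input telnet ssh", "transport input ssh")
                   .replace("password backup-pass", "password 7 094F471A1A0A"))

# Global commands the procedure above expects to find verbatim.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "aaa new-model",
    "aaa authentication login default local",
    "aaa authorization exec default local",
    "ip ssh version 2",
]

# 'username X ... password <anything but "7 ">' is a cleartext (or type 0) password.
CLEARTEXT_RE = re.compile(r"^username (\S+)\b.*\bpassword (?!7 )")


def parse_sections(config):
    """Split IOS config text into global lines and {section header: [children]}.
    IOS indents children of a section (e.g. 'line vty 0 4') with one space."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            sections.setdefault(current, [])
    return global_lines, sections


def audit(config):
    """Return {check name: passed} for the management-plane hardening checks."""
    global_lines, sections = parse_sections(config)
    present = set(global_lines)
    findings = {cmd: cmd in present for cmd in REQUIRED_GLOBAL}

    vty_blocks = [kids for hdr, kids in sections.items() if hdr.startswith("line vty")]
    findings["vty: login authentication default"] = bool(vty_blocks) and all(
        "login authentication default" in kids for kids in vty_blocks)
    # Exactly one transport line and it must be 'transport input ssh' (no telnet).
    findings["vty: transport input ssh only"] = bool(vty_blocks) and all(
        [k for k in kids if k.startswith("transport input")] == ["transport input ssh"]
        for kids in vty_blocks)

    cleartext_users = [m.group(1) for m in map(CLEARTEXT_RE.match, global_lines) if m]
    findings["no cleartext user passwords"] = not cleartext_users
    return findings


def failed(config):
    """Names of the checks that did not pass, in audit order."""
    return [name for name, ok in audit(config).items() if not ok]


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONFIG).items():
        print(("PASS " if ok else "FAIL "), name)
    print("hardened config failures:", failed(HARDENED_CONFIG))
```

Run it against the output of `show running-config` saved to a file (swap `SAMPLE_CONFIG` for the file contents); the two FAIL lines it prints for the sample are exactly the two things the notes above tell you to change after SSH is confirmed working.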
How to copy router config to ssh server with scp:
enable
copy run scp://my-username:my-password@backuphostname//path/to/folder/$h-$t
archive
path scp://my-username:my-password@backuphostname//path/to/folder/$h-config
! the write-memory option will cause the archive scheduler to create a copy of the config each
! time it's saved to nvram (it will append an incrementing -# to the end)
write-memory
end
(note that you may need the 'file prompt quiet' command to stop it from prompting for confirmation.)
# now compare two configs:
show archive config diff system:running-config scp://my-username:my-password@backuphostname//path/to/folder/router-config-1
# now replace the running config with an archived one:
config replace scp://my-username:my-password@backuphostname//path/to/folder/router-config-1 list
# now log all config changes to syslog:
config t
archive
log config
logging enable
! suppress display of passwords in configuration logs
hidekeys
! enable sending of notifications of configuration changes to syslog
notify syslog
exit
# The 'do' command allows you to run exec-level commands from config mode.
Examples:
Router(config)#do show run
# Enable syslog logging
my-router(config)# logging (my-syslog-server-ip)
! The level "notifications" will include emergencies(0), alerts(1), critical(2), errors(3), warnings(4), and notifications(5); but it will exclude informational(6) and debugging(7)
my-router(config)# logging trap notifications
# optionally specify on what interface the logging should originate
my-router(config)# logging source-interface f0/0
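On the collector side it is worth being able to reproduce what `logging trap notifications` keeps and what `archive / log config / notify syslog` produces. The script below is an added example, not code from the original post: it parses the IOS syslog line format (`<PRI>seq: timestamp: %FACILITY-SEV-MNEMONIC: text`), filters by the same severity table as `logging trap`, and pulls the user and command out of the two configuration-change messages, `%SYS-5-CONFIG_I` and `%PARSER-5-CFGLOG_LOGGEDCMD`. The sample lines are constructed (facility local7 is assumed as the router default, so PRI is 23*8 + severity), and the function names are my own.

```python
"""Collector-side filter for the router syslog configured above (added
example, not code from the original post).  SAMPLE_LINES are constructed."""
import re

# IOS severity names as accepted by 'logging trap <level>'; index == level.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Constructed sample lines.  Facility local7 (23) => PRI = 23*8 + severity.
SAMPLE_LINES = [
    "<187>45: *Nov 17 09:59:30.000: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to down",
    "<189>46: *Nov 17 10:01:02.123: %SYS-5-CONFIG_I: Configured from console by my-username on vty0 (192.0.2.10)",
    "<189>47: *Nov 17 10:01:05.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:my-username  logged command:transport input ssh",
    "<190>48: *Nov 17 10:02:00.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.20 port 514 started - CLI initiated",
]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                       # RFC 3164 priority
    r"(?:(?P<seq>\d+): )?"                       # optional sequence number
    r"(?P<ts>[^%]*?): "                          # timestamp, up to the message
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")

CONFIG_I_RE = re.compile(r"Configured from (?P<source>.+?) by (?P<user>\S+)")
CFGLOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<command>.*)")


def parse_ios_syslog(line):
    """Return a dict of parsed fields, or None if the line is not IOS-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    rec = {
        "facility": pri // 8,
        "severity": pri % 8,                    # from PRI, what the collector trusts
        "msg_severity": int(m.group("sev")),    # from the %FAC-SEV-MNEMONIC tag
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
        "seq": m.group("seq"),
    }
    # A mismatch here means the PRI was rewritten somewhere in transit.
    rec["consistent"] = rec["severity"] == rec["msg_severity"]
    return rec


def at_or_above(lines, level_name):
    """Messages the router would forward under 'logging trap <level_name>'.
    Lower numbers are more urgent, so keep severity <= the configured level."""
    level = SEVERITY_NAMES.index(level_name)
    return [r for r in map(parse_ios_syslog, lines) if r and r["severity"] <= level]


def config_change_events(lines):
    """Extract who changed the configuration and what they typed, from
    SYS-5-CONFIG_I (end of a config session) and PARSER-5-CFGLOG_LOGGEDCMD
    (one line per command, produced by 'archive / log config / notify syslog')."""
    events = []
    for rec in filter(None, map(parse_ios_syslog, lines)):
        if rec["mnemonic"] == "CONFIG_I":
            m = CONFIG_I_RE.search(rec["text"])
            events.append({"kind": "CONFIG_I",
                           "user": m.group("user") if m else None,
                           "command": None})
        elif rec["mnemonic"] == "CFGLOG_LOGGEDCMD":
            m = CFGLOG_RE.search(rec["text"])
            events.append({"kind": "CFGLOG_LOGGEDCMD",
                           "user": m.group("user") if m else None,
                           "command": m.group("command").strip() if m else None})
    return events


if __name__ == "__main__":
    for rec in at_or_above(SAMPLE_LINES, "notifications"):
        print(rec["severity"], rec["mnemonic"], rec["text"])
    for ev in config_change_events(SAMPLE_LINES):
        print(ev)
```

With `logging trap notifications` the fourth sample line (severity 6) never leaves the router, which is why the filter drops it; the two CFGLOG/CONFIG_I records are the ones worth alerting on, since with `hidekeys` set the logged command text carries no passwords and can be stored and forwarded as-is.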
2009/11/17
Cisco Router notes