PaulDotCom mailing list archives
Re: using an alternate port with Cisco's secure copy (scp)
From: "Butturini, Russell" <Russell.Butturini () Healthways com>
Date: Sat, 14 Aug 2010 16:20:20 -0500
This was a good thought, but the methodology is flawed. All you've done is change the virtual terminal access service to the console. The SCP server is a separate process that still binds itself to port 22. So even though you changed the SSH port, the SCP port is still listening on port 22 (this would be why you don't have to set an ip domain-name or generate a set of RSA keys when you enable the SCP server on the router). Try turning on a debug ip packet while you're testing, and you'll see where it's connecting to.

Excerpt from mine while testing with your setup in GNS3 after I started the copy. My SSH server was running on a Loopback of 150.1.5.5.

*Mar 1 00:51:42.655: IP: tableid=0, s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), routed via RIB
*Mar 1 00:51:42.659: IP: s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), len 44, rcvd 3
*Mar 1 00:51:42.663: TCP src=22, dst=12646, seq=1665504978, ack=771246185, win=4128 ACK SYN
*Mar 1 00:51:42.671: IP: tableid=0, s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), routed via FIB
*Mar 1 00:51:42.675: IP: s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), len 40, sending
*Mar 1 00:51:42.679: TCP src=12646, dst=22, seq=771246185, ack=1665504979, win=4128 ACK
*Mar 1 00:51:42.827: IP: tableid=0, s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), routed via RIB
*Mar 1 00:51:42.831: IP: s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), len 59, rcvd 3
*Mar 1 00:51:42.835: TCP src=22, dst=12646, seq=1665504979, ack=771246185, win=4128 ACK PSH
*Mar 1 00:51:42.847: IP: tableid=0, s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), routed via FIB

________________________________
From: pauldotcom-bounces () mail pauldotcom com [pauldotcom-bounces () mail pauldotcom com] On Behalf Of Cody Dumont [CDumont () nwnit com]
Sent: Saturday, August 14, 2010 9:45 AM
To: pauldotcom () mail pauldotcom com
Subject: Re: [Pauldotcom] using an alternate port with Cisco's secure copy (scp)

Here is the config to change the SSH port, thereby changing the SCP port...

The lab build is two routers back to back using GNS3, running 2691 - Cisco IOS Software, 2600 Software (C2691-ADVIPSERVICESK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)

r1 = SCP server
r2 = SCP client

############# change the host name and enter a domain name
hostname r1
ip domain name name.com

############# Generate the RSA key
crypto key generate rsa

############# setup a user name for login
username cisco privilege 15 password 0 cisco

############# change the SSH port and assign a rotary group
############# The rotary group is mostly used for Async ports, but can also be used with VTY ports.
ip ssh port 2200 rotary 1
ip ssh version 1

############# define an IP address
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0

############# enable the SCP service on the router
ip scp server enable

############# modify the VTY config to be a member of the rotary group and allow ssh transport
line vty 0 5
 login local
 rotary 1
 transport input ssh

############# from "r2" test the SSH login
r2#ssh -l cisco -p 2200 192.168.1.1
Password: <enter cisco for the password>
r1#exit   <-------- close connection
[Connection to 192.168.1.1 closed by foreign host]
r2#

############# Now try the SCP...
r2#copy startup-config scp://192.168.1.1:2200/new.txt   <------------ note the port....
Address or name of remote host [192.168.1.1]?   <---------- note there is no port..that is ok....
Destination username [r2]? cisco
Destination filename [new.txt]?
Writing new.txt
Password: <enter cisco for the password>
!
723 bytes copied in 10.832 secs (67 bytes/sec)
r2#

############# now verify the copy on the "r1" router
r1#dir
Directory of flash:/

    1  -rw-         723   <no date>  new.txt

16777212 bytes total (16776424 bytes free)
r1#

Done.....I hope this helps....
Cody B Dumont
CISSP, CCSP, CCIP, CCNP, RSA enVision CSE, MCSE, CNE
NWN STAR - Senior Security Consultant
603.785.2665 mobile | cdumont () nwnit com
STAR - Proactive, cost-effective security with a business focus - going from good to great!
NWN Security Blog - http://nwnsecurity.blogspot.com
NWN Security Twitter - http://www.twitter.com/nwnsecurity
Facebook Profile - http://www.facebook.com/kevinbfiscus
NWN STAR Facebook Page - http://www.facebook.com/NWNSTAR
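Added example (editor's code, not from either poster): a small parser for the TCP lines of the IOS "debug ip packet" output Russell pasted above. It picks out the side that answered with SYN/ACK as the server and checks whether that port is the one set with "ip ssh port", which for the excerpt above reports 22 rather than 2200. The sample lines are copied from the message; nothing else is assumed about the routers.

```python
import re

# TCP lines from the 'debug ip packet' excerpt above (server 150.1.5.5, client 174.1.145.4).
# Constructed sample list for the example, not a live capture.
DEBUG_LINES = [
    "*Mar 1 00:51:42.663: TCP src=22, dst=12646, seq=1665504978, ack=771246185, win=4128 ACK SYN",
    "*Mar 1 00:51:42.679: TCP src=12646, dst=22, seq=771246185, ack=1665504979, win=4128 ACK",
    "*Mar 1 00:51:42.835: TCP src=22, dst=12646, seq=1665504979, ack=771246185, win=4128 ACK PSH",
]

# Matches the IOS TCP debug line layout: "TCP src=<port>, dst=<port>, ... win=<n> <FLAGS>"
TCP_LINE = re.compile(
    r"TCP src=(?P<src>\d+), dst=(?P<dst>\d+), .*?win=\d+ (?P<flags>[A-Z ]+)$"
)


def parse_tcp_lines(lines):
    """Return (src_port, dst_port, [flags]) for every TCP debug line; skip IP-only lines."""
    parsed = []
    for line in lines:
        m = TCP_LINE.search(line.strip())
        if m:
            parsed.append((int(m.group("src")), int(m.group("dst")), m.group("flags").split()))
    return parsed


def server_port(lines):
    """Port of the listening side: the source port of the SYN/ACK.
    Falls back to the lowest port seen if no SYN/ACK is in the excerpt; None if no TCP lines."""
    pkts = parse_tcp_lines(lines)
    if not pkts:
        return None
    for src, _dst, flags in pkts:
        if "SYN" in flags and "ACK" in flags:
            return src
    return min(p for src, dst, _ in pkts for p in (src, dst))


def scp_used_expected_port(lines, configured_port):
    """(True, port) if the session was served on the 'ip ssh port' value, else (False, port)."""
    port = server_port(lines)
    return port == configured_port, port


if __name__ == "__main__":
    ok, port = scp_used_expected_port(DEBUG_LINES, 2200)
    print(f"SCP session served on port {port}; matches configured port 2200: {ok}")
```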