PaulDotCom mailing list archives

Re: using an alternate port with Cisco's secure copy (scp)


From: "Butturini, Russell" <Russell.Butturini () Healthways com>
Date: Sat, 14 Aug 2010 16:20:20 -0500

This was a good thought, but the methodology is flawed. All you've done is change the virtual terminal access service 
to the console. The SCP server is a separate process that still binds itself to port 22. So even though you changed 
the SSH port, the SCP port is still listening on port 22 (this would be why you don't have to set an ip domain-name or 
generate a set of RSA keys when you enable the SCP server on the router). Try turning on a debug ip packet while 
you're testing, and you'll see where it's connecting to. Excerpt from mine while testing with your setup in GNS3 after 
I started the copy. My SSH server was running on a Loopback of 150.1.5.5.

*Mar  1 00:51:42.655: IP: tableid=0, s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), routed via RIB
*Mar  1 00:51:42.659: IP: s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), len 44, rcvd 3
*Mar  1 00:51:42.663:     TCP src=22, dst=12646, seq=1665504978, ack=771246185, win=4128 ACK SYN
*Mar  1 00:51:42.671: IP: tableid=0, s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), routed via FIB
*Mar  1 00:51:42.675: IP: s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), len 40, sending
*Mar  1 00:51:42.679:     TCP src=12646, dst=22, seq=771246185, ack=1665504979, win=4128 ACK
*Mar  1 00:51:42.827: IP: tableid=0, s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), routed via RIB
*Mar  1 00:51:42.831: IP: s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), len 59, rcvd 3
*Mar  1 00:51:42.835:     TCP src=22, dst=12646, seq=1665504979, ack=771246185, win=4128 ACK PSH
*Mar  1 00:51:42.847: IP: tableid=0, s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), routed via FIB


________________________________
From: pauldotcom-bounces () mail pauldotcom com [pauldotcom-bounces () mail pauldotcom com] On Behalf Of Cody Dumont 
[CDumont () nwnit com]
Sent: Saturday, August 14, 2010 9:45 AM
To: pauldotcom () mail pauldotcom com
Subject: Re: [Pauldotcom] using an alternate port with Cisco's secure copy (scp)

Here is the config to change the SSH port, thereby changing the SCP port...

The lab build is two routers back to back using GNS3, running 2691 - Cisco IOS Software, 2600 Software 
(C2691-ADVIPSERVICESK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)

r1 = SCP server
r2 = SCP client


#############  change the host name and enter a domain name
hostname r1
ip domain name name.com

#############  Generate the RSA key
crypto key generate rsa

#############  setup a user name for login
username cisco privilege 15 password 0 cisco

#############  change the SSH port and assign a rotary group
#############  The rotary group is mostly used for Async ports, but can also be used with VTY ports.
ip ssh port 2200 rotary 1
ip ssh version 1

#############  define an IP address
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0

#############  enable the SCP service on the router
ip scp server enable

#############  modify the VTY config to be a member of the rotary group and allow ssh transport
line vty 0 5
 login local
 rotary 1
 transport input ssh


#############  from "r2" test the SSH login

r2#ssh -l cisco -p 2200 192.168.1.1
Password: <enter cisco for the password>
r1#exit  <-------- close connection
[Connection to 192.168.1.1 closed by foreign host]
r2#

#############  Now try the SCP...

r2#copy startup-config scp://192.168.1.1:2200/new.txt    <------------  note the port....
Address or name of remote host [192.168.1.1]?   <----------  note there is no port..that is ok....
Destination username [r2]? cisco
Destination filename [new.txt]?
Writing new.txt
Password: <enter cisco for the password>
!
723 bytes copied in 10.832 secs (67 bytes/sec)
r2#

#############  now verify the copy on the "r1" router
r1#dir
Directory of flash:/

    1  -rw-         723                    <no date>  new.txt

16777212 bytes total (16776424 bytes free)
r1#


Done.....I hope this helps....


Cody B Dumont

CISSP, CCSP, CCIP, CCNP, RSA enVision CSE, MCSE, CNE
NWN STAR  - Senior Security Consultant
603.785.2665 mobile l cdumont () nwnit com

STAR - Proactive, cost-effective security with a business focus - going from good to great!

NWN Security Blog - http://nwnsecurity.blogspot.com
NWN Security Twitter - http://www.twitter.com/nwnsecurity
Facebook Profile - http://www.facebook.com/kevinbfiscus
NWN STAR Facebook Page - http://www.facebook.com/NWNSTAR
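An added check, written here and not part of either message, that applies Russell's point: it parses IOS debug ip packet lines of the kind quoted in the reply, treats every SYN/ACK as the listening side's answer, and reports any connection the server accepted on a port other than the one set with ip ssh port. The log text is constructed for the example, modelled on the excerpt, with an extra SYN/ACK on 2200 standing in for the interactive SSH login that Cody's test showed working.

```python
import re

# Constructed sample, modelled on the debug excerpt in the reply above (not a real capture).
# The first flow is the SCP copy answered on port 22; the last one is an SSH login answered on 2200.
SAMPLE_DEBUG = """\
*Mar  1 00:51:42.655: IP: tableid=0, s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), routed via RIB
*Mar  1 00:51:42.659: IP: s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), len 44, rcvd 3
*Mar  1 00:51:42.663:     TCP src=22, dst=12646, seq=1665504978, ack=771246185, win=4128 ACK SYN
*Mar  1 00:51:42.675: IP: s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), len 40, sending
*Mar  1 00:51:42.679:     TCP src=12646, dst=22, seq=771246185, ack=1665504979, win=4128 ACK
*Mar  1 00:52:10.100: IP: s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), len 44, rcvd 3
*Mar  1 00:52:10.104:     TCP src=2200, dst=12650, seq=1, ack=2, win=4128 ACK SYN
"""

# The "IP: s=... d=... len N" line carries the addresses; the indented TCP line that follows
# carries the ports and flags. The "tableid=" lines repeat the addresses and are skipped.
IP_RE = re.compile(r"IP: s=(\S+) \(.*?\), d=(\S+) \(.*?\), len \d+")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+),.*?win=\d+ (.*)$")


def synack_server_ports(debug_text):
    """Return {(server_ip, server_port): count} for every SYN/ACK in the debug output.

    A SYN/ACK is sent by the side that is listening, so its source address and
    port identify the service that actually accepted the connection.
    """
    found = {}
    last_ip = None
    for line in debug_text.splitlines():
        m = IP_RE.search(line)
        if m:
            last_ip = (m.group(1), m.group(2))
            continue
        m = TCP_RE.search(line)
        if m and last_ip:
            sport, flags = int(m.group(1)), set(m.group(3).split())
            if {"SYN", "ACK"} <= flags:
                key = (last_ip[0], sport)
                found[key] = found.get(key, 0) + 1
    return found


def unexpected_ports(debug_text, server_ip, expected_port):
    """List (port, count) for connections server_ip accepted on a port other than expected_port."""
    ports = synack_server_ports(debug_text)
    return sorted((p, n) for (ip, p), n in ports.items() if ip == server_ip and p != expected_port)


if __name__ == "__main__":
    # With the SCP copy in the sample, port 22 shows up even though ip ssh port is 2200.
    print(unexpected_ports(SAMPLE_DEBUG, "150.1.5.5", 2200))
```

Run it against the output of a real debug session and an empty list means every accepted connection landed on the configured port; anything else names the port the server really answered on.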




