Cisco: SSH on VLAN Interface

Cmustang87 (Supreme [H]ardness, joined Oct 4, 2007, 4,498 messages)
Running through a basic home lab setup for CCNA. I have a Cisco 881 ISR and a Catalyst 3560. I'm having issues using Telnet and SSH from my host computer to either the VLAN 1 interface of the 881 or that of the 3560. The VLAN 1 interface on the 3560 is 192.168.100.2/24 and on the 881 it is 192.168.100.1/24. I tried setting ip default-gateway 192.168.100.1 on the 3560, but that didn't work either. I'm trying to just keep the 3560 doing L2 switching with a single VLAN interface so I can use SSH to it. I can SSH into 192.168.1.254, which is the WAN routed interface of the 881. From there I can Telnet and SSH into 192.168.100.2. Thank you for any help. I should clarify my current setup:

EDIT: My computer (192.168.1.55) connects to an Asus RT-N66U (192.168.1.1). The 881 has FastEthernet 0 connected to the 3560's Fa0/1. The 881 Fa 4 is connected to the Asus.

Running config of 881:

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1-881
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$y4XN$3e4Ya9v7D2eH7hSvSrAvr0
!
no aaa new-model
memory-size iomem 10
!
!
ip source-route
!
!
ip dhcp excluded-address 192.168.100.1
ip dhcp excluded-address 192.168.100.2
!
ip dhcp pool TEST_LAB
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip domain name testlab.com
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn <OMITTED>
!
!
username <USER> secret 5 $1$b.wo$eQ5kAz8ezOACLuFp37Mxf0
!
!
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 192.168.1.254 255.255.255.0
duplex full
speed 100
!
interface Vlan1
ip address 192.168.100.1 255.255.255.0
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
!
!
!
!
control-plane
!
!
line con 0
password 7 05080F1C2243
logging synchronous
login
no modem enable
line aux 0
line vty 0 4
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

Here is the running config of the 3560:

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SW1-3560
!
!
username <USER> secret 5 $1$.Le3$soN3dGoil0aC6iLykyf6L0
no aaa new-model
ip subnet-zero
ip domain-name testlab.com
!
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-2641689728
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2641689728
revocation-check none
rsakeypair TP-self-signed-2641689728
!
!
crypto ca certificate chain TP-self-signed-2641689728
certificate self-signed 01
<OMITTED>
quit
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport mode access
!
interface FastEthernet0/2
switchport mode access
!
interface FastEthernet0/3
switchport mode access
!
interface FastEthernet0/4
switchport mode access
!
interface FastEthernet0/5
switchport mode access
!
interface FastEthernet0/6
switchport mode access
!
interface FastEthernet0/7
switchport mode access
!
interface FastEthernet0/8
switchport mode access
!
interface FastEthernet0/9
switchport mode access
!
interface FastEthernet0/10
switchport mode access
!
interface FastEthernet0/11
switchport mode access
!
interface FastEthernet0/12
switchport mode access
!
interface FastEthernet0/13
switchport mode access
!
interface FastEthernet0/14
switchport mode access
!
interface FastEthernet0/15
switchport mode access
!
interface FastEthernet0/16
switchport mode access
!
interface FastEthernet0/17
switchport mode access
!
interface FastEthernet0/18
switchport mode access
!
interface FastEthernet0/19
switchport mode access
!
interface FastEthernet0/20
switchport mode access
!
interface FastEthernet0/21
switchport mode access
!
interface FastEthernet0/22
switchport mode access
!
interface FastEthernet0/23
switchport mode access
!
interface FastEthernet0/24
switchport mode access
!
interface FastEthernet0/25
switchport mode access
!
interface FastEthernet0/26
switchport mode access
!
interface FastEthernet0/27
switchport mode access
!
interface FastEthernet0/28
switchport mode access
!
interface FastEthernet0/29
switchport mode access
!
interface FastEthernet0/30
switchport mode access
!
interface FastEthernet0/31
switchport mode access
!
interface FastEthernet0/32
switchport mode access
!
interface FastEthernet0/33
switchport mode access
!
interface FastEthernet0/34
switchport mode access
!
interface FastEthernet0/35
switchport mode access
!
interface FastEthernet0/36
switchport mode access
!
interface FastEthernet0/37
switchport mode access
!
interface FastEthernet0/38
switchport mode access
!
interface FastEthernet0/39
switchport mode access
!
interface FastEthernet0/40
switchport mode access
!
interface FastEthernet0/41
switchport mode access
!
interface FastEthernet0/42
switchport mode access
!
interface FastEthernet0/43
switchport mode access
!
interface FastEthernet0/44
switchport mode access
!
interface FastEthernet0/45
switchport mode access
!
interface FastEthernet0/46
switchport mode access
!
interface FastEthernet0/47
switchport mode access
!
interface FastEthernet0/48
switchport mode access
!
interface GigabitEthernet0/1
switchport mode access
!
interface GigabitEthernet0/2
switchport mode access
!
interface GigabitEthernet0/3
switchport mode access
!
interface GigabitEthernet0/4
switchport mode access
!
interface Vlan1
ip address 192.168.100.2 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
password 7 104D000A0618
logging synchronous
login
line vty 0 4
password 7 030752180500
login local
transport input telnet ssh
line vty 5 15
password 7 030752180500
login local
transport input telnet ssh
!
end

From the Cisco 881 I can telnet and SSH into the 3560 using VLAN interface 1 IP 192.168.100.2. I can ping 192.168.100.2 and 192.168.100.1.

Ipconfig of my computer:

IPv4 Address. . . . . . . . . . . : 192.168.1.55(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1

Static route on my Asus wireless router:

[screenshot]


Traceroute results from my computer:

Tracing route to 192.168.100.2 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.1.1
2 <1 ms <1 ms <1 ms 192.168.1.254
3 <1 ms <1 ms <1 ms 192.168.100.2

Ping from Cisco 881:

R1-881#ping 192.168.1.55

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.55, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

Ping from Catalyst 3560:

SW1-3560#ping 192.168.1.55

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.55, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Traceroute from Catalyst 3560:

SW1-3560#traceroute 192.168.1.55

Type escape sequence to abort.
Tracing the route to 192.168.1.55

1 192.168.100.1 0 msec 0 msec 0 msec
2 * * *
3 * * *
4 * * *
5 *
 
Last edited:
Derek,

Change your passwords from the default cisco. Also remove any references in your post to your passwords, certs and serial #.
 
Removed serial number and cert information. It's not a production environment so I didn't care, but good catch on the SN.
 
What device is plugged into the ASUS? Is it Computer->ASUS->Router->Switch? or ASUS->Switch->Router or are both router and switch hanging off the ASUS? I assume it's ASUS->Router->Switch. However, you say "The 881 has FastEthernet 4 connected to the 3560's Fa0/1." So that would lead me to believe it's ASUS->Switch->Router. So I'm not sure why you would try to send the Switch through the router then back through the switch and THEN through the ASUS to get to your PC. Without a gateway your switch isn't going to talk to anything not on the VLAN1 subnet.
 
Sorry my mistake, that's a typo.

Cisco 881 Interface Fa 0 is connected to 3560 Fa0/1.

It's PC (192.168.1.55/24) -> Asus (192.168.1.1/24) -> 881 Fa4 (192.168.1.254/24), direct attach route to -> 881 LAN Fa0 (192.168.100.1/24) -> 3560 Fa0/1 (interface VLAN 1, 192.168.100.2/24)

Basically my goal is just to have a separate network from the 881 to the 3560 as a L2 switch but be able to manage the 3560 from my computer via SSH.
 
So put the default gateway back in there...then give us the results...if I don't see it in your config then I don't believe you lol
 
Fair enough, I'll try again and link here. I'm at work today so it will be this evening. Just as a test, what would prevent me from being able to SSH into 192.168.100.1, the internal interface of the 881?
 
MADE LOTS OF EDITS!

Cisco 881 Router

Default Gateway

R1-881#show run | begin ip def
ip default-gateway 192.168.1.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
line con 0
password 7 05080F1C2243
logging synchronous
login
no modem enable
line aux 0
line vty 0 4
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

Ping Results Source VLAN 1


R1-881#ping 192.168.1.55 source vlan 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.55, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
.....
Success rate is 0 percent (0/5)

From interface Fa4


R1-881#ping 192.168.1.55

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.55, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

IP Route

R1-881(config)#do show ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet4
L 192.168.1.254/32 is directly connected, FastEthernet4
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Vlan1
L 192.168.100.1/32 is directly connected, Vlan1

Cisco 3560

Default Gateway

SW1-3560#show run | begin ip def
ip default-gateway 192.168.100.1
ip classless
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
password 7 104D000A0618
logging synchronous
login
line vty 0 4
password 7 030752180500
login local
transport input telnet ssh
line vty 5 15
password 7 030752180500
login local
transport input telnet ssh
!
end

Ping from VLAN 1

SW1-3560#ping 192.168.1.55 source vlan 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.55, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.2
.....
Success rate is 0 percent (0/5)

IP Route

SW1-3560#sho ip rou
Default gateway is 192.168.100.1

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty

Ping from my Desktop

C:\Users\ME>ping 192.168.100.1

Pinging 192.168.100.1 with 32 bytes of data:
Reply from 192.168.100.1: bytes=32 time<1ms TTL=255
Reply from 192.168.100.1: bytes=32 time<1ms TTL=255
Reply from 192.168.100.1: bytes=32 time<1ms TTL=255
Reply from 192.168.100.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\ME>ping 192.168.100.2

Pinging 192.168.100.2 with 32 bytes of data:
Reply from 192.168.100.2: bytes=32 time<1ms TTL=254
Reply from 192.168.100.2: bytes=32 time<1ms TTL=254
Reply from 192.168.100.2: bytes=32 time<1ms TTL=254
Reply from 192.168.100.2: bytes=32 time<1ms TTL=254

Ping statistics for 192.168.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
Your R1 doesn't have a default route. You need to add this to the router, unless of course you don't want it to be able to reach other subnets:

ip route 0.0.0.0 0.0.0.0 192.168.1.1

It looks like your Windows Firewall is probably blocking.

When you ping from your workstation to 192.168.100.1 or .2 it works but if you ping from the device (source vlan 1 on the router, or just ping from the switch) it's failing. This is probably because your computer isn't connected to those subnets and it sees them as external networks. Try to disable your firewall and try again.
 
Thank you all for your help; it is still not receiving traffic from VLAN 1:

[screenshot]


Here are the traceroute results; it doesn't even appear to be getting to my default gateway, which is 192.168.1.1. This is now just my computer trying to access the VLAN 1 interface of the 881, which is directly connected to my home Asus wireless router.

R1-881#traceroute 192.168.1.55 source vlan 1

Type escape sequence to abort.
Tracing the route to 192.168.1.55

1 * * *
2 * * *
3 * * *
4 *

Here is the latest sho run of the 881:

R1-881#sho run
Building configuration...

Current configuration : 1392 bytes
!
! Last configuration change at 02:48:20 UTC Wed Jul 2 2014 by user
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1-881
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$y4XN$3e4Ya9v7D2eH7hSvSrAvr0
!
no aaa new-model
memory-size iomem 10
!
!
ip source-route
!
!
ip dhcp excluded-address 192.168.100.1
ip dhcp excluded-address 192.168.100.2
!
ip dhcp pool TEST_LAB
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip domain name testlab.com
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn <OMITTED>
!
!
username derek secret 5 $1$b.wo$eQ5kAz8ezOACLuFp37Mxf0
!
!
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0
duplex full
speed 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 192.168.1.254 255.255.255.0
duplex full
speed 100
!
interface Vlan1
ip address 192.168.100.1 255.255.255.0
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
!
!
!
!
control-plane
!
!
line con 0
password 7 05080F1C2243
logging synchronous
login
no modem enable
line aux 0
line vty 0 4
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

Does this issue have anything to do with "ip source-route" ?
 
No, ip source-route just lets devices specify their next hop(s). Generally it should be turned off for security but it's a home lab so whatever.

Here's a question, can you ping the gateway 192.168.1.1 from vlan 1? Does the ASUS have a ping utility too? I'd be more willing to blame the ASUS than your cisco config. If your ASUS has a firewall try turning that off?
 
This is the absolute most basic config that should be required for your setup, assuming factory settings and it looks like your configs are fine...

Assuming:
ASUS = 192.168.1.1 and properly routing 192.168.100.0/24 to 192.168.1.254 via LAN and not blocking anything.
Router = 192.168.1.254 Fa4 & 192.168.100.1 Vlan1
Switch = 192.168.100.2

Router:
conf t
ip route 0.0.0.0 0.0.0.0 192.168.1.1
interface Fa4
ip address 192.168.1.254 255.255.255.0
no shut

interface vlan1
ip address 192.168.100.1 255.255.255.0
no shut

Switch:
conf t
interface vlan1
ip address 192.168.100.2 255.255.255.0
no shut

ip default-gateway 192.168.100.1

So I'd guess that your ASUS is doing something.
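The minimal config in the post above, together with the points raised earlier in the thread (the missing default route and default gateway, "ip source-route" left on, telnet still allowed on the vty lines, type 7 line passwords), can be checked mechanically against a saved running-config. The script below is an added example and is not code from the thread or from Cisco. It parses a constructed, trimmed switch config (SAMPLE_CONFIG, modelled on the 3560 config posted above, with the serial and secrets replaced by the same <OMITTED> placeholder the poster used) and returns a list of findings; the section-prefix list, the finding wording and the `is_l2_switch` switch are my own choices. Both spellings of the domain command are accepted, since the 881 (IOS 15.0) shows `ip domain name` and the 3560 (IOS 12.2) shows `ip domain-name`.

```python
"""Audit a Cisco IOS running-config for the SSH-management prerequisites and
hardening points discussed in this thread.  Added example; the sample config
is constructed, not the poster's actual device output."""

# Constructed sample: a Layer 2 switch config with several things to flag.
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
hostname SW1-3560
username admin secret 5 <OMITTED>
ip domain-name testlab.com
ip ssh version 2
ip source-route
interface Vlan1
 ip address 192.168.100.2 255.255.255.0
ip http server
line vty 0 4
 password 7 030752180500
 login local
 transport input telnet ssh
line vty 5 15
 password 7 030752180500
 login local
 transport input telnet ssh
end
"""

# Top-level commands that open an indented sub-mode in IOS (assumed list).
SECTION_PREFIXES = ("line ", "interface ", "crypto ", "ip dhcp pool ")


def parse_sections(config):
    """Split an IOS config into top-level lines and {section header: body lines}.
    IOS indents sub-mode lines with one space; '!' lines are separators."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
            continue
        global_lines.append(line)
        if line.startswith(SECTION_PREFIXES):
            current = line
            sections[current] = []
        else:
            current = None
    return global_lines, sections


def audit(config, is_l2_switch=False):
    """Return a list of finding strings; an empty list means nothing to report."""
    glob, sections = parse_sections(config)
    present = set(glob)
    findings = []

    # SSH prerequisites: hostname and domain name (RSA key naming), SSHv2 only,
    # and a local account with a hashed secret for 'login local'.
    if not any(l.startswith("hostname ") for l in glob):
        findings.append("no hostname configured (needed before RSA key generation)")
    if not any(l.startswith(("ip domain-name ", "ip domain name ")) for l in glob):
        findings.append("no ip domain-name configured (needed before RSA key generation)")
    if "ip ssh version 2" not in present:
        findings.append("ip ssh version 2 not set; SSHv1 would remain negotiable")
    if not any(l.startswith("username ") and " secret " in l for l in glob):
        findings.append("no local username with a hashed secret for 'login local'")

    # vty lines: SSH only, a login method, no reversible type 7 line passwords.
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = [b for b in body if b.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: transport input not restricted (platform default may allow telnet)")
        elif any("telnet" in t or t.endswith(" all") for t in transports):
            findings.append(f"{header}: telnet permitted; use 'transport input ssh'")
        if not any(b.startswith("login") for b in body):
            findings.append(f"{header}: no login method on the line")
        if any(b.startswith("password 7 ") for b in body):
            findings.append(f"{header}: type 7 line password (reversible); rely on login local")

    # Global hardening and management reachability.
    if "ip source-route" in present:
        findings.append("ip source-route enabled; set 'no ip source-route'")
    if "ip http server" in present:
        findings.append("ip http server enabled (cleartext web UI); set 'no ip http server'")
    if is_l2_switch and not any(l.startswith("ip default-gateway ") for l in glob):
        findings.append("L2 switch has no ip default-gateway; replies cannot leave the VLAN 1 subnet")
    if not is_l2_switch and not any(l.startswith("ip route 0.0.0.0 0.0.0.0 ") for l in glob):
        findings.append("router has no default route (ip route 0.0.0.0 0.0.0.0 <next-hop>)")
    return findings


def audit_sample():
    """Run the audit on the constructed switch config above (7 findings)."""
    return audit(SAMPLE_CONFIG, is_l2_switch=True)


if __name__ == "__main__":
    for finding in audit_sample():
        print("-", finding)
```

Paste a `show running-config` into `SAMPLE_CONFIG` (or read it from a file) and pass `is_l2_switch=True` for a switch that has `ip routing` off; the checks are string matches on the config text, so a device that hides a default via a different syntax would need the prefix lists adjusted.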
 
That's what has me confused, it's a super basic setup! I didn't even think about the firewall on the Asus. That seems consistent with ICMP echoes showing on my CMD, but return traffic not actually making it back. Let me check that real quick.
 
I am able to ping 192.168.1.1 source VLAN 1 and the firewall on my Asus is disabled; well, this is frustrating. I am still able to ping it even after I enable the firewall as well; I tried both and they were both successful.

[screenshot]
 
Doesn't make sense. If you can ping 100.2, you should be able to SSH into it. Must be an ACL or something. Can you run a packet sniff on 100.2 as you try to SSH from your desktop?
 
I agree, it doesn't make sense lol

You should open up wireshark on your PC to see if the packets are even reaching it. Just open wireshark and start a continual ping from your router's VLAN1 to 1.55 (source vlan 1) and see if the packets are making it to your computer. If they are not put a cheap hub between the two routers (or use a crossover from computer to router) and see if the echo packet is even exiting the router's Fa4 when you ping with source vlan 1.

Have you tried a different IOS image? Perhaps there is a bug in your IOS version...usually when things don't make sense I start looking there. Or maybe even the ASUS's firmware.
 
Sage, I'm confused as well. However, there are no ACLs! Everything should be allowed!

Here's a screenshot of Wireshark. I'm not an expert in the program but here's the details:


Here's a grab when I try to SSH into 192.168.100.1

 
3-way TCP handshake does not appear to be completing

You send a SYN to switch
Switch responds with SYN ACK
You send an ACK

Switch doesn't notice ACK so it resends SYN ACK

repeats a couple times

Don't know why, but that's what's happening. I assume you did the packet sniff at your desktop. Can you repeat the test but grab the packet sniff from the switch to see if he's getting that ACK?
 
I assume that this wireshark output is while your computer is in its normal state (meaning, you didn't plug it into a hub or use a cross over like I suggested).

If you look at your ICMP request coming from 192.168.100.1 to 192.168.1.55 there is no return, the ones you circled. Your computer is not sending an echo-response. In other words the traffic is being routed fine but your desktop is dropping. Under normal conditions you should see an Echo (Ping) followed by an Echo Response.

Are you sure you're not running any kind of anti-virus or other firewall application? HIPS?

Don't you have any other devices on your network you can try to ping? You have WiFi on that ASUS right? Ping it via a cell phone or something...or boot up a mini-linux and see if you can ping then.

Everything I see indicates a problem with your computer, not the Cisco/ASUS.

Here is an example of a proper echo/echo request:
[screenshot]
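The two readings of the Wireshark capture above (a SYN-ACK that keeps being retransmitted after the desktop has already ACKed it, and echo requests from 192.168.100.1 that never get an echo reply) can both be pulled out of a packet summary automatically. The script below is an added example, not the thread's capture or Wireshark output; the rows in CAPTURE are constructed to mirror what the two posts describe (times, ports and the sequence numbers are made up), and the verdict strings, the `info` column format and the function names are my own. It only classifies handshakes from pure SYN, SYN-ACK and bare ACK segments, which is enough to tell "no SYN-ACK ever came back" apart from "the client's ACK is not reaching the server".

```python
"""Classify TCP handshake attempts and list unanswered ICMP echo requests from
a packet-summary list.  Added example with constructed rows, not a real capture."""
import re

# Constructed Wireshark-style summary rows: (time, src, dst, proto, info).
CAPTURE = [
    (0.000, "192.168.1.55",  "192.168.100.2", "TCP",  "54321>22 [SYN]"),
    (0.001, "192.168.100.2", "192.168.1.55",  "TCP",  "22>54321 [SYN,ACK]"),
    (0.001, "192.168.1.55",  "192.168.100.2", "TCP",  "54321>22 [ACK]"),
    (1.203, "192.168.100.2", "192.168.1.55",  "TCP",  "22>54321 [SYN,ACK]"),   # retransmit
    (1.203, "192.168.1.55",  "192.168.100.2", "TCP",  "54321>22 [ACK]"),
    (3.410, "192.168.100.2", "192.168.1.55",  "TCP",  "22>54321 [SYN,ACK]"),   # retransmit
    (3.410, "192.168.1.55",  "192.168.100.2", "TCP",  "54321>22 [ACK]"),
    (5.000, "192.168.100.1", "192.168.1.55",  "ICMP", "Echo (ping) request id=1 seq=1"),
    (6.000, "192.168.100.1", "192.168.1.55",  "ICMP", "Echo (ping) request id=1 seq=2"),
    (7.000, "192.168.1.55",  "192.168.1.1",   "ICMP", "Echo (ping) request id=2 seq=1"),
    (7.001, "192.168.1.1",   "192.168.1.55",  "ICMP", "Echo (ping) reply id=2 seq=1"),
]

TCP_RE = re.compile(r"(\d+)>(\d+) \[([A-Z,]+)\]")
ICMP_RE = re.compile(r"Echo \(ping\) (request|reply) id=(\d+) seq=(\d+)")


def analyze_tcp(packets):
    """Map each (client, cport, server, sport) attempt to a handshake verdict.
    The first bare SYN decides which side is the client; only pure SYN,
    SYN-ACK and bare ACK segments are counted."""
    flows = {}
    for _t, src, dst, proto, info in packets:
        if proto != "TCP":
            continue
        m = TCP_RE.match(info)
        if not m:
            continue
        sport, dport = int(m.group(1)), int(m.group(2))
        flags = set(m.group(3).split(","))
        if flags == {"SYN"}:
            key = (src, sport, dst, dport)
            flows.setdefault(key, {"syn": 0, "synack": 0, "ack": 0})["syn"] += 1
        elif flags == {"SYN", "ACK"}:
            key = (dst, dport, src, sport)          # reply direction: swap ends
            if key in flows:
                flows[key]["synack"] += 1
        elif flags == {"ACK"}:
            key = (src, sport, dst, dport)
            if key in flows:
                flows[key]["ack"] += 1

    verdicts = {}
    for key, c in flows.items():
        if c["synack"] == 0:
            v = "no SYN-ACK seen: server unreachable, down, or filtered on the way in"
        elif c["ack"] == 0:
            v = "client never sent the final ACK"
        elif c["synack"] > 1:
            v = "SYN-ACK retransmitted after the client's ACK: the ACK is not reaching the server"
        else:
            v = "handshake complete"
        verdicts[key] = v
    return verdicts


def analyze_icmp(packets):
    """Return sorted (src, dst, id, seq) of echo requests that got no matching reply."""
    requests, replies = {}, set()
    for t, src, dst, proto, info in packets:
        if proto != "ICMP":
            continue
        m = ICMP_RE.match(info)
        if not m:
            continue
        kind, ident, seq = m.group(1), int(m.group(2)), int(m.group(3))
        if kind == "request":
            requests[(src, dst, ident, seq)] = t
        else:
            replies.add((dst, src, ident, seq))     # a reply reverses src/dst
    return sorted(k for k in requests if k not in replies)


if __name__ == "__main__":
    for flow, verdict in analyze_tcp(CAPTURE).items():
        print(flow, "->", verdict)
    for req in analyze_icmp(CAPTURE):
        print("unanswered echo request:", req)
```

Run the same two functions over a capture taken at the other end (on the switch side, as the post suggests) and compare: if the server-side capture shows the client's ACKs arriving, the fault is in the server; if they never appear there, the return path between the two captures is where to look.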
 
I'm also noticing that, other than a few IPs you've blocked out I don't really see traffic from your desktop going anywhere. This may be a ridiculous question but I feel I have to ask it...Does your computer have a default gateway? Sometimes I've put in a default gateway and come back only to see that it's missing or entered incorrectly. I assume that you're getting on the internet with this PC lol but it could be a lab PC for all I know. So sorry if it seems like a silly question but I have to ask :)
 
Sorry, I have been out of town for work. My PC has a default gateway as it's not a lab PC and my main home computer that I use for everything else.

I'll try through another device. Also, I have Avast AV on my home PC, but it's not running any firewall applications; it's just the free AV. I will be back home Wednesday to troubleshoot further.
 
Holy fucking shit wall of text....

You need Crypto to use SSH lol... Here is what you need...

Config t
Crypto key generate RSA
answer Y if asked
Specify 1024 bit key ... 512 bit key will not enable SSH

Then you will see that SSH is enabled.

Stop looking for ACLs and all that blah ... SSH needs an RSA crypto key to be generated and it must be at least 1024-bit.

There ya go ... booyah now get back to me when it works!
 
Yes, it's a "shit wall of text" because we assume he's already done that, because in his very first post he says:

"I can SSH into 192.168.1.254 which is the WAN routed interface of the 881. From there I can Telnet and SSH into 192.168.100.2."

Plus his running config output shows crypto keys have been generated (though omitted). Even if he hadn't, that wouldn't explain the Wireshark output where his computer is receiving packets but not responding.
 