This was a good thought, but the methodology is flawed.  All you've done is 
change the virtual terminal access service to the console.  The SCP server is a 
separate process that still binds itself to port 22.  So even though you 
changed the SSH port, the SCP port is still listening on port 22 (this would be 
why you don't have to set an ip domain-name or generate a set of RSA keys when 
you enable the SCP server on the router).  Try turning on a debug ip packet 
while you're testing, and you'll see where it's connecting to.  Excerpt from 
mine while testing with your setup in GNS3 after I started the copy.  My SSH 
server was running on a Loopback of 150.1.5.5.

*Mar  1 00:51:42.655: IP: tableid=0, s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), routed via RIB
*Mar  1 00:51:42.659: IP: s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), len 44, rcvd 3
*Mar  1 00:51:42.663:     TCP src=22, dst=12646, seq=1665504978, ack=771246185, win=4128 ACK SYN
*Mar  1 00:51:42.671: IP: tableid=0, s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), routed via FIB
*Mar  1 00:51:42.675: IP: s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), len 40, sending
*Mar  1 00:51:42.679:     TCP src=12646, dst=22, seq=771246185, ack=1665504979, win=4128 ACK
*Mar  1 00:51:42.827: IP: tableid=0, s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), routed via RIB
*Mar  1 00:51:42.831: IP: s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), len 59, rcvd 3
*Mar  1 00:51:42.835:     TCP src=22, dst=12646, seq=1665504979, ack=771246185, win=4128 ACK PSH
*Mar  1 00:51:42.847: IP: tableid=0, s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), routed via FIB
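As an added example (not code from either poster), here is a small Python check that parses `debug ip packet detail` output like the excerpt above and reports which port the server actually answered the TCP handshake from, so an operator can confirm whether a copy went to 22 or to the configured `ip ssh port`. The sample lines are the excerpt above rejoined onto single lines; the function names are my own.

```python
import re
from collections import Counter

# Sample lines reproduced from the debug excerpt in the reply above; the mail
# client wrapped them, so they are rejoined here onto single lines.
SAMPLE_DEBUG = """\
*Mar  1 00:51:42.655: IP: tableid=0, s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), routed via RIB
*Mar  1 00:51:42.659: IP: s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), len 44, rcvd 3
*Mar  1 00:51:42.663:     TCP src=22, dst=12646, seq=1665504978, ack=771246185, win=4128 ACK SYN
*Mar  1 00:51:42.671: IP: tableid=0, s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), routed via FIB
*Mar  1 00:51:42.675: IP: s=174.1.145.4 (local), d=150.1.5.5 (Serial0/0), len 40, sending
*Mar  1 00:51:42.679:     TCP src=12646, dst=22, seq=771246185, ack=1665504979, win=4128 ACK
*Mar  1 00:51:42.827: IP: tableid=0, s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), routed via RIB
*Mar  1 00:51:42.831: IP: s=150.1.5.5 (Serial0/0), d=174.1.145.4 (Serial0/0), len 59, rcvd 3
*Mar  1 00:51:42.835:     TCP src=22, dst=12646, seq=1665504979, ack=771246185, win=4128 ACK PSH
"""

# The "IP: s=... d=... len N" line carries the addresses; the indented TCP line
# that follows it carries the ports and flags.  The "tableid=" lines are skipped.
IP_RE = re.compile(r"IP: s=(\d+\.\d+\.\d+\.\d+) \([^)]*\), d=(\d+\.\d+\.\d+\.\d+) \([^)]*\), len \d+")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+), seq=\d+, ack=\d+, win=\d+ ?(.*)$")

def tcp_segments(log_text):
    """Yield (src_ip, src_port, dst_ip, dst_port, flags) per TCP segment."""
    pending = None
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        t = TCP_RE.search(line)
        if t and pending:
            flags = frozenset(t.group(3).split())
            yield (pending[0], int(t.group(1)), pending[1], int(t.group(2)), flags)
            pending = None

def listening_ports(log_text):
    """{(server_ip, server_port): count} taken from SYN/ACK segments, i.e. the
    port the server really answered the handshake from."""
    seen = Counter()
    for src_ip, src_port, _dst_ip, _dst_port, flags in tcp_segments(log_text):
        if {"SYN", "ACK"} <= flags:
            seen[(src_ip, src_port)] += 1
    return seen

def port_mismatches(log_text, server_ip, expected_port):
    """Server ports seen in handshakes that differ from the port you expected."""
    return sorted(p for (ip, p) in listening_ports(log_text) if ip == server_ip and p != expected_port)
```

Run against the excerpt with `port_mismatches(SAMPLE_DEBUG, "150.1.5.5", 2200)` and it returns `[22]`, which is exactly the point the reply makes.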


________________________________
From: [email protected] 
[[email protected]] On Behalf Of Cody Dumont 
[[email protected]]
Sent: Saturday, August 14, 2010 9:45 AM
To: [email protected]
Subject: Re: [Pauldotcom] using an alternate port with Cisco's secure copy (scp)

Here is the config to change the SSH port, thereby changing the SCP port...

The lab build is two routers back to back using GNS3, running 2691 - Cisco IOS 
Software, 2600 Software (C2691-ADVIPSERVICESK9-M), Version 12.4(15)T8, RELEASE 
SOFTWARE (fc3)

r1 = SCP server
r2 = SCP client


#############  change the host name and enter a domain name
hostname r1
ip domain name name.com

#############  Generate the RSA key
crypto key generate rsa

#############  setup a user name for login
username cisco privilege 15 password 0 cisco

#############  change the SSH port and assign a rotary group
#############  The rotary group is mostly used for Async ports, but can also be used with VTY ports.
ip ssh port 2200 rotary 1
ip ssh version 1

#############  define an IP address
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0

#############  enable the SCP service on the router
ip scp server enable

#############  modify the VTY config to be a member of the rotary group and allow ssh transport
line vty 0 5
 login local
 rotary 1
 transport input ssh


#############  from "r2" test the SSH login

r2#ssh -l cisco -p 2200 192.168.1.1
Password: <enter cisco for the password>
r1#exit  <-------- close connection
[Connection to 192.168.1.1 closed by foreign host]
r2#

#############  Now try the SCP...

r2#copy startup-config scp://192.168.1.1:2200/new.txt    <------------  note the port....
Address or name of remote host [192.168.1.1]?   <----------  note there is no port..that is ok....
Destination username [r2]? cisco
Destination filename [new.txt]?
Writing new.txt
Password: <enter cisco for the password>
!
723 bytes copied in 10.832 secs (67 bytes/sec)
r2#

#############  now verify the copy on the "r1" router
r1#dir
Directory of flash:/

    1  -rw-         723                    <no date>  new.txt

16777212 bytes total (16776424 bytes free)
r1#


Done.....I hope this helps....


Cody B Dumont

CISSP, CCSP, CCIP, CCNP, RSA enVision CSE, MCSE, CNE
NWN STAR  - Senior Security Consultant
603.785.2665 mobile | [email protected]


_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
