SSH username and password only option

I am trying to rebuild my 857 and can config fine under the 10.10.10.1 ip. When I log off and on again I am presented with a "normal" user and pwd option - which works fine. When I change the ip address and then log on again I only get a SSH option which I have not configured nor can I find a way to close this option down or set a name and password. Cisco help is about as much good as a poke in the eye so help would be a welcome break. Thanks

Reply to
Lester Lane

Please paste config (minus IP specifics and passwords), and clearly identify what you are changing when it starts to not work as expected.

Reply to
Trendkill

Unfortunately I won't be onsite until Monday. All I did was set up the Dialer0 and VLAN1, DNS and DHCP for the real lan rather than 10.10.10.1. I also added my username/pwd and removed cisco. Saved config, logged out, logged in ok. Then changed the ip of the VLAN1 expecting to lose connection. Reconfig of lan and the login was now SSH mode.

PS Is there any way of importing a previously saved config from a txt file?

Reply to
Lester Lane

Here is the FULL script. This also only prompted me for the SSH user/ pwd. If someone could let me know what line to amend/add and whether I can import this script I would be a very happy, and grateful, man!

Reply to
Lester Lane

Here is the FULL script - this also prompted me for the SSH details:

!This is the running config of the router: [ROUTER IP]
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname [ROUTER NAME]
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 BLAH
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
no ip dhcp conflict logging
ip dhcp excluded-address [LAN IP].0 [LAN IP].200
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name [DOMIAN NAME]
ip name-server 158.152.1.58
ip name-server 158.152.1.43
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2000297664
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2000297664
 revocation-check none
 rsakeypair TP-self-signed-2000297664
!
!
crypto pki certificate chain TP-self-signed-2000297664
 certificate self-signed 01
  [CERTIFICATE HEX]
  quit
username james privilege 15 secret 5 BLAH
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp identity dn
!
crypto isakmp client configuration group [GROUP NAME]
 key [KEY]
 wins [LAN IP].200
 domain [DOMAIN NAME]
 pool SDM_POOL_1
 acl 103
 pfs
 netmask [MASK]
crypto isakmp profile VPNclient
 match identity group [GROUP NAME]
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 keepalive 60 retry 5
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-SHA
 set pfs group2
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map crypto_map 65535 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 encryption key 2 size 128bit 7 BLAH transmit-key
 encryption mode wep mandatory
 !
 ssid [SSID]
  authentication open
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2457
 station-role root
 l2-filter bridge-group-acl
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 input-address-list 700
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address [ISP IP] [MASK]
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname [HOSTNAME]
 ppp chap password 7 [PWD]
 crypto map crypto_map
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address [ROUTER IP] [MASK]
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 [DIFF IP] [DIFF IP +5]
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map INSIDE_MAP interface Dialer0 overload
!
logging trap debugging
access-list 1 remark MANAGEMENT ACCESS!
access-list 1 permit [LAN IP].22
access-list 100 remark Inside interface ACL
access-list 100 deny ip 80.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark Dialer interface firewall
access-list 102 permit udp host 158.152.1.43 eq domain host [ISP IP]
access-list 102 permit udp host 158.152.1.58 eq domain host [ISP IP]
access-list 102 deny ip [LAN IP].0 0.0.0.255 any
access-list 102 permit icmp any host [ISP IP] echo-reply
access-list 102 permit icmp any host [ISP IP] time-exceeded
access-list 102 permit icmp any host [ISP IP] unreachable
access-list 102 permit udp any host [ISP IP] eq isakmp
access-list 102 permit udp any host [ISP IP] eq non500-isakmp
access-list 102 permit esp any host [ISP IP]
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark EzVPNclient route
access-list 103 permit ip [LAN IP].0 0.0.0.255 any
access-list 104 deny ip [LAN IP].0 0.0.0.255 [DIFF IP].0 0.0.0.255
access-list 104 permit ip [LAN IP].0 0.0.0.255 any
access-list 105 remark Dialer interface firewall with remote access
access-list 105 permit udp host 158.152.1.43 eq domain host [ISP IP]
access-list 105 permit udp host 158.152.1.58 eq domain host [ISP IP]
access-list 105 deny ip [LAN IP].0 0.0.0.255 any
access-list 105 permit tcp host 217.35.96.225 host [ISP IP] eq 22
access-list 105 permit icmp any host [ISP IP] echo-reply
access-list 105 permit icmp any host [ISP IP] time-exceeded
access-list 105 permit icmp any host [ISP IP] unreachable
access-list 105 permit udp any host [ISP IP] eq isakmp
access-list 105 permit udp any host [ISP IP] eq non500-isakmp
access-list 105 permit esp any host [ISP IP]
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 700 permit 0001.e694.aa0a 0000.0000.0000
access-list 700 permit 0030.6ed1.32d3 0000.0000.0000
dialer-list 1 protocol ip permit
no cdp run
route-map INSIDE_MAP permit 10
 match ip address 104
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 1 in
 exec-timeout 0 0
 logging synchronous
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Reply to
Lester Lane

This is your issue: transport input telnet ssh under line vty 0 4

When you configure vlan 1, I presume you are on console, and then you tried to telnet to your new IP? If this is the case, your telnet session is line vty 0 4 and not console, and therefore would go under SSH based on your config.

Reply to
Trendkill
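
Added example, not part of the thread or any poster's code: a small Python audit of the vty settings discussed above. It runs over a constructed excerpt modelled on the posted config (192.0.2.22 is a stand-in for the redacted "[LAN IP].22") and returns, per vty block, the inbound transports, the sources the access-class permits, and any findings; the function names are hypothetical.

```python
import re

# Constructed excerpt modelled on the thread's config; 192.0.2.22 replaces "[LAN IP].22".
SAMPLE_CONFIG = """\
access-list 1 remark MANAGEMENT ACCESS!
access-list 1 permit 192.0.2.22
line con 0
 transport output telnet
line vty 0 4
 access-class 1 in
 exec-timeout 0 0
 transport input telnet ssh
 transport output all
"""

def line_blocks(config):
    """Map each 'line ...' header to the indented sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level command closes the block
    return blocks

def audit_vty(config):
    """Per vty block: (inbound transports, permitted sources, findings)."""
    permits = re.findall(r"^access-list (\d+) permit (\S+)", config, re.M)
    report = {}
    for header, cmds in line_blocks(config).items():
        if not header.startswith("line vty"):
            continue
        transports, acl, findings = None, None, []
        for cmd in cmds:
            if cmd.startswith("transport input "):
                transports = cmd.split()[2:]
            elif cmd.startswith("access-class ") and cmd.endswith(" in"):
                acl = cmd.split()[1]
        if transports and {"telnet", "all"} & set(transports):
            findings.append("telnet accepted: logins cross the network in clear text")
        if acl is None:
            findings.append("no inbound access-class: any source may connect")
        if "exec-timeout 0 0" in cmds:
            findings.append("exec-timeout 0 0: idle sessions never time out")
        report[header] = (transports, [s for n, s in permits if n == acl], findings)
    return report
```

Run against the excerpt, the vty block reports both telnet and ssh inbound and a single permitted management source, which is the host a session has to come from once the LAN addressing changes.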

When config the vlan1 I was linked by my ethernet cable directly into the router. No other connections to router from switches. I used SDM as I'm not too familiar with the commands under telnet. The SDM opens IE and then prompts me for username/pwd. When amending the IP I still try and connect the same way using SDM. Hope this helps. If it is that line of script - how do I change it and what should I change it to please? Is there a weblink to a doc that can help me with the telnet commands? Thanks.

Reply to
Lester Lane

config t
line vty 0 4
 no transport input telnet ssh

Of course your other option is to setup SSH which would be more secure. What ver of code/IOS are you running and I'll find you a guide? The long answer is that there will be command guides for each IOS, but various technologies and features will have guides of their own to explain the technology and the configuration parameters. In this case you probably want to go line by line with someone who is experienced, and have them explain what each command is doing, or more importantly, what each section of commands is doing.

Reply to
Trendkill

Just to be safe, add 'transport input telnet' after the no command I pasted above, but before logging out.

Reply to
Trendkill

Thanks a lot. I'll let you know on Monday what ver the IOS is. Thanks again, I feel that I will soon be able to understand most of this...

Reply to
Lester Lane

ok, ios is 12.4(6)T4

made sure ssh was not in script but it has still asked for it under sdm login. The script above is the final script, I will try and send script before I change ip. Bit tricky as I am working on the only router! Ps it blocked telnet completely.

Reply to
Lester Lane

I've had it. Your CJD failed. Added a MGM't CJD and got on ok until another config change erased it. I did not have this issue when I first config'd it. Before I buy better to manage box how do I set up SSH?

Reply to
Lester Lane

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.