XMODEM TO LOAD SWITCH & ROUTER IOS

Xmodem can be used on a group of routers and is used in disaster recovery situations where the router has no valid Cisco IOS software or bootflash image to boot from and hence, only boots up in ROMmon. This procedure can also be used where there are no Trivial File Transfer Protocol (TFTP) servers or network connections, and a direct PC connection (or through a modem connection) to the router's console is the only viable option. Because this procedure relies on the console speed of the router and the serial port of the PC, it can take a long time to download an image. For example, downloading Cisco IOS Software Release 12.1(16) IP Plus image to a Cisco 1600 series router using a speed of 38400 bps takes approximately 25 minutes.

Usage

Here is the command syntax for xmodem.
xmodem [-c] [-y] [-e] [-f] [-r] [-x] [-s data-rate] [filename]
The following table describes the command syntax for the xmodem command.
Syntax          Description
-c (Optional) CRC-16 checksumming, which is more sophisticated and thorough than standard checksumming.
-y (Optional) Uses the Ymodem protocol for higher throughput.
-e (Optional) Erases the first partition in Flash memory before starting the download. This option is only valid for the Cisco 1600 series.
-f (Optional) Erases all Flash memory before starting the download. This option is only valid for the Cisco 1600 series routers.
-r (Optional) Downloads the file to DRAM. The default is Flash memory.
-x (Optional) Does not execute the Cisco IOS software image on completion of the download.
-s data-rate (Optional) Sets the console port's data rate during file transfer. Values are 1200, 2400, 4800, 9600, 19200, 38400, and 115200 bps. The default rate is specified in the configuration register. This option is only valid for the Cisco 1600 series routers.
filename (Optional) Filename to copy. This argument is ignored when the -r keyword is specified since only one file can be copied to DRAM. On the Cisco 1600 series routers, files are loaded to the ROMmon for execution.

Note  xmodem options e, f, and s are only supported on the Cisco 1600 series routers. To find out the syntax and available options to use with the xmodem command, type xmodem -? at the ROMmon prompt.
Here's an example of the xmodem command issued on a Cisco 1603 router:
rommon 9 >xmodem -?
usage: xmodem [-cyrxefs]
-c CRC-16
-y ymodem-batch protocol
-r copy image to dram for launch
-x do not launch on download completion
-f Perform full erase of flash
-e Perform erase of first flash partition
-s Set speed of Download, where speed may be
1200|2400|4800|9600|19200|38400|115200
Here's an example of the xmodem command issued on a Cisco 2620 router:
rommon 1 >xmodem -?
xmodem: illegal option -- ?
usage: xmodem [-cyrx]
-c CRC-16
-y ymodem-batch protocol
-r copy image to dram for launch
-x do not launch on download completion

Examples

rommon 12 > xmodem -cfs115200 c1600-sy-mz.121-16.bin
rommon 2 > xmodem -c c2600-is-mz.122-10a.bin
Note  The xmodem transfer only works on the console port. You can only download files to the router. You cannot use xmodem to get files from the router.
Note  It is also important to note that the -s data-rate option is only available on the Cisco 1600 series routers and was implemented to overcome their console baud rate limitation of 9600 bps. By specifying -s data-rate of 115200 bps, for example, you can increase the download rate and hence reduce the download time. Other Cisco routers support console speeds up to 115200 bps directly, so the -s data-rate option is not required on them.
Note  Ensure that the PC serial port is using a 16550 universal asynchronous transmitter/receiver (UART) if you're downloading a Cisco IOS software image through the router's console speed at 115200. If the PC serial port is not using a 16550 UART, it is recommended that you use a speed of 38,400 or lower.
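To make the difference between plain checksumming and the -c (CRC-16) option concrete, here is an added Python model of the XMODEM-128 block framing the ROMmon transfer uses. It is not Cisco code; the frame layout (SOH, sequence byte, its complement, 128 SUB-padded data bytes, then a 1-byte sum or a 2-byte CRC) follows the classic XMODEM and XMODEM-CRC specifications, and the image bytes are constructed samples. It shows that transposing two bytes inside a block leaves the additive checksum unchanged but is caught by the CRC.

```python
"""Model of XMODEM-128 block framing as used by the ROMmon xmodem command.
Added example, not Cisco's code: the frame layout follows the classic XMODEM
and XMODEM-CRC specifications; the image bytes used below are constructed."""

# Handshake bytes, shown for reference: the receiver sends 'C' instead of NAK
# to ask for CRC-16 blocks, ACKs each good block and gets EOT at the end.
SOH, EOT, ACK, NAK, SUB = 0x01, 0x04, 0x06, 0x15, 0x1A
CRC_REQUEST = ord("C")
BLOCK_SIZE = 128


def xmodem_crc16(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def checksum8(data: bytes) -> int:
    """Original XMODEM check: low byte of the arithmetic sum of the 128 data bytes."""
    return sum(data) & 0xFF


def build_block(seq: int, payload: bytes, use_crc: bool) -> bytes:
    """Frame one block: SOH, seq, 255-seq, 128 data bytes (SUB-padded), then the check."""
    if not 1 <= len(payload) <= BLOCK_SIZE:
        raise ValueError("payload must be 1..128 bytes")
    data = payload.ljust(BLOCK_SIZE, bytes([SUB]))
    header = bytes([SOH, seq & 0xFF, (~seq) & 0xFF])
    trailer = xmodem_crc16(data).to_bytes(2, "big") if use_crc else bytes([checksum8(data)])
    return header + data + trailer


def parse_block(block: bytes, use_crc: bool):
    """Validate a received block; return (seq, data), or None if the receiver should NAK it."""
    if len(block) != 3 + BLOCK_SIZE + (2 if use_crc else 1) or block[0] != SOH:
        return None
    seq = block[1]
    if block[2] != (~seq) & 0xFF:          # sequence byte and its complement must agree
        return None
    data = block[3:3 + BLOCK_SIZE]
    if use_crc:
        ok = int.from_bytes(block[-2:], "big") == xmodem_crc16(data)
    else:
        ok = block[-1] == checksum8(data)
    return (seq, data) if ok else None


def send_image(image: bytes, use_crc: bool) -> list:
    """Split an image into numbered blocks the way a sender does (sequence starts at 1)."""
    return [build_block(i // BLOCK_SIZE + 1, image[i:i + BLOCK_SIZE], use_crc)
            for i in range(0, len(image), BLOCK_SIZE)]


def receive_image(blocks, use_crc: bool) -> bytes:
    """Reassemble blocks in order; a block failing its check or sequence number is rejected.
    The result is padded to a multiple of 128 bytes, exactly as a real transfer leaves it."""
    out, expected = bytearray(), 1
    for block in blocks:
        parsed = parse_block(block, use_crc)
        if parsed is None:
            raise ValueError(f"block {expected}: integrity check failed, receiver would NAK")
        seq, data = parsed
        if seq != expected & 0xFF:
            raise ValueError(f"block {expected}: unexpected sequence number {seq}")
        out += data
        expected += 1
    return bytes(out)


def swap_detected(block: bytes, use_crc: bool) -> bool:
    """Transpose the first two data bytes of a block and report whether the check catches it.
    The additive checksum is order-independent, so it cannot; CRC-16 does."""
    damaged = bytearray(block)
    damaged[3], damaged[4] = damaged[4], damaged[3]
    return parse_block(bytes(damaged), use_crc) is None


if __name__ == "__main__":
    image = bytes(range(256)) + b"constructed image tail"   # constructed sample, not an IOS image
    for mode, use_crc in (("checksum", False), ("CRC-16", True)):
        blocks = send_image(image, use_crc)
        print(f"{mode}: {len(blocks)} blocks, transposition detected: {swap_detected(blocks[0], use_crc)}")
```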

Xmodem Procedure for Downloading a Cisco IOS Software Image onto a Cisco 1603 Router

Use the following xmodem procedure to download a Cisco IOS software image onto a Cisco 1603 router.
Step 1   Launch a terminal emulator program.
In the following example, configure Windows HyperTerminal for 8-N-1 at 9600 bps and connect your PC's serial port to the console port of the router. Once connected, you need to get into the ROMmon prompt (rommon 1>). Typically, if the router's Cisco IOS software image and bootflash image are both corrupt, the router only comes up in ROMmon mode. If the former is not true and you need to get into the ROMmon prompt, you need to change the configuration register (typically 0x2102 as given by show version) to 0x0 as follows:
1600#configure term
Enter configuration commands, one per line. End with CNTL/Z.
1600(config)#configure
1600(config)#config-register 0x0
1600(config)#^Z
1600#
00:22:06: %SYS-5-CONFIG_I: Configured from console by console
1600#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]
00:22:16: %SYS-5-RELOAD: Reload requested
System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.

Simm with parity detected, ignoring onboard DRAM
C1600 platform with 16384 Kbytes of main memory
rommon 1 >
Step 2   From the ROMmon prompt, issue the xmodem command. However, before issuing the xmodem command, ensure that you have the new Cisco IOS software image on your PC.
In this example, all Flash memory is erased before downloading using the f option (only on the Cisco 1600 series). Perform a CRC-16 checksum using the c option and using a download speed of 115200 bps (only on the Cisco 1600 series) by specifying -s115200:
rommon 12 >xmodem -cfs115200 c1600-sy-mz.121-16.bin
Do not start the sending program yet...
Note  If the console port is attached to a modem, both the console port and the modem must be operating at the same baud rate.
Use console speed 115200 bps for download [confirm]
File size Checksum File name

1957444 bytes (0x1dde44) 0xe345 c1600-y-mz.113-9.T

Erasing flash at 0x83f0000 no partition 2 on device: PCMCIA slot 1

Ready to receive file c1600-sy-mz.121-16.bin ...
Download will be performed at 115200. make sure your terminal emulator is set to
this speed before sending file. All existing files in the partition displayed and
files in any other partitions on this device will be lost!
Continue ? press 'y' for yes, 'n' for no:y
Step 3   Configure the terminal emulator program for a data rate of 115200 bps to match the xmodem speed specified above. This is done by closing the previous terminal session of 9600 bps and opening a new one at 115200 with 8-N-1. The trick here is that the Cisco 1603 only supports a maximum baud rate of 9600 bps. Therefore, when connecting at 115200 bps, you won't be able to see the router prompt. This is an important point to remember. Once connected to the router at 115200 bps, select Transfer > Send File... from the HyperTerminal menu bar.
Figure 1:  Choosing Transfer > Send File... (image xmodem-1.gif)
Step 4   Specify the image file name and location and enter xmodem as the Protocol.
Figure 2:  Send File Dialog (image xmodem-2.gif)
Step 5   Click on Send to start the transfer.
Figure 3:  File Progress Dialog (image xmodem-3.gif)
The following message is received when the transfer is complete:
Download Complete!
Returning console speed to 9600
Please reset your terminal emulator to this speed...
Step 6   Per the message above, you need to exit your 115200 bps HyperTerminal session and start a new one at 9600 bps. Once connected, the router's ROMmon prompt appears. Verify that the download was successful by issuing the dir flash: command.
rommon 9 >dir flash:
File size Checksum File name
3686656 bytes (0x384100) 0x1a5e c1600-sy-mz.121-16.bin
Step 7   Change the config register back to 0x2102 and reset or power cycle the router so that the new Cisco IOS software image gets loaded.
rommon 10 >confreg 0x2102

You must reset or power cycle for new config to take effect.

rommon 11 >reset
System Bootstrap, Version 12.0(19981130:173850) [rameshs-120t_lava 114],
DEVELOPMENT SOFTWARE Copyright (c) 1994-1998 by cisco Systems, Inc.
Simm with parity detected, ignoring onboard DRAM
C1600 platform with 16384 Kbytes of main memory
program load complete, entry point: 0x4020060, size: 0x15568c
%SYS-6-BOOT_MESSAGES: Messages above this line are from the boot loader.
program load complete, entry point: 0x2005000, size: 0x3840e0

Self decompressing the image : ########################################
################

IPTABLES IN LINUX


Introduction
It is commonly known that netfilter/iptables is the firewall of the Linux operating system. What is not commonly known is that iptables has many hidden gems that can allow you do things with your firewall that you might never have even imagined. In this article I am going to introduce many of these features with some practical uses. If you are not au fait with the basics of iptables then you should read my previous article in the Gazette.
The following features are discussed:
  1. Specifying multiple ports in one rule
  2. Load balancing
  3. Restricting the number of connections
  4. Maintaining a list of recent connections to match against
  5. Matching against a string in a packet's data payload
  6. Time-based rules
  7. Setting transfer quotas
  8. Packet matching based on TTL values
All of the features discussed in this article are extensions to the packet matching modules of iptables. I used only two of these extensions in the previous article: the state module (--state), which allowed us to filter packets based on whether they belong to NEW, ESTABLISHED, RELATED or INVALID connections; and the multiport extension, which I will describe in more detail in this article.
Some of the modules introduced in this article (marked with an asterisk) have not made their way into the default Linux kernel yet but a netfilter utility called "patch-o-matic" can be used to add them to your own kernel and this will be discussed at the end of the article.
1. Specifying Multiple Ports with multiport
The multiport module allows one to specify a number of different ports in one rule. This allows for fewer rules and easier maintenance of iptables configuration files. For example, if we wanted to allow global access to the SMTP, HTTP, HTTPS and SSH ports on our server we would normally use something like the following:
-A INPUT -i eth0 -p tcp -m state --state NEW --dport ssh   -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport smtp  -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport http  -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport https -j ACCEPT
Using the multiport matching module, we can now write:
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT
It must be used in conjunction with either -p tcp or -p udp and only up to 15 ports may be specified. The supported options are:
--sports port[,port,port...]
matches source port(s)
--dports port[,port,port...]
matches destination port(s)
--ports port[,port,port...]
matches both source and destination port(s)
mport* is another similar extension that also allows you to specify port ranges, e.g. --dport 22,80,6000:6100.
2. Load Balancing with random* or nth*
Both the random and nth extensions can be used for load balancing. If, for example, you wished to balance incoming web traffic between four mirrored web servers then you could add either of the following rule sets to your nat table:
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 0 \
    -j DNAT --to-destination 192.168.0.5:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 1 \
    -j DNAT --to-destination 192.168.0.6:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 2 \
    -j DNAT --to-destination 192.168.0.7:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 3 \
    -j DNAT --to-destination 192.168.0.8:80
or:
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \
    -j DNAT --to-destination 192.168.0.5:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \
    -j DNAT --to-destination 192.168.0.6:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \
    -j DNAT --to-destination 192.168.0.7:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW \
    -j DNAT --to-destination 192.168.0.8:80
The nth matching extension allows you to match the nth packet received by the rule. There are up to 16 (0...15) counters for matching the nth packets. The above four (nth) rules use counter 0 to count every 4th packet. Once the 4th packet is received, the counter is reset to zero. The first rule matches the 1st packet (--packet 0) of every four counted, the second rule matches the 2nd packet (--packet 1), and so on.
The random matching extension allows you to match packets based on a given probability. The first rule from the set of random rules above matches 25% (--average 25) of the TCP connections to port 80 and redirects these to the first mirrored web server. Of the 75% of connections not matching on the first rule, 25% will match the second and a further 25% will match the third. The remaining 25% will be caught by the fourth rule.
Another use of the random extension would be to simulate a faulty network connection to evaluate the performance of networking hardware/software, etc.
3. Restricting the Number of Connections with limit and iplimit*
The limit matching extension can be used to limit the number of times a rule matches in a given time period while the iplimit extension can restrict the number of parallel TCP connections from a particular host or network. These extensions can be used for a variety of purposes:
  • to protect against DoS (denial of service) attacks, for example by preventing a flood of HTTP requests to your web server while ensuring all your customers have unlimited access;
  • to prevent a brute-force attack to guess passwords;
  • to limit Internet usage by staff during working hours;
  • and many many more.
Let's take the case where we want to limit the Internet usage of our employees during working hours. We could use a rule like:
-A FORWARD -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth1 \
    -m limit --limit 50/hour --limit-burst 5 -j ACCEPT
This rule assumes that we are acting as a proxy server where the external connection is via eth0 and eth1 connects to our office network. The rule limits all of our internal computers to only 50 new HTTP or HTTPS connections per hour and the use of --limit-burst prevents any one employee from using up all 50 in one go. Packets can be matched /day, /hour, /minute or /sec.
The --limit-burst parameter can be quite confusing at first. In the above example, it will ensure that if all employees are trying to access the Internet throughout the hour then only 5 connections are made every 5 minutes. If 30 minutes pass with no connections and then there is a sudden rush for the remaining 30 minutes, only 5 connections will be permitted every 2.5 minutes. I once heard it explained as follows:
For every limit rule, there's a "bucket" containing "tokens". Whenever the rule matches, a token is removed and when the token count reaches zero, the rule doesn't match anymore.
--limit is the bucket refill rate.
--limit-burst is the bucket size (number of tokens that it can hold).
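The bucket explanation above, as an added Python model (not from the article or the netfilter project) of -m limit semantics: the bucket starts full with --limit-burst tokens and refills at the --limit rate. It uses exact fractions so the arithmetic is exact; the real xt_limit module keeps its credit in kernel-tick units and matches this model only approximately. It runs the article's 50/hour, burst 5 rule over two constructed attempt patterns: one attempt per second for an hour, and a rush after 30 quiet minutes.

```python
"""Token-bucket model of iptables -m limit / --limit-burst. Added example, not from
the article or the netfilter project; the real xt_limit module keeps its credit in
kernel-tick units, so it matches this model only approximately."""
from fractions import Fraction

# Units accepted by --limit; the iptables parser also takes abbreviations such as /sec.
UNIT_SECONDS = {"second": 1, "sec": 1, "minute": 60, "min": 60, "hour": 3600, "day": 86400}


def parse_limit(spec: str) -> Fraction:
    """Turn a --limit value such as '50/hour' or '3/minute' into tokens per second."""
    count, _, unit = spec.partition("/")
    return Fraction(int(count), UNIT_SECONDS[unit.strip().lower()])


class LimitMatch:
    """One -m limit rule: --limit is the refill rate, --limit-burst the bucket size.
    The bucket starts full, which is why the first --limit-burst matches go through at once."""

    def __init__(self, limit: str, burst: int = 5, start_time=0):
        self.rate = parse_limit(limit)
        self.capacity = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last = Fraction(start_time)

    def matches(self, now) -> bool:
        """Refill for the time elapsed since the last packet, then try to take one token."""
        now = Fraction(now)
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(limit: str, burst: int, attempt_times) -> list:
    """Return the attempt times (seconds) at which a rule with this limit would match."""
    rule = LimitMatch(limit, burst)
    return [t for t in attempt_times if rule.matches(t)]


if __name__ == "__main__":
    # Constructed traffic: one new HTTP connection attempt every second for an hour.
    accepted = simulate("50/hour", 5, range(3600))
    print(len(accepted), "accepted in the first hour; first matches at", accepted[:6])
    # Quiet for 30 minutes, then a rush: the full bucket allows 5 at once, then 1 per 72 s.
    rush = simulate("50/hour", 5, range(1800, 3600))
    print(len(rush), "accepted in the rush; first matches at", rush[:6])
```

Note that the hour with constant pressure admits 54 connections, not 50: the 5 burst tokens are spent on top of the 50/hour refill, so the steady-state rate is one new connection every 72 seconds.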
The iplimit extension allows us to restrict the number of parallel TCP connections from a particular host or network. If, for example, we wanted to limit the number of HTTP connections made by any single IP address to 5 we could use:
-A INPUT -p tcp -m state --state NEW --dport http -m iplimit --iplimit-above 5 -j DROP
4. Maintaining a List of recent Connections to Match Against
By using the recent extension one can dynamically create a list of IP addresses that match a rule and then match against these IPs in different ways later. One possible use would be to create a "temporary" bad-guy list by detecting possible port scans and then DROP all other connections from the same source for a given period of time.
Port 139 is one of the most dangerous ports for Microsoft Windows® users as it is through this port that the Windows file and print sharing service runs. This also makes this port one of the first scanned by many port scanners or potential hackers and a target for many of the worms around today. We can use the recent matching extension to temporarily block any IP from connecting with our machine that scans this port as follows:
-A FORWARD -m recent --name portscan --rcheck --seconds 300 -j DROP
-A FORWARD -p tcp -i eth0 --dport 139 -m recent --name portscan --set -j DROP
Now anyone trying to connect to port 139 on our firewall will have all of their packets dropped until 300 seconds have passed. The supported options include:
--name name
The name of the list to store the IP in or check it against. If no name is given then DEFAULT will be used.
--set
This will add the source address of the packet to the list. If the source address is already in the list, this will update the existing entry.
--rcheck
This will check if the source address of the packet is currently in the list.
--update
This will check if the source address of the packet is currently in the list. If it is then that entry will be updated and the rule will return true.
--remove
This will check if the source address of the packet is currently in the list and if so that address will be removed from the list and the rule will return true.
--seconds seconds
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds.
--hitcount hits
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and at least the given number of packets have been received from it. This option may be used along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame.
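The port-139 ruleset above, run as an added Python model of -m recent (not code from the article or the netfilter project; the packets are constructed samples, all TCP). Besides --set and --rcheck with --seconds it models --update, --remove and --hitcount, and it shows the caveat that matters when you deploy this: with --rcheck the 300-second ban is measured from the last --set, whereas --update refreshes the entry on every dropped packet, so a source that keeps retrying stays blocked indefinitely.

```python
"""Userspace model of iptables -m recent (--set / --rcheck / --update / --remove,
--seconds, --hitcount) applied to the article's port-139 ruleset. Added example,
not from the article or the netfilter project; packets are constructed samples."""


class RecentList:
    """One named recent list: source address -> timestamps at which it was seen."""

    def __init__(self, name: str = "DEFAULT"):
        self.name = name
        self.seen = {}

    def set(self, src: str, now: float) -> bool:
        """--set: add the address or refresh an existing entry. Always matches."""
        self.seen.setdefault(src, []).append(now)
        return True

    def rcheck(self, src: str, now: float, seconds=None, hitcount=None, update=False) -> bool:
        """--rcheck (or --update when update=True): match if the address is listed and, if
        --seconds / --hitcount are given, only if it was seen within that window often enough."""
        stamps = self.seen.get(src)
        if stamps is None:
            return False
        hits = stamps if seconds is None else [t for t in stamps if now - t <= seconds]
        if seconds is not None and not hits:
            return False
        if hitcount is not None and len(hits) < hitcount:
            return False
        if update:                # --update refreshes the timestamp; --rcheck does not
            stamps.append(now)
        return True

    def remove(self, src: str) -> bool:
        """--remove: drop the address from the list; matches only if it was present."""
        return self.seen.pop(src, None) is not None


def forward_chain(packets, use_update=False):
    """Run constructed TCP packets (time, src, in_iface, dport) through the article's rules:
      -A FORWARD -m recent --name portscan --rcheck --seconds 300 -j DROP
      -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name portscan --set -j DROP
    with an ACCEPT chain policy. use_update=True swaps --rcheck for --update in rule 1."""
    portscan = RecentList("portscan")
    verdicts = []
    for now, src, iface, dport in packets:
        if portscan.rcheck(src, now, seconds=300, update=use_update):
            verdicts.append("DROP")              # rule 1: recently flagged source
        elif iface == "eth0" and dport == 139 and portscan.set(src, now):
            verdicts.append("DROP")              # rule 2: port-139 probe, remember the source
        else:
            verdicts.append("ACCEPT")            # chain policy
    return verdicts


# Constructed sample traffic (seconds, source, ingress interface, destination port).
PACKETS = [
    (0,   "198.51.100.7", "eth0", 80),   # ordinary web request
    (1,   "198.51.100.7", "eth0", 139),  # port-139 probe: dropped and remembered
    (5,   "198.51.100.7", "eth0", 80),   # same source 4 s later: dropped by rule 1
    (250, "198.51.100.7", "eth0", 22),   # still inside the 300 s window: dropped
    (302, "198.51.100.7", "eth0", 80),   # 301 s after the probe: --rcheck ban has expired
    (302, "203.0.113.9",  "eth0", 80),   # unrelated host is never affected
]

if __name__ == "__main__":
    print("rcheck :", forward_chain(PACKETS))
    print("update :", forward_chain(PACKETS, use_update=True))
```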
5. Matching Against a string* in a Packet's Data Payload
The string extension allows one to match a string anywhere in a packet's data payload. Although this extension does have many valid uses, I would strongly advise caution. Let's say, for example, that our Linux firewall is protecting an internal network with some computers running Microsoft Windows® and we would like to block all executable files. We might try something like:
-A FORWARD -m string --string '.com' -j DROP
-A FORWARD -m string --string '.exe' -j DROP
This has a number of problems:
  • if the '.com' or '.exe' is split across two packets it will not be matched
  • if any packet being transmitted contains either of the strings it will be dropped; this includes packets from a web page containing those strings, from an e-mail transmission, etc.
6. Time-based Rules with time*
We can match rules based on the time of day and the day of the week using the time module. This could be used to limit staff web usage to lunch-times, to take each of a set of mirrored web servers out of action for automated backups or system maintenance, etc. The following example allows web access during lunch hour:
-A FORWARD -p tcp -m multiport --dport http,https -o eth0 -i eth1 \
    -m time --timestart 12:30 --timestop 13:30 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
Clearly the start and stop times are 24-hour with the format HH:MM. The day is a comma-separated list that is case sensitive and made up of Mon, Tue, Wed, Thu, Fri, Sat and/or Sun.
7. Setting transfer quotas with quota*
Setting transfer quotas can be very useful in many situations. As an example, a lot of broadband users will have download quotas set for them by their ISP and many may charge extra for every megabyte transferred in excess of this quota. You can use iptables to monitor your usage and cut you off when you reach your quota (say 2GB) with a rule similar to the following:
-A INPUT -p tcp -m quota --quota 2147483648 -j ACCEPT
-A INPUT -j DROP
You can then view your usage with the following command:
$ iptables -v -L
You would also need to reset the quota every month, either manually (by restarting iptables) or with a cron job. Clearly your computer would need to be 'always-on' for this example to be of any use, but there are many other situations where the quota extension would be useful.
8. Packet Matching Based on TTL Values
The TTL (Time-To-Live) value of a packet is an 8-bit number that is decremented by one each time the packet is processed by an intermediate host between its source and destination. The default value is operating system dependent and usually ranges from 32 to 128. Its purpose includes ensuring that no packet stays in the network for an unreasonable length of time or gets stuck in an endless loop because of bad routing tables. Once the TTL value of a packet reaches 0 it is discarded and a message is sent to its source, which can decide whether or not to resend it.
As an interesting aside: this is actually how the traceroute command works. It sends a packet to the destination with a TTL of 1 first and gets a reply from the first intermediate host. It then sends a packet with a TTL of 2 and receives a reply from the second intermediate host and so on until it reaches its destination.
The usefulness of packet matching based on TTL value depends on your imagination. One possible use is to identify "man-in-the-middle" attacks. If you regularly connect from home to work you could monitor your TTL values and establish a reasonable maximum value at the receiving end. You can then use this to deny any packets that arrive with a higher TTL value, as it may indicate a possible "man-in-the-middle" attack: someone intercepting your packets, reading/storing them and resending them on to the destination. There are of course "man-in-the-middle" methods that wouldn't alter the TTL value but, as always, security is never absolute, only incremental. TTL matching could also be used for network debugging or to find hosts with bad default TTL values.
As a simple example, let's reject all packets from a specific IP with a TTL of less than 40:
-A INPUT -s 1.2.3.4 -m ttl --ttl-lt 40 -j REJECT
You can also check for TTL values that are greater than (--ttl-gt) or equal to (--ttl-eq) a particular value.
Patching Your Kernel with Patch-O-Matic (POM)
Some of the newer features introduced in this article are not considered stable enough by the netfilter development team for inclusion in the current Linux kernel. To use these you will need to patch your kernel using a utility called patch-o-matic. This is not for the faint of heart and I am not going to provide step-by-step instructions here. I will simply cover patch-o-matic and provide references to more information.
Patch-o-matic can be downloaded from the netfilter homepage, http://www.netfilter.org/. You will also need the source code for your kernel (if you are using a kernel supplied with your distribution, install the kernel-source package or install a new kernel by downloading the latest kernel source code from http://www.kernel.org/) and the source code for iptables which you can also download from the netfilter homepage. Once you have these, unpack them and execute the runme script from patch-o-matic as follows:
$ KERNEL_DIR= IPTABLES_DIR= ./runme extra
The script describes each new extension and asks whether or not to patch the kernel for it. Once that is finished you will need to recompile the kernel, the netfilter kernel modules and the iptables binaries. This is outside the scope of this article but you will find useful information on the following sites:

Iptables Restricting Access By Time Of The Day

by LinuxTitli · 4 comments
Recently I was asked to control access to a couple of services based upon day and time. For example, the ftp server should only be available from Monday to Friday between 9 AM and 6 PM. It is true that many services and daemons have a built-in facility for day and time based access control. For example, xinetd offers date and time based access control. Iptables also allows such control via the time patch/module. It matches if the packet arrival time/date is within a given range. This is very handy when you want a service to be available only at certain times of day or even certain days.
General syntax:
iptables RULE -m time --timestart TIME --timestop TIME --days DAYS -j ACTION
Where,
  • --timestart TIME : Time start value. Format is 00:00-23:59 (24-hour format)
  • --timestop TIME : Time stop value.
  • --days DAYS : Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
An example
Suppose you would like to allow incoming ssh access only from Monday to Friday between 9 AM and 6 PM. Then you need to use iptables as follows:
Input rule:
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 202.54.1.20 --dport 22 -m state --state NEW,ESTABLISHED -m time --timestart 09:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
Output rule:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -m time --timestart 09:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
References:
  • Please note the time module is not part of the standard kernel; you need to download and apply the patch from Patch-O-Matic.
  • Read iptables man page for more information.

RECOVER IOS ROMMON MODE


IP_ADDRESS=10.1.1.10 <- Router ip address
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=10.1.1.1 <- Give any random IP (make sure it's not in use :-))
TFTP_SERVER=10.1.1.23 <- IP of tftp server
TFTP_FILE=c2800-xxxxxxxxxxx.bin
tftpdnld

Now remember, 10.1.1.10 will be given to the FIRST interface of the router, which, if I am not wrong, is either Fa0/0 or Gig0/0. Kindly confirm it; I think it's Fa0/0, so you must connect the cable to this interface for this procedure to work. So the steps will be: first connect Fa0/0 to your tftp server (directly or through a switch) and then paste the above configs.

Let me know if there is any issue

SSH TO ROUTER

Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices.
Communication between the client and server is encrypted in both SSH version 1 and SSH version 2.
Implement SSH version 2 when possible because it uses a more enhanced security encryption algorithm.
This document discusses how to configure and debug SSH on Cisco routers or switches that run a version of
Cisco IOS® Software that supports SSH. This document contains more information on specific versions and
software images.


Components Used
The information in this document is based on Cisco IOS 3600 Software (C3640-IK9S-M), Release 12.2(2)T1.
SSH was introduced into these IOS platforms and images:
  • SSH Version 1.0 (SSH v1) server was introduced in some IOS platforms and images starting in Cisco IOS Software Release 12.0.5.S.
  • SSH client was introduced in some IOS platforms and images starting in Cisco IOS Software Release 12.1.3.T.
  • SSH terminal-line access (also known as reverse-Telnet) was introduced in some IOS platforms and images starting in Cisco IOS Software Release 12.2.2.T.
  • SSH Version 2.0 (SSH v2) support was introduced in some IOS platforms and images starting in Cisco IOS Software Release 12.1(19)E.
  • Refer to How to Configure SSH on Catalyst Switches Running CatOS for information on SSH support in the switches.
Refer to the Software Advisor (registered customers only) for a complete list of feature sets supported in different Cisco IOS Software releases and on different platforms.
The information presented in this document was created from devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If you are in a live network, make
sure that you understand the potential impact of any command before you use it.

Authentication Test without SSH
First test the authentication without SSH to make sure that authentication works with the router Carter before
you add SSH. Authentication can be with a local username and password or with an authentication,
authorization, and accounting (AAA) server that runs TACACS+ or RADIUS. (Authentication through the
line password is not possible with SSH.) This example shows local authentication, which lets you Telnet into
the router with username "cisco" and password "cisco."
!--- The aaa new-model command causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
line vty 0 4
transport input telnet
!--- Instead of aaa new-model, you can use the login local command.
Authentication Test with SSH
In order to test authentication with SSH, you have to add to the previous statements in order to enable SSH on
Carter and test SSH from the PC and UNIX stations.
ip domain-name rtp.cisco.com
!--- Generate an SSH key to be used with SSH.
cry key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
At this point, the show cry key mypubkey rsa command must show the generated key. After you add the
SSH configuration, test your ability to access the router from the PC and UNIX station. If this does not work,
see the debug section of this document.
Optional Configuration Settings
Prevent Non-SSH Connections
If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit
the router to SSH connections only. Straight (non-SSH) Telnets are refused.
line vty 0 4
!--- Prevent non-SSH Telnets.
transport input ssh
Test to make sure that non−SSH users cannot Telnet to the router Carter.
Set Up an IOS Router or Switch as SSH Client
There are four steps required to enable SSH support on an IOS router:
1. Configure the hostname command.
2. Configure the DNS domain.
3. Generate the SSH key to be used.
4. Enable SSH transport support for the virtual type terminal (vtys).
If you want to have one device act as an SSH client to the other, you can add SSH to a second device called
Reed. These devices are then in a client-server arrangement, where Carter acts as the server, and Reed acts as
the client. The IOS SSH client configuration on Reed is the same as required for the SSH server configuration
on Carter.
!--- Step 1: Configure the hostname if you have not previously done so.
hostname carter
!--- The aaa new-model command causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Step 2: Configure the DNS domain of the router.
ip domain-name rtp.cisco.com
!--- Step 3: Generate an SSH key to be used with SSH.
cry key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!--- Step 4: By default the vtys' transport is Telnet. In this case,
!--- Telnet is disabled and only SSH is supported.
line vty 0 4
transport input ssh
!--- Instead of aaa new-model, you can use the login local command.
Issue this command to SSH from the IOS SSH client (Reed) to the IOS SSH server (Carter) in order to test this:
  • SSH v1:
    ssh -l cisco -c 3des 10.13.1.99
  • SSH v2:
    ssh -v 2 -c aes256-cbc -m hmac-sha1-160 -l cisco 10.31.1.99
Add SSH Terminal-Line Access
If you need outbound SSH terminal-line authentication, you can configure and test SSH for outbound reverse
Telnets through Carter, which acts as a comm server to Philly.
ip ssh port 2001 rotary 1
line 1 16
no exec
rotary 1
transport input ssh
exec-timeout 0 0
modem InOut
stopbits 1
If Philly is attached to Carter's port 2, then you can configure SSH to Philly through Carter from Reed with
the help of this command:
  • SSH v1:
    ssh -c 3des -p 2002 10.13.1.99
  • SSH v2:
    ssh -v 2 -c aes256-cbc -m hmac-sha1-160 -p 2002 10.31.1.99
You can use this command from Solaris:
ssh -c 3des -p 2002 -x -v 10.13.1.99
Configure the SSH Version
Configure SSH v1:
carter(config)#ip ssh version 1
Configure SSH v2:
carter(config)#ip ssh version 2
Configure SSH v1 and v2 (this is also the default when no version is set):
carter(config)#no ip ssh version
SSH v1 has known protocol weaknesses, so on a production device set ip ssh version 2 explicitly rather than leaving the default, which accepts both.
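The four-step configuration above and the version setting that follows are easy to get half right (Telnet left enabled on the vtys, the SSH version never pinned, a cleartext local password). The following auditor, added here as an example and not code from the original page or from Cisco, reads a saved "show running-config" text and reports those gaps. The two embedded configurations are constructed samples: the first is the Carter configuration from the page before hardening, the second the same device hardened; the ACL number 10, the username admin and the hash in it are placeholders.

```python
import re

# Constructed sample: the Carter configuration from the page, as it would appear
# in "show running-config" (sub-commands under "line" are indented one space).
# It still allows Telnet on the vtys and never pins the SSH version.
WEAK_CONFIG = """\
hostname carter
aaa new-model
username cisco password 0 cisco
ip domain-name rtp.cisco.com
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: the same device after hardening. The ACL number, the
# admin username and the hash are placeholders, not values from the page.
HARDENED_CONFIG = """\
hostname carter
ip domain-name rtp.cisco.com
username admin secret 5 $1$placeholder$hashgoeshere
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
access-list 10 permit 10.13.1.0 0.0.0.255
line vty 0 4
 login local
 access-class 10 in
 transport input ssh
"""


def parse_line_blocks(config):
    """Map each 'line ...' stanza to the list of its (indented) sub-commands."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # any other global command ends the stanza
    return blocks


def audit_ssh(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    global_cmds = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]

    def has(pattern):
        return any(re.fullmatch(pattern, c) for c in global_cmds)

    # Steps 1 and 2: the RSA key is named <hostname>.<domain>, so both must exist.
    if not has(r"hostname \S+"):
        findings.append("no hostname configured (step 1); RSA key cannot be generated")
    if not has(r"ip domain[- ]name \S+"):
        findings.append("no ip domain-name configured (step 2); RSA key cannot be generated")
    # Without 'ip ssh version 2' the server also accepts SSH v1.
    if not has(r"ip ssh version 2"):
        findings.append("ip ssh version 2 not set; server still negotiates SSH v1")
    # 'username ... password' keeps a cleartext or type-7 password; 'secret' hashes it.
    for cmd in global_cmds:
        m = re.match(r"username (\S+) password\b", cmd)
        if m:
            findings.append(f"username {m.group(1)} uses 'password', use 'secret' instead")

    aaa = has(r"aaa new-model")
    for spec, cmds in parse_line_blocks(config).items():
        if not spec.startswith("line vty"):
            continue
        transports = [c.lower() for c in cmds if c.lower().startswith("transport input")]
        # Step 4: the last 'transport input' wins and must allow only ssh.
        if not transports or transports[-1] != "transport input ssh":
            findings.append(f"{spec}: transport input not restricted to ssh")
        if not aaa and not any(c.startswith("login") for c in cmds):
            findings.append(f"{spec}: no login method (add 'login local' or aaa new-model)")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{spec}: no access-class; any source address may connect")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_ssh(cfg) or ['OK']}")
```

Run against the weak sample it reports four findings (SSH v1 still negotiated, the cleartext username, Telnet still allowed on vty 0 4, no access-class); the hardened sample passes. The checks are deliberately conservative: a vty stanza with no transport input line is flagged because the platform default is not guaranteed to be SSH-only.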

RECOVER YOUR ROUTER PASSWORD

 
Router>enable
Password:
Password:
Password:
% Bad secrets
Router>show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 06:21 by pt_rel_team
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
Copyright (c) 2000 by cisco Systems, Inc.
System returned to ROM by power-on
System image file is "c2800nm-advipservicesk9-mz.124-15.T1.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco 2811 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory
Processor board ID JAD05190MTZ (4292891495)
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
239K bytes of NVRAM.
62720K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Router>
Note the current configuration register value, 0x2102; you will need to put it back at the end. Power-cycle the router and, within the first 60 seconds of boot, send a Break from the terminal (Ctrl+Break in HyperTerminal, or your terminal emulator's "send break" function) to interrupt the boot and drop into the ROM monitor (ROMmon):
Self decompressing the image :
######################
monitor: command “boot” aborted due to user interrupt
rommon 1 > confreg 2142
rommon 2 > reset
System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
Copyright (c) 2000 by cisco Systems, Inc.
cisco 2811 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory
Self decompressing the image :
#######################
ROMmon (ROM monitor) is the bootstrap environment the router runs before IOS loads, and it is the only place the configuration register can be changed without the enable password. At the rommon 1> prompt, confreg 2142 sets bit 6 (0x0040) of the register, which tells IOS to ignore the contents of NVRAM (the startup-config) on the next boot, and reset reboots the router. It comes up with an empty configuration and therefore no passwords. Before you set new passwords, copy the saved startup-config into the running configuration; otherwise the copy run start at the end of the procedure overwrites the saved configuration with the blank one. After the copy, interfaces are administratively down and need no shutdown. Then set the passwords exactly as in a basic router configuration and put the register back to 0x2102:
Router>ena
Router#copy startup-config running-config
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ena password newpass
Router(config)#ena secret newsec
Router(config)#config-register 0x2102
Router(config)#exit
Router#sh ver
(output identical to the earlier show version, except for the final line)
Configuration register is 0x2142 (will be 0x2102 at next reload)
Router#copy run start
Destination filename [startup-config]?
Building configuration…
[OK]
Router#reload
Reload reboots the router; after the reboot the saved configuration is back in place and the new enable password and secret are in effect. This is the supported way to recover a Cisco router password (sometimes described as "hacking" the login password). Note what it relies on: anyone with physical console access and a power switch can do the same, so console ports belong in a locked rack, and where the risk warrants it the no service password-recovery command disables this ROMmon path, leaving a factory reset that erases the startup-config as the only way back in.
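The procedure above hinges on one bit of the configuration register, and operators routinely mistype the value (the page itself shows ox2102 and the mangled 0×2102). The following helper, added here as an example and not code from the original page or from Cisco, decodes the register fields that matter for boot and recovery and derives the two values the procedure toggles between. The bit layout follows Cisco's published configuration-register documentation; the function names are ours, and the sample values are the ones from the show version output above.

```python
# Configuration-register bits relevant to boot and password recovery.
BOOT_FIELD_MASK = 0x000F   # bits 0-3: boot field
IGNORE_NVRAM    = 0x0040   # bit 6: boot without reading startup-config from NVRAM
DISABLE_BREAK   = 0x0100   # bit 8: ignore the console Break key once IOS is running
BAUD_MASK       = 0x1820   # bits 12, 11 and 5 together select the console speed
BAUD_RATES = {
    0x0000: 9600, 0x0800: 4800, 0x1000: 2400, 0x1800: 1200,
    0x0020: 19200, 0x0820: 38400, 0x1020: 57600, 0x1820: 115200,
}


def parse_confreg(text):
    """Accept '0x2102', '2102' (as typed at the rommon prompt) or the page's
    mangled '0×2102' and return the 16-bit register value."""
    text = text.strip().lower().replace("\u00d7", "x")
    if text.startswith("0x"):
        text = text[2:]
    value = int(text, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    return value


def decode_confreg(value):
    """Explain the register bits that matter for boot and password recovery."""
    boot = value & BOOT_FIELD_MASK
    if boot == 0x0:
        boot_desc = "stay in ROMmon"
    elif boot == 0x1:
        boot_desc = "boot the first image in flash, ignore boot system commands"
    else:
        boot_desc = "boot per the boot system commands in startup-config"
    return {
        "boot_field": boot,
        "boot": boot_desc,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & DISABLE_BREAK),
        "console_baud": BAUD_RATES[value & BAUD_MASK],
    }


def with_ignore_nvram(value, ignore=True):
    """Return the register with bit 6 set (recovery boot) or cleared (normal boot),
    leaving every other bit, including the console speed, untouched."""
    if ignore:
        return value | IGNORE_NVRAM
    return (value & ~IGNORE_NVRAM) & 0xFFFF


def recovery_values(current_text):
    """Given the value printed by 'show version', return what to type at rommon
    and what to put back with 'config-register' before the final reload."""
    current = parse_confreg(current_text)
    return {
        "confreg_for_recovery": f"0x{with_ignore_nvram(current, True):04x}",
        "config_register_after": f"0x{with_ignore_nvram(current, False):04x}",
    }


if __name__ == "__main__":
    for v in ("0x2102", "0x2142"):
        print(v, decode_confreg(parse_confreg(v)))
    print(recovery_values("0x2102"))
```

Decoding 0x2102 shows why the Break must be sent early: bit 8 is set, so the Break key is ignored once IOS is running, and the register only becomes editable in ROMmon. Deriving the recovery value by setting bit 6 rather than hard-coding 0x2142 also keeps a non-default console speed (for example 0x2922 for 38400 bps) intact across the procedure.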