Fixing SSH access on cisco via SNMP
Sometimes you may encounter a situation, when your SSH is not properly configured. In this situation you might be lucky enough to have SNMP RW community string configured. In this situation you can fix literally everything.
Download the Config via SNMP
You may download current device’s config to tftp server, edit necessary lines and upload it back. You may upload it to either running config, startup config or a flash file.
To download running config:
snmpset -c san-fran -v 2c 192.168.1.23 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
snmpset -c san-fran -v 2c 192.168.1.23 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 4
snmpset -c san-fran -v 2c 192.168.1.23 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 1
snmpset -c san-fran -v 2c 192.168.1.23 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a 192.168.1.252
snmpset -c san-fran -v 2c 192.168.1.23 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s config_dsw1.txt
snmpset -c san-fran -v 2c 192.168.1.23 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
where:
- san-fran - is the community key of your cisco router.
- 192.168.1.23 - is the ip address of your Cisco device.
- 192.168.1.252 - is the ip address of your tftp server.
- config_dsw1 - is the name where the running configuration
- will be saved.
- 111 - random number
Commands Explained
1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
ccCopyProtocol: The protocol file transfer protocol:
1 - tftp
2 - ftp
3 - rcp
4 - scp
5 - sftp
1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 4
ccCopySourceFileType: Specifies the type of file to copy from:
1 - networkFile
2 - iosFile
3 - startupConfig
4 - runningConfig
5 - terminal
6 - fabricStartupConfig
1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 1
ccCopyDestFileType: specifies the type of file to copy to:
1 - networkFile
2 - iosFile
3 - startupConfig
4 - runningConfig
5 - terminal
6 - fabricStartupConfig
1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a 192.168.1.252
ccCopyServerAddress: The IP address of the TFTP server
1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s config_dsw1.txt
ccCopyFileName: The file name (including the path) of the file.
1.3.6.1.4.1.9.9.96.1.1.1.1.14.336 i 1
ccCopyEntryRowStatus: The status of this table entry. Once is set to active, the associated entry cannot be modified until
the request completes (‘successful’ or ‘failed’) The object can be:
1 - active
2 - notInService
3 - notReady
4 - createAndGo
5 - createAndWait
6 - destroy
When enter this command, the router will send the running configuration to the ftp-server!
Change the Config
If you encountered situation with SSH with no generated certificate, You config might look like this:
line vty 0 4
length 0
transport input ssh
line vty 5 15
transport input ssh
exit
You should fix it to:
line vty 0 4
length 0
transport input telnet
line vty 5 15
transport input telnet
exit
Some commands can be cancelled with “no ” statment before the command. Some, as in above case, not.
Upload the Config via SNMP
Upload it back by the following commands. Be careful! If you upload to startup-config, IOS will not merge the uploaded config and the startup one, it will replace it instead. Do not upload partial sets of commands!. To be on a safe side always I recommend to never upload partial configs. Only necessary lines should be added/cancelled/corrected and the whole config should be uploaded.
snmpset -c san-fran -v 2c 192.168.1.23 1.3.6.1.4.1.9.9.96.1.1.1.1.2.222 i 1
snmpset -c san-fran -v 2c 192.168.1.23 1.3.6.1.4.1.9.9.96.1.1.1.1.3.222 i 1
snmpset -c san-fran -v 2c 192.168.1.23 1.3.6.1.4.1.9.9.96.1.1.1.1.4.222 i 4
snmpset -c san-fran -v 2c 192.168.1.23 1.3.6.1.4.1.9.9.96.1.1.1.1.5.222 a 192.168.1.252
snmpset -c san-fran -v 2c 192.168.1.23 1.3.6.1.4.1.9.9.96.1.1.1.1.6.222 s config_dsw1.txt
where:
san-fran - is the community key of your cisco router.
192.168.1.23 - is the ip address of your Cisco device.
192.168.1.252 - is the ip address of your tftp server.
config_dsw1.txt - is the name where the running configuration will be saved.
222 - random number
Commands Explained
1.3.6.1.4.1.9.9.96.1.1.1.1.2.222 i 1
ccCopyProtocol: The protocol file transfer protocol:
1 - tftp
2 - ftp
3 - rcp
4 - scp
5 – sftp
1.3.6.1.4.1.9.9.96.1.1.1.1.3.222 i 1
ccCopySourceFileType: Specifies the type of file to copy from:
1 - networkFile
2 - iosFile
3 - startupConfig
4 - runningConfig
5 - terminal
6 - fabricStartupConfig
1.3.6.1.4.1.9.9.96.1.1.1.1.4.222 i 4
ccCopyDestFileType: specifies the type of file to copy to:
1 - networkFile
2 - iosFile
3 - startupConfig
4 - runningConfig
5 - terminal
6 - fabricStartupConfig
1.3.6.1.4.1.9.9.96.1.1.1.1.5.222 a 192.168.1.252
ccCopyServerAddress: The IP address of the TFTP server to copy the configuration file from.
1.3.6.1.4.1.9.9.96.1.1.1.1.6.222 s config_dsw1.txt
ccCopyFileName: The file name (including the path) of the file.
1.3.6.1.4.1.9.9.96.1.1.1.1.14.222 i 1
ccCopyEntryRowStatus: The status of this table entry.
Once is set to active, the associated entry cannot be modified until the request completes (‘successful’ or ‘failed’) The object can be:
1 - active
2 - notInService
3 - notReady
4 - createAndGo
5 - createAndWait
6 - destroy
Based On:
- http://tiamat.name/blogposts/fixing-ssh-access-on-cisco-via-snmp/
- http://www.ciscozine.com/send-cisco-commands-via-snmp/
- http://www.ciscozine.com/how-to-save-configurations-using-snmp/
Related Links
- http://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/15217-copy-configs-snmp.html
- http://www.notarus.net/networking/cisco_snmp_config.html
- http://ccie20728.wordpress.com/2008/05/20/get-the-cisco-configuration-over-snmp/
- http://packetpushers.net/fixing-screwups-with-snmp-config-management
No comments:
Post a Comment