IOS: Reverse SSH Console Access
29 May, 2008 by Greg Ferro
I recently needed to secure reverse console access using a Cisco IOS router. For many years we have been doing this over telnet, and the configuration has been straightforward. Configuring it to support SSH instead of telnet is a little bit different, awkward in fact.
Reverse Telnet
Reverse telnet has been around for a long time. The most common use today is to provide access to the console ports on your Cisco equipment in the data center so that you can configure them in the case of a radical failure.
This is easy to do. You pick a standard router that has Network Module slots, purchase an NM-16A or NM-32A Asynchronous module. This has four unusual connectors and looks like this.

The CAB-OCTAL-ASYNC cable looks like this, and the kit comes standard with eight DB25 connectors which plug in to the RJ45 connectors on the end of the cable. It's the RJ45 connectors that you want. You can throw the RJ45-DB25 connectors in the bin.

Once you have installed the module and powered up, you can see these lines:
lontrm01#show line summary
0: ?... .... .... .... .... .... .... .... .UU-
36: ---? ??-? ???? ???? ???? ???? ???? ??-U -???
72: ???? ???? ???? ???? ???? ???? ???
3 character mode users. (U)
57 lines never used. (?)
7 lines used, but currently idle. (-)
32 lines do not exist. (.)
3 total lines in use, 0 not authenticated (lowercase)
lontrm01#
IOS allocates line numbers in a quasi-random sort of way. You should refer to How Async Lines are Numbered on 3600 series Router as a starting point.
The easiest way to see how the TTY lines are laid out is to install the modules and do a “show line”. Remember also that modules count from zero, and start on the bottom right, then up, and back to the bottom on the left and then up.
Connections
Plug the RJ45 connection into the console port of your Cisco device.
Configuring IOS for Reverse Telnet
r1#conf t
r1(config)#line 33 64
r1(config-line)#transport input telnet
r1(config-line)#no exec
r1(config-line)#^Z
r1#
Go to your telnet client: telnet 198.18.1.1 2033 will connect you to line 33, and telnet 198.18.1.1 2034 will connect you to line 34.
We have confirmed connectivity.
Reverse SSH
The SSH listener doesn't use the same ports, so we have to use rotary groups.
! generate the ssh key
crypto key generate rsa
! some of the usual stuff for ssh
ip ssh time-out 60
ip ssh authentication-retries 4
! configure the ssh listener at port 2001 through 2127
ip ssh port 2001 rotary 1 127
ip ssh logging events
!
line 33
! set the rotary group the port belongs to, only one port per rotary group
rotary 1
! do not allow the serial line to spawn an exec session, as this will lock the port.
! This happens when the serial line gets EMF / EMI.
no exec
! allow the SSH thread to access the port.
transport input ssh
transport output none
line 34
rotary 2
no exec
transport input ssh
transport output none
line 35
rotary 3
no exec
transport input ssh
transport output none
! repeat for every line
You will need to configure your SSH client to connect on a non-standard port:

or even better at the Command Line
ssh -l gf 198.18.1.1 -p 2001
or
ssh gf@198.18.1.1 -p 2001
Each console port is reachable in ascending order: ssh -l gf 10.216.4.10 -p 2002 will connect to line 34, and ssh -l gf 10.216.4.10 -p 2003 will connect to line 35.
Clearing Lines
Sometimes a line will not be terminated cleanly and will need clearing. Do a show line, and the asterisk (star) will show you which lines are 'in use'.
r1#sh line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
0 CTY - - - - - 0 0 0/0 -
* 33 TTY 9600/9600 - - 1 - - 14 0 0/0 -
* 34 TTY 9600/9600 - - 2 - - 3 0 0/0 -
35 TTY 9600/9600 - - 3 - - 1 1 0/0 -
36 TTY 9600/9600 - - 4 - - 1 0 0/0 -
-snip-
r1#clear line 33
[confirm]
[OK]
r1#
r1#show line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
0 CTY - - - - - 0 0 0/0 -
33 TTY 9600/9600 - - 1 - - 14 0 0/0 -
* 34 TTY 9600/9600 - - 2 - - 3 0 0/0 -
35 TTY 9600/9600 - - 3 - - 1 1 0/0 -
36 TTY 9600/9600 - - 4 - - 1 0 0/0 -
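As an added example, not part of the original post, here is a small Python parser for the show line output above. It picks out the lines flagged in use with an asterisk, derives the SSH port that reaches each one (2000 + rotary group, following the ip ssh port 2001 rotary 1 127 command earlier), and prints the clear line command that frees it. The sample output is constructed to match the post.

```python
# Constructed sample modelled on the "show line" output shown in the post;
# a leading "*" marks a line that is currently in use.
SHOW_LINE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
     0 CTY              -    -      -    -    -     0      0    0/0      -
*   33 TTY   9600/9600  -    -      1    -    -    14      0    0/0      -
*   34 TTY   9600/9600  -    -      2    -    -     3      0    0/0      -
    35 TTY   9600/9600  -    -      3    -    -     1      1    0/0      -
    36 TTY   9600/9600  -    -      4    -    -     1      0    0/0      -
"""

# "ip ssh port 2001 rotary 1 127" maps rotary group N to TCP port 2000 + N.
SSH_BASE_PORT = 2000


def parse_show_line(text):
    """Return one dict per async (TTY) row: tty number, in-use flag, rotary group."""
    rows = []
    for raw in text.splitlines():
        in_use = raw.lstrip().startswith("*")
        fields = raw.replace("*", " ").split()
        # Skip the header, blank lines, "-snip-" markers and non-TTY rows (CTY, VTY...).
        if len(fields) < 6 or not fields[0].isdigit() or fields[1] != "TTY":
            continue
        roty = fields[5]  # columns: Tty Typ Tx/Rx A Modem Roty ...
        rows.append({
            "tty": int(fields[0]),
            "in_use": in_use,
            "roty": int(roty) if roty.isdigit() else None,
        })
    return rows


def lines_in_use(rows):
    """For each TTY flagged in use, give the SSH port that reaches it and the command to free it."""
    result = []
    for r in rows:
        if not r["in_use"]:
            continue
        port = SSH_BASE_PORT + r["roty"] if r["roty"] is not None else None
        result.append({"tty": r["tty"], "ssh_port": port,
                       "clear_cmd": "clear line %d" % r["tty"]})
    return result


if __name__ == "__main__":
    for entry in lines_in_use(parse_show_line(SHOW_LINE)):
        print(entry)
```

An in-use line is not necessarily hung (one of them will be your own session), so review the list before issuing any clear line.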
Why not use something else?
Many people use a Cyclades or some other product to do this. They are often cheaper and have higher density. However, I often waste a lot of time getting the physical cabling sorted out to connect to a Cisco console port. The Cisco NM-16A is a quick and easy solution. Typically I use a 2600 or 3600 series router as my terminal server, so the cost is really only for the Asynchronous NM module and some cables.
I would also recommend buying the CAB-OCTAL-ASYNC cable from eBay. Typically £25 versus £150 or more from Cisco resellers. The eBay version can also come in five metre lengths, which is useful for running up to your patch panel.
Conclusion
The use of reverse telnet or SSH is vital to creating an effective lights out and hands off data centre. It is also critical when building an Out of Band network for disaster recovery, as this might be the only way to connect to network equipment in the event of a meltdown.
Telnet is not suitable because of its poor security (clear text passwords), so SSH is a necessity.
Please let me know if I have made any typos. Would be happy to fix this up.
Postscript
I published a follow up to this post at http://etherealmind.com/2008/06/25/cisco-ios-reverse-ssh-terminal-server-console-access-part2/
Hi Greg,
nice article… I would like to share my experience:
I, usually, do reverse-ssh without rotary. You can just put
transport input SSH
in line configuration.
You can select which line to use with “:linenumber” after username, for example to use reverse SSH on 2600 AUX port, just use
ssh -l user:65 2600-ip
Every reverse connection will use port 22, this is really handy when the terminal server is behind a firewall.
Here some info from cisco:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_rssh.html
–
Bye,
Emanuele
Thanks for the tip. I couldn't make this work in my testing, but I will try it again next week.
Emanuele reply on May 30th, 2008 12:59 pm:
I've tested on a 2600XM with c2600-advsecurityk9-mz.124-9.T1.bin, I remember when they introduced this feature…
Have a nice weekend..
Emanuele
This is awesome. I pulled some docs on it yesterday and was going to upgrade the code on my 3640 to do it but didn't have enough memory. Oh well, the memory is on order and the material you put together is great! Thanks.
Brandon