Wednesday, March 17, 2010

IOS: Reverse SSH Console Access

May 29, 2008 by Greg Ferro · 6 Comments 

I recently needed to secure reverse console access on a Cisco IOS router. For many years we have been doing this over telnet, and the configuration has been straightforward. Configuring it to support SSH instead of telnet is a little different, awkward in fact.

Reverse Telnet

Reverse telnet has been around for a long time. The most common use today is to provide access to the console ports on your Cisco equipment in the data center so that you can configure them in the case of a radical failure.

This is easy to do. You pick a standard router that has Network Module slots and purchase an NM-16A or NM-32A asynchronous module. This has four unusual connectors and looks like this.

[Image: Understanding 16- and 32-Port Async Network Modules - Cisco Systems]

The CAB-OCTAL-ASYNC cable looks like this, and the kit comes standard with eight DB25 connectors which plug in to the RJ45 connectors on the end of the cable. It's the RJ45 connectors that you want; you can throw the RJ45-DB25 connectors in the bin.

[Image: CAB-OCTAL-ASYNC Cable Pinouts - Cisco Systems]

Once you have installed the module and powered up, you can see these lines:

lontrm01#show line summary
        0: ?... .... .... .... .... .... .... .... .UU-
       36: ---? ??-? ???? ???? ???? ???? ???? ??-U -???
       72: ???? ???? ???? ???? ???? ???? ???

   3 character mode users.           (U)
  57 lines never used.               (?)
   7 lines used, but currently idle. (-)
  32 lines do not exist.             (.)
   3 total lines in use, 0 not authenticated (lowercase)
lontrm01#

IOS allocates line numbers in a quasi-random sort of way. You should refer to How Async Lines are Numbered on 3600 series Router as a starting point.

The easiest way to see how the TTY lines are laid out is to install the modules and do a “show line”. Remember also that modules count from zero and start on the bottom right, then go up, then back to the bottom on the left and then up.

Connections

Plug the RJ45 connection into the console port of your Cisco device.

Configuring IOS for Reverse Telnet

r1#conf t
r1(config)#line 33 64
r1(config-line)#transport input telnet
r1(config-line)#no exec
r1(config-line)#^Z
r1#

Go to your telnet client: telnet 198.18.1.1 2033 will connect you to line 33, and telnet 198.18.1.1 2034 will connect you to line 34.

We have confirmed connectivity.

Reverse SSH

The SSH listener doesn't use the same 2000+line port scheme, so we have to use rotary groups instead.

! generate the SSH key (if one does not already exist)
crypto key generate rsa
! the usual settings for SSH
ip ssh time-out 60
ip ssh authentication-retries 4
! configure the SSH listener: rotary groups 1 through 127 on ports 2001 through 2127
ip ssh port 2001 rotary 1 127
ip ssh logging events
!
line 33
! set the rotary group the line belongs to; only one line per rotary group
 rotary 1
! do not allow the serial line to spawn an exec session, as this will lock the line.
! This happens when the serial line picks up EMF / EMI noise.
 no exec
! allow only SSH to access the line
 transport input ssh
 transport output none
line 34
 rotary 2
 no exec
 transport input ssh
 transport output none
line 35
 rotary 3
 no exec
 transport input ssh
 transport output none
! repeat for every line
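The per-line block above is repeated once for every async line, and the SSH port for a line follows from its rotary group. The following is an added example (not from the original post) that generates that configuration for a full NM-32A (lines 33 through 64, assumed) with the listener starting at port 2001, and provides the line-to-port mapping both ways so you can check which console a given port reaches before connecting.

```python
# Added example, not part of the original post: generate the repetitive
# rotary configuration for reverse SSH and map async lines to SSH ports.
# Assumptions: async lines 33-64 (one NM-32A) and rotary group 1 on port 2001.

FIRST_LINE = 33
LAST_LINE = 64
BASE_PORT = 2001          # port assigned to rotary group 1


def rotary_group(line):
    """Rotary group for an async line: line 33 -> group 1, line 34 -> group 2, ..."""
    if not FIRST_LINE <= line <= LAST_LINE:
        raise ValueError(f"line {line} is outside {FIRST_LINE}-{LAST_LINE}")
    return line - FIRST_LINE + 1


def ssh_port(line):
    """TCP port the SSH client must use to reach the console attached to this line."""
    return BASE_PORT + rotary_group(line) - 1


def line_for_port(port):
    """Inverse mapping: which async line a listener port hands you to."""
    line = FIRST_LINE + (port - BASE_PORT)
    rotary_group(line)    # raises ValueError if the port is not a configured rotary
    return line


def build_config():
    """Return the IOS configuration as a list of lines (ready to paste into conf t)."""
    groups = LAST_LINE - FIRST_LINE + 1
    cfg = [
        "ip ssh time-out 60",
        "ip ssh authentication-retries 4",
        f"ip ssh port {BASE_PORT} rotary 1 {groups}",   # ports 2001..2032
        "ip ssh logging events",
    ]
    for line in range(FIRST_LINE, LAST_LINE + 1):
        cfg += [
            f"line {line}",
            f" rotary {rotary_group(line)}",
            " no exec",                  # never let noise on the serial line spawn an exec
            " transport input ssh",      # SSH only, no telnet
            " transport output none",
        ]
    return cfg


if __name__ == "__main__":
    print("\n".join(build_config()))
```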

You will need to configure your SSH client to connect on a non-standard port:

[Image: reversessh01 - SSH client configured for a non-standard port]

or, even better, at the command line:

ssh -l gf 198.18.1.1 -p 2001

or

ssh gf@198.18.1.1 -p 2001

Each console port is available in ascending order, thus ssh -l gf 10.216.4.10 -p 2002 will connect to line 34, and ssh -l gf 10.216.4.10 -p 2003 will connect to line 35.

Clearing Lines

Sometimes a line will not be terminated cleanly and will need clearing. Do a show line, and the asterisk in the first column will show you which lines are ‘in use’.

r1#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
*    33 TTY   9600/9600  -    -      1    -    -     14       0     0/0       -
*    34 TTY   9600/9600  -    -      2    -    -      3       0     0/0       -
     35 TTY   9600/9600  -    -      3    -    -      1       1     0/0       -
     36 TTY   9600/9600  -    -      4    -    -      1       0     0/0       -
-snip-
r1#clear line 33
[confirm]
 [OK]
r1#
r1#show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
     33 TTY   9600/9600  -    -      1    -    -     14       0     0/0       -
*    34 TTY   9600/9600  -    -      2    -    -      3       0     0/0       -
     35 TTY   9600/9600  -    -      3    -    -      1       1     0/0       -
     36 TTY   9600/9600  -    -      4    -    -      1       0     0/0       -
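When a terminal server has dozens of lines, reading the asterisks by eye is error-prone. The following is an added example (not from the original post) that parses a captured “show line” listing, reports which async lines are marked in use together with their rotary group, and builds the matching clear line commands for an operator to review. SHOW_LINE is a constructed sample modelled on the output above.

```python
# Added example, not part of the original post: parse "show line" output and
# pick out the TTY lines flagged in use (leading asterisk).
import re

# Constructed sample modelled on the post's "show line" output.
SHOW_LINE = """\
r1#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
*    33 TTY   9600/9600  -    -      1    -    -     14       0     0/0       -
*    34 TTY   9600/9600  -    -      2    -    -      3       0     0/0       -
     35 TTY   9600/9600  -    -      3    -    -      1       1     0/0       -
     36 TTY   9600/9600  -    -      4    -    -      1       0     0/0       -
-snip-
"""

# Column 1 is "*" for a line in use, then the Tty number and the line type.
ROW = re.compile(r"^(\*?)\s*(\d+)\s+([A-Z]+)\s+(.*)$")


def parse_show_line(text):
    """Return [(tty, type, rotary_group_or_None, in_use)] for each data row.

    The header, the prompt and "-snip-" do not match ROW and are skipped.
    The CTY row has no Tx/Rx field, so Roty is located by counting from the
    end of the row: Roty AccO AccI Uses Noise Overruns Int = 7 fields.
    """
    rows = []
    for raw in text.splitlines():
        m = ROW.match(raw)
        if not m:
            continue
        flag, tty, typ, rest = m.groups()
        fields = rest.split()
        roty = fields[-7] if len(fields) >= 7 else "-"
        rows.append((int(tty), typ, None if roty == "-" else int(roty), flag == "*"))
    return rows


def lines_in_use(text):
    """Async (TTY) line numbers currently flagged in use."""
    return [tty for tty, typ, _, in_use in parse_show_line(text)
            if in_use and typ == "TTY"]


def clear_commands(text):
    """IOS commands that would release every in-use async line."""
    return [f"clear line {tty}" for tty in lines_in_use(text)]


if __name__ == "__main__":
    for tty, typ, roty, in_use in parse_show_line(SHOW_LINE):
        print(f"line {tty:>3} {typ:<4} rotary={roty} in_use={in_use}")
    print("\n".join(clear_commands(SHOW_LINE)))
```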

Why not use something else?

Many people use a Cyclades or some other product to do this. They are often cheaper and have higher density. However, I often waste a lot of time getting the physical cabling sorted out to connect to a Cisco console port. The Cisco NM-16A is a quick and easy solution. Typically I use a 2600 or 3600 series router as my terminal server, so the cost is really only for the asynchronous NM module and some cables.

I would also recommend buying the CAB-OCTAL-ASYNC cable from eBay: typically £25 versus £150 or more from Cisco resellers. The eBay version can also come in five metre lengths, which is useful for running up to your patch panel.

Conclusion

The use of reverse telnet or SSH is vital to creating an effective lights-out, hands-off data centre. It is also critical when building an out-of-band disaster network, as this might be the only way to connect to network equipment in the event of a meltdown.

Telnet is not suitable because of its poor security (clear-text passwords), so SSH is a necessity.

Please let me know if I have made any typos. Would be happy to fix this up.

Postscript

I published a follow-up to this post at http://etherealmind.com/2008/06/25/cisco-ios-reverse-ssh-terminal-server-console-access-part2/


Comments

6 Responses to “IOS: Reverse SSH Console Access”
  1. Emanuele says:

    Hi Greg,
    nice article… I would like to share my experience:
    I, usually, do reverse-ssh without rotary. You can just put
    transport input SSH
    in line configuration.

    You can select which line to use with “:linenumber” after username, for example to use reverse SSH on 2600 AUX port, just use
    ssh -l user:65 2600-ip

    Every reverse connection will use port 22, this is really handy when the terminal server is behind a firewall.
    Here is some info from Cisco:
    http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_rssh.html


    Bye,
    Emanuele

  2. Greg Ferro says:

    Thanks for the tip. I couldn’t make this work in my testing, but I will try it again next week.

    • Emanuele says:

      I’ve tested on a 2600XM with c2600-advsecurityk9-mz.124-9.T1.bin, I remember when they introduced this feature…

      Have a nice weekend..
      Emanuele

  3. This is awesome. I pulled some docs on it yesterday and was going to upgrade the code on my 3640 to do it but didn’t have enough memory. Oh well, the memory is on order and the material you put together is great! Thanks.
    Brandon
