10-10-2018 06:00 PM - edited 03-03-2019 08:54 AM
How to configure a Cisco 2811 2800 Series Router using a NM-16A or NM-32A Async Module as a Terminal Server
Please let me know if there is anything I need to correct. I'm posting this to help others and to grow my own skills. The examples below are using the NM-16A and a 2811 Router; you may need to make adjustments for your particular hardware.
Router>enable
Router#configure terminal
Router(config)#hostname Termserver
Termserver(config)#interface FastEthernet 0/0
Termserver(config-if)#ip address 192.168.111.31 255.255.255.0
Termserver(config-if)#no shutdown
Termserver(config-if)#exit
Termserver(config)#line vty 0 15
Termserver(config-line)#password YourTelnetPassword
Termserver(config-line)#logging synchronous
Termserver(config-line)#login
Termserver(config-line)#exec-timeout 15 0
Termserver(config-line)#exit
Termserver(config)#interface loopback 0
Termserver(config-if)#ip address 192.168.10.10 255.255.255.0
Termserver(config-if)#exit
Termserver(config)#line 1/0 1/15
Termserver(config-line)#transport input telnet
Termserver(config-line)#exit
Termserver(config)#interface Group-Async 0
Termserver(config-if)#no ip add
Termserver(config-if)#encapsulation slip
Termserver(config-if)#group-range 1/0 1/15
Termserver(config-if)#exit
Termserver(config)#enable secret YourSecretPassword
Termserver(config)#service password-encryption
Termserver(config)#^Z
Termserver#copy running-config startup-config
WARNING: This is not the most secure connection. Do not use telnet outside of your local network. I recommend setting up SSH v2. It doesn’t hurt even inside your local network. Further down I have directions to walk you through setting up SSH.
NOTE: When using the NM-16 or the NM-32 your port/line numbers will need to be determined. This next step will allow you to verify and figure out your port/line numbers.
Termserver>enable
Termserver#show line
You should see something like this:
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
0 0 CTY - - - - - 8 0 0/0 -
1 1 AUX 9600/9600 - - - - - 0 0 0/0 -
* 1/0 66 TTY 9600/9600 - - - - - 3 39 438/1318 -
* 1/1 67 TTY 9600/9600 - - - - - 2 53 441/1328 -
< ------------ THIS SECTION DELETED TO SAVE SPACE ------------- >
1/15 81 TTY 9600/9600 - - - - - 0 0 0/0 -
* 514 514 VTY - - - - - 10 0 0/0 -
515 515 VTY - - - - - 0 0 0/0 -
< ------------ THIS SECTION DELETED TO SAVE SPACE ------------- >
529 529 VTY - - - - - 0 0 0/0 -
Line(s) not in async mode -or- with no hardware support:
2-65, 82-513
Termserver#
IMPORTANT: Make note of the Line numbers for all of the Async connections. Here they are 1/0 thru 1/15, starting with Line Number 66 and ending in 81. These are your line numbers. If you have the NM-32 you should see 1/0 thru 1/31. Take these port numbers and add 2000 to them, e.g. 66 becomes 2066, 67 becomes 2067. These are the port numbers, e.g. 2066, 2067, 2068. If you are using the labeled octal cables and the cable is plugged into physical port Async 0-7, then cable 1 is 2066 and cable 8 is 2073; for the next cable, plugged into port Async 8-15, cable 1 becomes 2074 and cable 8 becomes 2081.
We can test a connection now.
Termserver#telnet 192.168.10.10 2066
Trying 192.168.10.10, 2066 ... Open
<press enter>
SW1>
This is what you should see now. You are accessing the device via reverse telnet over the Cisco Console port of another Cisco device.
Troubleshooting: If you get a message like the following, here is how to correct it.
[ERROR BEGIN]
Termserver#telnet 192.168.10.10 2066
Trying 192.168.10.10, 2066 ...
% Connection refused by remote host
[ERROR END]
[FIX BEGIN]
Termserver#clear line 66
[confirm]<press enter>
[OK]
Termserver# telnet 192.168.10.10 2066
Trying 192.168.10.10, 2066 ... Open
<press enter>
SW1>
[FIX END]
To return to the Terminal Server PRESS “Ctrl+Shift+6” then let go, then press “x”. This should return you to the Terminal Server.
Technically the Terminal Server is still connected. You can view the connections by using the following command.
Termserver#show sessions
Conn Host Address Byte Idle Conn Name
1 192.168.10.10 192.168.10.10 0 12 192.168.10.10
2 192.168.10.10 192.168.10.10 0 9
* 3 192.168.10.10 192.168.10.10 0 0
To disconnect from any of the sessions use the following command.
Termserver#disconnect 1
Closing connection to 192.168.10.10 [confirm]<press enter>
Simplifying Connections using an IP Host Table
Now that you have the hang of it, why not simplify your life by creating abbreviated names and letting the router handle all the long connection names, IP addresses and port numbers for you? This is done using the IP Host Table. Super simple to set up too.
Termserver>enable
Termserver#configure terminal
Termserver(config)#ip host r1 2066 192.168.10.10
Termserver(config)#ip host r2 2067 192.168.10.10
< ---- THIS SECTION DELETED TO SAVE SPACE ---- >
Termserver(config)#ip host r15 2080 192.168.10.10
Termserver(config)#ip host r16 2081 192.168.10.10
Termserver(config)#^Z
Termserver#copy running-config startup-config
Building configuration…
[OK]
Termserver#r1
Trying r1 (192.168.10.10, 2066)... Open
<press enter>
R1>
NOTE IMPORTANT: Once you have an active session, going back to that session requires that you use the Conn “Connection” number, not the name, to switch between sessions. If you try to use the host names after you have an active session you will get the “Connection refused” error. Instead of disconnecting and clearing the line you can simply type in the Conn “Connection” number, not the name, then press <enter> and it will take you back to the active session. Example below.
Termserver#show sessions
Conn Host Address Byte Idle Conn Name
* 1 r1 192.168.10.10 0 0 r1
Termserver#1
[Resuming connection 1 to sw1 ... ]
SW1>
You must be at Termserver# to do this. To switch back to it you just use Ctrl+Shift+6, then let go, and then press x. And remember, if you ever can’t reconnect, use the disconnect to get rid of the session and the clear line to reset the lines.
Setting up SSH v1 or SSH v2
Termserver>enable
Termserver#configure terminal
Termserver(config)#ip domain-name CiscoLab.com
Termserver(config)#crypto key generate rsa
The name for the keys will be: Termserver.CiscoLab.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 4 seconds)
Termserver(config)#line vty 0 15
Termserver(config-line)#login local
Termserver(config-line)#transport input ssh
Termserver(config-line)#exit
Termserver(config)#username YourUsername privilege 15 password YourSecretPassword
Termserver(config)#^Z
Termserver#copy running-config startup-config
NOTE: Currently SSH will work; Telnet will no longer work over the network. However, it is now in a mode where it supports both SSH v1 and SSH v2. You can run the command Termserver#show ssh to see what version is active. It should show as “‘protoversion’ 1.99”. 1.99 is not a version of SSH; this is just what is displayed while both are active. I recommend you disable SSH v1 for extra security.
Disable SSH v1
Termserver>enable
Termserver#configure terminal
Termserver(config)#ip ssh version 2
Termserver(config)#exit
Termserver#copy running-config startup-config
NOTE: Run the command Termserver#show ssh and you should now see the following.
Termserver#show ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started YourUsername
0 2.0 OUT aes256-cbc hmac-sha1 Session started YourUsername
%No SSHv1 server connections running.
END
I hope this helps you. If there are any ERRORS in this write up please reply with corrections so I can edit this. I do not want to put faulty information out there or syntax errors. Cisco doesn’t have specific instructions for doing this with the 2800 series using the NM-16 and NM-32 interfaces, as they recommend using interfaces like the HWIC-16A, which is currently more expensive.
References: Much of this comes from ciscopress.com "Gaining Access to Routers and Switches". Also other pieces were picked up from other discussions in this forum. I would like to shout out to those from whom I found the information; however, it has been so long ago I don't remember who they were. If you see something you may have contributed here I thank you and others thank you as well. The rest is what I came up with.
EDIT:
Cool Alternative Suggestion ADDED by DAVE in the Cisco Forums (See his replies below)
Dave (who posted a reply to this post originally) suggested using ip alias with rotary SSH Terminal-Line Access to give direct SSH connections to the consoles, eliminating the need to switch between them internally using reverse telnet. I’m adding the example below for those who would prefer to SSH directly to each router's/switch's console port using multiple IP addresses.
Termserver#conf t
Termserver(config)#ip alias 192.xxx.xxx.021 2001
Termserver(config)#ip alias 192.xxx.xxx.022 2002
Termserver(config)#line 1/0
Termserver(config-line)#no exec
Termserver(config-line)#login local
Termserver(config-line)#rotary 1
Termserver(config-line)#transport input ssh
Termserver(config-line)#exit
Termserver(config)#line 1/1
Termserver(config-line)#no exec
Termserver(config-line)#login local
Termserver(config-line)#rotary 2
Termserver(config-line)#transport input ssh
Termserver(config-line)#exit
Termserver(config)#ip ssh port 2001 rotary 1 2
Termserver(config)#exit
NOTE: For more IP aliases, simply add more aliases, increasing the port number incrementally, then increase your rotary number for each line incrementally, then change the last command's rotary range (e.g. for 5 IP aliases and rotaries the last command ip ssh port 2001 rotary 1 2 changes to ip ssh port 2001 rotary 1 5)
EDIT 2:
NOTE: If you attempt to port forward, allowing access to the terminal server over a different subnet, I found that the settings of default-gateway or default-network did not help. I had to create a static route to my gateway. SSH connections on the local LAN worked, but over a public or different subnet it would not respond to connection attempts. The following is the static route I set up that remedied this. If anyone has a better or more clever way to handle this I'd love to hear it. Enjoy!
(192.167.xxx.1 is the gateway on the network)
Termserver#conf t
Termserver(config)#ip route 0.0.0.0 0.0.0.0 192.168.xxx.1
You can check your current route info as well as verify your changes took effect using the following.
Termserver#show ip route
Hope this helps!
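Added example, not part of the original post: a Python sketch of the line-number arithmetic described above. It reads `show line` output, keeps the TTY rows, applies the post's line-number-plus-2000 rule, and emits matching `ip host` entries plus the octal cable and lead for a given port; the sample output is constructed from the post's excerpt and the function names are illustrative.

```python
import re

# Constructed sample modelled on the `show line` excerpt in the post (not a device capture).
SHOW_LINE = """\
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
     0    0 CTY              -    -      -    -    -     8      0    0/0      -
     1    1 AUX  9600/9600   -    -      -    -    -     0      0    0/0      -
*  1/0   66 TTY  9600/9600   -    -      -    -    -     3     39  438/1318   -
*  1/1   67 TTY  9600/9600   -    -      -    -    -     2     53  441/1328   -
  1/15   81 TTY  9600/9600   -    -      -    -    -     0      0    0/0      -
*  514  514 VTY              -    -      -    -    -    10      0    0/0      -
Line(s) not in async mode -or- with no hardware support:
2-65, 82-513
"""

REVERSE_TELNET_BASE = 2000  # the post's rule: TCP port = line number + 2000
ROW = re.compile(r"^\s*(\*)?\s*(\S+)\s+(\d+)\s+(CTY|AUX|TTY|VTY)\b")


def async_lines(text):
    """Return (tty, line, port, in_use) for every TTY row; other rows are skipped."""
    rows = []
    for raw in text.splitlines():
        m = ROW.match(raw)
        if m and m.group(4) == "TTY":
            line = int(m.group(3))
            rows.append((m.group(2), line, REVERSE_TELNET_BASE + line, m.group(1) == "*"))
    return rows


def ip_host_commands(rows, address, prefix="r"):
    """Name each line by its offset from the first async line, so elided rows keep their number."""
    first = min(line for _tty, line, _port, _used in rows)
    return [f"ip host {prefix}{line - first + 1} {port} {address}"
            for _tty, line, port, _used in sorted(rows, key=lambda r: r[1])]


def cable_position(rows, port):
    """Map a TCP port to (octal cable number, lead number 1-8), per the post's cabling note."""
    first = min(line for _tty, line, _port, _used in rows)
    offset = port - REVERSE_TELNET_BASE - first
    if offset < 0:
        raise ValueError(f"port {port} is below the first async line")
    return offset // 8 + 1, offset % 8 + 1


if __name__ == "__main__":
    rows = async_lines(SHOW_LINE)
    for cmd in ip_host_commands(rows, "192.168.10.10"):
        print(cmd)
    print(cable_position(rows, 2074))
```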
10-11-2018 04:58 AM
Hi,
Just a couple of thoughts for you:
If you use the ip alias command, you can redirect an IP to a port on the router. This means that you can actually have an IP Address set aside for each console line so that you don't have to telnet to a non-standard port. This also means that you can add that address into your DNS infrastructure so that you don't have to remember which console port is connected to which terminal server.
If you want to set this up to allow SSH direct to the console line, you will need to use a rotary group as shown here:
I usually combine both of these.
Hope this helps.
Dave
10-11-2018 08:30 AM - edited 10-11-2018 08:32 AM
Hi Dave,
I really like this idea of yours. I'm a bit hung up on making it work properly.
I'm following the example on the link you shared however, I can only get connected to the first switch. I cannot connect to the second switch. I get connection refused on the second switch using Putty.
Here is my example.
Termserver#conf t
Termserver(config)#ip alias 192.xxx.xxx.021 2001
Termserver(config)#ip alias 192.xxx.xxx.022 2002
Termserver(config)#line 1/0
Termserver(config-line)#no exec
Termserver(config-line)#login local
Termserver(config-line)#rotary 1
Termserver(config-line)#transport input ssh
Termserver(config)#line 1/1
Termserver(config-line)#no exec
Termserver(config-line)#login local
Termserver(config-line)#rotary 2
Termserver(config-line)#transport input ssh
Termserver(config-line)#exit
Termserver(config)#ip ssh port 2001 rotary 1 2
Termserver(config)#exit
Thanks
10-12-2018 02:42 AM
Hi,
Your config looks correct. You should try to SSH to the original IP:port first. That should give you a clue where the issue is. Ensure that the line is not in use when you try. I tend to set the timeout to about 5 minutes so that the line automatically clears when you leave. Obviously, you will be asked to login twice. Once to the terminal server and once on the console port itself.
Obviously, you also need to be able to route all the way to the alias address. I usually have term servers with 96 ports, so I create a loopback interface on the router with the relevant /25 IP address block and advertise that into the local IGP. This draws all the relevant traffic to the router and means that you can have a resilient path to get to it.
Hope this helps,
Dave
10-12-2018 12:55 PM
10-15-2018 03:35 AM
The Line timeout.
Hope this helps
Dave