cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14260
Views
15
Helpful
5
Replies

Configuring a Cisco 2811 2800 Series Router as a Terminal Server using a NM-16 or NM-32

gjames50
Level 1
Level 1

How to configure a Cisco 2811 2800 Series Router using a NM-16A or NM-32A Async Module as a Terminal Server

Please let me know if there is anything I need to correct. I'm posting this to help others and to grow my own skills. The examples below are using the NM-16A and a 2811 Router you may need to make adjustments for your particular hardware.

 

Router>enable
Router#configure terminal
Router(config)#hostname Termserver
Termserver(config)#interface FastEthernet 0/0
Termserver(config-if)#ip address 192.168.111.31 255.255.255.0
Termserver(config-if)#no shutdown
Termserver(config-if)#exit
Termserver(config)#line vty 0 15
Termserver(config-line)#password YourTelnetPassword
Termserver(config-line)#logging synchronous
Termserver(config-line)#login
Termserver(config-line)#exec-timeout 15 0
Termserver(config-line)#exit
Termserver(config)#interface loopback 0
Termserver(config-if)#ip address 192.168.10.10 255.255.255.0
Termserver(config-if)#exit
Termserver(config)#line 1/0 1/15
Termserver(config-if)#transport input telnet
Termserver(config-if)#exit
Termserver(config)#interface Group-Async 0
Termserver(config-if)#no ip add
Termserver(config-if)#encapsulation slip
Termserver(config-if)#group-range 1/0 1/15
Termserver(config-if)#exit
Termserver(config)#enable secret YourSecretPassword
Termserver(config)#service password-encryption
Termserver(config)#^Z
Termserver#copy running-config startup-config

WARNING:
This is not the most secure connection. Do not use telnet outside of your local network. I recommend setting up SSH v2. It doesn’t hurt even inside your local network. Further down I have directions to walk you through setting up SSH.

NOTE:When using the NM-16 or the NM-32 your port/line numbers will need to be determined. This next step will allow you to verify and figure out your port/line numbers.

Router>enable
Termserver#show line

You should see something like this:

   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int

      0    0 CTY              -    -      -    -    -     8      0    0/0      -

      1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -

*   1/0   66 TTY   9600/9600  -    -      -    -    -     3     39  438/1318   -

*   1/1   67 TTY   9600/9600  -    -      -    -    -     2     53  441/1328   -

        < ------------ THIS SECTION DELETED TO SAVE SPACE ------------- >
   1/15   81 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -

*   514  514 VTY              -    -      -    -    -    10      0    0/0      -

    515  515 VTY              -    -      -    -    -     0      0    0/0      -
        < ------------ THIS SECTION DELETED TO SAVE SPACE ------------- >

    529  529 VTY              -    -      -    -    -     0      0    0/0      -

 

Line(s) not in async mode -or- with no hardware support:

2-65, 82-513


Termserver#

 

IMPORTANT:Make note of the Line numbers for all of the Async connections. On here they are 1/0 thru 1/15. Starting with Line Number 66 and ending in 81. These are your line numbers. If you have the NM-32 you should see 1/0 thru 1/31. Take these port numbers and add 2000 to them. E.g. 66 becomes 2066, 67 becomes 2067. These are the port numbers. E.g. 2066, 2067, 2068; and if you are using the labeled Otco cables the cable plugged into physical port Async 0-7 then cable 1 is 2066 and cable 8 is 2073; after that the next cable plugged into port Async 8-15 the cable 1 becomes 2074 and cable 8 becomes 2081.

We can test a connection now.

Termserver#telnet 192.168.10.10 2066
Trying 192.168.10.10, 2066 ... Open
<press enter>
SW1>

This is what you should be see now. You are accessing the device via reverse telnet over the Cisco Console port of another Cisco device.

Troubleshooting:If you get a message like the following here is how to correct it.

[ERROR BEGIN]
Termserver#telnet 192.168.10.10 2066
Trying 192.168.10.10, 2066 ...
% Connection refused by remote host
[ERROR END]

[FIX BEGIN]
Termserver#clear line 66
[confirm]<press enter>
 [OK]

Termserver# telnet 192.168.10.10 2066
Trying 192.168.10.10, 2066 ... Open
<press enter>
SW1>
[FIX END]

To return to the Terminal Server PRESS “Ctrl+Shift+6” then let go, then press “x”. This should return you to the Terminal Server.

Technically the Terminal Server is still connected. You can view connection by using the following command.

Termserver#show sessions
Conn Host                Address             Byte  Idle Conn Name
   1 192.168.10.10       192.168.10.10          0    12 192.168.10.10
   2 192.168.10.10       192.168.10.10          0     9
*  3 192.168.10.10       192.168.10.10          0     0

To disconnect from any of the sessions use the following command.

Termserver#disconnect 1
Closing connection to 192.168.10.10 [confirm]<press enter>

 

Simplifying Connections using an IP Host Table

Now that you have the hang of it why not simplify your life by creating abbreviated names and let the router handle all the long connection names, ip addresses and port numbers for you. This is done using the IP Host Table. Super simple to setup too.

Termserver>enable
Termserver#configure terminal
Termserver(config)#ip host r1 2066 192.168.10.10
Termserver(config)#ip host r2 2067 192.168.10.10
< ---- THIS SECTION DELETED TO SAVE SPACE ---- >
Termserver(config)#ip host r15 2080 192.168.10.10
Termserver(config)#ip host r16 2081 192.168.10.10
Termserver(config)#^Z
Termserver#copy running-config startup-config
Building configuration…
 [OK]
Termserver#r1

Trying r1 (192.168.10.10, 2066)... Open
<press enter>
R1>

NOTE IMPORTANT:Once you have an active session going back to that session requires that you use the Conn “Connection” number not name to switch between sessions. If you try to try to use the host names after you have an active session you will get the “Connection refused” error. Instead of disconnecting and clearing the line you can simply type in the Conn “Connection” number not name then press <enter> and it will take you back to the active session. Example below.

Termserver#show sessions
Conn Host                Address             Byte  Idle Conn Name
*  1 r1                 192.168.10.10          0     0   r1

Termserver#1
[Resuming connection 1 to sw1 ... ]

SW1>

You must be at Termserver# to do this. Switching back to it you just use the Ctrl+Shift+6 then let go and then press x. And remember if you even can’t reconnect use the disconnect to get rid of the session and the clear line to reset the lines.

 

Setting up SSH v1 or SSH v2

Termserver>enable
Termserver#configure terminal
Termserver(config)#ip domain-name CiscoLab.com
Termserver(config)#crypto key generate rsa
The name for the keys will be: Termserver.CiscoLab.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 4 seconds)
Termserver(config)#line vty 0 15
Termserver(config-line)#login local
Termserver(config-line)#transport input ssh
Termserver(config-line)#exit
Termserver(config)#username YourUsername privilege 15 password YourSecretPassword
Termserver(config)#^Z
Termserver#copy running-config startup-config

NOTE:Currently SSH will work, Telnet will no longer work over the network. However now it is in a mode where is supports both SSH v1 and SSH v2. You can run the command Termserver#show ssh to see what version is active. It should show as “‘protoversion’ 1.99”. 1.99 is not a version of SSH this is just what is displayed while both are active. I recommend you disable SSH v1 for extra security.

 

Disable SSH v1

Termserver>enable
Termserver#configure terminal
Termserver(config)#ip ssh version 2
Termserver(config)#exit
Termserver#copy running-config startup-config

NOTE:Run the command Termserver#show ssh and you should now see the following.

Termserver#show ssh
Connection Version Mode Encryption      Hmac            State                      Username
0                    2.0     IN      aes256-cbc  hmac-sha1    Session started       YourUsername
0                    2.0     OUT  aes256-cbc  hmac-sha1    Session started       YourUsername
%No SSHv1 server connections running.

 
END

I hope this helps you. If there are any ERRORS in this write up please reply with corrections so I can edit this. I do not want to put faulty information out there or syntax errors. Cisco doesn’t have specific instructions for do this with the 2800 series using the NM-16 and NM-32 interfaces as they recommend using interfaces like the HWIC-16A which is currently more expensive.


References: Much of this comes from ciscopress.com "Gaining Access to Routers and Switches". Also other pieces were picked up from other discussions in this forum. I would like to shout out to those whom I found the information from however it has been so long ago I don't remember who they were. If you see something you may have contributed here I thank you and others thank you as well. The rest is what I came up with.

 

EDIT:

Cool Alternative Suggestion ADD by DAVE in the Cisco Forums (See his replies below)

 

Dave (whom posted a reply to this post originally) suggested using ip alias with rotary SSH Terminal-Line Access to give direct SSH connections to the consoles. Eliminating the need to switch between them internally using reverse telnet. I’m adding the example below for those who would prefer to SSH directly to each router/switches console port using multiple ip addresses. 

 

Termserver#conf t
Termserver(config)#ip alias 192.xxx.xxx.021 2001
Termserver(config)#ip alias 192.xxx.xxx.022 2002
Termserver(config)#line 1/0
Termserver(config-line)#no exec
Termserver(config-line)#login local
Termserver(config-line)#rotary 1
Termserver(config-line)#transport input ssh
Termserver(config-line)#exit
Termserver(config)#line 1/1
Termserver(config-line)#no exec
Termserver(config-line)#login local
Termserver(config-line)#rotary 2
Termserver(config-line)#transport input ssh
Termserver(config-line)#exit
Termserver(config)#ip ssh port 2001 rotary 1 2
Termserver(config)#exit

 

NOTE: Form more IP aliases simply add more aliases increasing the port number incrementally then increase your rotary number for each line incrementally then change the last commands rotary range (e.g. for 5 IP aliases and rotarys the last command ip ssh port 2001 rotary 1 2 changes to ip ssh port 2001 rotary 1 5  )

 

EDIT 2:

NOTE: If you attempt to port forward allowing access to the terminal server over a different subnet I found that the settings of default-gateway or default-network did not help. I had to create a static route to my gateway. SSH connections on the local LAN worked but over a public or different subnet it would not respond to connection attempts. the following is the static route I setup that remedied this. If anyone has a better or more clever way to handle this I'd love to hear it. Enjoy!

 

(192.167.xxx.1 is the gateway on the network)

Termserver#conf t

Termserver(config)#ip route 0.0.0.0 0.0.0.0 192.168.xxx.1

 

You can check your current route info as well as verify your changes took effect using the following.

Termserver#show ip route

 

Hope this helps!

1 Accepted Solution

Accepted Solutions

Hi,

 

Your config looks correct. You should try to SSH to the original IP:port first. That should give you a clue where the issue is. Ensure that the line is not in use when you try. I tend to set the timeout to about 5 minutes so that the line automatically clears when you leave. Obviously, you will be asked to login twice. Once to the terminal server and once on the console port itself.

 

Obviously, you also need to be able to route all the way to the alias address. I usually have term servers with 96 ports, so I create a loopback interface on the router with the relevant /25 IP address block and advertise that into the local IGP. This draws all the relevant traffic to the router and means that you can have a resilient path to get to it.

 

Hope this helps,

 

Dave

 

View solution in original post

5 Replies 5

dbeattie
Level 1
Level 1

Hi,

 

Just a couple of thoughts for you:

 

If you use the ip alias command, you can redirect an IP to a port on the router. This means that you can actually have an IP Address set aside for each console line so that you don't have to telnet to a non-standard port. This also means that you can add that address into your DNS infrastructure so that you don't have to remember which console port is connected to which terminal server.

 

If you want to set this up to allow SSH direct to the console line, you will need to use a rotary group as shown here:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-ssh-term-line.html#GUID-60818227-5000-40A3-92CD-6668D820743F

 

I usually combine both of these.

 

Hope this helps.

 

Dave

Hi Dave,

@dbeattie

 

I really like this idea of yours. I'm a bit hung up on making it work properly.

 

I'm following the example on the link you shared however, I can only get connected to the first switch. I cannot connect to the second switch. I get connection refused on the second switch using Putty.

 

Here is my example.

 

Termserver#conf t
Termserver(config)#ip alias 192.xxx.xxx.021 2001
Termserver(config)#ip alias 192.xxx.xxx.022 2002
Termserver(config)#line 1/0
Termserver(config-line)#no exec
Termserver(config-line)#login local
Termserver(config-line)#rotary 1
Termserver(config-line)#transport input ssh
Termserver(config)#line 1/1
Termserver(config-line)#no exec
Termserver(config-line)#login local
Termserver(config-line)#rotary 2
Termserver(config-line)#transport input ssh
Termserver(config-line)#exit
Termserver(config)#ip ssh port 2001 rotary 1 2
Termserver(config)#exit

 

Thanks

Hi,

 

Your config looks correct. You should try to SSH to the original IP:port first. That should give you a clue where the issue is. Ensure that the line is not in use when you try. I tend to set the timeout to about 5 minutes so that the line automatically clears when you leave. Obviously, you will be asked to login twice. Once to the terminal server and once on the console port itself.

 

Obviously, you also need to be able to route all the way to the alias address. I usually have term servers with 96 ports, so I create a loopback interface on the router with the relevant /25 IP address block and advertise that into the local IGP. This draws all the relevant traffic to the router and means that you can have a resilient path to get to it.

 

Hope this helps,

 

Dave

 

HI Dave,

I simply tried entering the configuration again from scratch and this time it is working!

Thank you for verifying it was correct. I would have chased my tail on that one.

When you mention you tend to set the timeout to 5 minutes are you referring to the vty timeout or the line timeout?

Thank you again.

The Line timeout.

 

Hope this helps

 

Dave

Review Cisco Networking for a $25 gift card