Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17693
Views
0
Helpful
6
Replies

SSH tunneling through a Router

Patrick.Beaven
Level 1
Level 1

‎01-31-2008 06:37 AM - edited ‎03-09-2019 08:01 PM

Does anyone know if you can setup ssh to allow tunneling through a router. Does the ssh app within IOS allow port forwarding itself? Similar to a bsd or Linux OS? Or is this a security feature (by not allowing port forwarding)

I want to make sure that this cannot happen on any of my edge routers! I'm running a K9 image and use ssh for admin and want to make sure that it cannot be configured to forward ssh ports inside the network.

Thanks,

1 person had this problem
Labels:
0 Helpful
6 Replies 6

cisco24x7
Level 6
Level 6

‎01-31-2008 08:11 AM

You can NOT use the router as an ssh terminating

endpoint to jump to another box. I know exactly

what you are trying to do. Can not be done by

IOS itself.

What you can do is this:

Linux---IOS_router----Internet------hostx

on IOS router do this:

ip nat inside source static tcp 22 192.168.1.2 interface f0/0 22

ip nat inside source static tcp 3389 192.168.1.3 interface f0/0 3389

Now from hostx, you can ssh to the Linux box,

TS to 192.168.1.3 via the router IOS external

interface ip itself.

In summary, IOS ssh does not have the sshd_config where you can customize the

forwarding part. It can not even let you

configure to accept on AES256-cbc with sha-1.

CCIE Security

0 Helpful

Patrick.Beaven
Level 1
Level 1
In response to cisco24x7

‎01-31-2008 08:22 AM

Thanks, That is exactly what i wanted to hear. I didnt want to have to disable ssh access to my routers because of possible forwarding through the routers.

0 Helpful

james_stickland
Level 1
Level 1
In response to Patrick.Beaven

‎02-07-2008 12:03 PM

I tried doing this with an ssh client, and it did not work this way. port forwarding was disabled, and i do not know how to enable it.

0 Helpful

cisco24x7
Level 6
Level 6
In response to james_stickland

‎02-10-2008 02:51 PM

what does not work? Can you elaborate?

CCIE Security

0 Helpful

Patrick.Beaven
Level 1
Level 1
In response to cisco24x7

‎02-11-2008 08:52 AM

I wanted to make sure that no one could use a cisco router via ssh tunnels on the router to create a secure tunnel through the router. I have found that you can't so that fixes my security issue. The only why someone would be able too is by modifying the configuration and i would get alarms from my monitoring and MARS system that someone changed the configuration.

Thanks,

0 Helpful

cisco24x7
Level 6
Level 6
In response to Patrick.Beaven

‎02-12-2008 09:41 AM

1- Enable AAA on the router,

2- Enable AAA accounting on the router,

3- monitor the AAA server, tail -f /var/log/tac_plus.log file,

4- have some script to monitor if configuration

has been changed. If it does, send you an

email.

simple right?

CCIE Security

0 Helpful
Customers Also Viewed These Support Documents