
SSH tunneling through a Router

Level 1

Does anyone know if you can set up ssh to allow tunneling through a router? Does the ssh app within IOS allow port forwarding itself, similar to a BSD or Linux OS? Or is this a security feature (by not allowing port forwarding)?

I want to make sure that this cannot happen on any of my edge routers! I'm running a K9 image and use ssh for admin and want to make sure that it cannot be configured to forward ssh ports inside the network.


6 Replies

Level 6

You can NOT use the router as an ssh terminating endpoint to jump to another box. I know exactly what you are trying to do. It cannot be done by IOS itself.

What you can do is this:

on IOS router do this:

    ! <inside-host-ip> is a placeholder (not in the original post) for the address of the inside Linux box;
    ! the static NAT command needs the inside local address before the inside local port.
    ip nat inside source static tcp <inside-host-ip> 22 interface f0/0 22
    ip nat inside source static tcp <inside-host-ip> 3389 interface f0/0 3389

Now from hostx, you can ssh to the Linux box, or TS to it, via the router IOS external interface IP itself.

In summary, IOS ssh does not have the sshd_config where you can customize the forwarding part. It cannot even let you configure it to accept AES256-cbc with sha-1.

CCIE Security

Thanks, that is exactly what I wanted to hear. I didn't want to have to disable ssh access to my routers because of possible forwarding through the routers.

I tried doing this with an ssh client, and it did not work this way. Port forwarding was disabled, and I do not know how to enable it.

What does not work? Can you elaborate?

CCIE Security

I wanted to make sure that no one could use a Cisco router via ssh tunnels on the router to create a secure tunnel through the router. I have found that you can't, so that fixes my security issue. The only way someone would be able to is by modifying the configuration, and I would get alarms from my monitoring and MARS system that someone changed the configuration.


1- Enable AAA on the router,

2- Enable AAA accounting on the router,

3- monitor the AAA server, tail -f /var/log/tac_plus.log file,

4- have some script to monitor if configuration has been changed. If it does, send you an


simple right?

CCIE Security
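A worked example of steps 3 and 4 above, added here and not taken from the original thread: a Python script that follows the tac_plus accounting log the way `tail -f` does and flags commands that enter configuration mode, add static NAT port mappings, touch the SSH server settings, or save the running config. The tab-separated record layout, the sample records and the watched-command list are constructed assumptions for illustration; tac_plus field order and attribute names differ between builds, so adjust `parse_record` to match your own log before relying on it.

```python
import re
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample of TACACS+ accounting records, approximating the
# tab-separated layout tac_plus writes:
#   timestamp  NAS-ip  user  port  remote-ip  start|stop  attr=value ...
SAMPLE_LOG = (
    "Mon Mar  3 10:01:12 2014\t10.0.0.1\tadmin\ttty2\t192.168.1.5\tstop\t"
    "task_id=11\tservice=shell\tcmd=show ip interface brief <cr>\n"
    "Mon Mar  3 10:02:40 2014\t10.0.0.1\tadmin\ttty2\t192.168.1.5\tstop\t"
    "task_id=12\tservice=shell\tcmd=configure terminal <cr>\n"
    "Mon Mar  3 10:02:55 2014\t10.0.0.1\tadmin\ttty2\t192.168.1.5\tstop\t"
    "task_id=13\tservice=shell\tcmd=ip nat inside source static tcp "
    "192.168.1.20 22 interface FastEthernet0/0 22 <cr>\n"
    "Mon Mar  3 10:03:10 2014\t10.0.0.1\tadmin\ttty2\t192.168.1.5\tstop\t"
    "task_id=14\tservice=shell\tcmd=write memory <cr>\n"
    "Mon Mar  3 10:05:00 2014\t10.0.0.1\tops\ttty3\t192.168.1.7\tstop\t"
    "task_id=15\tservice=shell\tcmd=show running-config <cr>\n"
)

# Commands worth an alert: entering config mode, opening a static port
# mapping through the router, changing the SSH server, saving config.
# Assumed policy; extend it to match what you consider a config change.
WATCHED = (
    re.compile(r"^configure terminal"),
    re.compile(r"^ip nat inside source static"),
    re.compile(r"^ip ssh "),
    re.compile(r"^(write memory|copy running-config startup-config)"),
)


@dataclass
class Alert:
    when: str
    nas: str
    user: str
    remote: str
    cmd: str


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Split one accounting line into its fixed fields and attr=value pairs."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None  # malformed or partial line, skip it
    when, nas, user, port, remote, status = fields[:6]
    attrs: Dict[str, str] = {}
    for kv in fields[6:]:
        key, _, value = kv.partition("=")
        attrs[key] = value.strip()
    return {"when": when, "nas": nas, "user": user, "port": port,
            "remote": remote, "status": status, "attrs": attrs}


def scan(lines: Iterable[str]) -> List[Alert]:
    """Return an Alert for every 'stop' record whose command is on the watch list."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["status"] != "stop":
            continue
        attrs = rec["attrs"]
        cmd = re.sub(r"\s*<cr>$", "", attrs.get("cmd", ""))  # drop the <cr> marker
        if any(pat.search(cmd) for pat in WATCHED):
            alerts.append(Alert(rec["when"], rec["nas"], rec["user"], rec["remote"], cmd))
    return alerts


def follow(path: str, poll_seconds: float = 1.0) -> Iterator[str]:
    """Yield new lines appended to path, like 'tail -f' (starts at end of file)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)  # seek to end so only new records are reported
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll_seconds)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live AAA server
    # replace the iterable with follow("/var/log/tac_plus.log").
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a.when} nas={a.nas} user={a.user} from={a.remote}: {a.cmd}")
```

On the sample records this reports the `configure terminal`, the static NAT mapping and the `write memory` commands and stays quiet on the two `show` commands. Only `stop` records are examined because that is where tac_plus puts the completed command; a real deployment would replace the `print` with whatever raises the alarm (mail, syslog, a ticket) and would also watch `start` records if the accounting configuration on the router only sends those.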