I have many routers set up as VPN's. Sometimes I have to access the routers using their public IP via telnet, is this sent in clear text? If so do you recommend ssh? If so how can I set this up on a Cisco 877 or 1841?
Telnet data is sent in clear text. It's certainly a good idea to use SSH to access network devices especially when going through a public network like Internet. As you are probably aware SSH would encrypt all data between the client/server and even if someone gets a hand on the data it's of no use.
Have a look at this link for SSH configuration.
Is SSH the next best thing to telnet?
This are routers in VPN mode I normally use telnet with the routers internal IP over the VPN, so I take it this is fine as it's encrypted over the VPN?
Also the telnet I do to the public IP I have a rule to only accept from my out side source address.
From a security perspective SSH is much better than telnet. If you are telnetting through the VPN to a router inside address it does not matter much since the traffic will be encrypted. But telnetting to the public address does create some exposure. It is good that you have a rule to only accept telnet from your source address. But there is still exposure. Someone could observe the traffic and could learn your user ID and password. What could they do if they knew your address, your user ID, and your password?
While that is not a high degree of risk it is still some risk and why take any risk when a better solution is available? Since the routers are running VPN they already have the crypto image and therefore will support SSH. Basically as long as they have a host name and a domain name configured all you need to do is to generate RSA keys and then SSH is ready to go. It would certainly be a best practice to use SSH - especially for access to outside interfaces of these routers.
I see what you are saying. A few things, what would my domain be, my windows domain? Would I add ssh the remove the telnet settings, sorry this a area I'm not sure about. Do you have an example Rick? Many thanks in advance.
The domain for the router is generally the domain name used in DNS. I assume that there is some DNS domain name for CBS Outdoor Ltd and that is what I would use for the router.
Telnet and SSH can coexist. If you want to continue to use telnet to inside addresses (through the VPN) and SSH to outside addresses you do not need to remove anything. If you decide that you want to change your policy and only use SSH for remote access to the routers then you could configure under the vty lines:
transport input ssh
and this would allow SSH and not allow telnet.
Thanks for your info, so I just need to add the domain as I have a hostname and password then generate a key? Why does it need a domain name?
Is this below all I need to add, keeping my telnet option too?
username cisco password 0 cisco
ip domain-name rtp.cisco.com
cry key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input SSH
I do not know the authoritative answer about why it requires a domain name. My assumption is that they want a domain name because they want a complete and unique identification of the device. What I do know (from hard experience) is that without a domain name configured the key will not generate.
If you want to keep your telnet option then the config needs to have this:
transport input ssh telnet
if you only list ssh as the transport then it is the only one allowed. By listing both ssh and telnet then both are allowed.
Thanks Rick, that example of the config above, is that all I need to add? Obviously just changing it to suit my current details?
Is suppose you could have any domain name if its to generate a key, just don't like the sound our putting my domain on an internet facing device.