cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1636
Views
0
Helpful
2
Replies
Highlighted
Beginner

Using a VPN for Out of Band management

Hi Guys,

For a customer of mine I've designed an Out of Band management solution. This solution is based on a Cisco 2901 with a Hwic-16A module and a DSL module. The device will be hardened and access will be restricted via AAA and ACL's. Furthermore logging will be sent to RSA envision. Because this is an Out of Band management solution it will be placed outside the firewall.

The customer isn't satisfied with the security of this solution, so they want to restrict access to the device using at least two factor authentication. A VPN might do the trick. Now I need to know whether it is possible to implement this in a single device. I believe it should be possible, but I have no prior experience with this setup. So I'm asking your expertise in this:

- Can I use the 2901 to terminate the VPN and if so which IOS would I need?

- Can the users log in to the 2901 to do a reverse telnet to the console of different devices?

- Do we need any other devices for the two factor authentication part?

Especially the last question is important. I do not want to create an external dependency as this increases the chance of the Out of Band solution being unavailable when needed the most. I would expect an SSL VPN with Tacacs and local users to be a possible solution.

Could you guys please advice me in this?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Mentor

For VPN you need the SECURITY-license on the router:

rtr#sh ver | i security

security      securityk9    Permanent      securityk9

rtr#

With that you can build a vpn to the router and initiate the reverse telnet to your devices. The only internal two-factor-authentication is using client-certificates and a password for authenticationg the VPN. For that you can setup an EasyVPN-server on the router and you need a CA which could also be the router. For even more security, using the AnyConnect-Client with FlexVPN should also work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

2 REPLIES 2
Highlighted
VIP Mentor

For VPN you need the SECURITY-license on the router:

rtr#sh ver | i security

security      securityk9    Permanent      securityk9

rtr#

With that you can build a vpn to the router and initiate the reverse telnet to your devices. The only internal two-factor-authentication is using client-certificates and a password for authenticationg the VPN. For that you can setup an EasyVPN-server on the router and you need a CA which could also be the router. For even more security, using the AnyConnect-Client with FlexVPN should also work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Highlighted

Hi Karsten,

Thanks for your reply. I'll look into that solution.