
Using a VPN for Out of Band management

mvknl
Level 1

Hi Guys,

For a customer of mine I've designed an Out of Band management solution. This solution is based on a Cisco 2901 with an HWIC-16A module and a DSL module. The device will be hardened and access will be restricted via AAA and ACLs. Furthermore, logging will be sent to RSA enVision. Because this is an Out of Band management solution, it will be placed outside the firewall.

The customer isn't satisfied with the security of this solution, so they want to restrict access to the device using at least two-factor authentication. A VPN might do the trick. Now I need to know whether it is possible to implement this in a single device. I believe it should be possible, but I have no prior experience with this setup, so I'm asking for your expertise on this:

- Can I use the 2901 to terminate the VPN and if so which IOS would I need?

- Can the users log in to the 2901 to do a reverse telnet to the console of different devices?

- Do we need any other devices for the two factor authentication part?

Especially the last question is important. I do not want to create an external dependency, as this increases the chance of the Out of Band solution being unavailable when needed the most. I would expect an SSL VPN with TACACS and local users to be a possible solution.

Could you guys please advise me on this?

Accepted Solution

For VPN you need the SECURITY license on the router:

rtr#sh ver | i security
security      securityk9    Permanent      securityk9
rtr#

With that you can build a VPN to the router and initiate the reverse telnet to your devices. The only internal two-factor authentication is using client certificates and a password for authenticating the VPN. For that you can set up an EasyVPN server on the router, and you need a CA, which could also be the router. For even more security, using the AnyConnect client with FlexVPN should also work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

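The accepted answer names the pieces (securityk9 license, EasyVPN server with certificate plus Xauth password, the router as its own CA, reverse telnet to the HWIC-16A ports) without showing how they fit together on one box. The IOS configuration below is an added example, not from the original post or the accepted answer, that sketches that single-device design. Hostnames, addresses, the Dialer1 WAN interface, the absolute async line numbers behind the 200x ports, user names and group names are all assumptions for illustration; the commands themselves are standard IOS 15.x security-image commands.

```cisco
! Added example, not from the original post or the accepted answer; all
! names, addresses, interface and line numbers are assumptions.
hostname oob-rtr
!
! AAA against local users only, so the OOB box has no external dependency
aaa new-model
aaa authentication login default local
aaa authentication login VPN-XAUTH local
aaa authentication login CONSOLE-ACCESS local
aaa authorization network VPN-GROUP local
username netadmin secret <strong-password>
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! The router is its own CA (SCEP enrollment needs the HTTP server)
ip http server
crypto pki server OOB-CA
 issuer-name CN=oob-ca
 lifetime ca-certificate 1825
 lifetime certificate 365
 database level complete
 ! no "grant auto": approve each client with "crypto pki server OOB-CA grant <id>"
 no shutdown
!
! Identity trustpoint for the router's own VPN certificate; afterwards run
! "crypto pki authenticate OOB-ID" and "crypto pki enroll OOB-ID"
crypto pki trustpoint OOB-ID
 enrollment url http://10.255.0.1:80
 subject-name CN=oob-rtr
 revocation-check crl
!
! EasyVPN server: factor 1 = client certificate (rsa-sig), factor 2 = Xauth password
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
ip local pool OOB-POOL 10.255.0.10 10.255.0.20
!
! Group is matched on the OU field of the client certificate
crypto isakmp client configuration group OOB-ADMINS
 pool OOB-POOL
!
crypto isakmp profile EZVPN-PROF
 ca trust-point OOB-ID
 match identity group OOB-ADMINS
 client authentication list VPN-XAUTH
 isakmp authorization list VPN-GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set OOB-TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile EZVPN-IPSEC
 set transform-set OOB-TS
 set isakmp-profile EZVPN-PROF
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
!
! Only IKE/IPsec is allowed in from the DSL side (Dialer1 is assumed)
ip access-list extended WAN-IN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 deny ip any any log
interface Dialer1
 ip access-group WAN-IN in
!
! Management plane and reverse telnet only from VPN pool addresses
ip access-list standard VPN-ONLY
 permit 10.255.0.0 0.0.0.255
!
line vty 0 4
 access-class VPN-ONLY in
 transport input ssh
!
! Reverse-telnet port = 2000 + absolute line number; check with "show line"
ip host sw-core-1 2002 10.255.0.1
ip host fw-edge-1 2003 10.255.0.1
!
line 0/0/0 0/0/15
 no exec
 login authentication CONSOLE-ACCESS
 access-class VPN-ONLY in
 transport input telnet
 stopbits 1
```

In use, the administrator's VPN client presents a certificate issued by OOB-CA (first factor), is then prompted for the Xauth user name and password held locally on the router (second factor), and receives an address from OOB-POOL. From there the administrator connects with SSH to 10.255.0.1, and a plain `telnet sw-core-1` on the router's exec opens the reverse telnet session to the console port behind line 2. The reverse telnet itself is unencrypted but never leaves the router, and the `access-class` on the async lines keeps anything outside the tunnel from reaching the consoles. Because the WAN ACL admits only IKE and ESP, the router exposes no management service to the internet before the VPN is up, which is the property the customer was asking for.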

2 Replies


Hi Karsten,

Thanks for your reply. I'll look into that solution.
