SSH tunneling through a Router

Unanswered Question
Jan 31st, 2008

Does anyone know if you can setup ssh to allow tunneling through a router. Does the ssh app within IOS allow port forwarding itself? Similar to a bsd or Linux OS? Or is this a security feature (by not allowing port forwarding)

I want to make sure that this cannot happen on any of my edge routers! I'm running a K9 image and use ssh for admin and want to make sure that it cannot be configured to forward ssh ports inside the network.

Thanks,

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cisco24x7 Thu, 01/31/2008 - 08:11

You can NOT use the router as an ssh terminating

endpoint to jump to another box. I know exactly

what you are trying to do. Can not be done by

IOS itself.

What you can do is this:

Linux---IOS_router----Internet------hostx

on IOS router do this:

ip nat inside source static tcp 22 192.168.1.2 interface f0/0 22

ip nat inside source static tcp 3389 192.168.1.3 interface f0/0 3389

Now from hostx, you can ssh to the Linux box,

TS to 192.168.1.3 via the router IOS external

interface ip itself.

In summary, IOS ssh does not have the sshd_config where you can customize the

forwarding part. It can not even let you

configure to accept on AES256-cbc with sha-1.

CCIE Security

Patrick.Beaven Thu, 01/31/2008 - 08:22

Thanks, That is exactly what i wanted to hear. I didnt want to have to disable ssh access to my routers because of possible forwarding through the routers.

james_stickland Thu, 02/07/2008 - 12:03

I tried doing this with an ssh client, and it did not work this way. port forwarding was disabled, and i do not know how to enable it.

Patrick.Beaven Mon, 02/11/2008 - 08:52

I wanted to make sure that no one could use a cisco router via ssh tunnels on the router to create a secure tunnel through the router. I have found that you can't so that fixes my security issue. The only why someone would be able too is by modifying the configuration and i would get alarms from my monitoring and MARS system that someone changed the configuration.

Thanks,

cisco24x7 Tue, 02/12/2008 - 09:41

1- Enable AAA on the router,

2- Enable AAA accounting on the router,

3- monitor the AAA server, tail -f /var/log/tac_plus.log file,

4- have some script to monitor if configuration

has been changed. If it does, send you an

email.

simple right?

CCIE Security

Actions

This Discussion