SSH tunneling through a Router

Unanswered Question
Jan 31st, 2008

Does anyone know if you can set up ssh to allow tunneling through a router. Does the ssh app within IOS allow port forwarding itself, similar to a BSD or Linux OS? Or is this a security feature (by not allowing port forwarding)?

I want to make sure that this cannot happen on any of my edge routers! I'm running a K9 image and use ssh for admin and want to make sure that it cannot be configured to forward ssh ports inside the network.

cisco24x7 Thu, 01/31/2008 - 08:11

You can NOT use the router as an ssh terminating endpoint to jump to another box. I know exactly what you are trying to do. Cannot be done by IOS itself.

What you can do is this:

on IOS router do this:

! <linux-box-ip> and <ts-host-ip> are placeholders for the inside host addresses (not in the original post)
ip nat inside source static tcp <linux-box-ip> 22 interface f0/0 22
ip nat inside source static tcp <ts-host-ip> 3389 interface f0/0 3389

Now from hostx, you can ssh to the Linux box (or TS to it) via the router IOS external interface IP itself.

In summary, IOS ssh does not have the sshd_config where you can customize the forwarding part. It cannot even be configured to accept AES256-cbc with SHA-1.

CCIE Security

Patrick.Beaven Thu, 01/31/2008 - 08:22

Thanks, that is exactly what I wanted to hear. I didn't want to have to disable ssh access to my routers because of possible forwarding through the routers.

james_stickland Thu, 02/07/2008 - 12:03

I tried doing this with an ssh client, and it did not work this way. Port forwarding was disabled, and I do not know how to enable it.

cisco24x7 Sun, 02/10/2008 - 14:51

What does not work? Can you elaborate?

CCIE Security

Patrick.Beaven Mon, 02/11/2008 - 08:52

I wanted to make sure that no one could use a Cisco router via ssh tunnels on the router to create a secure tunnel through the router. I have found that you can't, so that fixes my security issue. The only way someone would be able to is by modifying the configuration, and I would get alarms from my monitoring and MARS system that someone changed the configuration.


cisco24x7 Tue, 02/12/2008 - 09:41

1- Enable AAA on the router,

2- Enable AAA accounting on the router,

3- monitor the AAA server, tail -f /var/log/tac_plus.log file,

4- have some script to monitor if configuration has been changed. If it does, send you an

simple right?

CCIE Security
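Step 4 above, a script that watches for configuration changes, as an added example that is not part of the thread or of any poster's code. It normalizes two `show running-config` dumps, ignoring the header lines IOS rewrites on every dump, and reports only real differences; the sample configs and the 10.1.1.10 address are constructed for the example.

```python
"""Detect changes to a Cisco IOS running-config against a saved baseline.

Volatile header lines that change on every 'show running-config' are
ignored so that only real configuration differences raise an alert.
"""
import difflib
import hashlib
import re

# Lines IOS rewrites on every dump; they are noise for change detection.
VOLATILE = re.compile(
    r"^(Building configuration|Current configuration\s*:|! Last configuration change|"
    r"! NVRAM config last updated|! No configuration change since|ntp clock-period)"
)

def normalize(config: str) -> list[str]:
    """Return the config as a list of lines with volatile and blank lines removed."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!" or VOLATILE.match(line):
            continue
        lines.append(line)
    return lines

def config_fingerprint(config: str) -> str:
    """SHA-256 over the normalized config; stable across repeated dumps of an unchanged box."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()

def config_changes(baseline: str, current: str) -> list[str]:
    """Return added (+) and removed (-) lines between two configs, or [] if unchanged."""
    diff = difflib.unified_diff(normalize(baseline), normalize(current), lineterm="", n=0)
    return [l for l in diff if l[:1] in "+-" and not l.startswith(("+++", "---"))]

# Constructed sample configs (not from the thread): the second dump adds a
# static NAT port forward of the kind discussed in this thread.
BASELINE = """Building configuration...
Current configuration : 1180 bytes
!
! Last configuration change at 08:11:00 UTC Thu Jan 31 2008
hostname edge-rtr
ip ssh version 2
interface FastEthernet0/0
 ip nat outside
line vty 0 4
 transport input ssh
"""
CURRENT = BASELINE.replace("08:11:00 UTC Thu Jan 31", "09:41:00 UTC Tue Feb 12") + \
    "ip nat inside source static tcp 10.1.1.10 22 interface FastEthernet0/0 22\n"

if __name__ == "__main__":
    for change in config_changes(BASELINE, CURRENT):
        print("ALERT config changed:", change)
```

In practice the baseline is the last dump you archived, and the current one is pulled over ssh on a schedule; a non-empty result is what you page on.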
