SSH tunneling through a Router

Jan 31st, 2008

Does anyone know if you can set up SSH to allow tunneling through a router? Does the SSH app within IOS allow port forwarding itself, similar to a BSD or Linux OS? Or is this a security feature (by not allowing port forwarding)?

I want to make sure that this cannot happen on any of my edge routers! I'm running a K9 image and use SSH for admin, and I want to make sure that it cannot be configured to forward SSH ports inside the network.

Thanks,

cisco24x7 Thu, 01/31/2008 - 08:11

You can NOT use the router as an SSH terminating endpoint to jump to another box. I know exactly what you are trying to do. It cannot be done by IOS itself.

What you can do is this:

Linux---IOS_router----Internet------hostx

On the IOS router do this:

! static NAT port forwards: inside local address and port, then outside interface and global port
ip nat inside source static tcp 192.168.1.2 22 interface f0/0 22
ip nat inside source static tcp 192.168.1.3 3389 interface f0/0 3389

Now from hostx you can SSH to the Linux box, and TS to 192.168.1.3, via the router's IOS external interface IP itself.

In summary, IOS SSH does not have the sshd_config where you can customize the forwarding part. It cannot even let you configure it to accept AES256-CBC with SHA-1.


CCIE Security

Patrick.Beaven Thu, 01/31/2008 - 08:22
Thanks, that is exactly what I wanted to hear. I didn't want to have to disable SSH access to my routers because of possible forwarding through the routers.

james_stickland Thu, 02/07/2008 - 12:03
I tried doing this with an SSH client, and it did not work this way. Port forwarding was disabled, and I do not know how to enable it.


cisco24x7 Sun, 02/10/2008 - 14:51

what does not work? Can you elaborate?


CCIE Security

Patrick.Beaven Mon, 02/11/2008 - 08:52
I wanted to make sure that no one could use a Cisco router via SSH tunnels on the router to create a secure tunnel through the router. I have found that you can't, so that fixes my security issue. The only way someone would be able to is by modifying the configuration, and I would get alarms from my monitoring and MARS system that someone changed the configuration.

Thanks,

cisco24x7 Tue, 02/12/2008 - 09:41

1- Enable AAA on the router,
2- Enable AAA accounting on the router,
3- Monitor the AAA server: tail -f /var/log/tac_plus.log,
4- Have some script to monitor whether the configuration has been changed. If it has, have it send you an email.

Simple, right?


CCIE Security
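The monitoring script from steps 3 and 4 above, as an added example that is not part of the original thread: it reads tac_plus accounting records, flags the commands that could open a path through an edge router (entering config mode, static NAT port forwards, SSH/vty/AAA changes), and diffs two running-config snapshots. The log records and config snapshots are constructed samples, and the tab-separated record layout is an approximation of tac_plus's accounting format, not a guaranteed parser for it; the watched command list is a starting point, not a complete policy.

```python
"""Added example (not from the original thread): alert on tac_plus accounting
records that change edge-router access, and diff two config snapshots.

Assumptions: sample records are constructed; the tab-separated layout is an
approximation of tac_plus accounting output, not a spec."""
import difflib
import re

# Commands worth an alert: entering config mode, NAT port forwards, and
# anything touching SSH / vty access or AAA itself.
WATCH_PATTERNS = [re.compile(p) for p in (
    r"^configure terminal",
    r"^ip nat inside source static",
    r"^ip ssh",
    r"^line vty",
    r"^transport input",
    r"^(no )?aaa ",
)]


def parse_accounting_line(line):
    """Split one accounting record into a dict.

    Constructed layout (assumption): timestamp, NAS IP, user, port, remote
    address, status, then key=value pairs, all tab-separated.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    rec = dict(zip(("time", "nas", "user", "port", "remote", "status"), fields))
    for kv in fields[6:]:
        key, _, val = kv.partition("=")
        rec[key] = val.strip()
    if "cmd" in rec:
        # tac_plus terminates the command text with ' <cr>'
        rec["cmd"] = re.sub(r"\s*<cr>$", "", rec["cmd"])
    return rec


def find_sensitive_commands(lines):
    """Return (user, nas, cmd) for every record whose command matches a pattern."""
    hits = []
    for line in lines:
        rec = parse_accounting_line(line)
        if not rec or "cmd" not in rec:
            continue
        if any(p.search(rec["cmd"]) for p in WATCH_PATTERNS):
            hits.append((rec["user"], rec["nas"], rec["cmd"]))
    return hits


def config_diff(old_cfg, new_cfg):
    """Return (added, removed) lines between two 'show running-config' snapshots."""
    added, removed = [], []
    for d in difflib.ndiff(old_cfg.splitlines(), new_cfg.splitlines()):
        if d.startswith("+ "):
            added.append(d[2:])
        elif d.startswith("- "):
            removed.append(d[2:])
    return added, removed


# Constructed sample records (not real log data); host and user names are made up.
SAMPLE_LOG = [
    "Thu Jan 31 08:11:02 2008\t10.10.10.1\tpbeaven\ttty66\t192.168.1.50\tstop\t"
    "task_id=41\tservice=shell\tpriv-lvl=15\tcmd=show ip nat translations <cr>",
    "Thu Jan 31 08:12:10 2008\t10.10.10.1\tpbeaven\ttty66\t192.168.1.50\tstop\t"
    "task_id=42\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Thu Jan 31 08:12:31 2008\t10.10.10.1\tpbeaven\ttty66\t192.168.1.50\tstop\t"
    "task_id=43\tservice=shell\tpriv-lvl=15\tcmd=ip nat inside source static tcp "
    "192.168.1.2 22 interface FastEthernet0/0 22 <cr>",
    "Thu Jan 31 08:13:05 2008\t10.10.10.1\tpbeaven\ttty66\t192.168.1.50\tstop\t"
    "task_id=44\tservice=shell\tpriv-lvl=15\tcmd=transport input ssh <cr>",
]

# Constructed before/after running-config snippets.
SAMPLE_OLD_CFG = "hostname edge1\nip ssh version 2\nline vty 0 4\n transport input ssh\n"
SAMPLE_NEW_CFG = ("hostname edge1\nip ssh version 2\n"
                  "ip nat inside source static tcp 192.168.1.2 22 interface FastEthernet0/0 22\n"
                  "line vty 0 4\n transport input ssh\n")

if __name__ == "__main__":
    for user, nas, cmd in find_sensitive_commands(SAMPLE_LOG):
        print(f"ALERT {nas} {user}: {cmd}")
    added, removed = config_diff(SAMPLE_OLD_CFG, SAMPLE_NEW_CFG)
    print("config lines added:", added)
    print("config lines removed:", removed)
```

In practice the record source would be the tail of /var/log/tac_plus.log and the snapshots would come from a periodic `show running-config` pull; the alert step is where an email or MARS event would be raised. Matching on the `cmd=` field catches the change at the moment it is typed, while the config diff catches anything the command accounting missed.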
