Best Connection Method

Unanswered Question
May 23rd, 2008
I have five customer sites that each run a Cisco 1721. I'd like to be able to remote into each router securely. My initial thought was ssh but then I thought about VPN; when I purchased the boxes I bought them with that in mind.

Anyone have a preference? I'm sure I'll need to update the IOS on these machines too.



lamav Fri, 05/23/2008 - 08:51


There are two scenarios to think of:

1.) If you need to access the routers for management purposes and you are already logged onto the local network, then what would you need VPN for? Just configure the router to support an SSH session and be done with it. This way you get the privacy you need from the encrypted session.

2.) If you're sitting on a remote private network, then you would need VPN to access the local network, but you would still need SSH to access and manage the routers.

So, either way, you need SSH for a secure management session to your router.

Creating VPN tunnels to each of your routers is insane and pointless, if that's what you were thinking of.

Configuring Secure Shell (SSH) Access

To enable SSH, besides the command below, the device hostname and ip domain name must be configured.

Router(config)# crypto key generate rsa

(generate SSH key pair to support remote SSH access)

Of course your version of IOS must support it.
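Putting the steps above together, here is an added example of a complete IOS configuration that enables SSH-only management on a router such as the 1721. It is not from the thread; the hostname, domain name, admin account and the 203.0.113.0/24 management network are assumed placeholders, and the device needs a crypto (k9) IOS image for the crypto and ssh commands to be present.

```cisco
! Added example, not from the thread. Hostname, domain, credentials and
! the management subnet are assumed placeholders.
!
! Both of these must exist before the key pair can be generated.
hostname Site1-1721
ip domain-name example.com
!
! Local admin account; 'secret' stores a hash rather than the plaintext.
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! Generate the RSA key pair that SSH uses (2048-bit modulus).
crypto key generate rsa modulus 2048
!
! Require protocol version 2 and shorten the window for login guessing.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the admin network (assumed 203.0.113.0/24) may open a management session.
ip access-list standard MGMT-HOSTS
 permit 203.0.113.0 0.0.0.255
 deny   any log
!
! VTY lines: SSH only (no Telnet), local login, source filtering, idle timeout.
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
 exec-timeout 10 0
```

After applying it, `show ip ssh` should report SSH enabled with version 2.0, and `show crypto key mypubkey rsa` should list the generated key. Leave an existing console session open while testing the first SSH login so a mistake in the ACL or credentials does not lock you out.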



jwynacht Thu, 05/29/2008 - 05:55

I'm looking to do two things:

1. Remotely configure the router when needed.

2. Remotely access the network on the inside of the router. So ssh to the router then ssh to a server on the side. That's where I thought the VPN made the most sense.

What do you think?


1. You can do it without any problems as described earlier. You need the appropriate IOS and follow the steps to enable ssh.

2. I'm not sure whether you will be able to ssh from the router to the server, but instead you can ssh to the server directly if not behind NAT (so its address is routed on your network) or if behind NAT you make a static translation for a given port which is mapped to the server on the inside network.

Hope it helps, rate if it does,
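The static port translation suggested in point 2, as an added example that is not from the thread. The inside server address 192.168.1.10, the interface names Serial0 (outside) and FastEthernet0 (inside), the external port 2222 and the 203.0.113.0/24 admin network are all assumed placeholders; it also adds an inbound ACL so the forwarded port, and SSH to the router itself, are only reachable from the admin network rather than from the whole Internet.

```cisco
! Added example, not from the thread. Addresses, interface names and the
! external port are assumed placeholders.
!
! Map TCP/2222 on the router's outside address to the inside server's SSH port.
ip nat inside source static tcp 192.168.1.10 22 interface Serial0 2222
!
! Inbound filter on the outside interface. It is evaluated before the
! translation, so it matches the external port (2222), not the inside port (22).
! Port 22 here is SSH to the router itself, as set up in the earlier reply.
ip access-list extended OUTSIDE-IN
 permit tcp 203.0.113.0 0.0.0.255 any eq 2222
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
 deny   ip any any log
!
interface Serial0
 description Outside
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0
 description Inside LAN
 ip nat inside
```

Verify with `show ip nat translations`, which should list the static entry, and watch `show access-lists OUTSIDE-IN` for hit counts on the deny line. Note that the final `deny ip any any log` also drops return traffic for sessions the LAN opens outward unless the router already permits that traffic (for example with an `established` entry or CBAC inspection), so merge these lines into whatever inbound policy the site already has rather than replacing it.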


jwynacht Thu, 05/29/2008 - 05:54

Thanks! I'll have to upgrade my IOS for this but it will be worth it.

