We're using a Cisco 1720 to host a VPN connection, provide NAT for web access, and host a sendmail server on a static IP, simultaneously. We get generally good performance in this arrangement, with about 100 users using the NAT, and about 60 max simultaneously. I'm pleased with the security that using a thoughtful ACL can provide, but I do not like having telnet open to the web. I need to be able to access the routers from outside the facility, however.
I've read that IOS from 12.0 on is expected to support SSH, but I can't find reference to the posted commands in my router. It's a 1720 with a WIC-1ENET card, running 12.1(5)YB1. It has 24576K/8192K as well.
Can I enable SSH on this router?
Alternative: Rate on a scale of 1 to 10, with 10 being rock-solid, and 1 being porous, the following scenario:
I am thinking of disabling telnet to the router's external (public) interface. Instead, I would create an access-list that allows SSH traffic that has been remapped to an unused port number, like 4235 or 99 or 7722 or whatever. Then, I set the router to forward SSH packets or protocol number to a linux box on my network, which receives SSH connections and permits outbound telnet sessions. Is this a secure option?
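For reference, the following is an added configuration example, not part of the original post, showing the vty setup the question is about: the telnet-from-anywhere arrangement beside an SSH-only arrangement whose vty lines accept connections from a single management host. The management address 203.0.113.10, the hostname, the domain name and the username/password values are placeholders chosen for the example. Whether the `crypto key generate rsa` command exists at all on a given 1720 image depends on the image including the crypto feature set; if the command is not recognised, the image does not carry an SSH server, regardless of the IOS version number.

```cisco
! Added example (not from the original post): restricting vty access on a
! Cisco IOS router to SSH from one management host.
! Assumptions: 203.0.113.10 is the administrator's external address and the
! running image includes the crypto feature set (the "crypto key generate rsa"
! command is only present on such images).

! --- Before: telnet from any source, shared line password ---
line vty 0 4
 password cisco123
 login
 transport input telnet

! --- After: SSH only, per-user login, source restricted by access-class ---
! hostname and domain name must be set before the RSA host key can be generated
hostname edge-1720
ip domain-name example.net
crypto key generate rsa modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 3
! "ip ssh version 2" is only accepted on images that offer SSHv2 (12.3(4)T and later);
! older images fall back to SSHv1 and the command is rejected.
! ip ssh version 2

! placeholder credentials; on images without the "secret" keyword use "password"
username admin privilege 15 secret Str0ng-Passphrase

! standard ACL naming the only host allowed to open a vty session;
! "log" on the deny entry records rejected attempts
access-list 10 remark management host
access-list 10 permit host 203.0.113.10
access-list 10 deny any log

line vty 0 4
 access-class 10 in
 login local
 exec-timeout 10 0
 transport input ssh

! --- Verification ---
show ip ssh
show crypto key mypubkey rsa
show users
```

The `access-class` applies to the vty lines on every interface, so it restricts SSH reaching the router from the inside as well as from the public side. The interface ACL the post mentions must separately admit tcp/22 from the management host to the router's public address and can drop tcp/23 altogether; its other entries are specific to the site and are not shown here.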