Questions on security paradigms

nedstar1 (Level 1)

Hi.

We're using a Cisco 1720 to host a VPN connection, provide NAT for web access, and host a sendmail server on a static IP, simultaneously. We get generally good performance in this arrangement, with about 100 users using the NAT, and about 60 max simultaneously. I'm pleased with the security that using a thoughtful ACL can provide, but I do not like having telnet open to the web. I need to be able to access the routers from outside the facility, however.

I've read that IOS from 12.0 on is expected to support SSH, but I can't find reference to the posted commands in my router. It's a 1720 with a WIC-1ENET card, running 12.1(5)YB1. It has 24576K/8192K as well.

Can I enable SSH on this router?

Alternative: Rate on a scale of 1 to 10, with 10 being rock-solid, and 1 being porous, the following scenario:

I am thinking of disabling telnet to the router's external (public) interface. Instead, I would create an access-list that allows SSH traffic that has been remapped to an unused port number, like 4235 or 99 or 7722 or whatever. Then, I set the router to forward SSH packets or protocol number to a Linux box on my network, which receives SSH connections and permits outbound telnet sessions. Is this a secure option?

1 Reply

thomas.chen (Level 6)

According to the following document: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/sshv1.htm it looks like you have it on 12.1(5)YB1 as long as you have an IPSEC image. The prerequisites say “IPSec Software Image Required” so make sure you have that feature set. I think 12.0 only supported SSH on the 7200, 7500 and 12000 series routers.
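For reference, here is what enabling SSH and closing telnet on the vty lines looks like once the image supports it. This is an added example, not configuration from the thread or from the linked Cisco document; it assumes an IPSec feature set is installed as the reply describes, and the host name, domain, user name, password and admin network are placeholders.

```cisco
! Added example; assumes an IPSec (crypto) image, which the SSH feature needs.
! Host name, domain, user, password and the 203.0.113.0/24 network are placeholders.
!
! --- Before: what the original poster wants to get rid of ---
! Telnet is accepted from any interface, including the public one, and the
! only barrier is a line password sent in the clear.
line vty 0 4
 password cleartextpassword
 login
 transport input telnet
!
! --- After: SSH only, from a known management network ---
hostname EDGE1720
! The domain name is required before an RSA host key can be generated.
ip domain-name example.com
! Placeholder credentials. Prefer "username admin secret ..." (MD5 hash)
! where the image offers it; otherwise at least obscure the stored password.
service password-encryption
username admin password ADMIN-PLACEHOLDER
!
! Generate the RSA host key the SSH server presents. The router prompts for
! a modulus size; choose the largest the image allows (at least 1024 bits).
crypto key generate rsa
!
! Limit negotiation time and failed logins per connection.
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the admin network may open a management session; log everything else.
access-list 10 permit 203.0.113.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
!
! Verify with "show ip ssh" (should report SSH Enabled) and by confirming a
! telnet attempt to any interface is now refused.
```

Keep the existing interface ACL in place as well; the `access-class` on the vty lines only controls who may reach the management service, not what else the public interface accepts.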