Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SSH tunneling through a Router

Does anyone know if you can setup ssh to allow tunneling through a router. Does the ssh app within IOS allow port forwarding itself? Similar to a bsd or Linux OS? Or is this a security feature (by not allowing port forwarding)

I want to make sure that this cannot happen on any of my edge routers! I'm running a K9 image and use ssh for admin and want to make sure that it cannot be configured to forward ssh ports inside the network.

Thanks,

6 REPLIES
Silver

Re: SSH tunneling through a Router

You can NOT use the router as an ssh terminating

endpoint to jump to another box. I know exactly

what you are trying to do. Can not be done by

IOS itself.

What you can do is this:

Linux---IOS_router----Internet------hostx

on IOS router do this:

ip nat inside source static tcp 22 192.168.1.2 interface f0/0 22

ip nat inside source static tcp 3389 192.168.1.3 interface f0/0 3389

Now from hostx, you can ssh to the Linux box,

TS to 192.168.1.3 via the router IOS external

interface ip itself.

In summary, IOS ssh does not have the sshd_config where you can customize the

forwarding part. It can not even let you

configure to accept on AES256-cbc with sha-1.

CCIE Security

New Member

Re: SSH tunneling through a Router

Thanks, That is exactly what i wanted to hear. I didnt want to have to disable ssh access to my routers because of possible forwarding through the routers.

New Member

Re: SSH tunneling through a Router

I tried doing this with an ssh client, and it did not work this way. port forwarding was disabled, and i do not know how to enable it.

Silver

Re: SSH tunneling through a Router

what does not work? Can you elaborate?

CCIE Security

New Member

Re: SSH tunneling through a Router

I wanted to make sure that no one could use a cisco router via ssh tunnels on the router to create a secure tunnel through the router. I have found that you can't so that fixes my security issue. The only why someone would be able too is by modifying the configuration and i would get alarms from my monitoring and MARS system that someone changed the configuration.

Thanks,

Silver

Re: SSH tunneling through a Router

1- Enable AAA on the router,

2- Enable AAA accounting on the router,

3- monitor the AAA server, tail -f /var/log/tac_plus.log file,

4- have some script to monitor if configuration

has been changed. If it does, send you an

email.

simple right?

CCIE Security

7098
Views
0
Helpful
6
Replies