I have many routers set up as VPN's. Sometimes I have to access the routers using their public IP via telnet, is this sent in clear text? If so do you recommend ssh? If so how can I set this up on a Cisco 877 or 1841?
Telnet data is sent in clear text. It's certainly a good idea to use SSH to access network devices especially when going through a public network like Internet. As you are probably aware SSH would encrypt all data between the client/server and even if someone gets a hand on the data it's of no use.
From a security perspective SSH is much better than telnet. If you are telnetting through the VPN to a router inside address it does not matter much since the traffic will be encrypted. But telnetting to the public address does create some exposure. It is good that you have a rule to only accept telnet from your source address. But there is still exposure. Someone could observe the traffic and could learn your user ID and password. What could they do if they knew your address, your user ID, and your password?
While that is not a high degree of risk it is still some risk and why take any risk when a better solution is available? Since the routers are running VPN they already have the crypto image and therefore will support SSH. Basically as long as they have a host name and a domain name configured all you need to do is to generate RSA keys and then SSH is ready to go. It would certainly be a best practice to use SSH - especially for access to outside interfaces of these routers.
I see what you are saying. A few things, what would my domain be, my windows domain? Would I add ssh the remove the telnet settings, sorry this a area I'm not sure about. Do you have an example Rick? Many thanks in advance.
The domain for the router is generally the domain name used in DNS. I assume that there is some DNS domain name for CBS Outdoor Ltd and that is what I would use for the router.
Telnet and SSH can coexist. If you want to continue to use telnet to inside addresses (through the VPN) and SSH to outside addresses you do not need to remove anything. If you decide that you want to change your policy and only use SSH for remote access to the routers then you could configure under the vty lines:
I do not know the authoritative answer about why it requires a domain name. My assumption is that they want a domain name because they want a complete and unique identification of the device. What I do know (from hard experience) is that without a domain name configured the key will not generate.
If you want to keep your telnet option then the config needs to have this:
transport input ssh telnet
if you only list ssh as the transport then it is the only one allowed. By listing both ssh and telnet then both are allowed.
We have 3 identical switches configured by someone else and would like to claim some of the Gigabit ports(G1/G2/G3/G4) for use on servers. When we try to change the wiring and configuration, we run in to connectivity issues. Attached is a des...
This is actually a pretty cool feature, i didn't even know it existed until I was looking for a solution to advertise a subnet (prefix in BGP talk), only if a certain condition existed. This is exactly what conditional advertisements does
j ai une question j ai achete un routeur cisco 887VA-k9 , je le configuré avec la configuration ci- dessous
si je le lier avec mon pc portable sur l un de ses ports directement ça marche toute est bien ( la connexion internet + m...