Cisco Router – Setup Remote Telnet/SSH Management

KB ID 0000934 Dtd 02/14/14

Problem

Having the ability to remotely administer network devices, means I don't have to get my lazy carcass out of my chair and start fishing console cables out of my bag, also it saves on shoe leather, and travelling time.

remote administration

Solution

Cisco Router / Switch - Setup Telnet Access

These days people frown at Telnet. It's an insecure protocol so your password is sent in clear text over the wire, and can be seen by anyone sniffing traffic. For that reason SSH is preferred, but for completeness I'll start with Telnet.

1. Log in the the device > Go to enable mode > Go to configuration mode > Enable Telnet and set a password.

Router0>enable
Router0#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#line vty 0 4
Router0(config-line)#transport input telnet 
Router0(config-line)# password P@ssword123

2. Save the changes and test.

Router0(config)#exit
Router0#write mem 
Router0#wr mem
Building configuration...
[OK]
Router0#

Cisco Router / Switch - Setup SSH Access

1. SSH is a little more involved, before you can connect via SSH, you need a certificate, and before you can generate a certificate, you need a host name and a domain name.

Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa
The name for the keys will be: Petes-Router.petenetlive.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Petes-Router(config)#

2. Another prerequisite is you need usernames and passwords, these can be managed by a separate AAA solution like RADIUS, TACACS+, or Active Directory. But for this example I'll simply set them up on the device, and use local authentication.

Note: I set myself up with privilege 15, this means when I log on, I automatically log on at enable mode, the other user account does not, and needs to know the enable password to make any changes.

Petes-Router(config)#username testuser password testpassword
Petes-Router(config)#username petelong privilege 15 password P@ssword123

3. Finally allow remote management via SSH, and save the changes.

Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input ssh
Petes-Router(config-line)#exit
Petes-Router(config)#exit
Petes-Router#write mem 
Petes-Router#wr mem
Building configuration...
[OK]
Petes-Router#

Cisco Router - Restricting Telnet and SSH Access via Access List

You can lock down access further to remote management, by allowing or denying access from an ACL.

WARNING: If doing this remotely, and just using SSH remember to generate the key and create users FIRST, or you may lock yourself out. If you are worried schedule a reload in twenty minutes, do the work, if it works cancel the reload, if it all explodes, go have a coffee, when you come back it will have reverted back!

Schedule a Router Reload

Petes-Router#reload in 20
Reload scheduled in 20 minutes by petelong on vty0 (123.123.123.123)
Reload reason: Reload Command
Proceed with reload? [confirm] {Enter}
Petes-Router#

---CARRY OUT THE CHANGES---

Petes-Router#reload cancel
Petes-Router#

***
*** --- SHUTDOWN ABORTED ---
***

1. From the top let's create a user, and setup the RSA key, (skip this step if you have already done this).

Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa
The name for the keys will be: Petes-Router.petenetlive.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Petes-Router(config)#

2. Now create an access-list to allow and deny access, (usual ACL rules apply).

Note: Port 23 is Telnet and port 22 is SSH

Petes-Router(config)#ip access-list extended VTY_ACCESS
Petes-Router(config-ext-nacl)#10 permit tcp 123.123.123.123 0.0.0.0 any eq 23
Petes-Router(config-ext-nacl)#20 permit tcp 123.123.123.123 0.0.0.0 any eq 22
Petes-Router(config-ext-nacl)#30 permit tcp 10.1.1.0 0.0.0.255 any eq 23
Petes-Router(config-ext-nacl)#100 deny ip any any
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#

2. In this example I will set the transport input to all (that's Telnet AND SSH), then lock access down the the ACL we have just created.

Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input all
Petes-Router(config-line)#login local
Petes-Router(config-line)#access-class VTY_ACCESS in
Petes-Router(config-line)#exit
Petes-Router(config)#exit

3. Save your changes and test.

Petes-Router#write mem 
Petes-Router#wr mem
Building configuration...
[OK]
Petes-Router#

4. UPDATE If at this point you cannot get access and the device says 'access denied', you may also need to add the following;

Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default local
Petes-Router(config)#aaa authorization exec default local

Related Articles, References, Credits, or External Links

NA

Author: Migrated

Share This Post On