Telnet client from Windows, and have it as an “Optional Extra”. For most people that’s fine, but for anyone who programs network devices, or needs to test that ports are open, or test mail flow by telnet to port 25, that’s a pain.
Having the ability to remotely administer network devices means I don’t have to get my lazy carcass out of my chair and start fishing console cables out of my bag; it also saves on shoe leather and travelling time.
Solution
Cisco Router / Switch – Setup Telnet Access
These days people frown at Telnet. It’s an insecure protocol so your password is sent in clear text over the wire, and can be seen by anyone sniffing traffic. For that reason SSH is preferred, but for completeness I’ll start with Telnet.
1. Log in to the device > Go to enable mode > Go to configuration mode > Enable Telnet and set a password.
[box]
Router0>enable
Router0#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#line vty 0 4
Router0(config-line)#transport input telnet
Router0(config-line)#password P@ssword123
[/box]
2. Save the changes and test.
[box]
Router0(config-line)#exit
Router0(config)#exit
Router0#write mem
Building configuration...
[OK]
Router0#
[/box]
Cisco Router / Switch – Setup SSH Access
1. SSH is a little more involved. Before you can connect via SSH the device needs an RSA key pair, and before you can generate one you need a host name and a domain name (the key is named after both).
[box]
Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)
Petes-Router(config)#
[/box]
2. Another prerequisite is usernames and passwords. These can be managed by a separate AAA solution such as RADIUS, TACACS+, or Active Directory, but for this example I’ll simply set them up on the device and use local authentication.
Note: I set myself up with privilege 15, which means that when I log on I land straight in enable mode; the other user account does not, and needs to know the enable password to make any changes.
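The page as captured does not include the box for this step, so here is an added example of the local user setup it describes (not the author’s original output). The usernames and passwords are placeholders; `secret` stores a one-way hash in the running config rather than the reversible type 7 string that `password` would store.

```cisco
! Added example (not from the original article). Replace the placeholder
! names and passwords before use.
! Account that lands straight in enable mode (privilege 15):
Petes-Router(config)#username ADMIN-USER privilege 15 secret <STRONG-PASSWORD-1>
! Account that logs on at user mode and needs the enable secret to make changes:
Petes-Router(config)#username READONLY-USER secret <STRONG-PASSWORD-2>
! The enable secret the second account will be asked for:
Petes-Router(config)#enable secret <ENABLE-PASSWORD>
```

`show running-config | include username` confirms the accounts exist and that the passwords are stored hashed, not in clear text.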
3. Finally allow remote management via SSH, and save the changes.
[box]
Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input ssh
Petes-Router(config-line)#exit
Petes-Router(config)#exit
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router#
[/box]
4. Finally, enable AAA authentication to use the local database:
[box]
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default local
Petes-Router(config)#aaa authorization exec default local
[/box]
WARNING
This will also enable username/password authentication for ‘console‘ (rollover cable) access. I don’t like that, so I remove it with the following commands:
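The commands the author refers to are missing from the page as captured. The following is an added example of the usual way to do this, not the author’s box; the method-list name `CONSOLE` is an assumption. It defines a named login method list that performs no authentication and applies it to the console line only, so the `default` list (the local database) still protects the vty lines.

```cisco
! Added example (not from the original article).
! Named method list with no authentication:
Petes-Router(config)#aaa authentication login CONSOLE none
! Apply it to the console line only; vty lines keep the 'default' list:
Petes-Router(config)#line console 0
Petes-Router(config-line)#login authentication CONSOLE
Petes-Router(config-line)#exit
```

Note that once this is in place the only thing standing between someone and an unauthenticated console session is physical access to the device, so it suits a locked comms room rather than a switch in a public-facing cabinet. `show running-config | section line con` confirms which method list the console is using.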
Cisco Router – Restricting Telnet and SSH Access via Access List
You can lock remote management down further by permitting or denying access with an ACL applied to the vty lines.
WARNING: If doing this remotely, and just using SSH, remember to generate the key and create users FIRST, or you may lock yourself out. If you are worried, schedule a reload in twenty minutes, do the work, and if it works cancel the reload; if it all explodes, go and have a coffee, and when you come back it will have reverted!
Schedule a Router Reload
[box]
Petes-Router#reload in 20
Reload scheduled in 20 minutes by petelong on vty0 (123.123.123.123)
Reload reason: Reload Command
Proceed with reload? [confirm] {Enter}
Petes-Router#
---CARRY OUT THE CHANGES---
Petes-Router#reload cancel
Petes-Router#
***
*** --- SHUTDOWN ABORTED ---
***
[/box]
1. From the top let’s create a user, and setup the RSA key, (skip this step if you have already done this).
[box]
Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)
Petes-Router(config)#
[/box]
2. Now create an access-list to allow and deny access, (usual ACL rules apply).
[box]
Petes-Router(config)#ip access-list extended VTY_ACCESS
Petes-Router(config-ext-nacl)#10 permit tcp 123.123.123.123 0.0.0.0 any eq 23
Petes-Router(config-ext-nacl)#20 permit tcp 123.123.123.123 0.0.0.0 any eq 22
Petes-Router(config-ext-nacl)#30 permit tcp 10.1.1.0 0.0.0.255 any eq 23
Petes-Router(config-ext-nacl)#100 deny ip any any
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#
[/box]
3. In this example I will set the transport input to all (that’s Telnet AND SSH), then lock access down to the ACL we have just created.
[box]
Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input all
Petes-Router(config-line)#login local
Petes-Router(config-line)#access-class VTY_ACCESS in
Petes-Router(config-line)#exit
Petes-Router(config)#exit
[/box]
4. Save your changes and test.
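With `transport input all`, the hosts the ACL permits on port 23 still send their credentials in clear text, as the Telnet section above points out. The following is an added example (not from the original article) of the same ACL-restricted setup with SSH only, plus the session limits a practitioner would normally add at the same time; the timer values are assumptions.

```cisco
! Added example (not from the original article): SSH-only variant of the
! vty configuration above, using the same VTY_ACCESS ACL.
Petes-Router(config)#ip ssh version 2
! Seconds allowed to complete SSH negotiation, and failed logins per connection:
Petes-Router(config)#ip ssh time-out 60
Petes-Router(config)#ip ssh authentication-retries 3
Petes-Router(config)#line vty 0 4
! Only SSH is accepted; the port 23 entries in VTY_ACCESS now never match.
Petes-Router(config-line)#transport input ssh
Petes-Router(config-line)#access-class VTY_ACCESS in
! Drop idle sessions after 10 minutes 0 seconds:
Petes-Router(config-line)#exec-timeout 10 0
Petes-Router(config-line)#exit
Petes-Router(config)#exit
! Verify: ACL hit counters show which entries are matching, and the
! active SSH sessions show the negotiated version.
Petes-Router#show access-lists VTY_ACCESS
Petes-Router#show ssh
```

Run the two `show` commands from a session opened after the change, and from a host that should be denied try once more to confirm the deny counter increments rather than a prompt appearing.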
[box]
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router#
[/box]
Related Articles, References, Credits, or External Links