
Home lab access from the internet

JayrodEF Member Posts: 111
Hey all, just curious as I'm going to be starting my CCNA studies in a few weeks. I have three routers as of now, a 2501, a 2509, and a 2514. Right now they're just on a rack not really wired to anything. I've got the 2509 set up so I can use the console cable and get into the 2509 then into the other two routers. I can also telnet to the 2509's ethernet port and get into the other routers. Right now I have that 2509's ethernet port hooked up to a D-link wireless router w/4 port switch which is then connected to my cable modem. My question: Is there a way to set this up so I can telnet into the 2509 remotely from anywhere on the internet? My ISP IP address is dynamic, but I don't think it's ever changed. I've configured port 23 forwarding on the D-link router to the ethernet interface on the 2509, but that hasn't done the trick and I haven't had time to play around with it more or do any research. If someone has done this, please let me know. I'm sure I'll figure it out when my studies begin, but I'm just curious now. Thanks!

Comments

  • mikej412 Member Posts: 10,086
    I've never understood the desire to hook up a lab to the internet before you understand what you're doing.

    Most likely it's not working because you don't have a default route back out to the internet from the 2509.

    Check out this thread and the links in it for more ideas. Also this Connecting to Routers Remotely thread.
    :mike: Cisco Certifications -- Collect the Entire Set!
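The "no default route back out" point above, as an added example that is not part of the original thread: a minimal longest-prefix-match lookup over a constructed routing table, showing what happens to the 2509's reply to an internet host when the router only knows its connected networks, and after a default route via the D-Link is added. The addresses, interfaces and the remote client IP are assumed for illustration (documentation ranges), not taken from the poster's setup.

```python
"""Why a forwarded port to the 2509 can fail without a default route.

Added example, not from the original thread. Models the IOS routing lookup
(longest prefix match, default route used only when nothing more specific
matches) over a constructed table. Addresses are assumed for illustration.
"""
import ipaddress

# Constructed routing table entries: (prefix, next hop; None means connected)
CONNECTED_ONLY = [
    ("192.168.0.0/24", None),        # Ethernet0 toward the D-Link, connected
    ("10.1.1.0/24", None),           # serial link to the 2501, connected
]
WITH_DEFAULT = CONNECTED_ONLY + [
    ("0.0.0.0/0", "192.168.0.1"),    # ip route 0.0.0.0 0.0.0.0 192.168.0.1
]


def lookup(table, destination):
    """Return the best matching (network, next_hop) for destination, or None.

    Longest prefix wins; the /0 default matches everything but is only
    chosen when no more specific entry covers the destination.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def reply_path(table, remote_client):
    """Describe the router's handling of the SYN/ACK it owes remote_client.

    The D-Link forwards the inbound SYN to the 2509 regardless of the
    router's table; it is the reply that needs a route back. Returns a
    status string (rather than printing) so the outcome can be checked.
    """
    route = lookup(table, remote_client)
    if route is None:
        return f"SYN from {remote_client} arrives, SYN/ACK dropped: no route"
    net, next_hop = route
    via = f"via {next_hop}" if next_hop else "directly connected"
    return f"SYN/ACK to {remote_client} {via} ({net})"


if __name__ == "__main__":
    # 203.0.113.50 stands in for a telnet client somewhere on the internet.
    print(reply_path(CONNECTED_ONLY, "203.0.113.50"))
    print(reply_path(WITH_DEFAULT, "203.0.113.50"))
    # A LAN client works either way, which is why the problem only shows up
    # when connecting from outside.
    print(reply_path(WITH_DEFAULT, "192.168.0.20"))
```

The handshake never completes in the first case because the SYN/ACK has nowhere to go; port forwarding on the D-Link is necessary but not sufficient.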
  • JayrodEF Member Posts: 111
    Not really interested in doing anything specific with it at this point. Just wondering what the process is and how one would potentially do it. Thank you for the links.
  • Vito_Corleone Inactive Imported Users Posts: 19
    I have a Linux box at my house, I use SSH to connect to that and then Telnet to whatever device I want to use.

    All you should have to do is forward the ports properly and set up the routes.
  • dynamik Banned Posts: 12,312
    See if your router supports dynamic DNS. Mine does, and it allows me to use a variety of different DDNS providers. Subscriptions are typically $10-15/year, and you'll be able to use whatever.com to connect to your device, even if its IP changes.

    You can get by without it though. Your IP should continue to be renewed, and you will most likely keep it for very long periods of time. I use it more for convenience than necessity.
  • mgeorge Member Posts: 774
    I definitely agree with mike. A lot of people new to Cisco want to get to the lab over the internet
    and really don't understand the security risk or how to successfully deploy it publicly.

    First off, you should probably never use telnet over the internet unless you're using it over a VPN.
    Also, don't use the "enable secret" authentication; use local usernames and passwords. This
    prevents a brute force attack. Also, if you have the ability to use 12.4 (which requires you to use
    a 2600XM and NM-16A or NM-32A) you can set it up to block IP addresses by a dynamic ACL if
    users trying to authenticate provide invalid credentials more than x amount of times.

    Or if you want to go way out and use Cisco ACS or Active Directory authentication via RADIUS, then
    that helps even more :D
    There is no place like 127.0.0.1
  • Netwurk Member Posts: 1,155
    I have a Cisco 2621 set up as a DSL router. I telnet into it by using the public IP address my ISP gives me. Previously I used a 2514 for this; it works almost as well.

    If your public IP changes often, there is a free dynamic DNS service out on http://www.no-ip.com/

    Allowing telnet to your router over the internet does have some security risks, but for a home network you're not likely to be a target of a hacker.
  • sprkymrk Member Posts: 4,884
    Vito_Corleone wrote:
    I have a Linux box at my house, I use SSH to connect to that and then Telnet to whatever device I want to use.

    All you should have to do is forward the ports properly and set up the routes.

    This is the best way to do it, use SSH to connect on port 22 to a linux box. Set up the linux firewall to only allow connections from your work IP address. Open up port 22 on the D-Link. You don't need to forward the port, just open it up.
    If you don't want to go to the trouble of setting up an intermediate linux box, you might try just opening port 23 on the router. What model D-Link do you have?

    Netwurk wrote:
    Allowing telnet to your router over the internet does have some security risks, but for a home network you're not likely to be a target of a hacker.
    I would disagree. Many hackers simply run scans looking for open ports. If yours pops up on the radar you'll be targeted in a heartbeat. That's one way "zombie armies" are created. I have port 22 open on my router and I can watch the brute force attempts fill my logs all day if I want to. The linux box itself (the only thing I have running sshd) is protected as I mentioned above to only allow connections from my work IP.
    mgeorge27 wrote:
    First off you should probably never use telnet over the internet unless you're using it over a VPN. Also don't use the "enable secret" authentication, use local usernames and passwords. This prevents a brute force attack.
    I agree with using telnet via VPN only. I am not sure I follow your second comment though. Are you saying that using local user names and passwords prevents brute force attacks? If so, how? Or are you saying that using a VPN prevents brute force attacks?
    All things are possible, only believe.
  • JayrodEF Member Posts: 111
    Thanks for all the replies folks. Reading the other threads that were linked in this discussion I realized I already had access to it from the internet, just didn't think about it that way. I can already RDP into my home computer which is connected to my lab, so that makes it pretty easy. Just never put 2 and 2 together for some reason. I was too focused on trying to get directly into the routers. I don't really like the idea of telnetting over the internet so the other suggestions are great. I'd definitely like to play around with the other options that were mentioned, but I'll have to wait until I have a more firm grasp on the material.
  • mgeorge Member Posts: 774
    I'm saying both could prevent brute forces if used correctly.

    If you use local authentication, not only would attackers have to know the password, but
    they would need to know the username associated with the password, which must have
    level 15 privileges locally.

    If you use VPN you can use telnet and not even use a password if you only make it accessible
    from the subnet whose IPs are given to VPN clients.
    There is no place like 127.0.0.1
  • APA Member Posts: 959
    You need to configure at least a vty password to have the ability to use vty lines as a connection option...

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • sprkymrk Member Posts: 4,884
    mgeorge27 wrote:
    If you use local authentication, not only would attackers have to know the password, but they would need to know the username associated with the password, which must have level 15 privileges locally.

    Brute force attacks can also brute force username/pw combos. I've seen it in my logs as well. They try all the common stuff like admin, administrator, root, mgeorge27, mgeorge, matt, matt.george, and a plethora of other random names also culled from a dictionary list of usernames. So unless you use the dynamic ACL or some other feature a brute force could work on an "always on" Internet connected host. Granted, it would be harder and take longer, especially if strong passwords are used.

    It wouldn't necessarily have to be level 15 either, as privilege escalation attacks or even just the information gleaned from lower levels could give the attacker enough information to try another method of gaining access.
    All things are possible, only believe.
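The two points argued above, mgeorge's "block IP addresses by a dynamic ACL if users provide invalid credentials more than x times" and sprkymrk's "brute force attempts fill my logs" with guessed usernames, come down to the same check: count failures per source inside a time window and act once a threshold is crossed. The following is an added example, not code from the thread, that runs that check over a few constructed OpenSSH auth.log lines. The three knobs it exposes (attempts, within, and the resulting block decision) mirror the ones the IOS login-block feature takes; the log lines, hostnames, addresses and usernames are made up for the example.

```python
"""Sliding-window failed-login counter with a per-source block decision.

Added example, not from the original thread. Parses constructed OpenSSH
"Failed password" lines, keeps a per-source window of recent failures, and
reports sources that crossed `attempts` failures within `within` seconds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one scanner cycling through guessed usernames, one
# legitimate user who fat-fingers a password once, and a lone later probe.
SAMPLE_LOG = """\
Mar 14 02:11:01 gw sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 14 02:11:04 gw sshd[4023]: Failed password for invalid user administrator from 198.51.100.23 port 51030 ssh2
Mar 14 02:11:06 gw sshd[4025]: Failed password for root from 198.51.100.23 port 51041 ssh2
Mar 14 02:11:09 gw sshd[4027]: Failed password for invalid user mgeorge27 from 198.51.100.23 port 51055 ssh2
Mar 14 02:11:12 gw sshd[4029]: Failed password for invalid user matt.george from 198.51.100.23 port 51060 ssh2
Mar 14 02:13:40 gw sshd[4100]: Failed password for jay from 203.0.113.7 port 40122 ssh2
Mar 14 02:13:52 gw sshd[4102]: Accepted password for jay from 203.0.113.7 port 40130 ssh2
Mar 14 02:40:15 gw sshd[4300]: Failed password for invalid user oracle from 198.51.100.23 port 51900 ssh2
"""

# Matches both "Failed password for root from ..." and the "invalid user"
# variant sshd logs for usernames that do not exist on the box.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, username) for every failed-login line.

    Classic syslog timestamps carry no year; one is assumed so they compare.
    """
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_offenders(log_text, attempts=3, within=60):
    """Return {ip: (usernames_tried, time_threshold_was_crossed)}.

    A deque per source holds only failures younger than `within` seconds,
    so a slow trickle (the lone 'oracle' probe half an hour later) does not
    accumulate; only a burst trips the rule. The username set covers the
    whole log so the report shows what the scanner was guessing.
    """
    recent = defaultdict(deque)
    names = defaultdict(set)
    triggered = {}
    for ts, ip, user in parse_failures(log_text):
        names[ip].add(user)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > within:
            window.popleft()
        if len(window) >= attempts and ip not in triggered:
            triggered[ip] = ts
    return {ip: (sorted(names[ip]), ts) for ip, ts in triggered.items()}


if __name__ == "__main__":
    for ip, (users, when) in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip} at {when:%H:%M:%S}; usernames tried: {', '.join(users)}")
```

With the defaults the scanner at 198.51.100.23 is flagged on its third failure while the user who mistyped once is not; raising `attempts` to six with the same 60-second window lets the scanner through, because the sixth failure arrives long after the first five have aged out, which is exactly the trade-off to think about when choosing the window on a real device.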
  • Vito_Corleone Inactive Imported Users Posts: 19
    sprkymrk wrote:
    I have a Linux box at my house, I use SSH to connect to that and then Telnet to whatever device I want to use.

    All you should have to do is forward the ports properly and set up the routes.

    This is the best way to do it, use SSH to connect on port 22 to a linux box. Set up the linux firewall to only allow connections from your work IP address. Open up port 22 on the D-Link. You don't need to forward the port, just open it up.
    If you don't want to go to the trouble of setting up an intermediate linux box, you might try just opening port 23 on the router. What model D-Link do you have?

    Actually, I don't use the default port (22) internally, I try to avoid being the target of brute force attacks. ;)

    When you say "open it up", what do you mean? You will have to tell the router to forward traffic on port XXXX to host XXXX. I don't understand what you mean.
  • sprkymrk Member Posts: 4,884
    When you say "open it up", what do you mean? You will have to tell the router to forward traffic on port XXXX to host XXXX. I don't understand what you mean.

    You don't have to forward traffic to a particular host. In the Cisco world, think of an ACL.

    access-list 101 permit tcp any any eq 23

    This just allows traffic on port 23 from any host to any host through the router.

    EDIT - My bad, I just realized we are talking about private IP's, so yes, you would have to use forwarding in this case. Sorry!
    All things are possible, only believe.
  • Vito_Corleone Inactive Imported Users Posts: 19
    sprkymrk wrote:
    EDIT - My bad, I just realized we are talking about private IP's, so yes, you would have to use forwarding in this case. Sorry!

    Ah ha, makes sense now. You had me there for a second.