Telneting to home lab from outside

superkingkong Member Posts: 23
Hi guys,

I know there are a few threads on this topic out there, but I didn't get what I wanted to know.

I have a small Cisco CCNA home lab. I would like to access it from the outside world, I mean telnetting, and later, when I get to know where to put things and what equipment I need for the topology, I'll move on to SSH.

Currently I have a Linksys WRT54G connected to a Comcast cable modem, so my laptop would be connected to it wirelessly.

I have set up a wireless bridge using a WRT54GS with DD-WRT firmware in my room, where the Cisco lab is.

So I would appreciate it if I could get some information as to what equipment I need to achieve this, with security in place.

I have 4x Cisco 2600, 2x Cisco Catalyst 2950 and a Cisco 2511.

So, currently, the topology, as I've explained earlier:

Comcast -> Linksys WRT54G -> Linksys WRT54GS -> Cisco home lab

Network for Linksys routers: 10.110.10.0

(The WRT54G is a DHCP server. All clients connected to the WRT54G and WRT54GS can obtain an IP address dynamically.)

Cisco lab network: 10.1.1.0

From what I've gathered, I can put my Cisco 2511 right after the Linksys WRT54GS with e0 as 10.110.10.3 (e.g.).

So, if I'm going to telnet to the public address at the Linksys WRT54G, I would reach the Cisco 2511, right? (If I've enabled port forwarding for 22 to 10.110.10.3 at the WRT54G, the router that is connected to Comcast.)
And if this is the case, it would be quite risky, since someone could guess my DDNS address?

How can I make it more secure?

What if I'm going to put another router in between: wireless bridge WRT54GS - Router (2600 or 1721) - Cisco 2511?
So, that means: WRT54GS -> 10.110.10.0 FE0/0 (Router 2621) FE0/1 10.1.1.1 - 10.1.1.2 E0 (Cisco 2511).
Is this possible? Will it be more secure? Or is it overkill? :)
I've read somewhere that it's better to put a router with a 12.4 IOS before the Cisco 2511 to be more secure. Since a 2600 can only have IOS 12.3 whereas a 1721 can have 12.4, it should be better, right?

And with this, if I'm going to telnet to my DDNS, where do I need to set things up, like port forwarding? In the WRT54G? Or the Cisco 2621?

I'd appreciate it if you guys could help me on this. I'm quite a newbie in this. I just like to "learn" network stuff. It's not just because of CCNA.
I could only ask here because I don't have friends in networking. So, I guess, it's just me and I could only get answers from the net.

Thanks in advance. I really do appreciate it.

Take care.

Comments

  • stuh84 Member Posts: 503
    Want to make it more secure? Use SSH, or do what I do, have a linux box running at home to SSH into, and then you can access your lab from there.
    Work In Progress: CCIE R&S Written

    CCIE Progress - Hours reading - 15, hours labbing - 1
  • Paul Boz Member Posts: 2,620
    Regardless of your topology, you really should set up SSH to start. Telnet is an inherently weak protocol, as all data is sent in clear-text. Beyond using a more secure protocol such as SSH, you should seriously reconsider making your administrative ports accessible to the general Internet. It may be convenient for testing, but one of the fundamental considerations of network security is controlling access to admin ports. If you practice bad practices you'll preach them at work.

    My best advice would be to set up a VPN to an internal computer (your desktop, for example) using a free solution like OpenVPN. I would then access your lab through the VPN. If that is too much of a burden consider setting up SSH and creating access lists on the SSH ports which restrict access to all but specific external hosts. This really comes down to where you'll be accessing your lab though. If you're accessing it from a university or from ad-hoc networks you may as well just leave the service exposed. If you're only connecting in from specific IP addresses this is much more manageable.

    Also, for some side advice, stop using a Linksys box for your CPE and use one of your 2600s or something more powerful. Being able to configure a standard broadband internet connection on a Cisco router is a fundamental concept and it's good practice to do it at home. If you want to be fancy you can spring for an ASA. If you want to get good at networking, stop thinking like a consumer and start thinking like you're setting up a work environment. Practical application is the best way to learn. I didn't do much QoS at work when I did the CCNP and CCIP, but I set it up at home to prioritize my Xbox Live & PlayStation Network traffic ahead of other stuff like BitTorrent and HTTP traffic, and subsequently didn't have a problem with QoS on those cert attempts. Just keep thinking of ways to apply your knowledge to stay sharp and you'll be good at this in the end.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • superkingkong Member Posts: 23
    Thanks for the advice. I really appreciate that.

    I guess I'll be using SSH.

    By the way, what do you mean by administrative port? Which port are you referring to?

    The problem is I don't have a desktop or server at home. I only have a laptop with me. So, I guess I can't VPN to a PC/server at home.

    "If that is too much of a burden consider setting up SSH and creating access lists on the SSH ports which restrict access to all but specific external hosts."

    May I know on which router I should set up the access lists? The 2511? Or the 2621 (between the WRT54GS and the 2511)?

    Assuming I have a fixed IP at my office, would it be possible to guide me on the access lists on the SSH ports?

    Yup, it will be my next step to set up the 2600 for the broadband connection :P

    Thank you, again.
  • ZZOmega Member Posts: 24
    I haven't yet thought about practical applications of the CCNA curriculum, but your situation is interesting. Now, I don't know much at all, but I'll throw in what I can.

    Unless you can obtain a static IP, securing this network will (probably) only consist of:
    Encrypted passwords, for your VTY lines as well as privileged EXEC
    Using an obscure address for your virtual terminal line, such as one in the middle of a subnet
    Limiting access to one session available at any time; depending on your router you'll have either 5 or 16 possible simultaneous virtual connections available
    ...and I can't really think of anything else.

    If you have a static IP, just create an extended ACL to allow only your static IP for SSH, on the interface of whichever router you please.

    Also, about port forwarding, I'd say every device from the demarc to your Cisco lab/whichever device you're planning to SSH to.

    Please let me know if anything I said was wrong or could be done more efficiently at the CCNA level of knowledge, I'm studying for the exam currently! :P

    Hope this helps,
    Devon
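    As an added worked example (not posted by anyone in this thread), here is what the "SSH only, from a fixed office IP" setup suggested by Paul Boz and ZZOmega, together with the port-forwarding question asked by superkingkong, could look like on the two Cisco routers in the proposed topology. It assumes the addressing from the original post (2621 FE0/0 = 10.110.10.3 toward the WRT54GS, FE0/1 = 10.1.1.1 toward the 2511, 2511 E0 = 10.1.1.2), that the WRT54G still forwards TCP/22 to 10.110.10.3 without rewriting the source address (ordinary port forwarding does not), that 203.0.113.10 stands in for the office's fixed public IP (a documentation-range placeholder), that lab.example is a made-up domain name, and that both images carry the crypto feature set needed for SSH. The 2621 does the port forward with static NAT and filters at the outside interface; the 2511 accepts only SSH on its VTY lines and applies a second access list there, so an error in one layer does not expose the other.

```cisco
! ---- 2621: between the WRT54GS and the 2511 (addressing as in the thread) ----
! 203.0.113.10 is a placeholder for the office's fixed public address.
hostname R2621
!
ip access-list extended FROM-OUTSIDE
 remark only the office host may open SSH (TCP/22) to this router's outside address
 permit tcp host 203.0.113.10 host 10.110.10.3 eq 22
 deny ip any any log
!
interface FastEthernet0/0
 ip address 10.110.10.3 255.255.255.0
 ip access-group FROM-OUTSIDE in
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Port forward: TCP/22 arriving on FE0/0 is translated to the 2511 at 10.1.1.2.
! The WRT54G in front must still forward TCP/22 to 10.110.10.3, as described in the thread.
ip nat inside source static tcp 10.1.1.2 22 interface FastEthernet0/0 22
!
! ---- 2511: the SSH endpoint ----
hostname R2511
ip domain-name lab.example
! Host key for SSH; needs an image with the crypto feature set (assumption about the 2511 image).
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
service password-encryption
enable secret CHANGE-ME-ENABLE
username admin privilege 15 secret CHANGE-ME-ADMIN
!
! Second layer on the router itself: access-class is applied to the VTY lines, not
! to an interface, so it limits who may open a terminal session regardless of path.
ip access-list standard SSH-MGMT
 permit host 203.0.113.10
 deny any log
!
line vty 0 4
 access-class SSH-MGMT in
 transport input ssh
 login local
 exec-timeout 5 0
!
! Slows down password guessing: 3 failures within 60 s blocks logins for 120 s
! (requires 12.3(4)T or later; assumption about the 2511 image).
login block-for 120 attempts 3 within 60
```

    Two things to keep in mind with this layout: the `deny ip any any log` on the 2621's outside interface also drops replies to anything the lab initiates toward the Internet, so if the lab needs outbound access you have to add matching permits; and the `deny ... log` entries on both routers give you a visible record (`show logging`) of every connection attempt from an address other than the office one, which is the quickest way to see whether the forwarded port is being probed.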