Cisco Router as Terminal Server with SSH Line Access

Example of how to use a Cisco router as a terminal server using an NM-32A 32-port async serial line card. In use with 2811s and IOS 12.4T. SSH is used to securely make the serial lines available on the network. Be aware that SSH requires a username/password combination, so this is not like binding the serial ports to telnet, where anyone who can hit a port is suddenly dumped onto the console of a device. From a security perspective it is much better, and if you have to deal with PCI-DSS compliance it also means you won't have any dramas with audits.

My logical line number and port number association works like this:
- Rotary group numbering starts at 1 (can't use 0 for some reason), so
- the "rotary N" command binds rotary port base+(N-1) to async line (N-1).

So if you use TCP port 3000 as the start of the rotary group:
- line 0 on the NM-32A in the first slot is TCP/3000
- line 0 on the NM-32A in the second slot is TCP/3032
- line 0 on the NM-32A in the third slot is TCP/3064, etc.

Assumptions:
- You've already enabled SSH on your device (preferably enforcing v2 only, etc.).
- You've already enabled aaa new-model and created local users and/or are using AAA authentication.

Notes:
- A 15 minute session timeout based on line output (characters going onto the serial line) is enforced to avoid hung sessions leaving lines open.
- You should also use a 15 minute SSH timeout.
- You should also use a console timeout on each connected device to avoid leaving logged-in sessions on the console for other people to suddenly pop into.

cstubbs
February 16, 2012

!##### 99 rotary lines, first rotary line is on TCP/3000
ip ssh port 3000 rotary 1 99
!
interface Loopback10
 description <<< Local Port Listening Loopback >>>
 ip address %{LOOPBACK_IP}% 255.255.255.255
!
!##### Local host aliases point to the rotary ports and the loopback10 IP address.
!##### One alias per async line: each name maps to its own rotary TCP port, so
!##### "ssh <alias>" lands on the right serial line without specifying a port.
ip host %{HOSTNAME_01}% 3000 %{LOOPBACK_IP}%
ip host %{HOSTNAME_02}% 3001 %{LOOPBACK_IP}%
ip host %{HOSTNAME_03}% 3002 %{LOOPBACK_IP}%
!
!#### Set default options for all serial lines.
line 1/0 1/31
 session-timeout 15 output
 location <<< UNUSED >>>
 no exec
 transport input ssh
!
!#### Now bind rotary lines to each async line
line 1/0
 location <<< %{LINE0_DEV_DESCR}% >>>
 rotary 1
line 1/1
 location <<< %{LINE1_DEV_DESCR}% >>>
 rotary 2
!################ REMOVED FOR BREVITY ################
line 1/30
 location <<< %{LINE30_DEV_DESCR}% >>>
 rotary 31
line 1/31
 location <<< %{LINE31_DEV_DESCR}% >>>
 rotary 32
!
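The rotary/port arithmetic described in the introduction, as an added example that is not part of the original config: a small Python generator that computes the TCP port and rotary group for any slot/line on an NM-32A, and renders the per-line stanzas (the part "REMOVED FOR BREVITY" above) plus the matching ip host aliases. The base port, the 32 lines per card and the rotary 1..99 limit come from the config above; slot numbers, device names and the loopback address passed in are constructed sample values.

```python
"""Generate NM-32A terminal-server line bindings from the rotary mapping above.

Mapping (from the page): rotary groups start at 1, 'rotary N' binds TCP port
base+(N-1) to async line (N-1), and every further NM-32A slot adds 32 ports.
"""
BASE_PORT = 3000       # ip ssh port 3000 rotary 1 99
PORTS_PER_CARD = 32    # NM-32A has async lines 0..31
MAX_ROTARY = 99        # highest rotary group bound by 'ip ssh port ... rotary 1 99'


def rotary_group(slot: int, line: int) -> int:
    """Rotary group number to configure on line <slot>/<line> (slots are 1-based)."""
    if not 0 <= line < PORTS_PER_CARD:
        raise ValueError(f"NM-32A lines are 0..{PORTS_PER_CARD - 1}, got {line}")
    group = (slot - 1) * PORTS_PER_CARD + line + 1
    if group > MAX_ROTARY:
        # A fourth card would need rotary 97..128, beyond the 1..99 range bound to SSH.
        raise ValueError(f"rotary {group} exceeds the bound range 1..{MAX_ROTARY}")
    return group


def tcp_port(slot: int, line: int, base: int = BASE_PORT) -> int:
    """TCP port on the loopback that reaches async line <slot>/<line>."""
    return base + rotary_group(slot, line) - 1


def line_config(slot: int, descriptions: dict) -> str:
    """Render the 'line s/n ... rotary N' stanzas for one card.

    descriptions maps line number -> device description; unlisted lines stay UNUSED.
    """
    out = []
    for line in range(PORTS_PER_CARD):
        out.append(f"line {slot}/{line}")
        out.append(f" location <<< {descriptions.get(line, 'UNUSED')} >>>")
        out.append(f" rotary {rotary_group(slot, line)}")
    return "\n".join(out)


def host_aliases(slot: int, names: dict, loopback_ip: str, base: int = BASE_PORT) -> str:
    """Render 'ip host <name> <port> <loopback>' so 'ssh <name>' needs no port flag."""
    return "\n".join(
        f"ip host {name} {tcp_port(slot, line, base)} {loopback_ip}"
        for line, name in sorted(names.items())
    )


if __name__ == "__main__":
    # Constructed sample: two devices on the card in slot 2, rest unused.
    devices = {0: "core-sw1", 5: "fw-edge1"}
    print(host_aliases(2, devices, "192.0.2.1"))
    print(line_config(2, devices))
```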