Most often we will use a rollover cable (serial-to-VGA) plugged into a VGA-to-USB adapter.
To set a simple password the old fashioned way:
R1> enable
R1# configure terminal
R1(config)# enable password Cisco
As said before, this is the old fashioned way of doing things and should never be used in anything but really old Cisco gear. Why? Because it is extremely insecure:
R1(config)# do show running-config | section password
no service password-encryption
enable password Cisco
We see that the password is saved in plain text and viewable in the current device configuration. If we are unfortunate enough to work with old Cisco gear, the least we can do is to encrypt (with mode 7) the current and future passwords:
R1(config)# service password-encryption
R1(config)# do show running-config | section password
service password-encryption
enable password SE#C#cd$VDS#$
Even then, the encryption is weak and can be cracked in seconds with rainbow tables.
To set the password with proper encryption (mode 5):
R1(config)# enable secret CCNA
R1(config)# do show running-config | section secret
enable secret 5 $1$s6u8$.myG9YbZXWo8/V.UxwBRTQ
Now we can get rid of the old password:
R1(config)# no enable password
R1(config)# do show running-config | section password
service password-encryption
What we have done so far is protect access to privileged user level (and by extension to configuration mode). But without further action any user that connects to the device can still get usable information:
R1> show ?
access-lists List access lists
arp ARP table
cdp CDP information
clock Display the system clock
configuration Contents of Non-Volatile memory
controllers Interface controller status
flash display information about flash: file system
frame-relay Frame-Relay information
history Display the session command history
hosts IP domain-name, nameservers, and host table
interfaces Interface status and configuration
ip IP information
ipv6 IPv6 information
isdn ISDN information
mpls MPLS information
ntp Network time protocol
policy-map Show QoS Policy Map
sessions Information about Telnet connections
terminal Display terminal configuration parameters
users Display information about terminal lines
version System hardware and software status
To secure access to the console without usernames:
R1(config)# line console 0 /* configure the console of which there is only one! */
R1(config-line)# password whatever /* set the password */
R1(config-line)# login /* enforce the use of the password */
R1(config-line)# end /* exit and login again and you’ll be prompted for the password */
R1# exit /* log out; the next console login prompts for the password */
To do the same for specific users:
R1(config)# username marc password whatever /* set the user + password (a global command, not a line command) */
R1(config)# username marc secret whatever /* same but more secure! */
R1(config)# line console 0 /* configure the console of which there is only one! */
R1(config-line)# login local /* enforce the use of user + password */
R1(config-line)# end /* exit and login again and you’ll be prompted for user + password */
R1# exit /* log out; the next console login prompts for user + password */
Now when we login using the console we will have to first type the console password and then the password we set to protect privileged access (we set it to “CCNA” further up).
What about remote access to the device? To secure remote connections:
R1(config)# enable secret whatever /* remote access is disabled unless password/secret are locally enforced! */
R1(config)# user marc password whatever /* set the user + password */
R1(config)# access-list 1 permit host 10.1.1.5 /* create ACL to limit allowed hosts/networks */
R1(config)# ip ssh version 2 /* disallow SSHv1 ! */
R1(config)# line vty 0 15 /* configure the remote connection settings */
R1(config-line)# login local /* enforce the use of user + password */
R1(config-line)# exec-timeout 5 30 /* enforce inactivity timeout after 5 mins and 30 secs */
R1(config-line)# transport input telnet /* allow only telnet */
R1(config-line)# transport input ssh /* allow only ssh */
R1(config-line)# transport input telnet ssh /* allow both */
R1(config-line)# transport input all /* allow all protocols */
R1(config-line)# transport input none /* prevent remote connections */
R1(config-line)# access-class 1 in /* enforce ACL 1 (access-class is used only for vty lines)*/
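As an added example that is not part of the original post, here is a small Python audit over a running-config text that flags the weaknesses covered in the steps above: a clear-text or type 7 enable password, a missing enable secret, SSHv1 still allowed, and vty lines that accept telnet or lack login local, access-class or exec-timeout. The sample configuration is constructed, not captured from a device.

```python
# Constructed sample running-config (not captured from a real device): 'line vty 0 4'
# carries several of the weaknesses discussed above, 'line vty 5 15' is hardened.
SAMPLE_CONFIG = """\
no service password-encryption
enable password Cisco
line vty 0 4
 login
 transport input telnet ssh
line vty 5 15
 login local
 exec-timeout 5 30
 access-class 1 in
 transport input ssh
"""

def parse_config(text):
    """Split a running-config into global commands and per-'line' sections."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("line "):            # start of a line-mode section
            current = sections.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())        # indented command inside a section
        else:
            current = None
            globals_.append(raw.strip())       # global configuration command
    return globals_, sections

def audit(text):
    """Return findings as (severity, message) tuples; an empty list means clean."""
    globals_, sections = parse_config(text)
    has = lambda prefix, cmds: any(c.startswith(prefix) for c in cmds)
    checks = [
        ("no service password-encryption" in globals_, "medium", "service password-encryption is off"),
        (has("enable password", globals_), "high", "enable password present: type 0/7 is reversible, use enable secret"),
        (not has("enable secret", globals_), "high", "no enable secret: privileged mode is unprotected"),
        ("ip ssh version 2" not in globals_, "medium", "ip ssh version 2 not set: SSHv1 may be accepted"),
    ]
    for name, cmds in sections.items():
        if not name.startswith("line vty"):     # console lines carry no transport/ACL settings
            continue
        transport = " ".join(c for c in cmds if c.startswith("transport input"))
        checks += [
            (transport != "transport input ssh", "high", f"{name}: transport input not restricted to ssh"),
            ("login local" not in cmds, "high", f"{name}: login local not enforced"),
            (not has("access-class", cmds), "medium", f"{name}: no access-class, any host may connect"),
            (not has("exec-timeout", cmds), "low", f"{name}: no exec-timeout, idle sessions stay open"),
        ]
    return [(sev, msg) for bad, sev, msg in checks if bad]
```

Running audit(SAMPLE_CONFIG) reports eight findings, all of them against the global settings and 'line vty 0 4'; the hardened 'line vty 5 15' block produces none.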
To check if SSH is supported and enabled in our device:
R1# show ip ssh
SSH Disabled
To enable SSH:
R1(config)# ip domain name example.com /* FQDN needed for RSA key! */
R1(config)# crypto key generate rsa /* create RSA key and then decide on key bit size */
R1(config)# crypto key generate rsa modulus 2048 /* create RSA key with explicit key bit size */
To save the active settings (from privileged EXEC mode) we can use any of these:
R1# write
R1# write memory
R1# copy running-config startup-config
As we are bound to configure console and remote access in the initial steps, we can also add a few tweaks to make our lives easier.
The default IOS escape sequence is Ctrl-^x, or “control-shift-6, x”, as we can see from the output of show terminal:
R1# show terminal
Line 6, Location: "", Type: "xterm"
Length: 25 lines, Width: 120 columns
Baud rate (TX/RX) is 9600/9600
Status: PSI Enabled, Ready, Active, No Exit Banner, Automore On
Notify Process
Capabilities: none
Modem state: Ready
Special Chars: Escape Hold Stop Start Disconnect Activation
^^x none - - none
Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
never never none not set
…
For convenience we might want to switch it to the more common Ctrl+C which is ASCII character 3:
R1(config)# line vty 0 15
R1(config-line)# escape-character ?
BREAK Cause escape on BREAK
CHAR or Escape character or its ASCII decimal equivalent
DEFAULT Use default escape character
NONE Disable escape entirely
soft Set the soft escape character for this line
R1(config-line)# escape-character 3
Then we might want to increase the command history size from the paltry default of 10 to a higher number:
R1(config)# line vty 0 15
R1(config-line)# history size ?
Size of history buffer
R1(config-line)# history size 100
Another option is to disable paging and get rid of those annoying "--More--" lines:
R1# terminal length 0
When we are in user or privileged mode and mistype a command, the default action is to try to telnet to a host with that name. If DNS lookup is enabled this might result in a long wait before we get our prompt back. To avoid that we should disable the default action of telnetting…
R1(config-line)# transport preferred none
… and we can also disable DNS resolution if we do not intend to use it:
R1(config)# no ip domain-lookup /* global command, not a line command */
Another annoying default of IOS is to send log messages to our terminal asynchronously. That very often mangles the command we are typing or the output we are reading. To get rid of that:
R1(config-line)# logging synchronous
And to finish it off, a security must is to set up an idle time after which the terminal is locked and a password is requested again. To set that idle time to 5 minutes and 0 seconds:
R1(config-line)# exec-timeout 5 0