By using SSH tunneling you can get secure access to internal resources without a VPN setup. With SSH tunneling a network engineer can remotely access a customer's network or his own.

What can be done to enable remote management in a secure manner? Build a “Jump” server; this is a stepping-stone solution. For the “Jump” server you can use a variety of operating systems, like Windows or a Linux distribution that is capable of hosting an SSH server. I myself prefer to use a Linux distribution, like Debian or Ubuntu. Examples of an SSH service are OpenSSH on Linux and Cygwin on Windows.

In this post the following will be explained:

  • How to set up an SSH session with a tunnel with PuTTY,
  • How to set up an SSH session with a tunnel with Plink.

Requirements

To make a setup with a “Jump” server work, it needs to have the following:

  • The “Jump” server must be reachable from the location you want to connect from,
  • The “Jump” server must be able to connect to the target equipment.

Note

When making an SSH service accessible from the internet, be sure to do this as securely as possible. Strip the server of all non-essential services; this keeps the attack surface as small as possible. Make the authentication as strong as possible: for example, use a two-factor authentication mechanism and strong passwords; it is also possible to use tokens.

Setup an SSH session with a tunnel

First you need to set up a normal SSH session with a preconfigured SSH tunnel. I will show you an example with PuTTY (GUI) and with Plink (CLI).

Setup an SSH tunnel with PuTTY

To do this you need to have PuTTY; after that, open PuTTY. To set up a new SSH session do the following:
(Screenshot: Cisco ASDM over SSL tunnel - PuTTY config 1)

Fill in the following fields correctly:

  • Host name or IP address
    This is the IP address or DNS name where the “Jump” server can be reached.
  • Port
    This is the destination port on which the SSH server is listening; typically this is TCP port 22.
  • Saved Sessions (Optional)
    Without filling this in you can connect to the remote host by pressing “Open”, but after PuTTY has been shut down or the session is closed, the destination will no longer be listed. You can save a server; to identify it you need to give it a name, which has only local significance.

To configure a tunnel to be used within this SSH session do the following:
(Screenshot: Cisco ASDM over SSL tunnel - PuTTY config 2)

Go to Connection –> SSH –> Tunnels

Fill in the following fields correctly:

  • Source port
    This is the port that will be opened locally; traffic sent to it is redirected through the SSH session to the remote host.
  • Destination
    This is the remote host; it consists of two components, <Destination IP>:<Destination Port>.

After the connection has been set up, it is possible to connect from the client to 127.0.0.1 on TCP/<Port>. The traffic is forwarded by the SSH client to the SSH server, and from there it is sent to the destination IP address on the specified port.

Setup an SSH tunnel with Plink

To do this you need to have Plink.
The advice is to put “Plink.exe” in the C:\Windows\System32\ folder, so you will be able to access it more easily from the command line.

PuTTY Link: command-line connection utility
Release 0.62
Usage: plink [options] [user@]host [command]
(“host” can also be a PuTTY saved session name)

Options:
-V print version information and exit
-pgpfp print PGP key fingerprints and exit
-v show verbose messages
-load sessname Load settings from saved session
-ssh -telnet -rlogin -raw -serial
force use of a particular protocol
-P port connect to specified port
-l user connect with specified username
-batch disable all interactive prompts

The following options only apply to SSH connections:
-pw passw login with specified password
-D [listen-IP:] listen-port
Dynamic SOCKS-based port forwarding
-L [listen-IP:] listen-port:host:port
Forward local port to remote address
-R [listen-IP:] listen-port:host:port
Forward remote port to local address
-X -x enable / disable X11 forwarding
-A -a enable / disable agent forwarding
-t -T enable / disable pty allocation
-1 -2 force use of particular protocol version
-4 -6 force use of IPv4 or IPv6
-C enable compression
-i key private key file for authentication
-noagent disable use of Pageant
-agent enable use of Pageant
-m file read remote command(s) from file
-s remote command is an SSH subsystem (SSH-2 only)
-N don’t start a shell/command (SSH-2 only)
-nc host:port open tunnel in place of session (SSH-2 only)
-sercfg configuration-string (e.g. 19200,8,n,1,X)
Specify the serial configuration (serial only)

To setup a tunneling connection execute the following command:

plink.exe -v -x -a -T -C -noagent -ssh -L 127.0.0.1:<Port>:<Destination IP>:<Destination Port> <username>@<SSH server>

The command sets up an SSH connection to <SSH server> using username <username>. All connections from the client to 127.0.0.1 on TCP/<Port> are forwarded by the SSH client to the SSH server, and from there they are sent to the destination IP address on the specified port. You can add more tunnel statements too, by simply adding another -L option, as shown below.

plink.exe -v -x -a -T -C -noagent -ssh -L 127.0.0.1:<Port>:<Destination IP>:<Destination Port> -L 127.0.0.1:<Random Port>:<Destination IP>:<Destination Port> <username>@<SSH server>

Example:

plink.exe -v -x -a -T -C -noagent -ssh -L 127.0.0.1:5443:192.168.1.100:443 -L 127.0.0.1:5444:192.168.1.200:443 test@1.2.3.4
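To make the forwarding behaviour of the two -L tunnels above concrete, here is an added illustration (not code from the post, and not PuTTY's own code). It parses the [listen-IP:]listen-port:host:port options from the example command line exactly as Plink reads them, and then reproduces the data path with a plain TCP relay on localhost: a client connects to the local listener and its bytes arrive at the tunnel's destination. Assumptions: an omitted listen-IP defaults to 127.0.0.1 (PuTTY's default), the SSH hop itself is replaced by an in-process relay, the destinations 192.168.1.100:443 and 192.168.1.200:443 are stood in for by constructed echo servers, and the demo binds ephemeral ports rather than 5443/5444 so it cannot collide with a real tunnel on the machine.

```python
"""Added illustration of Plink's -L (local port forwarding) semantics."""
from __future__ import annotations
import socket
import threading
from dataclasses import dataclass

# The post's own two-tunnel example, split into argv-style tokens.
EXAMPLE_CMD = ("plink.exe -v -x -a -T -C -noagent -ssh "
               "-L 127.0.0.1:5443:192.168.1.100:443 "
               "-L 127.0.0.1:5444:192.168.1.200:443 test@1.2.3.4").split()


@dataclass(frozen=True)
class LocalForward:
    listen_ip: str
    listen_port: int
    dest_host: str
    dest_port: int


def parse_local_forward(spec: str) -> LocalForward:
    """Parse one -L value: [listen-IP:]listen-port:host:port."""
    parts = spec.split(":")
    if len(parts) == 3:                 # listen-IP omitted: assumed loopback
        listen_ip, (listen_port, host, port) = "127.0.0.1", parts
    elif len(parts) == 4:
        listen_ip, listen_port, host, port = parts
    else:
        raise ValueError(f"bad -L spec: {spec!r}")
    lp, dp = int(listen_port), int(port)
    if not (0 < lp < 65536 and 0 < dp < 65536):
        raise ValueError(f"port out of range in -L spec: {spec!r}")
    return LocalForward(listen_ip, lp, host, dp)


def local_forwards_from_argv(argv: list[str]) -> list[LocalForward]:
    """Collect every -L option (in order) from a plink-style argument list."""
    found, it = [], iter(argv)
    for arg in it:
        if arg == "-L":
            value = next(it, None)
            if value is None:
                raise ValueError("-L given without a value")
            found.append(parse_local_forward(value))
    return found


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_listener(bind_addr: tuple[str, int]) -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(bind_addr)
    s.listen()
    return s


def start_local_forward(listener: socket.socket, dest_addr: tuple[str, int]) -> None:
    """The SSH client's side of -L: accept on the local listener and relay each
    connection to dest_addr. In real Plink this hop travels inside the SSH
    session and the SSH server makes the final TCP connection."""
    def serve() -> None:
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            dest = socket.create_connection(dest_addr)
            threading.Thread(target=_pump, args=(client, dest), daemon=True).start()
            threading.Thread(target=_pump, args=(dest, client), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()


def start_fake_destination(tag: bytes) -> socket.socket:
    """Constructed stand-in for a destination host: answers tag + request."""
    srv = start_listener(("127.0.0.1", 0))
    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(tag + conn.recv(4096))
    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo(argv: list[str]) -> dict[str, bytes]:
    """Send one request through each -L tunnel and return the replies keyed by
    the listen address Plink would have used."""
    replies: dict[str, bytes] = {}
    for fwd in local_forwards_from_argv(argv):
        dest = start_fake_destination(f"{fwd.dest_host}:{fwd.dest_port} says: ".encode())
        listener = start_listener((fwd.listen_ip, 0))   # Plink: fwd.listen_port
        start_local_forward(listener, dest.getsockname())
        with socket.create_connection(listener.getsockname()) as c:
            c.sendall(b"GET / HTTP/1.0\r\n\r\n")         # constructed request
            c.shutdown(socket.SHUT_WR)
            reply = b""
            while chunk := c.recv(4096):
                reply += chunk
        replies[f"{fwd.listen_ip}:{fwd.listen_port}"] = reply
    return replies


if __name__ == "__main__":
    for listen, reply in demo(EXAMPLE_CMD).items():
        print(listen, "->", reply)
```

Each local listener is tied to exactly one destination, which is why the example command needs a separate -L (and a separate local port) per target device; a client that connects to 127.0.0.1:5443 can only ever reach 192.168.1.100:443.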

When you need to run a command like this more often, it saves a lot of time to put it in a batch script. After executing the script you will be prompted for the password of that account.

@echo off
plink.exe -v -x -a -T -C -noagent -ssh -L 127.0.0.1:5443:192.168.1.100:443 -L 127.0.0.1:5444:192.168.1.200:443 test@1.2.3.4
