• Status: Solved
  • Priority: Medium
  • Security: Public

configuring terminal server/access server .. basic idea ?

Hi there,

I have about 9 Cisco networking devices, including PIX firewalls, Cisco routers & switches. I want to develop a solution where, in case of a network outage, I or my team members can remotely access the devices from my home without having to rush to the colocation. Now, I remember from CCNA about the AUX port in the routers used for access over the WAN through a modem. But I think in that case I would need separate modems for each of those 9 devices, right? (Please correct me if I am wrong.)

I was having a read of this link
http://www.cisco.com/en/US/tech/tk801/tk36/technologies_configuration_example09186a008014f8e7.shtml

where it looks like a central device having console access to all the devices with only 1 modem required. I'm just trying to develop an understanding of how I am going to set this up so I'll break my questions into points.

1. I place this router (labelled Router 1 Terminal Server in the figure) outside the firewall and assign it a public IP, right? I do have a couple of spare IPs from my public IP pool, so I can use that.

2. I can't picture how I will connect the console port of this router to all the different consoles. Do I need to use something in between?

3. What specific modem do I need to use at my end for making a successful connection to the AUX port of this router? Similarly, what modem at the router (terminal server) end? Is it going to be an IP or non-IP solution?

4. What's the significance of this command?
ip host 3600-2 2013 172.21.1.1
Is it telling the terminal server router where it's connected to the different networking devices?

Sorry, but I am trying to get the picture clear to know if it's possible to implement this setup. What model is typically used for a terminal server? Is it an actual Cisco router or is it a dedicated appliance?

Thanks.
nabeel92
Asked:
1 Solution
 
kaciuba Commented:
It's a Cisco 2509 or 2511 access server, depending on how many units (8 or 16) you have. The 2509 has an ASYNC port at the back which you connect with an 8-port spider cable. This cable has a run to each of your routers' console ports. The command ip host 3600-2 2013 172.21.1.1 is what you put on the access server. It tells the access server there is a router out port 2013. Each leg of the spider cable has its own port. So essentially you are connecting from the access server out a designated port to a router's console port. Make sense?

Not sure about modem access. You could give the access server a public IP but beware if the access server is compromised, so are your routers. I would not recommend this.

nabeel92 Author Commented:
OK, the setup of the access server makes sense now!
Does it sit outside the firewall?

I understand the security bit, but then what do organizations do who have this kind of setup? I can put in a few ACLs/inspection rules but that's about it. What are my options then?

kaciuba Commented:
Security is a tough one.

Do you have a static IP address at home? If yes you could use a basic ACL to restrict traffic to only your public IP address.

Do you have a router/firewall at home? If yes you could set up a persistent VPN connection between the two devices. I *think* the 2509 has a security image.

If you are not too concerned about security and wanted to go with the public IP scenario, just set up SSH access to the access server with a complex password. Never use telnet across the web. It sends info in plain text. I never use telnet at all. SSH is the new standard.
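
Added example, not part of the thread or of Cisco's document: a small Python check over an access-server configuration for the two points discussed above, the port in the ip host entry and who is allowed to reach the lines. The sample config, the 203.0.113.25 address and the function names are constructed for illustration; the script assumes reverse-telnet ports of 2000 plus the line number and treats a line block with no inbound access-class as reachable from any source.

```python
import re

# Constructed sample (not from the thread): the ip host entry quoted in the
# question plus line settings of the kind the answers warn about.
SAMPLE = """\
ip host 3600-2 2013 172.21.1.1
access-list 10 permit 203.0.113.25
line 1 16
 no exec
 transport input telnet
line vty 0 4
 access-class 10 in
 transport input telnet ssh
"""

def host_lines(cfg):
    """Map 'ip host NAME PORT ADDR' to (async line, address).
    Reverse-telnet ports are 2000 + line number, so 2013 is line 13."""
    found = re.findall(r"^ip host (\S+) (\d+) (\S+)", cfg, re.M)
    return {name: (int(port) - 2000, addr) for name, port, addr in found}

def audit(cfg):
    """List 'line' blocks that are open to any source or still accept telnet."""
    hosts, findings = host_lines(cfg), []
    for header, body in re.findall(r"^line (.+)\n((?:[ \t]+.*\n?)*)", cfg, re.M):
        opts = [o.strip() for o in body.splitlines()]
        parts = header.split()
        if not any(re.fullmatch(r"access-class \S+ in", o) for o in opts):
            msg = f"line {header}: no inbound access-class"
            if parts[0].isdigit():  # async range: name the consoles behind it
                lo, hi = int(parts[0]), int(parts[-1])
                names = sorted(n for n, (ln, _) in hosts.items() if lo <= ln <= hi)
                msg += f" (consoles: {', '.join(names) or 'none mapped'})"
            findings.append(msg)
        allowed = [w for o in opts if o.startswith("transport input") for w in o.split()[2:]]
        if parts[0] == "vty" and (not allowed or {"telnet", "all"} & set(allowed)):
            findings.append(f"line {header}: telnet not disabled on vty")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample, the vty lines are restricted by source address but the async lines are not, so the console of 3600-2 is reported as unprotected even though management access looks locked down.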

nabeel92 Author Commented:
OK, thanks for the info.

In the picture I can't see an Ethernet port where I can connect it to the switch and assign it a public IP. There is a serial port but no Ethernet port? Does it mean it always has to be accessed via the modem connected to its serial port?

kaciuba Commented:
Good point. What type of access server do you actually have? These are old models. Or are you looking to purchase?

kaciuba Commented:
Or an alternative is to just get the ASYNC module and hook it in to one of your current routers and designate that device as the jump host. Check out eBay below...

http://shop.ebay.com/i.html?_kw=cisco%20async&_fcid=1&_localstpos=80027&_sc=1&_sop=15&_sticky=1&_stpos=80027&gbr=1

There is an 8 port for 69.95. Don't forget your spider cable.


nabeel92 Author Commented:
I'm looking to purchase.
Actually my reseller sent me a quote & it looks like it comes with an Ethernet port.

Item               Description                                        Quantity   Unit Price   Amount

CISCO2511          Ethernet, Dual Serial, 16-Async Router             1          $ 425.00     $ 425.00
NET-BRA-2500       RMB for Cisco -2500 Series                         1          $ 0.00       $ 0.00
CAB-OCTAL-ASYN     6FT 8 Lead Octal Cable (68 pin to 8 Male RJ-45s)   2          $ 0.00       $ 0.00
AUI-10 TRANS (N)   AUI-10 BaseT Transceiver                           1          $ 0.00       $ 0.00

nabeel92 Author Commented:
But in order for me to designate that router as an access server by using an async module, it needs to sit outside the firewall (or at least be independent of the existing network) coz then what's the point if it's sitting itself inside the network .. in case of an outage, I'll still be running to the colo then ...

kaciuba Commented:
That's not a bad price for an all-inclusive access server.

Yes, if you were going to designate a router you may have to adjust your topology. I'm not sure of all the particulars of the situation in regards to what outages you are protecting yourself from or what resources you have available in the colo. Based on everything you know now, what option sounds best to you? You are the expert after all.

nabeel92 Author Commented:
I am protecting myself from the fact that if anything in the colo goes down (firewall, router, power, etc.), I still have console access to the networking devices. End result, I can troubleshoot from home. I can put in the security settings to ensure only my public IP has access to it. In the end, I see a topology like this:

                        Access Server
                                  |
Internet Lnk 1<---> Switch 1 <----> PIX 1 <---->  Core Routers    <----> IP WAN <------> Branch Sites
                                                           |                        |
                                                DMZ Switches     LAN Switches

kaciuba Commented:
The problem with the 2500 range of routers is they are old and no longer supported. Latest IOS revision is 12.2! Really old. It may have exploitable security flaws in the IOS you can't do anything about.

It's a tough call dude, it really is. Putting a public IP on this access server which can console to all your devices just wouldn't get my business approval. Not only that but it looks like you can also hit the branch sites from this location.

Personally I wouldn't do it without a VPN and just deal with the rare downtime as it happens. If you have a firewall/router at home you should be able to set up a point-to-point VPN between yourself and the PIX no problem.

nabeel92 Author Commented:
Hmmm.. OK

Yes, VPN would have been the best solution but I don't have any networking appliance at home. Just have a laptop.

Between, I was having a chat with my colleague where he mentioned there are some other brands of access server that might work differently and may not pose as great a security threat as this one would in such a topology. We both aren't really sure either, so thought I'd ask you. As per my understanding, they all are supposed to work the same regardless of the brand. Or is there really any subtle difference?

kaciuba Commented:
hmm...I am not aware of any other brands of access server so couldn't really comment on any.

Good luck.