| File: | 150_using_aux0_for_rem_unix_console.txt |
|---|
To use a standard Cisco 25xx or 26xx router as a remote console access device, do the following:
You will need:
- access to a 25xx or 26xx router (enable level)
- a straight (green) serial line cable
1) Telnet to the router and go to enable mode:
# telnet 10.10.40.2
Trying 10.10.40.2...
Connected to 10.10.40.2.
Escape character is '^]'.
User Access Verification
Password:
sfo2600-01>ena
Password:
sfo2600-01#
2) Now that you have enable-level (privileged) access to the router, look at the current saved configuration:
sfo2600-01#sh conf
Using 1044 out of 29688 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sfo2600-01
!
enable secret 5 $1$wFmq$pq14zHDYXjt.qmM.nt92t.
enable password 7 0758711C0D1B181104
!
ip subnet-zero
no ip source-route
ip name-server 10.10.10.168
!
.
.
.
line con 0
transport input none
line aux 0
transport input all
line vty 0 4
password 7 0940410E1806020653
login
!
end
3) We will be adding the ability to connect to the aux 0 device (i.e. the auxiliary console port).
Enter configuration mode, and type in the following configuration information:
sfo2600-01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
sfo2600-01(config)#line aux 0
sfo2600-01(config-line)# no exec
sfo2600-01(config-line)# exec-timeout 0 0
sfo2600-01(config-line)# disconnect-character 29
sfo2600-01(config-line)# login
sfo2600-01(config-line)# data-character-bits 7
sfo2600-01(config-line)# transport preferred telnet
sfo2600-01(config-line)# transport input telnet
sfo2600-01(config-line)# transport output telnet
sfo2600-01(config-line)# autohangup
sfo2600-01(config-line)# stopbits 1
sfo2600-01(config-line)# flowcontrol hardware
sfo2600-01(config-line)#^Z
sfo2600-01#write mem
Building configuration...
sfo2600-01#
4) At this point the line is available for anyone to use.
This is not what we are looking for, so we will add password
authentication and an access list for connecting to the port.
Standard access lists take a wildcard (inverse) mask, not a netmask, so a
single host is matched with 0.0.0.0; a mask of 255.255.255.255 would match
every address.
First the access list, then the password:
sfo2600-01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
sfo2600-01(config)#access-list 1 permit 208.19.64.253 0.0.0.0
sfo2600-01(config)#access-list 1 deny any
sfo2600-01(config)#line aux 0
sfo2600-01(config-line)#access-class 1 in
sfo2600-01(config-line)#password (enter cleartext password here)
sfo2600-01(config-line)#^Z
sfo2600-01#write mem
Building configuration...
sfo2600-01#
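The mask on the permit entry decides whether one host or every host can reach the line. The following added example (not part of the original document; the function names and the 192.0.2.10 test address are illustrative assumptions) evaluates a standard access list the way IOS does, with wildcard 1-bits treated as "don't care":

```python
import ipaddress

ALL_BITS = 0xFFFFFFFF

# Constructed samples using the management host from step 4.
NETMASK_STYLE = """\
access-list 1 permit 208.19.64.253 255.255.255.255
access-list 1 deny any
"""
WILDCARD_STYLE = """\
access-list 1 permit 208.19.64.253 0.0.0.0
access-list 1 deny any
"""

def parse_standard_acl(text):
    """Parse 'access-list N permit|deny SRC [WILDCARD]' into tuples."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        if tok[3] == "any":
            addr, wild = 0, ALL_BITS
        else:
            addr = int(ipaddress.IPv4Address(tok[3]))
            # A missing mask means an exact host match (wildcard 0.0.0.0).
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((tok[2], addr, wild))
    return entries

def acl_permits(entries, source_ip):
    """First match wins; anything unmatched hits the implicit deny."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wild in entries:
        care = ~wild & ALL_BITS  # wildcard 1-bits are "don't care"
        if (ip & care) == (addr & care):
            return action == "permit"
    return False

def permits_everyone(entries):
    """Permit entries whose wildcard ignores all 32 address bits."""
    return [e for e in entries if e[0] == "permit" and e[2] == ALL_BITS]
```

Run `permits_everyone()` over the access list applied to the aux line; an empty result means no permit entry is open to all sources.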
5) To test the configuration, connect the console port on the Sun box to the
aux 0 port on the back of the router. If there is nothing connected to the
aux 0 port, it will be possible to connect to it, but the port will need
resetting before it can be used (more on this later).
To determine the correct port to telnet to, issue the show line command and look for the aux 0 port:
sfo2600-01#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      1       0     0/0       -
    65 AUX   9600/9600  -    -      -    -    -      2       0     0/0       -
*   66 VTY              -    -      -    -    -      7       0     0/0       -
    67 VTY              -    -      -    -    -      0       0     0/0       -
    68 VTY              -    -      -    -    -      0       0     0/0       -
    69 VTY              -    -      -    -    -      0       0     0/0       -
    70 VTY              -    -      -    -    -      0       0     0/0       -
Line(s) not in async mode -or- with no hardware support:
1-64
sfo2600-01#
Here we see the tty for the aux port is 65. On a 2511 router you may
expect 01. The port that you telnet to is 2000 + the number above. In this
case you would telnet to port 2065 and present the password set in step 4:
gilgamesh:/home/scampbell> telnet 10.10.40.2 2065
Trying 10.10.40.2...
Connected to 10.10.40.2.
Escape character is '^]'.
User Access Verification
Password:
Password OK
rom-firewall console login: root
Password:
Last login: Sat Feb 26 14:43:38 from sfo-firewall
Feb 28 14:33:37 rom-firewall login: ROOT LOGIN /dev/console
Sun Microsystems Inc. SunOS 5.7 Generic October 1998
YOU ARE SUPERUSER!
rom-firewall:console>
You can telnet to any IP address on the router - it is the port that is important.
6) Problems -
There are two major problems that you may face after the console connect works.
The first involves the aux port locking up. The second involves changing the
access control list for port access.
If you telnet to the port and get a connection refused error message,
then there is either a problem with the port or another user currently has a
console session. If you know that there is nobody using the console, try the
following. Log in to the router and go to enable mode. Then look to see what
'lines' are in use:
# telnet 10.10.40.2
Trying 10.10.40.2...
Connected to 10.10.40.2.
Escape character is '^]'.
User Access Verification
Password:
sfo2600-01>ena
Password:
sfo2600-01#
sfo2600-01#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0       -
*   65 AUX   9600/9600  -    -      -    -    -      1       0     0/0       -
*   66 VTY              -    -      -    -    -      6       0     0/0       -
    67 VTY              -    -      -    -    -      0       0     0/0       -
    68 VTY              -    -      -    -    -      0       0     0/0       -
    69 VTY              -    -      -    -    -      0       0     0/0       -
    70 VTY              -    -      -    -    -      0       0     0/0       -
Line(s) not in async mode -or- with no hardware support:
1-64
sfo2600-01#
Note here that the 'AUX' port has a '*' next to it. This means that
the port is in use. To clear it, issue the clear line aux 0 command:
sfo2600-01#clear line aux 0
[confirm]y [OK]
sfo2600-01#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      1       0     0/0       -
    65 AUX   9600/9600  -    -      -    -    -      2       0     0/0       -
*   66 VTY              -    -      -    -    -      7       0     0/0       -
    67 VTY              -    -      -    -    -      0       0     0/0       -
    68 VTY              -    -      -    -    -      0       0     0/0       -
    69 VTY              -    -      -    -    -      0       0     0/0       -
    70 VTY              -    -      -    -    -      0       0     0/0       -
Line(s) not in async mode -or- with no hardware support:
1-64
sfo2600-01#
Note that the AUX line is not currently in use.
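The show line output carries everything needed to check the aux line from a script: the tty number (and so the telnet port from step 5), the '*' in-use marker, and the AccI column, which holds the inbound access list number once access-class is applied. The following added example (not part of the original document; function names are illustrative, and the second sample is constructed) parses that output and reports a busy line or a missing inbound access class:

```python
REVERSE_TELNET_BASE = 2000  # step 5: TCP port = 2000 + tty number

# Abridged from the step 6 "sh line" output on this page (AUX line busy).
BUSY = """\
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
0 CTY - - - - - 0 0 0/0 -
* 65 AUX 9600/9600 - - - - - 1 0 0/0 -
* 66 VTY - - - - - 6 0 0/0 -
"""
# Constructed variant: AUX idle, access-class 1 applied inbound.
GUARDED = """\
0 CTY - - - - - 1 0 0/0 -
65 AUX 9600/9600 - - - - 1 2 0 0/0 -
"""

def parse_show_line(output):
    """Return one dict per line row; Tx/Rx is blank for CTY/VTY rows."""
    rows = []
    for raw in output.splitlines():
        text = raw.strip()
        tok = text.lstrip("*").split()
        if len(tok) not in (11, 12) or not tok[0].isdigit():
            continue  # header, prompt, or trailer line
        acc_in = tok[-5]  # AccI: inbound access list number, "-" if none
        rows.append({
            "tty": int(tok[0]),
            "type": tok[1],
            "in_use": text.startswith("*"),
            "acc_in": None if acc_in == "-" else int(acc_in),
            "port": REVERSE_TELNET_BASE + int(tok[0]),
        })
    return rows

def audit_aux(output):
    """Return (aux_row, findings) for the first AUX line in the output."""
    aux = next(r for r in parse_show_line(output) if r["type"] == "AUX")
    findings = []
    if aux["in_use"]:
        findings.append("busy: port %d refuses new sessions" % aux["port"])
    if aux["acc_in"] is None:
        findings.append("no inbound access-class shown on tty %d" % aux["tty"])
    return aux, findings

if __name__ == "__main__":
    for name, sample in (("BUSY", BUSY), ("GUARDED", GUARDED)):
        print(name, audit_aux(sample))
```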
To change the access list, you first remove the access list from the
interface/line, replace the access list, then put the access list back on to
the incoming connections.