In my previous employment, I was spoiled for remote access solutions. Back in the day I implemented Cisco AS5800 dialin boxes, then Cisco VPN3000 concentrators, then replaced those with ASAs when the 3000s went EoL. Imagine my dismay when my new employer had no remote access and made extensive use of port forwarding, even for some critical infrastructure. I have mostly rectified that situation now with a pair of small ASAs, but I ran into another challenge for remote access to my home when building my new CCIE home rack.
For various reasons, my host OS of choice was Windows 7 (settle down, all you Linux and Mac fans). I wanted to be able to connect directly to my switches and simulated routers without using RDP or something similar, or doing port forwarding for every open port. I have an eBay-sourced 5505 ASA, but since I use that unit for testing and training, I didn’t want to use it “in production” in my home office. So what to do?
I came up with a simple solution which had a significant benefit in that it was free, and only required a single port-forward. Everyone is familiar with PuTTY as a console and SSH client, but the tunneling functionality that is included was exactly what I needed. At the server end, I installed Bitvise’s WinSSHD, which is free for personal use. For the purposes of this demonstration, I used the following layout.
Next, I installed WinSSHD. I basically accepted the defaults, authenticating using the local Windows accounts. The only change you may want to make is to ensure the Windows firewall is opened for the appropriate port (TCP 22 by default), as in the following screenshot. Since this listener is reachable from the Internet through the router port-forward, it is worth going a little beyond the defaults: limit logins to the one account you will tunnel with, and prefer public-key over password authentication (Bitvise supports both), so the exposed port is not simply a password brute-force target against your Windows accounts.
OK, now you have your SSH server and a port-forward, and you can check in the WinSSHD sessions tab that you can make a connection.
That is about all you need to do on the server side. Next, we have to configure PuTTY. What we do here is assign a port on the local host that PuTTY will listen on; anything that connects to that port is passed down the tunnel, and WinSSHD delivers it to the remote host and port you specify, so the destination port must be the one the remote service actually listens on. My remote breakout switch has the IP address 172.16.1.1, so to SSH to that host over the tunnel I add a local port (in this case 2222) and point that at 172.16.1.1:2222. I also added a port forward for Windows RDP to the PC hosting SSHD: localhost:3399 to 192.168.1.95:3389. A tip here: I tried initially using localhost:3390, but that fails due to some Microsoft reason I don’t care to investigate, so don’t use 3390. Leave PuTTY’s “Local ports accept connections from other hosts” box unchecked (the default), so the listeners bind to 127.0.0.1 only and nothing else on the network you are sitting on can ride your tunnel.
Save your session and connect. Once logged in to the SSH session, fire up another PuTTY instance and SSH to localhost:2222, and you are connected to the internal switch over the SSH tunnel. The forwards exist only while that first session stays open, so leave it running.
Once the session is established, you can verify that there is a client-forwarding session in the WinSSHD control panel.
While we’re at it, let’s RDP to the host over the tunnel using localhost:3399.
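The tunnel configuration above is easy to get subtly wrong in the GUI (wrong destination port, a forward that listens on all interfaces, the 3390 trap), so here is the same setup expressed as data, with a check on each forward, that emits a PuTTY session as a .reg fragment and the equivalent OpenSSH and plink command lines. This is an added example, not code from the article or from PuTTY or Bitvise. The hostname home.example.net and the account name lab are placeholders; the switch forward assumes its SSH server listens on the standard port 22.

```python
"""Added example: the article's PuTTY tunnels as data, emitted as a PuTTY session
(.reg fragment) and as OpenSSH / plink command lines. Not the article's own code."""

# Constructed placeholders (assumptions, not from the article): the WinSSHD box is
# reached through the single router port-forward under this name and account.
SSH_HOST = "home.example.net"
SSH_PORT = 22
SSH_USER = "lab"

# (local_port, remote_host, remote_port). PuTTY listens on localhost:local_port and
# WinSSHD delivers each tunnelled connection to remote_host:remote_port.
FORWARDS = [
    (2222, "172.16.1.1", 22),      # breakout switch; assumes its SSH server is on 22
    (3399, "192.168.1.95", 3389),  # RDP to the WinSSHD host itself
]

# Local ports the article found unusable for the RDP forward (mstsc against localhost:3390).
AVOID_LOCAL_PORTS = {3390}


def validate_forward(local_port, remote_host, remote_port):
    """Reject forwards that cannot work before they reach PuTTY or ssh."""
    for p in (local_port, remote_port):
        if not 1 <= int(p) <= 65535:
            raise ValueError(f"port out of range: {p}")
    if local_port in AVOID_LOCAL_PORTS:
        raise ValueError(f"local port {local_port} is known not to work for RDP on loopback")
    if not remote_host or any(c.isspace() for c in remote_host):
        raise ValueError(f"bad remote host: {remote_host!r}")
    return True


def putty_port_forwardings(forwards):
    """PuTTY stores the whole Tunnels page in one registry string:
    L<local_port>=<host>:<remote_port> entries separated by commas."""
    for f in forwards:
        validate_forward(*f)
    return ",".join(f"L{lp}={rh}:{rp}" for lp, rh, rp in forwards)


def putty_session_reg(name, host, port, user, forwards):
    """A .reg fragment for HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\\<name>.
    LocalPortAcceptAll=0 keeps the forward listeners on 127.0.0.1 only (PuTTY's default)."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\{name}]",
        f'"HostName"="{host}"',
        f'"PortNumber"=dword:{port:08x}',
        '"Protocol"="ssh"',
        f'"UserName"="{user}"',
        f'"PortForwardings"="{putty_port_forwardings(forwards)}"',
        '"LocalPortAcceptAll"=dword:00000000',
    ]
    return "\n".join(lines) + "\n"


def openssh_command(host, port, user, forwards):
    """Same tunnels with OpenSSH: -N opens no shell, and each -L is bound to 127.0.0.1."""
    for f in forwards:
        validate_forward(*f)
    opts = " ".join(f"-L 127.0.0.1:{lp}:{rh}:{rp}" for lp, rh, rp in forwards)
    return f"ssh -N {opts} -p {port} {user}@{host}"


def plink_command(host, port, user, forwards):
    """PuTTY's command-line client; note that plink takes the server port as -P."""
    for f in forwards:
        validate_forward(*f)
    opts = " ".join(f"-L {lp}:{rh}:{rp}" for lp, rh, rp in forwards)
    return f"plink -N {opts} -P {port} {user}@{host}"


if __name__ == "__main__":
    print(putty_session_reg("home-lab", SSH_HOST, SSH_PORT, SSH_USER, FORWARDS))
    print(openssh_command(SSH_HOST, SSH_PORT, SSH_USER, FORWARDS))
    print(plink_command(SSH_HOST, SSH_PORT, SSH_USER, FORWARDS))
```

Importing the generated .reg file creates a saved session named home-lab that loads in PuTTY with the Tunnels page already filled in; the plink line is the same session without the GUI, handy for scripting from a Windows box, and the ssh line is what to type from a Linux or Mac client against the same WinSSHD server.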
By no means have I gone through all of the functions available using PuTTY and WinSSHD, and neither would I advocate using this in a production environment; it is not nearly as fully featured as a full-on VPN client-server environment, and you need to configure things on an app-by-app basis (PuTTY’s dynamic SOCKS forwarding takes some of that pain away for SOCKS-aware clients, but it is still not a VPN). However, for a quick implementation that is free, relatively secure (the only exposed surface is one SSH listener, so the whole thing is exactly as strong as that SSH login) and means you only need to add in one port forward on your router, I would certainly give this a thumbs up. Now, instead of a bloated screen-based remote session to connect to my switches and simulated routers, all I need is to set up port forwarding for all the SSH sessions I need.
I then configured SSH Autotunnel to connect to my host with the same port forwardings.
And using ConnectBot for SSH and the 2X Client for RDP, I can also access my services remotely using my tablet.