
Using SSH tunneling on Juniper devices with Junos

Since the Junos operating system uses the standard ssh daemon, I assumed that ssh tunnels (port forwarding) would work on it too. Although I could not find any mention of such a use of switches, routers or firewalls in the documentation, it does work. Moreover, ssh tunnels are enabled by default.

Here is an example that shows where this can be useful.

Suppose that, somewhere on a remote site, a new 3COM 3C16475CS switch has been connected to a Juniper EX series switch under your control, and the task is to get management access to that 3COM switch.

From the 3C16475CS documentation it turned out that, on first power-up, the device uses the “Automatic IP Configuration” procedure to assign itself an IP address from the 169.254.x.y/16 network, where x and y are the last two bytes of the device's MAC address. Since no routing is configured on the device (indeed, how could it know which host on that network is a router to other networks?), you can connect to the assigned address only from a host that has an IP address in the same network.
For clarity, here is an explanatory diagram.


The first thing we need to do is add an additional IP address belonging to the 169.254.0.0/16 network as a second address on the chosen L3 interface of the Juniper EX2200 switch.

Second, make sure that the chosen L3 interface and the port to which the 3COM 3C16475CS switch is connected belong to the same VLAN.

Here are the excerpts from the configuration relating to the first two points:
 adm@ex2200> show configuration interfaces vlan
 unit 0 {
     family inet {
         address 192.168.77.8/24 {
             primary;
         }
         address 169.254.20.20/16;
     }
 }

 adm@ex2200> show configuration vlans
 default {
     vlan-id 1;
     interface {
         ge-0/0/5.0;
     }
     l3-interface vlan.0;
 }

Third, on the administrator's workstation, we launch an ssh tunnel:
 > ssh -L 192.168.88.12:2000:169.254.1.2:80 192.168.77.8

Fourth, open the URL http://192.168.88.12:2000// in a browser to reach the management interface of the 3COM switch.
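The steps above can be captured in a small planning helper. This is an added example, not code from the original article: it derives the 3COM switch's self-assigned 169.254.x.y address from its MAC (the MAC and the workstation address below are constructed sample values), checks that the secondary address chosen for the Junos L3 interface actually lies in the same /16 and does not collide with the switch, and then prints the ssh -L command and URL in the form used above.

```python
import ipaddress
import re

# The 3C16475CS assigns itself 169.254.x.y/16, x and y being the last two MAC bytes.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def link_local_from_mac(mac: str) -> ipaddress.IPv4Address:
    """Return the address the switch picks for itself; accepts 00:1e:..., 00-1e-... or 001e.c1aa.0102."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    x, y = int(hexdigits[8:10], 16), int(hexdigits[10:12], 16)
    return ipaddress.IPv4Address(f"169.254.{x}.{y}")


def validate_secondary(secondary: str, target: ipaddress.IPv4Address) -> list:
    """Problems with the secondary address added to the Junos L3 interface (empty list = OK)."""
    addr = ipaddress.IPv4Address(secondary)
    problems = []
    if addr not in LINK_LOCAL:
        problems.append(f"{addr} is not in {LINK_LOCAL}; the switch has no route back to it")
    if addr == target:
        problems.append(f"{addr} collides with the switch's own address")
    return problems


def plan_tunnel(mac: str, junos_secondary: str, junos_mgmt: str,
                admin_ip: str, local_port: int, target_port: int = 80) -> dict:
    """Build the ssh -L command line and the browser URL for the tunnel."""
    target = link_local_from_mac(mac)
    problems = validate_secondary(junos_secondary, target)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "target": str(target),
        "ssh": f"ssh -L {admin_ip}:{local_port}:{target}:{target_port} {junos_mgmt}",
        "url": f"http://{admin_ip}:{local_port}/",
    }


if __name__ == "__main__":
    # Constructed sample: a MAC ending in ...:01:02 gives 169.254.1.2, as in the article.
    plan = plan_tunnel("00:1e:c1:aa:01:02", "169.254.20.20", "192.168.77.8",
                       "192.168.88.12", 2000)
    print(plan["ssh"])
    print(plan["url"])
```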

PS: Since we are talking about 3COM switches, I'll note that their documentation can be found on the HP website using the so-called "3Com product conversion tool".

PS1: This particular 3C16475CS model has one quirk that spoils the simplicity of the solution. After authenticating the user, the switch changes the location used for further work with the web interface, and that location contains the IP address the switch assigned to itself. The location is set in the “doCookie()” JavaScript function from the “sysIpAddress” variable. The workaround is as follows: once the login page has loaded, but before authenticating, open the browser's developer tools (for example, in IE9: Alt-X, F12 Developer Tools, Script), find that JavaScript function and variable, and assign the variable the IP address through which your browser reaches the ssh tunnel.

Source: https://habr.com/ru/post/135275/
