Tunneling sessions via Plink

René Jorissen on August 25, 2010 1 Comment • Tags: #plink #ssh #tunnel

Plink stands for PuTTY Link and is a command-line connection tool similar to Unix ssh. As a networking consultant I often need to support customers from remote locations. Access to their networking equipment is mostly blocked from unknown locations. Sometimes direct access to networking equipment, like a company firewall, is allowed from a known location. An example of such a known location is the public IP space of my company's headquarters.

But how can I support somebody if I am not at my company's headquarters? Most Unix people already know the answer to that question: SSH (Secure Shell) tunneling.

To create an SSH tunnel you need an SSH server and an SSH client. Most Unix servers can be configured as SSH servers by installing OpenSSH. There are also a lot of SSH server applications for the Windows platform. I configure and place the SSH server at my headquarters. Since the SSH server uses my company's "allowed" public IP space, the server can connect directly, if allowed, to the customer's equipment.

By using the SSH tunnel I use my company's SSH server as some kind of man-in-the-middle server. I connect to my company's SSH server via a remote SSH connection. I configure the connection to forward certain localhost connections from my laptop through the SSH tunnel and let the SSH server set up a new connection to the final destination by forwarding the traffic.

An example would be accessing a Cisco ASA firewall via ASDM from my laptop. First I create the SSH tunnel to my company's SSH server. I "tell" the connection to forward traffic sent to my localhost on port TCP/1234 to the SSH server, and the SSH server forwards the connection to the customer's firewall on port TCP/443. That means my laptop's ASDM application uses my company's public IP space to access the customer's firewall. Since my company's public IP space is allowed to access the customer's firewall, I can use ASDM on my laptop, even if I am at a completely different location.

I use Windows 7 as the operating system on my laptop, so for SSH tunneling I have to use a third-party application. I always use Plink, which I copy to the C:\Windows\system32 directory so I can run it from the command line. Plink can be configured with different parameters, as shown below:

PuTTY Link: command-line connection utility
Release 0.60
Usage: plink [options] [user@]host [command]
(“host” can also be a PuTTY saved session name)
Options:
-V        print version information and exit
-pgpfp    print PGP key fingerprints and exit
-v        show verbose messages
-load sessname  Load settings from saved session
-ssh -telnet -rlogin -raw
force use of a particular protocol
-P port   connect to specified port
-l user   connect with specified username
-batch    disable all interactive prompts
The following options only apply to SSH connections:
-pw passw login with specified password
-D [listen-IP:]listen-port
Dynamic SOCKS-based port forwarding
-L [listen-IP:]listen-port:host:port
Forward local port to remote address
-R [listen-IP:]listen-port:host:port
Forward remote port to local address
-X -x     enable / disable X11 forwarding
-A -a     enable / disable agent forwarding
-t -T     enable / disable pty allocation
-1 -2     force use of particular protocol version
-4 -6     force use of IPv4 or IPv6
-C        enable compression
-i key    private key file for authentication
-noagent  disable use of Pageant
-agent    enable use of Pageant
-m file   read remote command(s) from file
-s        remote command is an SSH subsystem (SSH-2 only)
-N        don’t start a shell/command (SSH-2 only)
-nc host:port
open tunnel in place of session (SSH-2 only)

The best way to use Plink is by creating a batch file, which can be run from the command-line. My batch file looks like this:

@echo off
plink.exe -v -x -a -T -C -noagent -ssh -L 127.0.0.1:1234:80.101.152.38:443 <username>@<IP SSH server>

The command configures an SSH connection to <IP SSH server> using username <username>. All connections from my laptop to 127.0.0.1 on TCP/1234 are forwarded by the SSH server to the remote IP address 80.101.152.38 on TCP/443. You can add more forwards to the batch file by just adding another -L option, as shown below.

@echo off
plink.exe -v -x -a -T -C -noagent -ssh -L 127.0.0.1:1234:80.101.152.38:443 -L 127.0.0.1:1235:1.1.1.1:22 <username>@<IP SSH server>

After executing the batch file, you will receive a login prompt to enter the user credentials for the SSH server. After entering the credentials you are ready to go. Just start ASDM or another application and connect to the localhost on port TCP/443 or TCP/22. The traffic will be forwarded through the SSH tunnel and from the SSH server to the final destination.
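As an added example (not the author's batch file), the following Python script assembles the same plink.exe invocation used above from a list of -L forward specs in plink's [listen-IP:]listen-port:host:port form, and rejects any listener that is not bound to loopback, since a forward bound to 0.0.0.0 would let other hosts on the laptop's network ride the tunnel into the customer's firewall. The username alice and SSH server 203.0.113.10 are constructed placeholders.

```python
"""Build and sanity-check a Plink local-forwarding command line (added example)."""
import ipaddress
from dataclasses import dataclass

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Forward:
    listen_ip: str
    listen_port: int
    host: str
    port: int

    def spec(self) -> str:
        return f"{self.listen_ip}:{self.listen_port}:{self.host}:{self.port}"


def parse_forward(spec: str) -> Forward:
    """Parse plink's [listen-IP:]listen-port:host:port; refuse non-loopback listeners."""
    parts = spec.split(":")
    if len(parts) == 3:
        # listen-IP omitted: plink's default is to accept local connections only
        parts = ["127.0.0.1"] + parts
    if len(parts) != 4:
        raise ValueError(f"bad forward spec: {spec!r}")
    listen_ip, lport, host, rport = parts
    fwd = Forward(listen_ip, int(lport), host, int(rport))
    for p in (fwd.listen_port, fwd.port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range in {spec!r}")
    if listen_ip != "localhost" and ipaddress.ip_address(listen_ip) not in LOOPBACK:
        raise ValueError(f"listener {listen_ip} is not loopback; tunnel would be reachable from the LAN")
    return fwd


def build_plink_cmd(user: str, ssh_server: str, forwards: list) -> list:
    """Same flags as the post: verbose, no X11/agent forwarding, no pty, compression, no Pageant."""
    cmd = ["plink.exe", "-v", "-x", "-a", "-T", "-C", "-noagent", "-ssh"]
    for spec in forwards:
        cmd += ["-L", parse_forward(spec).spec()]
    cmd.append(f"{user}@{ssh_server}")
    return cmd


if __name__ == "__main__":
    # Constructed sample: the two forwards from the post, one with listen-IP omitted
    print(" ".join(build_plink_cmd("alice", "203.0.113.10",
                                   ["127.0.0.1:1234:80.101.152.38:443", "1235:1.1.1.1:22"])))
```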

Of course you need to make some preparations to use this solution, like installing the SSH server and publishing it to the internet. You also need to have outbound SSH access from the remote location, otherwise you cannot create the SSH tunnel.

Since you are publishing a server to the internet, it is important to "strip" that server: make sure there are no vulnerable or unnecessary services running on it and always patch it to the appropriate level. It is also recommended to use some kind of two-factor authentication, like one-time passwords. That way you know you have a secure environment to access the assets at the final destination.

In the end you will have a secure environment with which you can support your customers or access other resources on the internet or on your internal network.
