topic Re: disabling telnet access in Network Access Control

disabling telnet access

nawas — Tue, 26 Mar 2019 00:24:00 GMT

I have disabled telnet access to my Cisco2948 and Cisco5609 (runing CATOS) but im still able to telnet, am i missing anything? here is my config

set ip permit enable ssh

set ip permit enable snmp

set ip permit 10.0.0.0 255.0.0.0 ssh

set ip permit 10.0.0.0 255.0.0.0 snmp

sh ip permit

Telnet permit list disabled.

Ssh permit list enabled.

Snmp permit list enabled.

Permit List Mask Access-Type

---------------- ---------------- -------------

10.0.0.0 255.0.0.0 ssh snmp

Re: disabling telnet access

Premdeep Banga — Fri, 17 Aug 2007 19:44:49 GMT

If you have already tried,

set ip permit disable telnet

Then something seems to be not correct.

Can you share sh ver?

Regards,

Prem

Re: disabling telnet access

nawas — Fri, 17 Aug 2007 19:52:54 GMT

Yes I did "set ip permit disable telnet " that's why it shows "telnet disabled" in show ip permit. Here is the show ver

From 6509:---------

sh ver

WARNING: This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and use.

Delivery of Cisco cryptographic products does not imply third-party authority

to import, export, distribute or use encryption. Importers, exporters,

distributors and users are responsible for compliance with U.S. and local

country laws. By using this product you agree to comply with applicable

laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

WS-C6506 Software, Version NmpSW: 8.5(2)

NMP S/W compiled on Dec 6 2005, 21:05:19

System Bootstrap Version: 7.7(1)

System Web Interface Version: Engine Version: 5.3.4 ADP Device: Cat6000 ADP Version: 8.0 ADK: 49

System Boot Image File is 'bootflash:cat6000-sup720cvk9.8-5-2.bin'

System Configuration register is 0x10f

From 4006:----

sh ver

WARNING: This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and use.

Delivery of Cisco cryptographic products does not imply third-party authority

to import, export, distribute or use encryption. Importers, exporters,

distributors and users are responsible for compliance with U.S. and local

country laws. By using this product you agree to comply with applicable

laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

WS-C4006 Software, Version NmpSW: 8.1(2)

From 2948:-

sh ver

WARNING: This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and use.

Delivery of Cisco cryptographic products does not imply third-party authority

to import, export, distribute or use encryption. Importers, exporters,

distributors and users are responsible for compliance with U.S. and local

country laws. By using this product you agree to comply with applicable

laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

WS-C2948 Software, Version NmpSW: 8.4(9)GLX

Re: disabling telnet access

Premdeep Banga — Fri, 17 Aug 2007 23:01:10 GMT

well I was not able to find anything on these versions to be specific. I wasn?t able to find anything wrong though, the way you have it setup. Until someone else can point us out.

But if you want you can get this thing to be investigated by TAC.

Regards,

Prem

Re: disabling telnet access

Jagdeep Gambhir — Sat, 18 Aug 2007 11:56:55 GMT

Hi Nawas,

This is how it works,

Command

Ip permit disable telnet---> Disables the use of a permit list.

You will need to enable the permit list and then define which IP addresses are allowed to

telnet to the switch.

If no IPs are defined then no telnet is possible.

So to disable telnet you need to enable it using---> Ip permit enable telnet

Now do not define any IP address for telnet. That way no one would be able to telnet to it.

Also to limit telnet access on the CAT OS you need to define who is permitted to telnet to

the device.

Eg,

set ip permit telnet

This creates a permit list. Once you do this you can enable the list to be processed by

the switch

set ip permit enable telnet

This tells the switch to only allow telnet for IP addresses defined in the permit list.

Hope that helps !

Regards,

~JG

Re: disabling telnet access

Premdeep Banga — Sun, 19 Aug 2007 11:14:18 GMT

JG is right,

unconventional, but this is how it works!

@JG : Great work TSing 😉

Regards,

Prem

Re: disabling telnet access

nawas — Mon, 20 Aug 2007 12:51:12 GMT

This is exactly I have configured my devices but still have no luck. To note that I had telnet enabled at some point now I want to disable telnet. I even tried ripping the whole permit list configureation and disabling permit list and enabling it but still no luck. Guess I will have to open a TAC case.

Re: disabling telnet access

Jagdeep Gambhir — Mon, 20 Aug 2007 20:05:49 GMT

Hey Nawas,

Please mark this thread resolved , so other can benefit from it 😉

Regards,

~JG

Re: disabling telnet access

pdquan001 — Fri, 24 Aug 2007 14:18:53 GMT

Have you opened a TAC case? What is the resolution if you don't mind to share?

Thanks,

Re: disabling telnet access

Jagdeep Gambhir — Fri, 24 Aug 2007 14:55:40 GMT

Pq,

That issue has been fixed. Here is the solution.

This is how it works,

Command

Ip permit disable telnet---> Disables the use of a permit list.

You will need to enable the permit list and then define which IP addresses are allowed to

telnet to the switch.

If no IPs are defined then no telnet is possible.

So to disable telnet you need to enable it using---> Ip permit enable telnet

Now do not define any IP address for telnet. That way no one would be able to telnet to it.

Also to limit telnet access on the CAT OS you need to define who is permitted to telnet to

the device.

Eg,

set ip permit telnet

This creates a permit list. Once you do this you can enable the list to be processed by

the switch

set ip permit enable telnet

This tells the switch to only allow telnet for IP addresses defined in the permit list.

Regards,

~JG

Re: disabling telnet access

pdquan001 — Fri, 24 Aug 2007 15:12:38 GMT

Thanks JG.

But the problem I have is that when IT Security people perform the network scan, it still shows that telnet service is enable. In another word, port 23 is still open. Is there a way to shutdown the telnet service totally?

Re: disabling telnet access

Jagdeep Gambhir — Fri, 24 Aug 2007 15:17:37 GMT

Pq,

Well this is due to CAT OS architecture. It will show that telnet port is open but no one will be able to telnet until you define ip permit list for telnet.

If no ip permit list is there, telnet is not possible.

Regards,

~JG