topic Disable Telnet on Outside Interface in Network Security

Disable Telnet on Outside Interface

pccareoncall — Mon, 11 Mar 2019 20:45:40 GMT

Hello, I am using a Cisco 2801 Router and currently have Telnet enabled on all interfaces. How do I change that so it is enabled from all inside networks, but not on the outside interface? Thanks!

Here's what I can find in the configs regarding Telnet:

line con 0

line aux 0

line vty 0 4

privilege level 15

password XXXXXXX

transport input telnet ssh

Disable Telnet on Outside Interface

manish arora — Wed, 15 Jun 2011 18:33:25 GMT

Use access-list + access-class under line vty to limit the subnets allowed to telnet/ssh the router.

Please look in the example mention in the following link ( PDF) :-

https://learningnetwork.cisco.com/.../8%20steps%20to%20secure%20and%20harden%20Cisco%20Router.pdf

Manish

Disable Telnet on Outside Interface

Yudong Wu — Wed, 15 Jun 2011 18:34:22 GMT

"transport input" command will impact all interface. For example, if you use "transport input ssh", user can only access this router via SSH. Per your scenario, you can just configure a interface ACL on outside interface to block the telnet session. HTH.

Disable Telnet on Outside Interface

pccareoncall — Wed, 15 Jun 2011 18:35:58 GMT

Manish, thanks for your response. However, that link was broken and I am unable to locate that document.

Disable Telnet on Outside Interface

pccareoncall — Wed, 15 Jun 2011 18:37:01 GMT

Yudong,

Thanks for your response. What would this ACL command look like?

Disable Telnet on Outside Interface

manish arora — Wed, 15 Jun 2011 19:11:05 GMT

try this :-

http://blog.ioshints.info/2006/12/vty-access-class-accepts-extended-and.html

Manish

Disable Telnet on Outside Interface

Yudong Wu — Wed, 15 Jun 2011 19:11:08 GMT

It will depend on how you would like to control telnet.

If you don't want any telnet session come into outside interface (including telnet session passing throught this box), you can configure like the below

ip access-list ex no_telnet

deny tcp any any eq telnet

permit

If you don't want any one to telnet to outside interface IP directly, you can configure like the folowing

ip access-list ex no_telnet

deny tcp any host eq telnet

permit

Then you can apply this ACL under the outside interface in inbound direction.

Disable Telnet on Outside Interface

pccareoncall — Wed, 15 Jun 2011 20:29:43 GMT

Manish, thanks again. I applied the configs as instructed (below), but can still telnet to the public IP from outside the network. Is there a command that is allowing telnet to the outside interface that supercedes these configs?

ip access-list extended TerminalAccess
permit tcp host 172.16.0.0 any eq telnet
permit tcp any any eq 22
deny tcp any any

line vty 0 4
access-class TerminalAccess in

Disable Telnet on Outside Interface

manish arora — Wed, 15 Jun 2011 20:44:27 GMT

Ok, That didn't work for as you were using Named ACL , when applying access control to a Line , you are required to use a numbered ACL ( Kinda dumb but it is what it is 😉 ).

So, make it a stardard acl using no and then apply it to the Line VTY.

Reference :-

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfip.html#wp1001490

Manish

Disable Telnet on Outside Interface

pccareoncall — Wed, 15 Jun 2011 20:45:58 GMT

I do not want telnet allowed to the outside interface at all, but we do have email services, etc. allowed through NAT commands. Would I need to permit those in this new "no_telnet" access list, or will those still be allowed with the existing configs?

Disable Telnet on Outside Interface

pccareoncall — Wed, 15 Jun 2011 21:07:47 GMT

What would this standard ACL config look like?

Disable Telnet on Outside Interface

manish arora — Wed, 15 Jun 2011 21:30:37 GMT

you can use :-

access-list 12 permit host 172.16.x.x ( one host address in that subnet )

access-list 12 permit host X.X.X.X ( any other ip that you need whitelisted )

access-list 12 permit 172.16.0.0 0.0.255.255 ( complete 172.16.0.0/16 subnet access ok )

Line vty 0 4

access-class 12 in

Keep in mind that This will limit connections to the Line be it for SSH or Telnet.

I have never used Extended ACL in access-class and donot have any equipment to test it either. So, if you want to use your above extendent acl , you can try by replacing name "TerminalAccess" with a no. like 199 or 200. But be sure that you have console access to the device in case you lock your self out.

Manish

Disable Telnet on Outside Interface

fgasimzade — Thu, 16 Jun 2011 05:38:23 GMT

No, there is no need for such access-list, because you deny telnet only on vty lines, that are used only for remote management, not for connectivity and routing.