Welcome to Cisco Firewalls Community
Beginner

Disable Telnet on Outside Interface

Hello, I am using a Cisco 2801 Router and currently have Telnet enabled on all interfaces.  How do I change that so it is enabled from all inside networks, but not on the outside interface?  Thanks!

Here's what I can find in the configs regarding Telnet:

line con 0
line aux 0
line vty 0 4
 privilege level 15
 password XXXXXXX
 transport input telnet ssh

12 Replies
Frequent Contributor

Disable Telnet on Outside Interface

Use access-list + access-class under line vty to limit the subnets allowed to telnet/ssh the router.

Please look at the example mentioned in the following link (PDF):

https://learningnetwork.cisco.com/.../8%20steps%20to%20secure%20and%20harden%20Cisco%20Router.pdf

Manish

Beginner

Disable Telnet on Outside Interface

Manish, thanks for your response.  However, that link was broken and I am unable to locate that document.

Frequent Contributor

Disable Telnet on Outside Interface

Beginner

Disable Telnet on Outside Interface

Manish, thanks again.  I applied the configs as instructed (below), but can still telnet to the public IP from outside the network.  Is there a command that is allowing telnet to the outside interface that supersedes these configs?

ip access-list extended TerminalAccess
permit tcp host 172.16.0.0 any eq telnet
permit tcp any any eq 22
deny tcp any any

line vty 0 4
access-class TerminalAccess in

Frequent Contributor

Disable Telnet on Outside Interface

Ok, that didn't work as you were using a named ACL; when applying access control to a line, you are required to use a numbered ACL (kinda dumb but it is what it is ;-) ).

So, make it a standard ACL using a number and then apply it to the line vty.

Reference:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfip.html#wp1001490

Manish

Beginner

Disable Telnet on Outside Interface

What would this standard ACL config look like?

Frequent Contributor

Disable Telnet on Outside Interface

You can use:

access-list 12 permit host 172.16.x.x
! one host address in that subnet
access-list 12 permit host X.X.X.X
! any other IP that you need whitelisted
access-list 12 permit 172.16.0.0 0.0.255.255
! complete 172.16.0.0/16 subnet access ok
line vty 0 4
 access-class 12 in

Keep in mind that this will limit connections to the line, be it for SSH or Telnet.

I have never used an extended ACL in access-class and do not have any equipment to test it either. So, if you want to use your above extended ACL, you can try by replacing the name "TerminalAccess" with a number like 199 or 200. But be sure that you have console access to the device in case you lock yourself out.

Manish
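To see what the numbered standard ACL above actually admits once it is bound with access-class, here is an added Python example (not code from the original thread) that evaluates IOS wildcard masks the way the router does, including the implicit deny at the end and the "no access-class means everyone" starting point from the question. The sample config and its addresses are constructed for illustration, and the parser handles only the standard-ACL syntax shown in this thread.

```python
import ipaddress
# Constructed sample modelled on the numbered ACL suggested above; the host
# address and the vty stanza are illustrative, not from the original post.
SAMPLE_CONFIG = """\
access-list 12 permit host 203.0.113.7
access-list 12 permit 172.16.0.0 0.0.255.255
line vty 0 4
 access-class 12 in
 transport input telnet ssh
"""

def wildcard_match(src, addr, wildcard):
    """IOS wildcard: 0 bits must match, 1 bits are ignored (non-contiguous masks work too)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(src)) & care) == (int(ipaddress.IPv4Address(addr)) & care)

def parse_standard_acl(config, number):
    """Ordered (action, address, wildcard) entries of numbered standard ACL `number`."""
    entries = []
    for line in config.splitlines():
        p = line.split()
        if len(p) < 4 or p[0] != "access-list" or p[1] != str(number):
            continue
        action, target = p[2], p[3:]
        if target[0] == "host":          # exact match, wildcard 0.0.0.0
            entries.append((action, target[1], "0.0.0.0"))
        elif target[0] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        else:                            # "A.B.C.D [wildcard]"; bare address means exact host
            entries.append((action, target[0], target[1] if len(target) > 1 else "0.0.0.0"))
    return entries

def acl_permits(config, number, src):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, addr, wildcard in parse_standard_acl(config, number):
        if wildcard_match(src, addr, wildcard):
            return action == "permit"
    return False

def vty_allows(config, src):
    """Whether `src` may open a vty session; with no inbound access-class every source is accepted."""
    in_vty, acl = False, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("line "):
            in_vty = s.startswith("line vty")
        elif in_vty and s.startswith("access-class ") and s.endswith(" in"):
            acl = s.split()[1]
    return True if acl is None else acl_permits(config, acl, src)
```

Running `vty_allows(SAMPLE_CONFIG, ip)` for a few source addresses shows that only the whitelisted host and the 172.16.0.0/16 range get through; note that `permit host 172.16.0.0` (the earlier attempt) matches exactly one address, not the subnet.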

Rising star

Disable Telnet on Outside Interface

The "transport input" command will impact all interfaces. For example, if you use "transport input ssh", users can only access this router via SSH. Per your scenario, you can just configure an interface ACL on the outside interface to block the telnet session. HTH.

Beginner

Disable Telnet on Outside Interface

Yudong,

Thanks for your response.  What would this ACL command look like?

Rising star

Disable Telnet on Outside Interface

It will depend on how you would like to control telnet.

If you don't want any telnet session coming into the outside interface (including telnet sessions passing through this box), you can configure like the following:

ip access-list extended no_telnet
 deny tcp any any eq telnet
 permit ip any any

If you don't want anyone to telnet to the outside interface IP directly, you can configure like the following:

ip access-list extended no_telnet
 ! <outside-interface-IP> is a placeholder for the address of the outside interface
 deny tcp any host <outside-interface-IP> eq telnet
 permit ip any any

Then you can apply this ACL under the outside interface in inbound direction.

Beginner

Disable Telnet on Outside Interface

I do not want telnet allowed to the outside interface at all, but we do have email services, etc. allowed through NAT commands.  Would I need to permit those in this new "no_telnet" access list, or will those still be allowed with the existing configs?

Participant

Disable Telnet on Outside Interface

No, there is no need for such an access-list, because you deny telnet only on the vty lines, which are used only for remote management, not for connectivity and routing.