08-17-2007 11:10 AM - last edited on 03-25-2019 05:24 PM by ciscomoderator
I have disabled telnet access to my Cisco2948 and Cisco5609 (running CatOS) but I'm still able to telnet. Am I missing anything? Here is my config:
set ip permit enable ssh
set ip permit enable snmp
set ip permit 10.0.0.0 255.0.0.0 ssh
set ip permit 10.0.0.0 255.0.0.0 snmp
sh ip permit
Telnet permit list disabled.
Ssh permit list enabled.
Snmp permit list enabled.
Permit List Mask Access-Type
---------------- ---------------- -------------
10.0.0.0 255.0.0.0 ssh snmp
08-17-2007 12:44 PM
If you have already tried,
set ip permit disable telnet
Then something seems to be not correct.
Can you share sh ver?
Regards,
Prem
08-17-2007 12:52 PM
Yes I did "set ip permit disable telnet " that's why it shows "telnet disabled" in show ip permit. Here is the show ver
From 6509:---------
sh ver
WARNING: This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and use.
Delivery of Cisco cryptographic products does not imply third-party authority
to import, export, distribute or use encryption. Importers, exporters,
distributors and users are responsible for compliance with U.S. and local
country laws. By using this product you agree to comply with applicable
laws and regulations. If you are unable to comply with U.S. and local laws,
return this product immediately.
WS-C6506 Software, Version NmpSW: 8.5(2)
Copyright (c) 1995-2005 by Cisco Systems
NMP S/W compiled on Dec 6 2005, 21:05:19
System Bootstrap Version: 7.7(1)
System Web Interface Version: Engine Version: 5.3.4 ADP Device: Cat6000 ADP Version: 8.0 ADK: 49
System Boot Image File is 'bootflash:cat6000-sup720cvk9.8-5-2.bin'
System Configuration register is 0x10f
From 4006:----
sh ver
WARNING: This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and use.
Delivery of Cisco cryptographic products does not imply third-party authority
to import, export, distribute or use encryption. Importers, exporters,
distributors and users are responsible for compliance with U.S. and local
country laws. By using this product you agree to comply with applicable
laws and regulations. If you are unable to comply with U.S. and local laws,
return this product immediately.
WS-C4006 Software, Version NmpSW: 8.1(2)
Copyright (c) 1995-2003 by Cisco Systems, Inc.
From 2948:-
sh ver
WARNING: This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and use.
Delivery of Cisco cryptographic products does not imply third-party authority
to import, export, distribute or use encryption. Importers, exporters,
distributors and users are responsible for compliance with U.S. and local
country laws. By using this product you agree to comply with applicable
laws and regulations. If you are unable to comply with U.S. and local laws,
return this product immediately.
WS-C2948 Software, Version NmpSW: 8.4(9)GLX
08-17-2007 04:01 PM
Well, I was not able to find anything specific on these versions. I wasn't able to find anything wrong with the way you have it set up, though, until someone else can point it out.
But if you want you can get this thing to be investigated by TAC.
Regards,
Prem
08-18-2007 04:56 AM
Hi Nawas,
This is how it works,
Command
Ip permit disable telnet---> Disables the use of a permit list.
You will need to enable the permit list and then define which IP addresses are allowed to
telnet to the switch.
If no IPs are defined then no telnet is possible.
So to disable telnet you need to enable it using---> Ip permit enable telnet
Now do not define any IP address for telnet. That way no one would be able to telnet to it.
Also to limit telnet access on the CAT OS you need to define who is permitted to telnet to
the device.
Eg,
set ip permit
set ip permit
set ip permit
This creates a permit list. Once you do this you can enable the list to be processed by
the switch
set ip permit enable telnet
This tells the switch to only allow telnet for IP addresses defined in the permit list.
Hope that helps !
Regards,
~JG
08-19-2007 04:14 AM
JG is right,
unconventional, but this is how it works!
@JG : Great work TSing ;)
Regards,
Prem
08-20-2007 05:51 AM
This is exactly how I have configured my devices but still have no luck. Note that I had telnet enabled at some point and now I want to disable telnet. I even tried ripping out the whole permit list configuration and disabling the permit list and enabling it again, but still no luck. Guess I will have to open a TAC case.
08-20-2007 01:05 PM
Hey Nawas,
Please mark this thread resolved, so others can benefit from it ;-)
Regards,
~JG
08-24-2007 07:18 AM
Have you opened a TAC case? What is the resolution, if you don't mind sharing?
Thanks,
pq
08-24-2007 07:55 AM
Pq,
That issue has been fixed. Here is the solution.
This is how it works,
Command
Ip permit disable telnet---> Disables the use of a permit list.
You will need to enable the permit list and then define which IP addresses are allowed to
telnet to the switch.
If no IPs are defined then no telnet is possible.
So to disable telnet you need to enable it using---> Ip permit enable telnet
Now do not define any IP address for telnet. That way no one would be able to telnet to it.
Also to limit telnet access on the CAT OS you need to define who is permitted to telnet to
the device.
Eg,
set ip permit
set ip permit
set ip permit
This creates a permit list. Once you do this you can enable the list to be processed by
the switch
set ip permit enable telnet
This tells the switch to only allow telnet for IP addresses defined in the permit list.
Regards,
~JG
08-24-2007 08:12 AM
Thanks JG.
But the problem I have is that when the IT Security people perform a network scan, it still shows that the telnet service is enabled. In other words, port 23 is still open. Is there a way to shut down the telnet service totally?
pq
08-24-2007 08:17 AM
Pq,
Well this is due to CAT OS architecture. It will show that telnet port is open but no one will be able to telnet until you define ip permit list for telnet.
If no ip permit list is there, telnet is not possible.
Regards,
~JG
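The rule JG describes in the two posts above (and the caveat in the last one that TCP/23 still answers a scanner) can be checked mechanically. The following Python helper is an added illustration, not code from the thread or from Cisco: it parses "sh ip permit" output in the layout the original poster pasted and applies the semantics as explained in this thread, namely that a disabled permit list filters nothing and an enabled list allows only sources matching an entry for that service. Both sample outputs are constructed, the column layout is assumed from the earlier post, and the helper evaluates the permit list only; it says nothing about whether the port is listening, which per JG it still is.

```python
"""Audit CatOS 'ip permit' semantics for a given service and source address.

Model (as explained in the thread): 'set ip permit disable <svc>' turns the
permit list OFF for that service, so any source may connect; 'set ip permit
enable <svc>' turns it ON, and only sources matching an entry tagged with
that service are allowed. An enabled list with no entries blocks everyone.
"""
import ipaddress
import re

# Constructed sample: the original poster's situation (telnet list disabled).
ORIGINAL_SHOW_IP_PERMIT = """\
Telnet permit list disabled.
Ssh permit list enabled.
Snmp permit list enabled.
Permit List      Mask             Access-Type
---------------- ---------------- -------------
10.0.0.0         255.0.0.0        ssh snmp
"""

# Constructed sample: JG's fix (telnet list enabled, no telnet entries).
HARDENED_SHOW_IP_PERMIT = """\
Telnet permit list enabled.
Ssh permit list enabled.
Snmp permit list enabled.
Permit List      Mask             Access-Type
---------------- ---------------- -------------
10.0.0.0         255.0.0.0        ssh snmp
"""

_STATUS_RE = re.compile(r"^(\w+) permit list (enabled|disabled)\.$")
_ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(.+)$")


def parse_show_ip_permit(text):
    """Return ({service: enabled}, [(network, {services})]) from 'sh ip permit' text."""
    enabled = {}
    entries = []
    for line in text.splitlines():
        m = _STATUS_RE.match(line.strip())
        if m:
            enabled[m.group(1).lower()] = (m.group(2) == "enabled")
            continue
        m = _ENTRY_RE.match(line.strip())
        if m:
            # ipaddress accepts a dotted netmask after the slash.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            entries.append((net, set(m.group(3).lower().split())))
    return enabled, entries


def source_allowed(enabled, entries, service, source_ip):
    """Apply the permit-list rule for one service and one source address."""
    if not enabled.get(service, False):
        return True  # list disabled: no filtering at all
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net and service in svcs for net, svcs in entries)


def audit(text, service, source_ip):
    """Convenience wrapper: parse the output and evaluate one (service, source)."""
    enabled, entries = parse_show_ip_permit(text)
    return source_allowed(enabled, entries, service, source_ip)


if __name__ == "__main__":
    for label, out in (("original", ORIGINAL_SHOW_IP_PERMIT),
                       ("hardened", HARDENED_SHOW_IP_PERMIT)):
        for svc, src in (("telnet", "192.0.2.10"), ("telnet", "10.1.2.3"),
                         ("ssh", "10.1.2.3"), ("ssh", "192.0.2.10")):
            verdict = "allowed" if audit(out, svc, src) else "denied"
            print(f"{label}: {svc} from {src} -> {verdict}")
```

Running it shows why the original config did not help: with the telnet list disabled, telnet from any address is allowed, while the hardened output denies telnet from everywhere yet still permits SSH from 10.0.0.0/8. A port scan will report 23/tcp open in both cases, so a scanner result alone is not evidence that the permit list is misconfigured; the login attempt is what the list governs.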