06-15-2011 11:25 AM - edited 03-11-2019 01:45 PM
Hello, I am using a Cisco 2801 Router and currently have Telnet enabled on all interfaces. How do I change that so it is enabled from all inside networks, but not on the outside interface? Thanks!
Here's what I can find in the configs regarding Telnet:
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password XXXXXXX
 transport input telnet ssh
06-15-2011 11:33 AM
Use an access-list plus access-class under line vty to limit the subnets allowed to telnet/SSH to the router.
Please look at the example mentioned in the following link (PDF):
https://learningnetwork.cisco.com/.../8%20steps%20to%20secure%20and%20harden%20Cisco%20Router.pdf
Manish
06-15-2011 11:35 AM
Manish, thanks for your response. However, that link was broken and I am unable to locate that document.
06-15-2011 12:11 PM
06-15-2011 01:29 PM
Manish, thanks again. I applied the configs as instructed (below), but can still telnet to the public IP from outside the network. Is there a command that is allowing telnet to the outside interface that supersedes these configs?
ip access-list extended TerminalAccess
permit tcp host 172.16.0.0 any eq telnet
permit tcp any any eq 22
deny tcp any any
line vty 0 4
access-class TerminalAccess in
06-15-2011 01:44 PM
OK, that didn't work because you were using a named ACL; when applying access control to a line, you are required to use a numbered ACL (kinda dumb, but it is what it is ;-) ).
So, make it a standard ACL using a number and then apply it to the line vty.
Reference:
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfip.html#wp1001490
Manish
06-15-2011 02:07 PM
What would this standard ACL config look like?
06-15-2011 02:30 PM
You can use:
access-list 12 permit host 172.16.x.x
! one host address in that subnet
access-list 12 permit host X.X.X.X
! any other IP that you need whitelisted
access-list 12 permit 172.16.0.0 0.0.255.255
! complete 172.16.0.0/16 subnet access OK
line vty 0 4
 access-class 12 in
Keep in mind that this will limit connections to the line, be it for SSH or Telnet.
I have never used an extended ACL in access-class and do not have any equipment to test it either. So, if you want to use your above extended ACL, you can try by replacing the name "TerminalAccess" with a number like 199 or 200. But be sure that you have console access to the device in case you lock yourself out.
Manish
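For readers who want the whole vty-level approach from this thread in one place, here is an added example (not the poster's configuration and not from any Cisco document linked above). Everything specific in it is an assumption: the inside networks 172.16.0.0/16 and 192.168.10.0/24, the extra management host 203.0.113.10, the domain name and the username are constructed placeholders; it also switches the lines to SSH only and to local user authentication, which goes slightly beyond what the thread asked for.

```cisco
! Added example, not the poster's config. Assumed (constructed) values:
! inside networks 172.16.0.0/16 and 192.168.10.0/24, one outside
! management host 203.0.113.10, domain example.net, user "admin".
!
! 1. Standard numbered ACL listing only the sources allowed to open a
!    session to the vty lines. Note the wildcard mask, not a subnet mask:
!    0.0.255.255 means "match the first two octets".
access-list 12 remark Sources allowed to reach the vty lines
access-list 12 permit 172.16.0.0 0.0.255.255
access-list 12 permit 192.168.10.0 0.0.0.255
access-list 12 permit host 203.0.113.10
access-list 12 deny   any log
!
! 2. Prerequisites for SSH and for local login (assumed values).
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret <strong-password>
!
! 3. Apply the ACL inbound on the vty lines. Without access-class the
!    lines accept sessions arriving on any interface, the outside one
!    included; "transport input ssh" also drops cleartext Telnet.
line vty 0 4
 access-class 12 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! 4. Verify. Hit counters on the ACL entries increment per attempt and
!    rejected sources are logged because of the "log" keyword.
! Router# show access-lists 12
! Router# show running-config | section line vty
```

Two caveats worth checking before relying on this: if the router also has a `line vty 5 15` block, the same `access-class 12 in` must be applied there too, or those lines remain reachable from anywhere; and, as said above, keep console access while testing, since the `deny any` entry also applies to you.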
06-15-2011 11:34 AM
The "transport input" command affects all interfaces. For example, if you use "transport input ssh", users can only access this router via SSH. For your scenario, you can just configure an interface ACL on the outside interface to block the telnet session. HTH.
06-15-2011 11:37 AM
Yudong,
Thanks for your response. What would this ACL command look like?
06-15-2011 12:11 PM
It will depend on how you would like to control telnet.
If you don't want any telnet session to come into the outside interface (including telnet sessions passing through this box), you can configure it like the below:
ip access-list extended no_telnet
 deny tcp any any eq telnet
 permit ip any any
If you don't want anyone to telnet to the outside interface IP directly, you can configure it like the following (replace <outside-interface-IP> with the address of your outside interface):
ip access-list extended no_telnet
 deny tcp any host <outside-interface-IP> eq telnet
 permit ip any any
Then you can apply this ACL under the outside interface in the inbound direction.
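The interface-ACL approach above has a side effect the thread does not spell out: once an inbound ACL is bound to the outside interface, everything not explicitly permitted is dropped by the implicit "deny ip any any", so services published through NAT (the mail server mentioned later in this thread) must be permitted in the same list. The following is an added example, not the poster's or Yudong's configuration; the outside interface FastEthernet0/0, its public address 198.51.100.1 (RFC 5737 documentation range) and the static NAT for SMTP on that same address are assumed values.

```cisco
! Added example of the interface-ACL approach, not the poster's config.
! Assumed (constructed): outside interface FastEthernet0/0 with public
! address 198.51.100.1, and a static NAT publishing an inside mail
! server as 198.51.100.1:25.
!
! An inbound ACL on the outside interface is evaluated before NAT
! translation, so destinations are the public address, not inside ones.
ip access-list extended no_telnet
 remark Block Telnet to the router's own outside address, log attempts
 deny   tcp any host 198.51.100.1 eq telnet log
 remark Services published through NAT must be permitted explicitly
 permit tcp any host 198.51.100.1 eq smtp
 remark Return traffic for sessions opened from the inside
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 remark Anything else is dropped by the implicit deny ip any any
!
interface FastEthernet0/0
 description Outside
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 ip access-group no_telnet in
!
! Verify: from an outside host, "telnet 198.51.100.1" must now fail while
! port 25 still connects; the deny counter and the log show the attempts.
! Router# show ip access-lists no_telnet
```

Note what this does and does not do: it only stops Telnet arriving on that one interface, so a second outside interface, or Telnet from an inside host, is unaffected, and the "established" entry is the classic stateless pattern, not a replacement for a firewall. If the goal is simply to keep management sessions off the public side, the vty access-class from earlier in the thread is the smaller change, because it touches only the management lines and never interferes with forwarded traffic.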
06-15-2011 01:45 PM
I do not want telnet allowed to the outside interface at all, but we do have email services, etc. allowed through NAT commands. Would I need to permit those in this new "no_telnet" access list, or will those still be allowed with the existing configs?
06-15-2011 10:38 PM
No, there is no need for such an access-list, because you deny telnet only on the vty lines, which are used only for remote management, not for connectivity and routing.