How can I set up telnet access control through an ACL?

supermanwwc
Level 1

Hello, there may be some problems with telnet access through ACL control.

1. TIMEWAIT (Are these TCP connections attack connections?)

wan-4M#sh tcp brie
TCB Local Address Foreign Address (state)
625E3370 124.65.231.142.23 201-92-164-106.d.49919 TIMEWAIT
631CDB84 124.65.231.142.23 201-92-164-106.d.49942 TIMEWAIT
625E382C 124.65.231.142.23 201-92-164-106.d.49936 TIMEWAIT
631B72FC 124.65.231.142.23 201-92-164-106.d.49927 TIMEWAIT
62F71E60 124.65.231.142.23 201-92-164-106.d.49949 TIMEWAIT
62F7F558 124.65.231.142.23 201-92-164-106.d.49969 TIMEWAIT
631BE7E8 124.65.231.142.23 201-92-164-106.d.49976 TIMEWAIT
625E474C 124.65.231.142.23 201-92-164-106.d.49980 TIMEWAIT
625E6B1C 124.65.231.142.23 201-92-164-106.d.49962 TIMEWAIT
631D13E8 125.35.20.129.23 218.247.232.86.7728 ESTAB
631B77B8 124.65.231.142.23 201-92-164-106.d.49954 TIMEWAIT
631B7C74 124.65.231.142.23 201-92-164-106.d.49967 TIMEWAIT
625E21C0 124.65.231.142.23 201-92-164-106.d.49987 ESTAB


2. What are these addresses?

wan-4M#who
Line User Host(s) Idle Location
* vty 194 idle 00:00:00 218.247.232.86 (the real address)
vty 196 idle 00:00:00 37.148.71.90 (what's this address?)
vty 197 idle 00:00:00 179-111-131-117.dsl.telesp.net.br (what's this address?)
vty 198 idle 00:00:00 201-92-164-106.dsl.telesp.net.br (what's this address?)


interface FastEthernet0/0
ip address 124.65.231.142 255.255.255.252
ip accounting output-packets
description outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 125.35.20.129 255.255.255.192
ip accounting output-packets
description inside
duplex auto

line vty 0 0
 exec-timeout 0 0
 login
 transport input telnet

I want to limit telnet users.

For example, only 218.247.232.0/27 should be able to telnet to 125.35.20.129.

What can I do?

Please see the detailed config in the attached file.

Accepted Solution

Philip D'Ath
VIP Alumni

People are trying to log into your router remotely.  I would do this:

access-list 2 remark Where management can be done from.
access-list 2 permit 218.247.232.0 0.0.0.31

line vty 0 4
 access-class 2 in
 transport input telnet ssh
 transport output telnet ssh
 exec-timeout 5
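An added check, not part of the thread, that evaluates the ACL from this answer with IOS wildcard-mask semantics (first match wins, implicit deny at the end) against the source addresses seen in the "who" output quoted in the question. Note that 218.247.232.0 0.0.0.31 covers only 218.247.232.0 to 218.247.232.31, so the session from 218.247.232.86 would be denied; confirm the management range before applying access-class so the change does not lock the administrator out.

```python
import ipaddress
import re

# Constructed from the accepted answer: one remark line and one permit ACE.
ACL_TEXT = """\
access-list 2 remark Where management can be done from.
access-list 2 permit 218.247.232.0 0.0.0.31
"""

ACE_RE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")

def parse_standard_acl(text):
    """(action, network_int, wildcard_int) per ACE; remarks are skipped,
    'host A' or a bare address means wildcard 0.0.0.0, 'any' means 0.0.0.0 255.255.255.255."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or " remark " in line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        action, src, wc = m.groups()
        if src == "any":
            net, wild = 0, 0xFFFFFFFF
        elif src == "host":
            net, wild = int(ipaddress.IPv4Address(wc)), 0
        else:
            net = int(ipaddress.IPv4Address(src))
            wild = int(ipaddress.IPv4Address(wc)) if wc else 0
        entries.append((action, net, wild))
    return entries

def wildcard_match(addr, net, wild):
    """IOS wildcard semantics: a 1 bit is 'don't care', a 0 bit must match exactly."""
    keep = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)

def acl_decision(entries, addr):
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny any'."""
    for action, net, wild in entries:
        if wildcard_match(addr, net, wild):
            return action
    return "deny"

def permitted_ranges(entries):
    """CIDR form of each permit ACE (contiguous wildcard assumed), to check
    before 'access-class ... in' is applied to the vty lines."""
    masks = [(net, str(ipaddress.IPv4Address(~wild & 0xFFFFFFFF)))
             for action, net, wild in entries if action == "permit"]
    return [str(ipaddress.IPv4Network(m, strict=False)) for m in masks]
```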


4 Replies

Thank you for your help.

There are some questions: what does "remark Where management can be done from." mean?

Where can I search logs about "remark Where management can be done from."?

Thanks again.

Philip was too kind - turn off telnet COMPLETELY! It is insecure and has no place on an Internet-facing device.


The remark line is a note for yourself. There is no log about it.


You should have some basic understanding of your network - that is, what addresses are allowed to log into your router. All others are forbidden. The access-list, when applied to the vty lines using the access-class command, does that.

Thank you, Marvin.
