03-15-2002 07:35 AM - edited 03-08-2019 10:04 PM
I am trying to secure telnet access to my AS5300 and I have applied an ACL on the Ethernet port, only allowing access to specific IP addresses for telnet. I have found that when I am dialed in I can telnet to the AS5300 regardless of the IP address that I have. I have tried to apply access-class statements to the VTY line and also to the dial lines 1 through 96, and I can still use telnet. Any suggestions?
03-19-2002 09:18 PM
We need to take a look at your config. Please post it here. Thanks, Tejal
03-20-2002 05:36 AM
nexas5300-1>en
Password:
nexas5300-1#wr t
Building configuration...
Current configuration : 4470 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname nexas5300-1
!
no logging buffered
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default group radius enable
aaa authentication ppp default group radius
aaa accounting network default start-stop group radius
enable password
!
spe 1/0 1/7
firmware location flash:mica-modem-pw.2.7.2.0.bin
!
!
resource-pool disable
!
call rsvp-sync
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
modemcap entry 2720:TPL=FD=&F\:AA=S0=1\:MSC=AT&FS29=4S30=2400S31=30
modemcap entry nextest:TPL=FD=&F\:AA=S0=1\:MSC=S29=4S30=2400S31=300S39=11S32=3
!
!
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
ds0-group 0 timeslots 1-24 type e&m-fgb
cas-custom 0
!
controller T1 1
shutdown
framing esf
clock source line secondary 1
linecode b8zs
!
controller T1 2
shutdown
framing esf
clock source line secondary 2
linecode b8zs
!
controller T1 3
shutdown
framing esf
clock source line secondary 3
linecode b8zs
!
controller T1 4
shutdown
framing esf
clock source line secondary 4
linecode b8zs
!
controller T1 5
shutdown
framing esf
clock source line secondary 5
linecode b8zs
!
controller T1 6
shutdown
framing esf
clock source line secondary 6
linecode b8zs
!
controller T1 7
shutdown
framing esf
clock source line secondary 7
linecode b8zs
!
!
interface Ethernet0
no ip address
shutdown
!
interface Serial0
no ip address
shutdown
no fair-queue
clockrate 2015232
!
interface Serial1
no ip address
shutdown
no fair-queue
clockrate 2015232
!
interface Serial2
no ip address
shutdown
no fair-queue
clockrate 2015232
!
interface Serial3
no ip address
shutdown
no fair-queue
clockrate 2015232
!
interface FastEthernet0
ip address 172.16.9.30 255.255.255.0
ip access-group 105 in
no ip mroute-cache
duplex auto
speed auto
!
interface Group-Async1
ip unnumbered FastEthernet0
encapsulation ppp
ip tcp header-compression
no ip mroute-cache
async mode interactive
peer default ip address dhcp
ppp authentication pap
group-range 1 96
!
interface Dialer1
ip unnumbered FastEthernet0
encapsulation ppp
dialer pool 10
ppp authentication pap
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.9.1
ip route 172.16.2.0 255.255.255.0 FastEthernet0
no ip http server
!
access-list 105 permit tcp host 172.16.9.2 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.3 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.119 host 172.16.9.30 eq telnet
access-list 105 permit udp host 172.16.9.119 host 172.16.9.30 eq snmp
access-list 105 permit udp host 172.16.2.19 host 172.16.9.30 eq snmp
access-list 105 deny udp any host 172.16.9.30 eq snmp
access-list 105 deny tcp any host 172.16.9.30 eq telnet
access-list 105 permit ip any any
dialer-list 1 protocol ip permit
snmp-server community
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps calltracker
snmp-server enable traps modem-health
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps aaa_server
snmp-server enable traps bgp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps dlsw
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps voice poor-qov
snmp-server enable traps xgcp
snmp-server host 172.16.2.19
snmp-server host 172.16.9.119
!
radius-server host 172.16.2.9 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key
!
!
line con 0
exec-timeout 0 0
password
transport input none
line 1 96
modem InOut
modem autoconfigure type 2720
transport input all
autoselect ppp
line aux 0
line vty 0 4
password
!
end
03-20-2002 08:57 AM
I put a copy of my config out there.
03-20-2002 05:27 PM
Try to put the "ip access-group 105 in" under the interface Group-Async1. This should work. Thanks, Tejal
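The point behind this reply, shown as an added configuration example that is not from the thread or from Cisco documentation: an inbound ACL on FastEthernet0 is only evaluated for packets that enter through FastEthernet0. Dial-in users' packets enter through the Group-Async lines, so ACL 105 never sees them. There are two places to close that gap, and they can be used together. The addresses below are the management hosts already permitted in the poster's ACL 105; the standard ACL number 10 and the exec-timeout value are assumptions for the example.

```cisco
! Added example, not from the original post.
!
! Option 1 (what the reply suggests): apply the existing ACL at the interface
! where dialed-in traffic actually arrives. Only the relevant lines of the
! interface are shown; the rest of Group-Async1 stays as posted.
interface Group-Async1
 ip unnumbered FastEthernet0
 encapsulation ppp
 ip access-group 105 in
!
! Option 2: restrict the VTY lines themselves. An access-class check is made
! on the VTY regardless of which interface the telnet session came in on, so
! it also covers the dial-in path. ACL 10 is an assumed number; the hosts are
! the ones ACL 105 already allows for telnet.
access-list 10 remark management hosts allowed to reach the VTYs
access-list 10 permit 172.16.9.2
access-list 10 permit 172.16.9.3
access-list 10 permit 172.16.9.119
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 transport input telnet
!
! Verification after applying: hit counters on ACL 10 show whether the
! rejected dial-in attempt is being matched by the deny line.
!   show ip access-lists 10
!   show line vty 0 4
```

One caveat worth checking before relying on either option: Group-Async1 is unnumbered to FastEthernet0 and hands out addresses with "peer default ip address dhcp", so a dial-in client may receive an address inside 172.16.9.0/24. A source-address filter is only as strong as the address assignment behind it, so make sure the DHCP pool cannot hand a dial-in client one of the management host addresses listed in the ACL.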
03-21-2002 05:24 AM
Thanks, I decided to use authorization and accounting with my tacacs server and that resolved the access issue.