Michael Durham
Enthusiast

Telnet access through VPN but block all others

I have a VPN tunnel between my company and a remote user.  I need to block ALL telnet and ssh to the remote user BUT I still need to be able to telnet through the VPN to the remote user.  There will only be router to router telnet access, so I am not worried about clear text on our network; and the VPN is encrypting the router to router communication.

If I block all port 22 and 23 on the remote router, will I still be able to telnet through the VPN tunnel?

I am asking here because I do not want to lose connection to the remote router if this won't work, as it is in another location with limited access.

1 ACCEPTED SOLUTION

I created what I needed.

! Define the list first, then apply it: an ACL that exists but is still being
! built already ends in the implicit deny, which would drop the VPN traffic
! that carries this very management session.
ip access-list extended Protect
 remark Protect Internet inbound connection
 10 permit tcp any any established
 20 permit tcp any host {Public_IP_Address} eq ftp
 30 permit tcp any host {Public_IP_Address} eq domain
 40 permit udp any host {Public_IP_Address} eq domain
 50 permit tcp any host {Public_IP_Address} eq 443
 60 permit udp any host {Public_IP_Address} eq isakmp
 70 permit tcp any host {Public_IP_Address} eq 1194
 80 permit udp any host {Public_IP_Address} eq 1194
 90 permit tcp any host {Public_IP_Address} range 2000 2099
 100 permit udp any host {Public_IP_Address} eq non500-isakmp
 110 permit tcp any host {Public_IP_Address} eq 5060
 120 permit udp any host {Public_IP_Address} eq 5060
 130 permit udp any host {Public_IP_Address} range 16384 32767
 140 permit gre any host {Public_IP_Address}
 150 permit esp any host {Public_IP_Address}
 160 permit ahp any host {Public_IP_Address}
 170 permit udp any eq domain any
 180 permit udp any eq 5010 any
 190 permit tcp any host {Public_IP_Address} eq 9090
 220 permit udp any eq ntp any
 998 permit icmp any any
 ! Nothing above permits tcp 22 or 23 from the Internet, so those fall
 ! through to the final line, which drops them and logs the attempt.
 999 deny ip any any log
!
interface GigabitEthernet0/2
 ip access-group Protect in
exit

Our two VPNs work, SIP & VoIP work, GRE tunnels work, the FTP server works, and I can telnet from my router to the customer's router as needed.

Hope this helps anyone that needs it.  On to my next project, EEM and emailing...


2 REPLIES
Francesco Molino
VIP Mentor

Hi

When you say block SSH and telnet, do you mean denying this traffic on the outside interface?
If so, you'll block it for Internet users, let's say, and you'll still be able to access it yourself over the VPN. For that you need to make sure you block the traffic on the outside, which is fine, but you also need to allow yourself on the vty ACL, if there is one.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
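The two points made in this thread can be checked offline before touching a router that has limited out-of-band access: does the accepted ACL really drop Internet-originated telnet/SSH while letting the IPsec traffic through, and does the vty access-class Francesco mentions still admit the management session that arrives inside the tunnel? The script below is an added example written for this page, not code from the thread or from Cisco. It parses the accepted-solution ACL (with a constructed address in place of {Public_IP_Address}) using first-match semantics and evaluates constructed sample packets against it. The model assumes that the interface ACL only sees the outer packet, so VPN traffic appears as ISAKMP/ESP rather than as the inner telnet session, and that decrypted IPsec traffic is not re-checked by the interface ACL (IOS behaviour, labelled as an assumption in the code); the decrypted session is then gated only by a vty access-class, modelled here with a constructed 10.10.0.0/24 management network. Only the `any` and `host` address forms and the `eq`/`range` port forms used in the posted ACL are supported.

```python
"""Offline evaluator for the Cisco IOS extended-ACL lines in the accepted
solution. Added example, not from the original thread. Assumptions:
the interface ACL sees only the outer packet (VPN traffic = ISAKMP/ESP);
decrypted IPsec traffic is not re-evaluated by the interface ACL (IOS
behaviour assumed here); management access is then gated by the vty
access-class. All addresses below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for {Public_IP_Address}
PORT_NAMES = {"ftp": 21, "domain": 53, "isakmp": 500, "non500-isakmp": 4500,
              "ntp": 123, "telnet": 23, "ssh": 22}

# The accepted-solution ACL, placeholder substituted; remark lines are skipped.
ACL_TEXT = f"""
remark Protect Internet inbound connection
10 permit tcp any any established
20 permit tcp any host {PUBLIC_IP} eq ftp
30 permit tcp any host {PUBLIC_IP} eq domain
40 permit udp any host {PUBLIC_IP} eq domain
50 permit tcp any host {PUBLIC_IP} eq 443
60 permit udp any host {PUBLIC_IP} eq isakmp
70 permit tcp any host {PUBLIC_IP} eq 1194
80 permit udp any host {PUBLIC_IP} eq 1194
90 permit tcp any host {PUBLIC_IP} range 2000 2099
100 permit udp any host {PUBLIC_IP} eq non500-isakmp
110 permit tcp any host {PUBLIC_IP} eq 5060
120 permit udp any host {PUBLIC_IP} eq 5060
130 permit udp any host {PUBLIC_IP} range 16384 32767
140 permit gre any host {PUBLIC_IP}
150 permit esp any host {PUBLIC_IP}
160 permit ahp any host {PUBLIC_IP}
170 permit udp any eq domain any
180 permit udp any eq 5010 any
190 permit tcp any host {PUBLIC_IP} eq 9090
220 permit udp any eq ntp any
998 permit icmp any any
999 deny ip any any log
"""

# Constructed vty access-class: only the head-office LAN reached through the
# VPN may open a management session on the remote router.
VTY_ALLOWED = [ipaddress.ip_network("10.10.0.0/24")]


@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    src: Optional[str]                 # None means "any"
    sport: Optional[Tuple[int, int]]   # inclusive range; None means any port
    dst: Optional[str]
    dport: Optional[Tuple[int, int]]
    established: bool                  # matches only TCP reply segments (ACK/RST)
    log: bool


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(toks, i):
    """Consume 'any' or 'host A.B.C.D' plus an optional eq/range port spec."""
    if toks[i] == "any":
        addr, i = None, i + 1
    elif toks[i] == "host":
        addr, i = toks[i + 1], i + 2
    else:
        raise ValueError(f"only 'any' and 'host' addresses are modelled: {toks[i]}")
    ports = None
    if i < len(toks) and toks[i] == "eq":
        p = _port(toks[i + 1])
        ports, i = (p, p), i + 2
    elif i < len(toks) and toks[i] == "range":
        ports, i = (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return addr, ports, i


def parse_acl(text: str):
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0].lower() == "remark":
            continue
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        src, sport, i = _addr(toks, 3)
        dst, dport, i = _addr(toks, i)
        flags = toks[i:]
        entries.append(Entry(seq, action, proto, src, sport, dst, dport,
                             "established" in flags, "log" in flags))
    return entries


def _port_ok(rng, value) -> bool:
    return rng is None or (value is not None and rng[0] <= value <= rng[1])


def matches(e: Entry, pkt: dict) -> bool:
    if e.proto != "ip" and e.proto != pkt["proto"]:
        return False
    if e.src is not None and e.src != pkt["src"]:
        return False
    if e.dst is not None and e.dst != pkt["dst"]:
        return False
    if not _port_ok(e.sport, pkt.get("sport")) or not _port_ok(e.dport, pkt.get("dport")):
        return False
    return not (e.established and not pkt.get("ack", False))


def evaluate(entries, pkt):
    """First-match semantics; (None, 'deny') stands for the implicit deny."""
    for e in entries:
        if matches(e, pkt):
            return e.seq, e.action
    return None, "deny"


def vty_allows(src: str) -> bool:
    """Second gate for the decrypted management session: the vty access-class."""
    return any(ipaddress.ip_address(src) in net for net in VTY_ALLOWED)


# Constructed sample packets as they arrive on the outside interface.
SAMPLES = {
    "internet_telnet": {"proto": "tcp", "src": "198.51.100.7", "dst": PUBLIC_IP, "sport": 51000, "dport": 23},
    "internet_ssh":    {"proto": "tcp", "src": "198.51.100.7", "dst": PUBLIC_IP, "sport": 51001, "dport": 22},
    "vpn_isakmp":      {"proto": "udp", "src": "192.0.2.1", "dst": PUBLIC_IP, "sport": 500, "dport": 500},
    "vpn_esp":         {"proto": "esp", "src": "192.0.2.1", "dst": PUBLIC_IP},
    "reply_to_us":     {"proto": "tcp", "src": "198.51.100.9", "dst": PUBLIC_IP, "sport": 443, "dport": 40000, "ack": True},
    "sip_invite":      {"proto": "udp", "src": "198.51.100.20", "dst": PUBLIC_IP, "sport": 5060, "dport": 5060},
}


def decisions():
    """Map each sample packet to the (sequence, action) that handles it."""
    acl = parse_acl(ACL_TEXT)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (seq, action) in decisions().items():
        print(f"{name:16} -> line {seq}: {action}")
    print("vty from 10.10.0.5:", vty_allows("10.10.0.5"))       # True
    print("vty from 198.51.100.7:", vty_allows("198.51.100.7")) # False
```

Running it shows that Internet-sourced telnet and SSH never hit a permit line and land on sequence 999, so they are dropped and logged (those log messages are the place to watch for scanning against the public address), while the tunnel's ISAKMP and ESP packets match lines 60 and 150 and the inner telnet session is never seen by this list at all. Whether that inner session is accepted is then purely a matter of the vty access-class, which is why it must include the source addresses you manage from.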
