05-11-2020 10:01 AM
I have a VPN tunnel between my company and a remote user. I need to block ALL telnet and ssh to the remote user BUT I still need to be able to telnet through the VPN to the remote user. There will only be router to router telnet access, so I am not worried about clear text on our network; and the VPN is encrypting the router to router communication.
If I block all port 22 and 23 traffic on the remote router, will I still be able to telnet through the VPN tunnel?
I am asking here because I do not want to lose connection to the remote router if this won't work, as it is in another location with limited access.
05-19-2020 04:06 PM
I created what I needed.
! Define the ACL first, then apply it inbound on the Internet-facing interface.
ip access-list extended Protect
 remark Protect Internet inbound connection
 ! Return traffic for TCP sessions opened from inside (ACK/RST set)
 10 permit tcp any any established
 20 permit tcp any host {Public_IP_Address} eq ftp
 30 permit tcp any host {Public_IP_Address} eq domain
 40 permit udp any host {Public_IP_Address} eq domain
 50 permit tcp any host {Public_IP_Address} eq 443
 ! IPsec control plane: IKE (500) and NAT-T (4500)
 60 permit udp any host {Public_IP_Address} eq isakmp
 70 permit tcp any host {Public_IP_Address} eq 1194
 80 permit udp any host {Public_IP_Address} eq 1194
 90 permit tcp any host {Public_IP_Address} range 2000 2099
 100 permit udp any host {Public_IP_Address} eq non500-isakmp
 ! SIP signalling and RTP media
 110 permit tcp any host {Public_IP_Address} eq 5060
 120 permit udp any host {Public_IP_Address} eq 5060
 130 permit udp any host {Public_IP_Address} range 16384 32767
 ! Tunnel encapsulations: GRE, ESP and AH to the public address
 140 permit gre any host {Public_IP_Address}
 150 permit esp any host {Public_IP_Address}
 160 permit ahp any host {Public_IP_Address}
 170 permit udp any eq domain any
 180 permit udp any eq 5010 any
 190 permit tcp any host {Public_IP_Address} eq 9090
 220 permit udp any eq ntp any
 998 permit icmp any any
 ! Everything else, including telnet (23) and ssh (22) to the public address, is dropped and logged
 999 deny ip any any log
!
interface GigabitEthernet0/2
 ip access-group Protect in
 exit
Our two VPNs work, SIP & VoIP work, GRE tunnels work, the FTP server works, and I can telnet from my router to the customer's router as needed.
Hope this helps anyone that needs it. On to my next project, EEM and emailing...
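Added example, not code from the thread or from Cisco: a small first-match evaluator for the ACL posted above, run over a few constructed packets to show which rule each one hits. It replaces {Public_IP_Address} with the documentation address 203.0.113.10 and uses 198.51.100.7 as the remote router; both addresses, the sample packets and the function names are assumptions for the demonstration. The point it illustrates is why the setup works: telnet and ssh arriving from the Internet to the public address fall through to the final deny-and-log rule, while the ESP/GRE packets that carry the router-to-router session through the tunnel are permitted by rules 140 to 160, and replies to sessions the inside opened are permitted by the established rule.

```python
"""First-match evaluator for the 'Protect' extended ACL (added example, not from the thread)."""

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for {Public_IP_Address}
REMOTE = "198.51.100.7"      # constructed address of the remote/customer router

# IOS port keywords used in the posted ACL.
PORT_NAMES = {"ftp": 21, "domain": 53, "isakmp": 500, "non500-isakmp": 4500, "ntp": 123}

# The numbered rules from the accepted answer, placeholder substituted.
ACL_TEXT = """
10 permit tcp any any established
20 permit tcp any host {Public_IP_Address} eq ftp
30 permit tcp any host {Public_IP_Address} eq domain
40 permit udp any host {Public_IP_Address} eq domain
50 permit tcp any host {Public_IP_Address} eq 443
60 permit udp any host {Public_IP_Address} eq isakmp
70 permit tcp any host {Public_IP_Address} eq 1194
80 permit udp any host {Public_IP_Address} eq 1194
90 permit tcp any host {Public_IP_Address} range 2000 2099
100 permit udp any host {Public_IP_Address} eq non500-isakmp
110 permit tcp any host {Public_IP_Address} eq 5060
120 permit udp any host {Public_IP_Address} eq 5060
130 permit udp any host {Public_IP_Address} range 16384 32767
140 permit gre any host {Public_IP_Address}
150 permit esp any host {Public_IP_Address}
160 permit ahp any host {Public_IP_Address}
170 permit udp any eq domain any
180 permit udp any eq 5010 any
190 permit tcp any host {Public_IP_Address} eq 9090
220 permit udp any eq ntp any
998 permit icmp any any
999 deny ip any any log
""".replace("{Public_IP_Address}", PUBLIC_IP)


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (address or None for any, remaining tokens)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("unsupported address spec: " + tokens[0])


def _ports(tokens):
    """Consume an optional 'eq N' or 'range A B'; return ((lo, hi) or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        p = _port(tokens[1])
        return (p, p), tokens[2:]
    if tokens and tokens[0] == "range":
        return (_port(tokens[1]), _port(tokens[2])), tokens[3:]
    return None, tokens


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        src, rest = _addr(toks[3:])
        sport, rest = _ports(rest)
        dst, rest = _addr(rest)
        dport, rest = _ports(rest)
        rules.append({"seq": seq, "action": action, "proto": proto, "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "established": "established" in rest,
                      "log": "log" in rest})
    return rules


def _in_range(port, rng):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def matches(rule, p):
    if rule["proto"] != "ip" and rule["proto"] != p["proto"]:
        return False
    if rule["src"] is not None and rule["src"] != p["src"]:
        return False
    if rule["dst"] is not None and rule["dst"] != p["dst"]:
        return False
    if not _in_range(p["sport"], rule["sport"]) or not _in_range(p["dport"], rule["dport"]):
        return False
    # 'established' only matches TCP segments with ACK or RST set (no real connection state).
    if rule["established"] and not (p["proto"] == "tcp" and p["ack_or_rst"]):
        return False
    return True


def evaluate(rules, p):
    """Return (sequence, action) of the first matching rule; implicit deny if none match."""
    for rule in rules:
        if matches(rule, p):
            return rule["seq"], rule["action"]
    return None, "deny"


def pkt(proto, src, dst, sport=None, dport=None, ack_or_rst=False):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "ack_or_rst": ack_or_rst}


RULES = parse_acl(ACL_TEXT)

# Constructed packets arriving inbound on the Internet-facing interface.
SAMPLE = {
    "telnet_from_internet": pkt("tcp", REMOTE, PUBLIC_IP, 51515, 23),
    "ssh_from_internet": pkt("tcp", REMOTE, PUBLIC_IP, 51516, 22),
    "ipsec_esp_from_peer": pkt("esp", REMOTE, PUBLIC_IP),
    "gre_from_peer": pkt("gre", REMOTE, PUBLIC_IP),
    "nat_t_from_peer": pkt("udp", REMOTE, PUBLIC_IP, 4500, 4500),
    "telnet_reply_to_our_session": pkt("tcp", REMOTE, PUBLIC_IP, 23, 40321, ack_or_rst=True),
    "port_2050_from_internet": pkt("tcp", REMOTE, PUBLIC_IP, 51517, 2050),
    "ping": pkt("icmp", REMOTE, PUBLIC_IP),
}


def classify_all():
    return {name: evaluate(RULES, p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, (seq, action) in classify_all().items():
        print(f"{name:30s} -> seq {seq} {action}")
```

Two things the evaluator makes visible that are worth keeping in mind when reusing this ACL: the established keyword is a flag check (ACK or RST set), not connection tracking, so it is weaker than a zone-based or reflexive policy; and the ACL only ever sees the outer ESP/GRE packets, which is why the telnet inside the tunnel is unaffected while telnet to the public address from the Internet is dropped and logged by rule 999.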
05-11-2020 04:35 PM