12-17-2008 09:49 AM
Hello,
I am using the document "Configuring Cisco VPN Client 3.x for Windows to IOS Using Local Extended Authentication" to test remote access to the internal LAN.
Everything works fine, but when I define the users:
username usuario1 password 0 password
these users can telnet to the device.
I have tried with privilege 0, but it doesn't work. Can anyone help me?
12-17-2008 10:19 AM
Hi,
How are you assigning IP addresses to the VPN client? That is, how is your VPN pool of IP addresses configured? One quick way to deny telnet access is to configure an ACL that only allows your internal network to access the router via telnet.
For example:
If 192.168.1.0/24 is your internal network, then:
access-list 1 permit 192.168.1.0 0.0.0.255
line vty 0 4
access-class 1 in
This will allow only users from 192.168.1.0/24 to access the router via line vty 0 4.
The above is also a best practice because it is an additional layer of security controlling which networks have access to the router.
Regards,
Arul
*Pls rate if it helps*
12-17-2008 10:32 AM
Hello,
Yes, I have ACL protection, but it is amazing that anyone can access the local router. Depending on the scenario, the ACL protection isn't enough.
12-17-2008 10:43 AM
I totally agree with you that ACL protection is not enough; if you refer to my previous post, that is what I told you as well :-)) ACL is just another layer of protection.
Also, what do you mean when you say you have ACL protection but anyone can access the router? Are you saying that you have applied the ACL to the VTY lines and users can still access the router?
Can you post the configuration from the router?
Regards,
Arul
12-17-2008 11:38 PM
Hello,
As you see, there are two users: admin and master. Master is the user that should be able to telnet to the device. But if you telnet and type "admin" and its password, you can access it too.
I am thinking of moving the users to RADIUS, but the number of users that are going to use the VPN access is very small, so I would prefer local login instead of RADIUS login.
version 12.3
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Terminator
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot 2
enable secret 5 XXXXXXXXXXXXXXXXXXX
!
clock timezone MET 1
clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 2:00
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
username master password XXXXXXXXX
username admin password XXXXXXXXXXX
!
!
!
!
crypto isakmp policy 3
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group integra-client
key XXXXXXXX
dns 192.168.0.1
wins 192.168.0.1
domain f-integra.org
pool integra-pool
acl integra-acl
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 10.2.254.249 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/1
ip address X.X.X.X 255.255.255.240
duplex auto
speed auto
crypto map clientmap
!
ip local pool integra-pool 10.254.254.1 10.254.254.31
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.0.0.0 255.128.0.0 10.2.254.254
ip route 172.16.0.0 255.240.0.0 10.2.254.254
ip route 192.168.0.0 255.255.0.0 10.2.254.254
!
!
!
ip access-list extended integra-acl
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
!
access-list 99 permit Y.Y.Y.Y
access-list 99 permit 192.168.0.0 0.0.0.255
access-list 99 deny any
!
!
!
!
!
!
!
!
!
!
line con 0
transport output all
line aux 0
transport output all
line vty 0 4
access-class 99 in
password 7 13061E010803
transport input all
transport output all
!
end
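The two problems discussed in this thread (the vty accepting every local username because the VPN Xauth list and the vty login both resolve to the local database, and the access-class ACL as the layer that decides which sources can reach the vty at all) can be checked mechanically. The following Python script is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of the running-config posted above (same AAA lists, users, pool, ACL 99 and vty settings, with the one-space sub-command indentation that show running-config uses), evaluates the standard ACL the way IOS does (top-down, wildcard bits, implicit deny) against every address of the VPN pool, and reports whether the vty falls back to the local user database. The severity labels, function names and the assumption that a vty with neither an explicit nor a default login list authenticates locally under aaa new-model are the example's own.

```python
import ipaddress
import re

# Constructed sample: the relevant commands from the running-config posted
# above, indented the way "show running-config" prints sub-commands.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username master password XXXXXXXXX
username admin password XXXXXXXXXXX
crypto map clientmap client authentication list userauthen
ip local pool integra-pool 10.254.254.1 10.254.254.31
access-list 99 permit 192.168.0.0 0.0.0.255
access-list 99 deny any
line vty 0 4
 access-class 99 in
 password 7 13061E010803
 transport input all
 transport output all
!
end
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")


def parse_config(text):
    """Return (top-level commands, {line section: [sub-commands]})."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(cmd)
            continue
        current = None
        top.append(cmd)
        if cmd.startswith("line "):
            current = cmd
            sections[cmd] = []
    return top, sections


def _wildcard_match(addr, network, wildcard):
    """True if addr is inside network/wildcard (set wildcard bits are 'don't care')."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def acl_permits(top, acl_id, addr):
    """Evaluate a standard numbered ACL top-down for a source address; implicit deny at the end."""
    for cmd in top:
        m = ACL_RE.match(cmd)
        if not m or m.group(1) != acl_id:
            continue
        action, src, wild = m.group(2), m.group(3), m.group(4)
        if src == "host":  # 'permit host A.B.C.D' form
            src, wild = wild, "0.0.0.0"
        if src == "any" or _wildcard_match(addr, src, wild or "0.0.0.0"):
            return action == "permit"
    return False


def audit(text):
    """Flag vty exposure created by sharing the local user database with VPN Xauth."""
    top, sections = parse_config(text)
    out = []
    aaa = "aaa new-model" in top
    has_default = any(c.startswith("aaa authentication login default ") for c in top)
    users = [c.split()[1] for c in top if c.startswith("username ")]
    xauth_lists = {c.split()[-1] for c in top
                   if re.match(r"crypto map \S+ client authentication list ", c)}
    local_lists = {c.split()[3] for c in top
                   if re.match(r"aaa authentication login \S+ local$", c)}
    pools = [c.split()[3:] for c in top if c.startswith("ip local pool ")]

    for line, subs in sections.items():
        if not line.startswith("line vty"):
            continue
        if any(s.startswith("transport input ") and s.split()[2] in ("all", "telnet") for s in subs):
            out.append(f"HIGH {line}: cleartext telnet accepted ('transport input all'); restrict to ssh")
        login_list = next((s.split()[2] for s in subs if s.startswith("login authentication ")), None)
        # Assumption (matches what the thread observed): with aaa new-model and no
        # explicit or default login list, the vty authenticates against the local database.
        vty_local = aaa and (login_list in local_lists or (login_list is None and not has_default))
        if aaa and any(s.startswith("password ") for s in subs):
            out.append(f"INFO {line}: line password is not used for login once aaa new-model is enabled")
        if vty_local:
            for lst in sorted(xauth_lists & local_lists):
                out.append(f"HIGH {line}: VPN Xauth list '{lst}' and vty login both resolve to the "
                           f"local database, so every local user ({', '.join(users)}) can log in")
        acl = next((s.split()[1] for s in subs if s.startswith("access-class ")), None)
        if acl is None:
            out.append(f"HIGH {line}: no access-class; any reachable source may attempt login")
            continue
        for parts in pools:  # 'ip local pool NAME START [END]'
            name, start = parts[0], parts[1]
            end = parts[2] if len(parts) > 2 else start
            lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
            reachable = [i for i in range(lo, hi + 1)
                         if acl_permits(top, acl, str(ipaddress.IPv4Address(i)))]
            if reachable:
                out.append(f"HIGH {line}: access-class {acl} permits {len(reachable)} address(es) of VPN pool {name}")
            else:
                out.append(f"INFO {line}: access-class {acl} blocks VPN pool {name}; vty reachable only from permitted networks")
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the telnet transport and the shared local database as HIGH, and notes that ACL 99 does not permit any address of integra-pool, which is why the access-class is only a partial mitigation: a VPN user who also reaches the router from a permitted LAN source (as the poster did) is still accepted by the vty.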