router web access

matt_heff
Level 1

I use SSH and also have web access available to manage my 1721 router. When I disable telnet access on the vty ports (so I can just use SSH), web access becomes disabled as well. Is this normal? How do I get around this? Do I have to leave transport telnet enabled and then use an access list denying telnet, or is there an easier way?

thanks,

Matt

5 Replies

spremkumar
Level 9

Hi Matt

AFAIK you are going to establish the web access through the port you define using ip http port followed by the port number.

So I don't think that disabling the line vty access is blocking your web access.

What's the exact error message you are getting, or what is displayed when you try web access?

regds

Craig Balfour
Level 1

Where are you applying the access-list to block telnet?

The correct way is to apply an access-list to the vty line interfaces using the access-class command.

Here is an example:

ip access-list extended VTY-LOCKDOWN2
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 deny tcp any any eq 22 log
 permit ip any any

line vty 0 15
 access-class VTY-LOCKDOWN2 in

If the access-list is applied using the access-class command to the correct interface, it should not affect web access to the router. However, if you apply the access-list using the access-group command on, say, interface fa0, you will end up blocking HTTP access to your router and probably other protocols as well.

The correct way to control access to the web interface is to use the ip http access-class as follows:

ip access-list standard 40
 permit 10.0.0.0 0.255.255.255
 deny any

ip http access-class 40

Craig

If the objective is to permit only SSH and deny telnet then your access list is flawed because after denying tcp any any eq 22 you permit ip any any which would permit telnet.

And I believe that if the objective is to permit only SSH and deny telnet that a more simple approach is better: under the vty lines specify transport input ssh. This will allow ssh and will not allow telnet.

I agree with you that blocking telnet should not block HTTP access. Perhaps if we could see the configuration being used we could identify what is impacting the web access.

HTH

Rick


Hi Rick,

Of course - you are correct. I copied this access-list directly from a reply I did a few days ago and forgot to update it.

A more appropriate access-list to permit SSH from a particular network and block telnet (any other remote terminal protocol) would be:

ip access-list extended VTY-LOCKDOWN2
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny tcp any any

As you say, an even better approach would be to just restrict the protocols available on the vty, and perhaps add an access-list to ensure that remote terminal access is restricted to the local LAN:

ip access-list standard VTY-LOCKDOWN3
 permit 10.0.0.0 0.255.255.255
 deny any

line vty 0 15
 transport input ssh
 access-class VTY-LOCKDOWN3 in

Craig

I certainly agree that the most secure implementation includes both the transport input ssh under the vty and an access class to restrict source addresses.

My experience with access-class on the vty is that using standard access lists works best. The complexity introduced by extended access lists for access class is generally not worth it.

HTH

Rick

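The checks the thread converges on (transport input ssh on the vty, an inbound access-class, and an ACL that does not end in a blanket permit like the first VTY-LOCKDOWN2) can be audited mechanically. The script below is an added example, not code from the thread or from Cisco; the parser, the audit_vty function and the sample config are assumptions constructed for illustration.

```python
"""Audit Cisco IOS vty config for the thread's points: telnet off via
'transport input ssh', an inbound access-class, and no blanket-permit ACL."""
import re

# Constructed sample: the thread's flawed ACL on one vty range, the hardened one on another.
SAMPLE_CONFIG = """\
ip access-list extended VTY-LOCKDOWN2
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 deny tcp any any eq 22 log
 permit ip any any
ip access-list standard VTY-LOCKDOWN3
 permit 10.0.0.0 0.255.255.255
 deny any
line vty 0 4
 transport input telnet ssh
 access-class VTY-LOCKDOWN2 in
line vty 5 15
 transport input ssh
 access-class VTY-LOCKDOWN3 in
"""

def parse_blocks(config):
    """Group config into (header, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip():
            blocks.append((raw.strip(), []))
    return blocks

def audit_vty(config):
    """Return {vty header: [findings]}; an empty list means the block passed."""
    blocks = parse_blocks(config)
    acls = {h.split()[-1]: b for h, b in blocks if h.startswith("ip access-list")}
    findings = {}
    for header, body in blocks:
        if not header.startswith("line vty"):
            continue
        issues = []
        words = next((l for l in body if l.startswith("transport input")), "").split()
        if not words or "telnet" in words or "all" in words:  # no line = IOS default, all transports
            issues.append("telnet not disabled: use 'transport input ssh'")
        acl_ref = next((l for l in body if l.startswith("access-class")), None)
        if acl_ref is None:
            issues.append("no access-class: source addresses unrestricted")
        else:
            name = acl_ref.split()[1]
            entries = acls.get(name, [])
            if entries and re.fullmatch(r"permit (ip )?any( any)?", entries[-1]):
                issues.append(f"ACL {name} ends with a blanket permit")
        findings[header] = issues
    return findings
```

Run against a show running-config dump, the hardened range vty 5 15 comes back clean while vty 0 4 is flagged for both telnet and the trailing permit ip any any.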