07-23-2007 06:41 AM - edited 03-05-2019 05:26 PM
Hello,
I need to allow only one telnet connection to a router.
Which set of commands will accomplish this task?
Can "line vty 1, login, password cisco" be used?
07-23-2007 08:42 AM
we'll work with 192.168.1.200 as being the only system IP that can telnet to the router on vty line 1.
create an access list
access-list 101 permit tcp host 192.168.1.200 any eq telnet
access-list 101 deny ip any any log
then apply the acl to vty 1 line
e.g
line vty 1
access-class 101 in
transport input telnet
you can configure one vty line with a unique password..
eg.
line vty 1
password xxxxx
login
07-23-2007 11:32 AM
Laurentiu
I will take a slightly different approach than Jorge (while his approach does control access to a single vty by a single host, I am not sure that this is what you were really asking for - especially since it does not address what happens on vty 0).
I will suggest that you configure vty 0 to accept the telnet connection (depending on how your router is configured - especially whether you are using aaa or not - the configuration that you posted would be fine), and that under all the other vty lines you configure:
no exec
This will prevent any telnet connection from becoming active on any other vty. Be aware that on many routers there are vty 0 4, but on some versions there are vty 0 15, and there could possibly be other numbers of vty lines. So check how many are in your router and configure them as I have suggested.
HTH
Rick
07-23-2007 11:39 AM
I agree with rick.
The no exec command turns off the EXEC process for the specified line and this would ensure only one telnet session at a time.
If you also want to allow access to only one machine, you can use the access-list under the line which does not have the no exec command.
Narayan
07-23-2007 12:26 PM
Narayan/Rick, agree on the no exec command as a more effective approach.
07-24-2007 03:39 AM
Hi,
Just to add one more thing here...
As you will be allowing just one telnet connection, do remember to apply exec-timeout with an appropriate timer.
Otherwise you have to log in to the console to clear the only available vty line for telnet access.
"I have seen a similar problem with a 6500 with no exec-timeout applied"
regards
07-24-2007 03:52 AM
yes a very valid point by rajat..
All you don't need is to lock yourself up and use the console to free the session..
! standard ACL 1 must be defined; an access-class that references an undefined ACL restricts nothing
access-list 1 permit host 192.168.1.200
line vty 0
access-class 1 in
exec-timeout 5 0
line vty 1 15
no exec
HTH
Narayan
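A defender-side check for the policy the thread converged on (one vty keeps an EXEC, it carries an inbound access-class, it has a sane exec-timeout, every other vty is "no exec"). This is an added example written for this page, not code from any of the posters or from Cisco. It parses the vty blocks of an IOS-style running-config and reports when more than one vty line keeps an EXEC, when the live vty has no inbound access-class or references an ACL the config never defines, or when its exec-timeout is 0 0 (never idle out). The two configs are constructed samples; the parser assumes IOS's convention that line sub-commands are indented by one space under their "line vty" header.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class VtyBlock:
    """One 'line vty N [M]' block from a running-config."""
    first: int
    last: int
    exec_enabled: bool = True            # IOS default: an EXEC is started on the line
    access_class: Optional[str] = None   # inbound access-class, if any
    exec_timeout: Optional[Tuple[int, int]] = None  # (minutes, seconds); None = IOS default 10 0

    @property
    def count(self) -> int:
        return self.last - self.first + 1

    @property
    def label(self) -> str:
        return f"vty {self.first}" if self.first == self.last else f"vty {self.first} {self.last}"


def parse_vty_blocks(config: str) -> List[VtyBlock]:
    """Walk the config; sub-commands of a 'line vty' block are indented by one space."""
    blocks: List[VtyBlock] = []
    current: Optional[VtyBlock] = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if not raw.startswith(" "):                  # top-level command
            m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", text)
            if m:
                current = VtyBlock(int(m.group(1)), int(m.group(2) or m.group(1)))
                blocks.append(current)
            else:
                current = None                       # any other top-level command ends the block
            continue
        if current is None:
            continue
        if text == "no exec":
            current.exec_enabled = False
        elif text == "exec":
            current.exec_enabled = True
        else:
            m = re.fullmatch(r"access-class (\S+) in", text)
            if m:
                current.access_class = m.group(1)
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", text)
            if m:
                current.exec_timeout = (int(m.group(1)), int(m.group(2) or 0))
    return blocks


def defined_acls(config: str) -> Set[str]:
    """Names/numbers of ACLs the config actually defines (numbered or named)."""
    numbered = re.findall(r"^access-list (\S+) ", config, re.M)
    named = re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M)
    return set(numbered) | set(named)


def audit_single_telnet(config: str) -> List[str]:
    """Return a list of findings; an empty list means the config meets the policy."""
    findings: List[str] = []
    active = [b for b in parse_vty_blocks(config) if b.exec_enabled]
    acls = defined_acls(config)
    total = sum(b.count for b in active)
    if total != 1:
        findings.append(f"{total} vty lines keep an EXEC; expected exactly 1")
    for b in active:
        if b.access_class is None:
            findings.append(f"{b.label}: no inbound access-class, any source may connect")
        elif b.access_class not in acls:
            findings.append(f"{b.label}: access-class {b.access_class} references an undefined ACL")
        if b.exec_timeout == (0, 0):
            findings.append(f"{b.label}: exec-timeout 0 0 disables the idle timeout")
        elif b.exec_timeout is None:
            findings.append(f"{b.label}: exec-timeout not set explicitly (IOS default is 10 minutes)")
    return findings


# Constructed sample: the typical default-ish vty stanza (all five lines live, no timeout, no ACL).
WEAK_CONFIG = """!
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
!
"""

# Constructed sample: the configuration the thread converged on.
HARDENED_CONFIG = """!
access-list 1 permit host 192.168.1.200
!
line vty 0
 access-class 1 in
 exec-timeout 5 0
 password cisco
 login
line vty 1 15
 no exec
!
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_single_telnet(cfg) or ["ok"])
```

Run it against a saved "show running-config" to confirm the change took effect on all vty lines the platform actually has (vty 0 4 versus vty 0 15, as Rick notes above); the count finding catches a stray live vty regardless of how many the box exposes.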