disabling telnet access

nawas
Level 4

I have disabled telnet access to my Cisco2948 and Cisco5609 (running CatOS) but I'm still able to telnet. Am I missing anything? Here is my config:

set ip permit enable ssh

set ip permit enable snmp

set ip permit 10.0.0.0 255.0.0.0 ssh

set ip permit 10.0.0.0 255.0.0.0 snmp

sh ip permit

Telnet permit list disabled.

Ssh permit list enabled.

Snmp permit list enabled.

Permit List Mask Access-Type

---------------- ---------------- -------------

10.0.0.0 255.0.0.0 ssh snmp


Premdeep Banga
Level 7

If you have already tried,

set ip permit disable telnet

Then something seems to be not correct.

Can you share sh ver?

Regards,

Prem

Yes, I did "set ip permit disable telnet", that's why it shows "telnet disabled" in show ip permit. Here is the show ver.

From 6509:---------

sh ver

WARNING: This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and use.

Delivery of Cisco cryptographic products does not imply third-party authority

to import, export, distribute or use encryption. Importers, exporters,

distributors and users are responsible for compliance with U.S. and local

country laws. By using this product you agree to comply with applicable

laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

WS-C6506 Software, Version NmpSW: 8.5(2)

Copyright (c) 1995-2005 by Cisco Systems

NMP S/W compiled on Dec 6 2005, 21:05:19

System Bootstrap Version: 7.7(1)

System Web Interface Version: Engine Version: 5.3.4 ADP Device: Cat6000 ADP Version: 8.0 ADK: 49

System Boot Image File is 'bootflash:cat6000-sup720cvk9.8-5-2.bin'

System Configuration register is 0x10f

From 4006:----

sh ver

WARNING: This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and use.

Delivery of Cisco cryptographic products does not imply third-party authority

to import, export, distribute or use encryption. Importers, exporters,

distributors and users are responsible for compliance with U.S. and local

country laws. By using this product you agree to comply with applicable

laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

WS-C4006 Software, Version NmpSW: 8.1(2)

Copyright (c) 1995-2003 by Cisco Systems, Inc.

From 2948:-

sh ver

WARNING: This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and use.

Delivery of Cisco cryptographic products does not imply third-party authority

to import, export, distribute or use encryption. Importers, exporters,

distributors and users are responsible for compliance with U.S. and local

country laws. By using this product you agree to comply with applicable

laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

WS-C2948 Software, Version NmpSW: 8.4(9)GLX

Well, I was not able to find anything specific on these versions. I wasn't able to find anything wrong, though, with the way you have it set up. Until someone else can point it out to us.

But if you want you can get this thing to be investigated by TAC.

Regards,

Prem

Hi Nawas,

This is how it works,

Command

Ip permit disable telnet---> Disables the use of a permit list.

You will need to enable the permit list and then define which IP addresses are allowed to

telnet to the switch.

If no IPs are defined then no telnet is possible.

So to disable telnet you need to enable it using---> Ip permit enable telnet

Now do not define any IP address for telnet. That way no one would be able to telnet to it.

Also to limit telnet access on the CAT OS you need to define who is permitted to telnet to

the device.

Eg,

set ip permit telnet

set ip permit telnet

set ip permit telnet

This creates a permit list. Once you do this you can enable the list to be processed by

the switch

set ip permit enable telnet

This tells the switch to only allow telnet for IP addresses defined in the permit list.

Hope that helps !

Regards,

~JG

JG is right,

unconventional, but this is how it works!

@JG : Great work TSing ;)

Regards,

Prem

This is exactly how I have configured my devices, but still no luck. Note that I had telnet enabled at some point, and now I want to disable telnet. I even tried ripping out the whole permit list configuration and disabling the permit list and enabling it, but still no luck. Guess I will have to open a TAC case.

Hey Nawas,

Please mark this thread resolved, so others can benefit from it ;-)

Regards,

~JG

Have you opened a TAC case? What was the resolution, if you don't mind sharing?

Thanks,

pq

Pq,

That issue has been fixed. Here is the solution.

This is how it works,

Command

Ip permit disable telnet---> Disables the use of a permit list.

You will need to enable the permit list and then define which IP addresses are allowed to

telnet to the switch.

If no IPs are defined then no telnet is possible.

So to disable telnet you need to enable it using---> Ip permit enable telnet

Now do not define any IP address for telnet. That way no one would be able to telnet to it.

Also to limit telnet access on the CAT OS you need to define who is permitted to telnet to

the device.

Eg,

set ip permit telnet

set ip permit telnet

set ip permit telnet

This creates a permit list. Once you do this you can enable the list to be processed by

the switch

set ip permit enable telnet

This tells the switch to only allow telnet for IP addresses defined in the permit list.

Regards,

~JG
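An added example (not from the thread or from Cisco) that models the CatOS permit-list semantics JG describes in both of his answers: a disabled permit list restricts nothing, while an enabled list admits only sources with a matching entry, so an enabled list with no telnet entries blocks telnet entirely. The parser, the service names and the sample configurations below are assumptions built from the `set ip permit` lines quoted in the thread; only the `sh ip permit` output in the thread (telnet list disabled by default) backs the initial state.

```python
import ipaddress

SERVICES = ("telnet", "ssh", "snmp")
def parse_ip_permit(config: str) -> dict:
    """Model CatOS 'set ip permit ...' lines (assumption: every list starts
    disabled). Returns {"enabled": {svc: bool}, "entries": [(net, {svcs})]}."""
    state = {"enabled": {s: False for s in SERVICES}, "entries": []}
    for raw in config.splitlines():
        words = raw.split()
        if words[:3] != ["set", "ip", "permit"] or len(words) < 4:
            continue
        args = words[3:]
        if args[0] in ("enable", "disable"):
            # No type (or 'all') is taken to mean every permit list
            targets = SERVICES if len(args) == 1 or args[1] == "all" else (args[1],)
            for s in targets:
                state["enabled"][s] = args[0] == "enable"
            continue
        # Entry form: ip_addr [mask] [telnet|ssh|snmp|all]; no mask means a host
        mask = "255.255.255.255"
        if len(args) > 1 and args[1] not in SERVICES + ("all",):
            mask = args[1]
        services = {a for a in args[1:] if a in SERVICES} or set(SERVICES)
        net = ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
        state["entries"].append((net, services))
    return state

def is_permitted(state: dict, src_ip: str, service: str) -> bool:
    """A disabled permit list imposes no restriction at all; an enabled list
    permits only sources with a matching entry, so enabled + empty denies all."""
    if not state["enabled"][service]:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net and service in svcs for net, svcs in state["entries"])

# Constructed sample: the poster's config (telnet permit list left disabled)
POSTED_CONFIG = """
set ip permit enable ssh
set ip permit enable snmp
set ip permit 10.0.0.0 255.0.0.0 ssh
set ip permit 10.0.0.0 255.0.0.0 snmp
"""
# JG's fix: enable the telnet permit list without adding any telnet entry
FIXED_CONFIG = POSTED_CONFIG + "set ip permit enable telnet\n"

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        st = parse_ip_permit(cfg)
        print(name, "telnet from 192.0.2.10:", is_permitted(st, "192.0.2.10", "telnet"))
```

As JG notes in the last reply, the model only says whether a session is accepted; TCP port 23 still answers on the switch, so a port scan will keep reporting it open.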

Thanks JG.

But the problem I have is that when the IT Security people perform the network scan, it still shows that the telnet service is enabled. In other words, port 23 is still open. Is there a way to shut down the telnet service totally?

pq

Pq,

Well, this is due to the CAT OS architecture. It will show that the telnet port is open, but no one will be able to telnet until you define an ip permit list for telnet.

If no ip permit list is there, telnet is not possible.

Regards,

~JG
