Solved: SSH and TELNET

bhupeshg · ‎02-11-2008

ROUTER(SSH)-->SWITCH(TELNET)

My requirement is like this..

1)i will be able to ssh the router and restrcited to telnet.

2)once i'll get in to the router i can telnet to the switch from the same session.

I have applied the below given commands

ROUTER(SSH)Configuration...

Line VTY 0 4

TRANSPORT INPUT TELNET SSH

TRANSPORT OUTPUT TELNET SSH

but after this i can also telnet the router, but if i remove telnet i will not be able to telnet the switch.

any help will be appriciated.

royalblues · ‎02-12-2008

Try this

line vty 0 4

transport input ssh ---- this will restrict telnet into this device

transport output telnet --- this will allow telnet to be initiated from this device

In addition you can restrict the machines that can gain access via the access-class command as suggested above

HTH

Narayan

View solution in original post

gojericho0 · ‎02-11-2008

Hello

On your vty line just use TRANSPORT INPUT SSH and TRANSPORT OUTPUT SSH instead of including telnet as well.

HTH

guruprasadr · ‎02-11-2008

HI Bhupesh, [Pls Rate if HELPS]

You can block based on Port:

access-list 110 deny tcp any host $yourRouterIP eq 23

interface X0/0

access-group in 110

Allow access to authroised HOST:

access-list 50 permit 192.168.1.1

access-list 50 deny any log

line vty 0 4

access-class 50 in

exec-timeout 5 0

(or)

To Prevent Non-SSH Connections:

==================================

If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.

line vty 0 4

!--- Prevent non-SSH Telnets.

transport input ssh

Test to make sure that non-SSH users cannot Telnet to the router.

Hope i am Informative.

PLS RATE if HELPS

Best Regards,

Guru Prasad R

royalblues · ‎02-12-2008

Try this

line vty 0 4

transport input ssh ---- this will restrict telnet into this device

transport output telnet --- this will allow telnet to be initiated from this device

In addition you can restrict the machines that can gain access via the access-class command as suggested above

HTH

Narayan

bhupeshg · ‎02-12-2008

Hi Guru,

Thanks for your inputs, I think there is misunderstanding on the requirement.

First i am doing ssh to the router (i want to open only ssh and restrict the telnet), now to access the immidiate connected L2 switch i have to telnet (The L2 switch didn't support the SSH so there no other option for me apart from telnet) the switch from the ssh session of router.

If i'll put the "transport input ssh" on router, I am no longer able to telnet the immidiate connected L2 switch from the ssh session of router.

&

If i'll put the "transport input telnet ssh" on router, I am able to ssh to the router (which is my requirement) also i am able to telnet to the router (which is not my requirement) and I am able to telnet the immidiate connected L2 switch(which is my requirement) from the ssh session of router.

Hope we are on the same page now.

Thanks in advanced.

royalblues · ‎02-12-2008

you should be able to initiate a telnet from the device to which you have SSHed into unless you have restricted via the transport output command

HTH

Narayan

bhupeshg · ‎02-12-2008

Hi Narayan,

Appriciate your inputs, Yes i am able to initiate a telnet from the device to which you have SSHed.

But the problem is at the same time, I want to restrict the telnet access of the router.

regards

Bhupesh Gupta

9810231194

guruprasadr · ‎02-12-2008

HI Bhupesh, [Rate all informative POST]

Nice to hear your problem is close to resolve.

'line vty 0 4'

'transport input ssh'

>> This will normally block the non-ssh connection to the Router.

Refer the previous POST.

PLS RATE ALL INFORMATIVE POSTS

Best Regards,

Guru Prasad R

royalblues · ‎02-12-2008

Bhupesh,

Can you try the commands as per my earlier post and revert back?

Narayan