vty access problem

Answered Question
Jul 8th, 2008

I'm not sure if I've stumbled into a possible IOS bug in a certain IOS release for Catalyst switches. I tested other IOS releases and don't see this problem. I looked for a similar problem in the Cisco Security Center but don't see any.


Here is the configuration...

!
ip access-list standard VTY
 permit 192.168.1.1
!
line vty 0 4
 access-class VTY in
 exec-timeout 5 0
 length 0
 transport input ssh
line vty 5 15


I can log in with the following:

Application: Telnet
Source IP Address: Any IP address except 192.168.1.1
Account: Any local user account
Line: 6 to 16 (which is vty 5 to 15)


The workaround I use...

!
line vty 5 15
 access-class VTY in


Any idea how to totally block access to line 6 to 16?


TIA

tomredmond Tue, 07/08/2008 - 02:21

If you do not need those lines, i.e. more than five simultaneous telnet/ssh sessions, then I would remove them (no line vty 5 15); you can always reinstate them later.

Tom

Correct Answer
mohammedmahmoud Tue, 07/08/2008 - 03:18

Hi Dandy,


Simply do "no exec" under these lines.


BR,

Mohammed Mahmoud.

is66rlhntadm Tue, 07/08/2008 - 05:57

I usually just configure all the VTYs with

line vty 0 15

This way all 16 have the same restrictions.

Danilo Dy Tue, 07/08/2008 - 06:36

Yes, but as I mentioned I only encountered this on one particular Catalyst Switch IOS.


This is because every time I update/upgrade the IOS, I use a tool to scan the device for any vulnerability. Sometimes you can just try it manually - as in this case, I found the problem when manually trying to telnet to the switch using an IP address that is not in the ACL on lines 1 to 5 (vty 0 4). I did not encounter this in other Catalyst Switch IOS releases. But of course I cannot test all releases as I have other better things to do :) like playing COD4 (right now) and AAO (maybe later) :).
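A defender's check for the gap discussed in this thread, added here as an example and not taken from the thread or from Cisco: a small auditor that parses an IOS running-config and lists the vty lines that would accept a login without an inbound access-class, "no exec", or "transport input none". The sample configs are constructed to mirror the poster's before/after state, and the Python tooling is a hypothetical choice.

```python
import re

# Constructed running-config modelled on the thread: vty 0 4 is guarded by
# access-class VTY, vty 5 15 is declared but left wide open.
OPEN_CONFIG = """\
ip access-list standard VTY
 permit 192.168.1.1
!
line vty 0 4
 access-class VTY in
 transport input ssh
line vty 5 15
!
"""
FIXED_CONFIG = OPEN_CONFIG + "line vty 5 15\n no exec\n"  # the thread's fix

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
ACL_RE = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )")


def parse_vty_blocks(config):
    """Map (first, last) -> indented child commands of each 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = VTY_RE.match(raw)
        if m:
            current = (int(m.group(1)), int(m.group(2) or m.group(1)))
            blocks.setdefault(current, [])
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any top-level command ends the block
    return blocks

def unprotected_vtys(config, total=16):
    """vty numbers (0..total-1) with no inbound access-class and no 'no exec' /
    'transport input none'; an access-class naming an undefined ACL counts as open."""
    acls = {m.group(1) or m.group(2) for m in map(ACL_RE.match, config.splitlines()) if m}
    protected = set()
    for (first, last), children in parse_vty_blocks(config).items():
        for cmd in children:
            p = cmd.split()
            guarded = p[:1] == ["access-class"] and len(p) >= 3 and p[2] == "in" and p[1] in acls
            if guarded or cmd in ("no exec", "transport input none"):
                protected.update(range(first, last + 1))
    return sorted(set(range(total)) - protected)

if __name__ == "__main__":
    print("open vty lines:", unprotected_vtys(OPEN_CONFIG))  # [5, 6, ..., 15]
    print("after fix:", unprotected_vtys(FIXED_CONFIG))  # []
```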
