Restrict telnet access

nawas
Level 4

I have a Cisco 6500 in Hybrid mode and I do session 15/16 to get to the MSFC (I believe this uses telnet).

I can also connect to MSFC using telnet/ssh to its loopback address.

I want to be able to continue to use session 15/16, but I want to block direct telnet access to the MSFC and use only SSH.

I have tried the following ACL, but then I couldn't telnet/ssh directly to the box.

access-list 112 permit tcp 10.1.21.0 0.0.0.255 eq 22 any (SSH ONLY sourcing from 10.1.21.0/24)

line vty 0 4

transport input telnet ssh

access-class 112 in

line 5 15

transport input telnet ssh

access-class 112 in

Do you know what I could be doing wrong?

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Nawaz,

The well-known port TCP 22 should be on the destination side of the ACL:

try

access-list 113 permit tcp 10.1.21.0 0.0.0.255 any eq 22

and these are the MSFC's VTY lines?

Hope to help

Giuseppe


9 Replies


Yes, these are the MSFC's vty lines. I think this ACL will work; let me try.

Hi Giuseppe

Your ACL seems to have worked, but if I make a modification like adding a host instead of any, it fails. (Since the MSFC has tons of VLAN interfaces, I want to be able to SSH only to loopback0.)

access-list 112 permit tcp 10.1.21.0 0.0.0.255 host 10.4.1.52 eq 22

Hello Nawaz,

I'm afraid this is a limitation of using extended ACLs for access-class.

I remember a thread where Rick Burts explained this.

I usually configure a standard ACL for access-class.

I don't know if the MSFC supports it: a receive ACL. But it is really difficult to configure; you need to explicitly permit all possible flows to the MSFC, including routing protocol messages.

I think you should be satisfied with having limited external access to the MSFC to SSH while allowing telnet access from the supervisor.

Hope to help

Giuseppe

I agree. I have come up with the ACL below, which serves the purpose for me. This ACL will allow telnet via session 15 and 16 but restrict telnet from anywhere else and allow SSH only.

Thank you for all your help.

access-list 112 permit tcp any any eq 22

line vty 0 4

transport input ssh

access-class 112 in

line vty 5 15

transport input ssh

access-class 112 in
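To make the two ACL points in this thread concrete (Giuseppe's accepted answer that `eq 22` belongs on the destination side, and Nawaz's final `permit tcp any any eq 22`), here is an added illustration that is not part of the original thread and not Cisco code: a small evaluator that applies the ACLs quoted above to a few constructed TCP sessions. It models ordinary extended-ACL matching only (wildcard masks, `eq` port qualifiers, first match wins, implicit deny). It does not model `access-class` itself or `transport input`, so it is an assumption of this example that the ACL is evaluated like a plain extended ACL; in particular it will permit the `host 10.4.1.52` variant that Nawaz reports failing on the box, which is exactly the access-class limitation Giuseppe points to. The loopback address 10.4.1.52 and the 10.1.21.0/24 source come from the thread; the client address 192.0.2.10 and the ephemeral source ports are constructed.

```python
"""Added example: evaluate the thread's extended ACLs against sample sessions.

Not Cisco code and not the posters' configuration. Models plain extended-ACL
matching only; does not model access-class behaviour or 'transport input'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACLs as posted in the thread (the trailing comment on the first one is dropped).
OP_ACL = ["access-list 112 permit tcp 10.1.21.0 0.0.0.255 eq 22 any"]
GIUSEPPE_ACL = ["access-list 113 permit tcp 10.1.21.0 0.0.0.255 any eq 22"]
HOST_ACL = ["access-list 112 permit tcp 10.1.21.0 0.0.0.255 host 10.4.1.52 eq 22"]
FINAL_ACL = ["access-list 112 permit tcp any any eq 22"]


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    src: str                         # base address
    src_wild: str                    # wildcard mask (inverted netmask; 1 bits = don't care)
    dst: str
    dst_wild: str
    src_port: Optional[int] = None   # "eq" qualifier after the source address
    dst_port: Optional[int] = None   # "eq" qualifier after the destination address


def _ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def addr_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the wildcard."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(addr) & care) == (_ip_int(base) & care)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny tcp <src> [eq P] <dst> [eq P]' as written above."""
    toks = line.split()
    if toks[0] != "access-list" or toks[3] != "tcp":
        raise ValueError("only 'access-list N <action> tcp ...' lines are supported")
    action = toks[2]

    def take_addr(i):
        if toks[i] == "any":
            return "0.0.0.0", "255.255.255.255", i + 1
        if toks[i] == "host":
            return toks[i + 1], "0.0.0.0", i + 2
        return toks[i], toks[i + 1], i + 2

    def take_port(i):
        if i < len(toks) and toks[i] == "eq":
            return int(toks[i + 1]), i + 2
        return None, i

    i = 4
    src, src_wild, i = take_addr(i)
    src_port, i = take_port(i)
    dst, dst_wild, i = take_addr(i)
    dst_port, i = take_port(i)
    return Ace(action, src, src_wild, dst, dst_wild, src_port, dst_port)


def evaluate(acl, src_ip, src_port, dst_ip, dst_port) -> str:
    """First matching entry wins; an ACL with no matching entry denies (implicit deny)."""
    for ace in map(parse_ace, acl):
        if (addr_matches(src_ip, ace.src, ace.src_wild)
                and addr_matches(dst_ip, ace.dst, ace.dst_wild)
                and (ace.src_port is None or ace.src_port == src_port)
                and (ace.dst_port is None or ace.dst_port == dst_port)):
            return ace.action
    return "deny"


# Constructed sample sessions. An SSH client picks an ephemeral source port, so the
# only place TCP 22 appears is the destination port; 192.0.2.10 is a made-up outside host.
SESSIONS = {
    "ssh from 10.1.21.5 to loopback0": ("10.1.21.5", 51234, "10.4.1.52", 22),
    "telnet from 10.1.21.5 to loopback0": ("10.1.21.5", 51235, "10.4.1.52", 23),
    "ssh from outside 10.1.21.0/24": ("192.0.2.10", 40000, "10.4.1.52", 22),
}


def compare_acls():
    """Return {acl name: {session: verdict}} for the four ACLs quoted in the thread."""
    acls = {"op": OP_ACL, "giuseppe": GIUSEPPE_ACL, "host": HOST_ACL, "final": FINAL_ACL}
    return {name: {s: evaluate(acl, *flow) for s, flow in SESSIONS.items()}
            for name, acl in acls.items()}


if __name__ == "__main__":
    for name, results in compare_acls().items():
        print(name)
        for session, verdict in results.items():
            print(f"  {verdict:6s} {session}")
```

Running it shows the original ACL denying even the legitimate SSH client, because `eq 22` is compared against the client's ephemeral source port; Giuseppe's ACL permits SSH from 10.1.21.0/24 and denies telnet and outside sources; the final `any any eq 22` permits SSH from anywhere and still denies telnet. The `host 10.4.1.52` line comes out as permit here, which is the simulator being more permissive than the real `access-class`, as the thread reports.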

glen.grant
VIP Alumni

If you get rid of the "eq 22" in the statement and just use transport input ssh only, it should work. It will block any telnet sessions because it is not one of the transport protocols allowed. Make sure SSH is configured correctly on the box before doing this.

If I use transport input ssh only then session 15/16 doesn't work.

Kind of defeats the point of using SSH if you still have telnet running on the catos side.

No, I'm not running telnet on CatOS, but when I do session 15 or session 16 from CatOS, it only uses (internal) telnet to connect to the MSFC; this is the default in Hybrid mode and you cannot change it.
