04-26-2010 10:19 AM - edited 02-21-2020 03:56 AM
Hi all,
What is the recommended method to secure access to Internet-zone devices (router/switch) with public IPs? SSH is enabled for access via the Internet and is configured as the transport for the vty lines, with an ACL of firm-owned public IPs; even then the switch/router responds to telnet with the switch/router > prompt via the Internet.
Test-INTR1#
!
line vty 0 4
access-class 23 in --> firm-owned public IPs
exec-timeout 20 0
login local
transport input ssh
line vty 5 15
no login
!
interface Vlan30
ip address 20.20.20.1 255.255.255.248
!
Now from Internet (not from Firm IPs) with telnet test:
Test-INTR1>
What is the procedure, so that it will not give any prompt from outside the firm-owned public IPs?
TIA
MS
04-29-2010 01:28 AM
Hi,
Generally the method you have configured is the one to secure the device, and here is an example of securing a device from SSH/telnet access except from specific IP addresses. This is done through the use of access control lists. We can restrict Telnet/SSH access to one or a group of IP addresses that we specify.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#access-list 98 permit host 192.168.1.3
router(config)#access-list 98 permit host 192.168.1.4
router(config)#access-list 98 deny any
router(config)#line vty 0 4
router(config-line)#access-class 98 in
router(config-line)#transport input ssh
router(config-line)#end
Does the router have a cryptographic image that supports SSH connections, and is SSH enabled on the router?
Check out the below link for enabling ssh in routers
http://articles.techrepublic.com.com/5100-10878_11-5875046.html
Hope this helps!
Ganesh.H
Remember to rate the helpful post
05-26-2010 10:35 AM
Hi MS,
please verify how the connection terminates on the switch/router with
show users
verify the effective settings of that line with
show line {line}
Recommendations:
Remove the command
no login
from all vty lines; it allows access to the router without authentication or any prompt.
Extend the "access-class 23" and "login local" to all lines:
line vty 0 15
access-class 23 in
login local
Verify the access-list 23 for some undesired permits.
That's all I can do with the limited information available.
Rgds, MiKa
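Both replies above come down to the same check: every vty line, not only 0 to 4, needs an inbound access-class and a login method, the transport should be restricted to SSH, and the ACL behind the access-class must really match only the intended hosts (a standard ACL takes a wildcard mask, so 255.255.255.255 matches every source while 0.0.0.0 or the host keyword matches one address). As an added example, not from any post in this thread, the following Python script runs those checks over a saved running-config. The two config fragments inside it are constructed for the example (the body of access-list 23 is an assumption, since the question does not show it), and the function names parse_vty_blocks, parse_standard_acl, acl_permits_any and audit_vty are this example's own:

```python
import re

# Constructed sample configs for this example (assumptions, not the devices in
# the thread). WEAK_CONFIG mirrors the vty section from the question; the body
# of access-list 23 is invented because the question does not show it.
WEAK_CONFIG = """\
access-list 23 permit 198.51.100.10 0.0.0.0
!
line vty 0 4
 access-class 23 in
 exec-timeout 20 0
 login local
 transport input ssh
line vty 5 15
 no login
!
"""

# The same section after applying both replies: one access-class and login
# local on every vty, SSH-only transport, and a host/wildcard-style ACL.
HARDENED_CONFIG = """\
access-list 23 permit host 198.51.100.10
access-list 23 permit 198.51.100.16 0.0.0.7
access-list 23 deny any log
!
line vty 0 15
 access-class 23 in
 exec-timeout 20 0
 login local
 transport input ssh
!
"""

def parse_vty_blocks(config):
    """Return [(first, last, [sub-commands])] for every 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", raw.strip())
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = (first, last, [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[2].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks

def parse_standard_acl(config, number):
    """Return [(action, address, wildcard)] for numbered standard ACL `number`."""
    entries = []
    pat = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?")
    for raw in config.splitlines():
        m = pat.match(raw.strip())
        if not m or int(m.group(1)) != number:
            continue
        action, addr, wild = m.group(2), m.group(3), m.group(4)
        if addr == "host":
            addr, wild = wild, "0.0.0.0"
        elif addr == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif wild is None or not re.match(r"^\d+\.\d+\.\d+\.\d+$", wild):
            wild = "0.0.0.0"  # bare address (maybe followed by 'log') = host match
        entries.append((action, addr, wild))
    return entries

def acl_permits_any(entries):
    """True if a permit entry carries wildcard 255.255.255.255, which matches
    every source: the trap when a subnet mask is typed where IOS expects a wildcard."""
    return any(a == "permit" and w == "255.255.255.255" for a, _, w in entries)

def audit_vty(config, num_vty=16):
    """Return {vty_number: [problems]} for each vty that would accept an
    unfiltered or unauthenticated session (empty dict means nothing to fix)."""
    findings, covered = {}, set()
    for first, last, cmds in parse_vty_blocks(config):
        problems = []
        if not any(c.startswith("login") for c in cmds):
            problems.append("no login: exec prompt given without authentication")
        acl_cmd = next((c for c in cmds if c.startswith("access-class ") and c.endswith(" in")), None)
        if acl_cmd is None:
            problems.append("no inbound access-class: any source may connect")
        elif acl_cmd.split()[1].isdigit():
            entries = parse_standard_acl(config, int(acl_cmd.split()[1]))
            if not entries or acl_permits_any(entries):
                problems.append("access-class ACL missing from config or permits any source")
        transport = next((c.split()[2:] for c in cmds if c.startswith("transport input")), None)
        if transport != ["ssh"]:
            problems.append("transport input not restricted to ssh (telnet still accepted)")
        for n in range(first, last + 1):
            covered.add(n)
            if problems:
                findings[n] = list(problems)
    for n in range(num_vty):  # vty lines the config never mentions keep IOS defaults
        if n not in covered:
            findings.setdefault(n, []).append("vty not in config: IOS defaults apply")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_vty(cfg)
        print(name, "->", result if result else "clean")
```

Run it against the output of show running-config saved to a file (audit_vty(open("router.cfg").read())). For the constructed weak config it reports every vty from 5 to 15 with three problems (no login, no access-class, transport not restricted to ssh), and the hardened config comes back empty. The strict reading of login is deliberate: a vty is reported unless it carries an explicit login, login local or login authentication sub-command, which is how the line appears in a running-config when authentication is really on.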