Internet zone device- Secure access

mvsheik123
Level 7

Hi all,

What is the recommended method to secure the access to Internet zone devices (router/switch) with public IPs? SSH is enabled to access via Internet and is configured as the transport for line vty with a firm-owned public IP ACL, but even then the switch/router responds to telnet with "switch/router >" via the Internet.

Test-INTR1#
!
line vty 0 4
 access-class 23 in    --> firm-owned public IPs
 exec-timeout 20 0
 login local
 transport input ssh
line vty 5 15
 no login
!
interface Vlan30
 ip address 20.20.20.1 255.255.255.248
!

Now from Internet (not from Firm IPs) with telnet test:

Test-INTR1> 

What is the procedure, so that it will not give any prompt from outside the firm-owned public IPs?

TIA

MS


Ganesh Hariharan
VIP Alumni

Hi,

Generally the method you have configured is the one to secure the device, and here is an example also to secure a device from ssh/telnet with specific IP addresses. This is done through the use of access control lists. We can restrict Telnet/SSH access to one or a group of IP addresses that we specify.


Router#config t
Enter configuration commands, one per line. End with CNTL/Z
router(config)#! standard ACL: the second operand is a wildcard mask, so 0.0.0.0 means this single host
router(config)#access-list 98 permit 192.168.1.3 0.0.0.0
router(config)#access-list 98 permit 192.168.1.4 0.0.0.0
router(config)#access-list 98 deny any
router(config)#line vty 0 4
router(config-line)#access-class 98 in
router(config-line)#transport input ssh
router(config-line)#end

Does the router have a cryptographic image to support SSH connections, and is SSH enabled on the router?

Check out the link below for enabling SSH on routers:

http://articles.techrepublic.com.com/5100-10878_11-5875046.html

Hope this helps!!

Ganesh.H

Remember to rate the helpful post

m.kafka
Level 4

Hi MS,

please verify how the connection terminates on the switch/router with

show users

verify the effective settings of that line with

show line {line}


Recommendations:

Remove the command

no login

from all vty lines; it allows access to the router without authentication or prompt.

Extend the "access-class 23" and "login local" to all lines:

line vty 0 15
 access-class 23 in
 login local

Verify access-list 23 for any undesired permits.

That's all I can do with the limited information available.

Rgds, MiKa
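As an added example covering both replies (this is not Cisco's code and not either poster's configuration): a small Python auditor that parses the "line vty" stanzas and the standard ACLs of a running-config and reports the gaps discussed in this thread, namely "no login", a vty range with no inbound access-class, a transport that still admits telnet, and an ACL entry whose wildcard mask makes it match any source (the pitfall in a "permit x.x.x.x 255.255.255.255" entry). The two sample configs are constructed here: the first mirrors the original poster's vty stanzas, the second applies m.kafka's "line vty 0 15" fix; the 198.51.100.0/24 firm range and ACL 98 are assumed values.

```python
"""Audit the remote-access controls in a Cisco IOS running-config (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the original poster's stanzas.
# vty 5-15 is the range that answers telnet with an unauthenticated prompt.
SAMPLE_CONFIG = """\
!
access-list 23 permit 198.51.100.0 0.0.0.255
access-list 98 permit 192.168.1.3 255.255.255.255
!
line vty 0 4
 access-class 23 in
 exec-timeout 20 0
 login local
 transport input ssh
line vty 5 15
 no login
!
"""

# Constructed hardened version following the "line vty 0 15" recommendation.
HARDENED_CONFIG = """\
!
access-list 23 permit 198.51.100.0 0.0.0.255
!
line vty 0 15
 access-class 23 in
 exec-timeout 20 0
 login local
 transport input ssh
!
"""


@dataclass
class VtyRange:
    first: int
    last: int
    access_class: Optional[str] = None
    login: Optional[str] = None           # "local", "authentication <list>" or ""
    no_login: bool = False
    transport_input: List[str] = field(default_factory=list)


def parse_config(config: str) -> Tuple[List[VtyRange], Dict[str, List[str]]]:
    """Return the vty ranges and {acl number: [entries]} found in the config text."""
    ranges: List[VtyRange] = []
    acls: Dict[str, List[str]] = {}
    current: Optional[VtyRange] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            current = VtyRange(int(m.group(1)), int(m.group(2) or m.group(1)))
            ranges.append(current)
            continue
        m = re.match(r"^access-list (\d+) (.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
            continue
        if line and not line[0].isspace():
            current = None                # any other top-level command ends the stanza
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd == "no login":
            current.no_login = True
        elif cmd == "login" or cmd.startswith("login "):
            current.login = cmd[len("login"):].strip()
        elif cmd.startswith("access-class ") and cmd.endswith(" in"):
            current.access_class = cmd.split()[1]
        elif cmd.startswith("transport input "):
            current.transport_input = cmd.split()[2:]
    return ranges, acls


def audit_vty(config: str) -> List[str]:
    """One finding string per gap; an empty list means nothing was flagged."""
    findings: List[str] = []
    ranges, acls = parse_config(config)
    for r in ranges:
        tag = f"line vty {r.first} {r.last}"
        if r.no_login:
            findings.append(f"{tag}: 'no login' hands out an exec prompt with no authentication")
        if r.access_class is None:
            findings.append(f"{tag}: no inbound access-class, reachable from any source address")
        elif r.access_class not in acls:
            findings.append(f"{tag}: access-class {r.access_class} is not defined here; verify with 'show access-lists'")
        if not r.transport_input:
            findings.append(f"{tag}: no explicit 'transport input'; the default varies by IOS release, confirm with 'show line'")
        elif r.transport_input != ["ssh"]:
            findings.append(f"{tag}: transport input {' '.join(r.transport_input)} still admits protocols other than SSH")
    for number, entries in acls.items():
        for entry in entries:
            p = entry.split()
            # Standard ACL: the second operand is a wildcard mask, so 255.255.255.255
            # matches every address (IOS stores such an entry as 'permit any').
            if p[0] == "permit" and (p[1] == "any" or (len(p) > 2 and p[2] == "255.255.255.255")):
                findings.append(f"access-list {number}: '{entry}' permits any source")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_vty(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against the text of "show running-config"; on the sample it flags vty 5-15 three times and the ACL 98 entry once, and the hardened config comes back clean. The "transport input" default really does vary across IOS releases, which is why the script only reports its absence and points at "show line" rather than guessing.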
