jbar8360 Thu, 07/31/2003 - 16:30

Try an access-class statement:


access-class:

To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.


access-class access-list-number {in | out}

no access-class access-list-number {in | out}


HTH



prafuljaded Thu, 07/31/2003 - 16:43

You can't disable Telnet access from a particular interface on a router. The Telnet process runs independent of any interface. The above config will prevent you from telnetting into the router as a whole, based on the access-list.

thisisshanky Thu, 07/31/2003 - 19:26

Try a reflexive access-list. This should disable Telnet coming from outside to inside (including Telnet to your router on the serial interface).


ip access-list extended OUTBOUND
 remark Telnet initiated from inside creates a temporary reflexive entry named Telnettraffic
 permit tcp any any eq 23 reflect Telnettraffic

ip access-list extended INBOUND
 remark only return traffic matching a live reflexive entry is permitted
 evaluate Telnettraffic

interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in


This access-list OUTBOUND basically permits only Telnet traffic initiated from inside your network. A dynamic entry is created each time a Telnet connection is initiated from inside to outside. The return Telnet traffic for every session (initiated from inside to outside) is also permitted by the dynamic entry.


The other side effect of this reflexive access-list (a good side effect) is that it will deny Telnet access to your router on the serial interface.


You can mix and match regular access-list statements with reflexive access-list statements. So if you have other access-lists in place already, make sure to add those statements into the above mentioned access-lists.


Hope that helps.

milan.kulik Thu, 07/31/2003 - 23:22

Please clarify:

Do you want to prevent users to Telnet TO your router through the serial interface OR do you want to prevent Telnet connection FROM the router through the serial interface?

Regards,

Milan

hbartz Fri, 08/01/2003 - 22:44

I want to prevent the router responding to Telnet attempts on port 25 when they originate from the outside (Internet) on the serial line. Any internal Telnet from the LAN I would like to keep open both ways, telnetting into the router and out of it. Thanks.

milan.kulik Mon, 08/04/2003 - 02:41

OK,

you can use

1)

access-list 1 permit a.b.c.d ....

line vty 0 15
 access-class 1 in

where access-list 1 defines the internal addresses allowed to Telnet

or

2)

interface Serial0
 ip access-group 101 in

access-list 101 deny tcp any host w.x.y.z eq telnet
access-list 101 permit ip any any

(or "eq 25" instead of "eq telnet" if you are using port 25 for Telnet, but I think it was a typo)


or both 1) and 2).

Regards,

Milan
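The following is an added example for this thread, not code from any of the posters or from Cisco. It audits a Cisco IOS running-config (as plain text) for the two controls discussed above: that every vty block carries an inbound access-class referencing an ACL that does not permit any source, and that the WAN interface has an inbound extended ACL that denies TCP/23 to the router's own address before any broad permit. The configuration text, the function names and the 203.0.113.x / 192.168.1.x addresses are constructed for the example.

```python
"""Audit a Cisco IOS running-config for Telnet exposure.

Added example for this thread (not the posters' or Cisco's code). Checks:
  1. each 'line vty' block has 'access-class N in' and ACL N has no 'permit any'
  2. the WAN interface's inbound ACL denies tcp/23 to the router address
     before any 'permit ip any any' / 'permit tcp any'
"""
import re

# Constructed sample config; addresses are documentation examples, not real.
SAMPLE_CONFIG = """\
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny tcp any host 203.0.113.1 eq telnet
access-list 101 permit ip any any
!
line vty 0 4
 access-class 1 in
 login
line vty 5 15
 login
!
"""


def parse_blocks(config):
    """Split config into (header, [indented sub-lines]) pairs, skipping '!' lines."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line, []
    if header is not None:
        blocks.append((header, body))
    return blocks


def acl_entries(config, number):
    """Return the entries of numbered ACL `number`, in configured order."""
    prefix = f"access-list {number} "
    return [h[len(prefix):] for h, _ in parse_blocks(config) if h.startswith(prefix)]


def audit_vty(config):
    """Return findings for vty blocks; an empty list means every vty line is restricted."""
    findings = []
    for header, body in parse_blocks(config):
        if not header.startswith("line vty"):
            continue
        acl = None
        for entry in body:
            m = re.fullmatch(r"access-class (\S+) in", entry)
            if m:
                acl = m.group(1)
        if acl is None:
            findings.append(f"{header}: no inbound access-class; reachable from any address")
            continue
        entries = acl_entries(config, acl)
        if not entries:
            findings.append(f"{header}: access-class {acl} references an undefined ACL")
        elif any(re.fullmatch(r"permit (any|0\.0\.0\.0 255\.255\.255\.255)", e) for e in entries):
            findings.append(f"{header}: access-class {acl} permits any source")
    return findings


def audit_wan_interface(config, ifname, router_ip):
    """Return None if the interface's inbound ACL denies Telnet to router_ip first, else a finding."""
    body = dict(parse_blocks(config)).get(f"interface {ifname}")
    if body is None:
        return f"{ifname}: interface not found"
    acl = None
    for entry in body:
        m = re.fullmatch(r"ip access-group (\S+) in", entry)
        if m:
            acl = m.group(1)
    if acl is None:
        return f"{ifname}: no inbound access-group; Telnet to {router_ip} is reachable from outside"
    for e in acl_entries(config, acl):
        if re.fullmatch(rf"deny tcp any host {re.escape(router_ip)} eq (telnet|23)", e):
            return None  # explicit deny seen before any broad permit
        if e.startswith("permit ip any any") or e.startswith("permit tcp any"):
            return f"{ifname}: ACL {acl} permits traffic before denying Telnet to {router_ip}"
    return f"{ifname}: ACL {acl} has no explicit Telnet deny for {router_ip}; relies on the implicit deny"


if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print("vty:", finding)
    print("wan:", audit_wan_interface(SAMPLE_CONFIG, "Serial0", "203.0.113.1") or "ok")
```

Run it against the sample and it flags `line vty 5 15`, which has no access-class, while `line vty 0 4` and the Serial0 ACL pass. The ACL check is deliberately order-sensitive: a `permit ip any any` that precedes the Telnet deny makes the deny dead, which is the classic mistake with option 2).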

