Cisco Support Community
New Member

disabling telnet access

I have disabled telnet access to my Cisco2948 and Cisco5609 (running CATOS) but I'm still able to telnet. Am I missing anything? Here is my config:

set ip permit enable ssh

set ip permit enable snmp

set ip permit 10.0.0.0 255.0.0.0 ssh

set ip permit 10.0.0.0 255.0.0.0 snmp

sh ip permit

Telnet permit list disabled.

Ssh permit list enabled.

Snmp permit list enabled.

Permit List      Mask             Access-Type
---------------- ---------------- -------------
10.0.0.0         255.0.0.0        ssh snmp

11 REPLIES

Re: disabling telnet access

If you have already tried,

set ip permit disable telnet

Then something seems to be not correct.

Can you share sh ver?

Regards,

Prem

New Member

Re: disabling telnet access

Yes, I did "set ip permit disable telnet", that's why it shows "telnet disabled" in show ip permit. Here is the show ver:

From 6509:---------

sh ver

WARNING: This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and use.

Delivery of Cisco cryptographic products does not imply third-party authority

to import, export, distribute or use encryption. Importers, exporters,

distributors and users are responsible for compliance with U.S. and local

country laws. By using this product you agree to comply with applicable

laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

WS-C6506 Software, Version NmpSW: 8.5(2)

Copyright (c) 1995-2005 by Cisco Systems

NMP S/W compiled on Dec 6 2005, 21:05:19

System Bootstrap Version: 7.7(1)

System Web Interface Version: Engine Version: 5.3.4 ADP Device: Cat6000 ADP Version: 8.0 ADK: 49

System Boot Image File is 'bootflash:cat6000-sup720cvk9.8-5-2.bin'

System Configuration register is 0x10f

From 4006:----

sh ver

WARNING: This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and use.

Delivery of Cisco cryptographic products does not imply third-party authority

to import, export, distribute or use encryption. Importers, exporters,

distributors and users are responsible for compliance with U.S. and local

country laws. By using this product you agree to comply with applicable

laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

WS-C4006 Software, Version NmpSW: 8.1(2)

Copyright (c) 1995-2003 by Cisco Systems, Inc.

From 2948:-

sh ver

WARNING: This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and use.

Delivery of Cisco cryptographic products does not imply third-party authority

to import, export, distribute or use encryption. Importers, exporters,

distributors and users are responsible for compliance with U.S. and local

country laws. By using this product you agree to comply with applicable

laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

WS-C2948 Software, Version NmpSW: 8.4(9)GLX

Re: disabling telnet access

Well, I was not able to find anything on these versions to be specific. I wasn't able to find anything wrong though, the way you have it set up. Until someone else can point us out.

But if you want you can get this thing to be investigated by TAC.

Regards,

Prem

Re: disabling telnet access

Hi Nawas,

This is how it works,

Command

Ip permit disable telnet---> Disables the use of a permit list.

You will need to enable the permit list and then define which IP addresses are allowed to telnet to the switch.

If no IPs are defined then no telnet is possible.

So to disable telnet you need to enable it using---> Ip permit enable telnet

Now do not define any IP address for telnet. That way no one would be able to telnet to it.

Also to limit telnet access on the CAT OS you need to define who is permitted to telnet to the device.

Eg,

set ip permit telnet

set ip permit telnet

set ip permit telnet

This creates a permit list. Once you do this you can enable the list to be processed by the switch

set ip permit enable telnet

This tells the switch to only allow telnet for IP addresses defined in the permit list.

Hope that helps !

Regards,

~JG
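The permit-list behaviour described in the reply above can be checked mechanically against `sh ip permit` output. The following is an added example, not part of the original thread or Cisco tooling: it parses output in the format quoted in the question and classifies each service, assuming the semantics stated in the reply (list disabled means no source filtering, list enabled with no entries means nobody is permitted). The function names and the second sample are constructed for illustration.

```python
import re

# Constructed sample: the "sh ip permit" output quoted in the original question.
SAMPLE = """\
Telnet permit list disabled.
Ssh permit list enabled.
Snmp permit list enabled.
Permit List      Mask             Access-Type
---------------- ---------------- -------------
10.0.0.0         255.0.0.0        ssh snmp
"""

# Constructed sample: same switch after "set ip permit enable telnet"
# with no telnet entries defined.
FIXED = SAMPLE.replace("Telnet permit list disabled.",
                       "Telnet permit list enabled.")

STATE_RE = re.compile(r"^(\w+) permit list (enabled|disabled)\.$", re.I)
ENTRY_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(.+)$")

def parse_ip_permit(text):
    """Return ({service: list_enabled}, {service: [(address, mask), ...]})."""
    enabled, entries = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        m = STATE_RE.match(line)
        if m:
            svc = m.group(1).lower()
            enabled[svc] = m.group(2).lower() == "enabled"
            entries.setdefault(svc, [])
            continue
        m = ENTRY_RE.match(line)
        if m:  # one row can carry several access types, e.g. "ssh snmp"
            for svc in m.group(3).lower().split():
                entries.setdefault(svc, []).append((m.group(1), m.group(2)))
    return enabled, entries

def audit(text):
    """Classify each service as unrestricted, blocked or restricted."""
    enabled, entries = parse_ip_permit(text)
    result = {}
    for svc, on in enabled.items():
        if not on:
            result[svc] = "unrestricted"  # list not enforced: any source may connect
        elif not entries[svc]:
            result[svc] = "blocked"       # enforced and empty: no source matches
        else:
            result[svc] = "restricted"    # enforced: only listed networks match
    return result
```

Running `audit(SAMPLE)` flags telnet as `unrestricted`, which matches what the original poster observed; `audit(FIXED)` reports it as `blocked`.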

Re: disabling telnet access

JG is right,

unconventional, but this is how it works!

@JG : Great work TSing ;)

Regards,

Prem

New Member

Re: disabling telnet access

This is exactly how I have configured my devices but still have no luck. To note that I had telnet enabled at some point; now I want to disable telnet. I even tried ripping out the whole permit list configuration and disabling the permit list and enabling it, but still no luck. Guess I will have to open a TAC case.

Re: disabling telnet access

Hey Nawas,

Please mark this thread resolved, so others can benefit from it ;-)

Regards,

~JG

New Member

Re: disabling telnet access

Have you opened a TAC case? What is the resolution, if you don't mind sharing?

Thanks,

pq

Re: disabling telnet access

Pq,

That issue has been fixed. Here is the solution.

This is how it works,

Command

Ip permit disable telnet---> Disables the use of a permit list.

You will need to enable the permit list and then define which IP addresses are allowed to telnet to the switch.

If no IPs are defined then no telnet is possible.

So to disable telnet you need to enable it using---> Ip permit enable telnet

Now do not define any IP address for telnet. That way no one would be able to telnet to it.

Also to limit telnet access on the CAT OS you need to define who is permitted to telnet to the device.

Eg,

set ip permit telnet

set ip permit telnet

set ip permit telnet

This creates a permit list. Once you do this you can enable the list to be processed by the switch

set ip permit enable telnet

This tells the switch to only allow telnet for IP addresses defined in the permit list.

Regards,

~JG

New Member

Re: disabling telnet access

Thanks JG.

But the problem I have is that when IT Security people perform the network scan, it still shows that telnet service is enabled. In other words, port 23 is still open. Is there a way to shut down the telnet service totally?

pq

Re: disabling telnet access

Pq,

Well this is due to CAT OS architecture. It will show that telnet port is open but no one will be able to telnet until you define ip permit list for telnet.

If no ip permit list is there, telnet is not possible.

Regards,

~JG
