Configure Telnet

MikeTomasko
Level 4

What is the simplest way to allow telnet access from the local network, but block telnet from the outside? I have a 2621XM with 2 Fast Ethernet ports. One is hooked to a cable modem and the other is hooked to the LAN (a switch). Thanks!!

4 Replies

Richard Burts
Hall of Fame

Mike

If you want to restrict telnet access so that only devices on the local subnet can telnet to the router, then the simplest way to do it is with access-class applied to the vty lines.

Instead of using an access list on interfaces and looking for telnet packets, the access-class is applied on the vty lines and is used specifically to control who can telnet to (or from) the router. Access class usually is done with standard access lists, though it can also be configured with extended access lists. If your local subnet were 172.16.22.0/24, then the implementation would look like this:

access-list 50 permit 172.16.22.0 0.0.0.255

line vty 0 4

access-class 50 in

HTH

Rick

Thanks for the quick response! I have 3 local subnets: 192.168.0.0/24, 192.168.1.0/24 and 172.16.1.0/24. Would I just need 3 of the access-list 50 permit statements, or can I cover 192.168.0.0 and 192.168.1.0 with 1 statement?

Also, could you explain why it's 0.0.0.255 instead of 255.255.255.0 in the command? thanks!

You can cover 192.168.0.0/24 & 192.168.1.0/24 with 1 statement. You need another statement to permit 172.16.1.0/24, and thus it can be done in two statements as follows.

Access lists use a wildcard mask, the opposite of a subnet mask, and that's the reason why Rick was asking you to use a mask of 0.0.0.255 instead of 255.255.255.0. An IP and wildcard mask of 172.16.22.0 0.0.0.255 indicates that all the bits in the first 3 octets need to match precisely and it doesn't care about any bits in the last octet. Hence, 172.16.22.0 - 172.16.22.255 match this criterion.

The following config is what you need:

access-list 10 permit 192.168.0.0 0.0.1.255

access-list 10 permit 172.16.1.0 0.0.0.255

line vty 0 4

access-class 10 in

HTH

Sundar
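Rick's access-class configuration and Sundar's wildcard-mask explanation rest on the same matching rule, so one script can check both offline. The following Python is an added example written for this thread; it is not router code and not something Cisco ships. It models how an IOS standard access list is evaluated (first match wins, implicit deny at the end) and what a wildcard mask means bit by bit. The two access-list lines are copied from Sundar's reply; every probe address is constructed for the example.

```python
"""Model IOS standard-ACL wildcard matching to check an access-class list offline.

Added example for this forum thread; not router code. THREAD_ACL is the
two-line list from Sundar's reply, the probe addresses are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The two statements from the accepted answer.
THREAD_ACL = """\
access-list 10 permit 192.168.0.0 0.0.1.255
access-list 10 permit 172.16.1.0 0.0.0.255
"""

ALL_ONES = 0xFFFFFFFF


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_from_subnet_mask(mask: str) -> str:
    """The wildcard mask is the bitwise complement of the subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return int_to_ip(ip_to_int(mask) ^ ALL_ONES)


def wildcard_for_cidr(network: str) -> tuple[str, str]:
    """'192.168.0.0/23' -> ('192.168.0.0', '0.0.1.255'): one statement covering two adjacent /24s."""
    net = ipaddress.IPv4Network(network, strict=True)
    return str(net.network_address), wildcard_from_subnet_mask(str(net.netmask))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard must equal the base; 1 bits are 'don't care'."""
    a, b, w = (ip_to_int(x) for x in (addr, base, wildcard))
    care = ~w & ALL_ONES
    return (a & care) == (b & care)


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    base: str
    wildcard: str    # "0.0.0.0" means an exact host match


def parse_standard_acl(config: str) -> dict[int, list[AclEntry]]:
    """Parse 'access-list N permit|deny SRC [WILDCARD]'; the 'host X' and 'any' forms are accepted too."""
    acls: dict[int, list[AclEntry]] = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action = int(parts[1]), parts[2]
        if parts[3] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host" and len(parts) > 4:
            base, wildcard = parts[4], "0.0.0.0"
        else:
            base = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        acls.setdefault(number, []).append(AclEntry(action, base, wildcard))
    return acls


def evaluate(entries: list[AclEntry], src: str) -> str:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for entry in entries:
        if wildcard_matches(src, entry.base, entry.wildcard):
            return entry.action
    return "deny"


def covers(entries: list[AclEntry], network: str) -> bool:
    """True if every address in `network` is permitted (exhaustive check, fine for small prefixes)."""
    return all(evaluate(entries, str(h)) == "permit" for h in ipaddress.IPv4Network(network))


if __name__ == "__main__":
    acl = parse_standard_acl(THREAD_ACL)[10]
    for probe in ("192.168.0.10", "192.168.1.200", "172.16.1.5", "192.168.2.1", "203.0.113.9"):
        print(f"{probe:>15} -> {evaluate(acl, probe)}")
    print("192.168.0.0/24 + 192.168.1.0/24 as one statement:", wildcard_for_cidr("192.168.0.0/23"))
```

The `covers` check confirms that `192.168.0.0 0.0.1.255` admits all of both /24s while `192.168.2.0/24` and any outside address fall through to the implicit deny. Note that `wildcard_matches("192.168.0.5", "192.168.1.0", "0.0.1.255")` is also true: a base bit under a "don't care" position is simply ignored, which is why the combined statement is written with the /23 network address 192.168.0.0.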

Mike

Sundar gives a correct explanation about subnet masks and wildcard masks. He also shows how to combine two subnets into one statement.

One other note: check your router and verify how many vty lines there are. My example (and Sundar's example) assumed the traditional vty 0 4. But some of the newer versions of IOS have increased the number of vty. Many of the routers I am working with now have vty 0 15. Check how many vty your router has and configure for that. If you configure vty 0 4 but there are more vty than that, you leave some of the lines unprotected.

HTH

Rick
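Rick's caveat about the vty count is easy to miss in a long running-config, so here is an added example, written for this thread and not a Cisco tool, that walks a `show running-config` excerpt and lists every vty line that has no inbound access-class. The two config excerpts are constructed for the example: the first applies the thread's access-class to vty 0 4 only on an image that has vty 0 15, the second is the same device after the gap is closed.

```python
"""List vty lines with no inbound access-class, the gap Rick warns about.

Added example for this forum thread, not Cisco tooling. Both config excerpts
are constructed: vty 0 4 is protected as in the thread, but the image has
sixteen vty lines, so vty 5 15 still accept telnet from anywhere.
"""
from __future__ import annotations

# Constructed 'show running-config' excerpt (hypothetical, not from the thread).
PARTIAL_CONFIG = """\
!
line con 0
 login local
line vty 0 4
 access-class 10 in
 login local
line vty 5 15
 login local
!
"""

# Same device once every vty line carries the access-class (also constructed).
FIXED_CONFIG = PARTIAL_CONFIG.replace(
    "line vty 5 15\n", "line vty 5 15\n access-class 10 in\n"
)


def vty_sections(config: str) -> list[tuple[int, int, str | None]]:
    """Return (first, last, inbound_acl_or_None) for each 'line vty A B' stanza."""
    sections: list[tuple[int, int, str | None]] = []
    current: list | None = None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():
            # A non-indented line starts a new top-level stanza: flush the previous vty stanza.
            if current is not None:
                sections.append(tuple(current))
            current = None
            parts = raw.split()
            if len(parts) == 4 and parts[:2] == ["line", "vty"]:
                current = [int(parts[2]), int(parts[3]), None]
        elif current is not None:
            parts = raw.split()
            # 'access-class <acl> in' restricts who may connect *to* the router;
            # the 'out' direction only limits telnet *from* the router and is ignored here.
            if len(parts) >= 3 and parts[0] == "access-class" and parts[2] == "in":
                current[2] = parts[1]
    if current is not None:
        sections.append(tuple(current))
    return sections


def unprotected_vtys(config: str) -> list[int]:
    """vty line numbers that accept connections from any source address."""
    return [
        n
        for first, last, acl in vty_sections(config)
        if acl is None
        for n in range(first, last + 1)
    ]


if __name__ == "__main__":
    print("unprotected before:", unprotected_vtys(PARTIAL_CONFIG))
    print("unprotected after: ", unprotected_vtys(FIXED_CONFIG))
```

On the router itself, `show line` lists the vty lines that exist; the script is for auditing saved configs, where the second `line vty 5 15` stanza is the one that gets overlooked.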