I use SSH and also have web access available to manage my 1721 router. When I disable Telnet access on the vty ports (so I can just use SSH), web access becomes disabled as well. Is this normal? How do I get around this? Do I have to leave transport telnet enabled and then use an access list denying Telnet, or is there an easier way?
Where are you applying the access-list to block telnet?
The correct way is to apply an access-list to the vty line interfaces using the access-class command.
Here is an example:
ip access-list extended VTY-LOCKDOWN2
permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
deny tcp any any eq 22 log
permit ip any any
line vty 0 15
access-class VTY-LOCKDOWN2 in
If the access-list is applied using the access-class command to the correct interface, it should not affect web access to the router. However, if you apply the access-list using the access-group command on, say, interface fa0, you will end up blocking HTTP access to your router and probably other protocols as well.
The correct way to control access to the web interface is to use the ip http access-class as follows:
If the objective is to permit only SSH and deny Telnet, then your access list is flawed, because after denying tcp any any eq 22 you permit ip any any, which would permit Telnet.
And I believe that if the objective is to permit only SSH and deny Telnet, a simpler approach is better: under the vty lines specify transport input ssh. This will allow SSH and will not allow Telnet.
I agree with you that blocking telnet should not block HTTP access. Perhaps if we could see the configuration being used we could identify what is impacting the web access.
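Putting the two suggestions together (transport input ssh on the vty lines, and a separate ip http access-class for the web interface), here is an added example configuration that is not from any post in this thread. The ACL number 10 and the 10.0.0.0/8 management range are assumptions; a numbered standard ACL is used because ip http access-class on older IOS takes a 1-99 ACL.

```cisco
! Added example, not from the thread. Management-plane lockdown on an IOS router.
! ACL 10 and the 10.0.0.0/8 management network are assumptions.
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 deny   any log
!
! vty lines: offer SSH only. Telnet is not a permitted transport, so it is
! refused without any ACL entry for port 23. access-class (not access-group)
! then limits which source hosts may reach the SSH service at all.
line vty 0 4
 transport input ssh
 access-class 10 in
!
! The web interface is a separate service with its own access control.
! It is unaffected by the vty transport setting, so disabling Telnet on the
! vty lines does not by itself disable HTTP management.
ip http server
ip http access-class 10
```

Verify with show line vty 0 4 (transport input should list only ssh) and show ip access-lists 10 (the deny counter shows refused sources).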