Disable Telnet on Interface

hbartz
Level 1

I would like to disable Telnet access on a 1720 router, but only on the outside (serial) interface. How is this done? Thanks.

6 Replies

jbar8360
Level 1

Try an access-class statement:

access-class:

To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.

access-class access-list-number {in | out}

no access-class access-list-number {in | out}

HTH

You can't disable Telnet access from a particular interface on a router. The Telnet process runs independent of any interface. The above config will stop you from telnetting into the router as a whole, based on the access-list.

Try a reflexive access-list. This should disable Telnet coming from outside to inside (including Telnet to your router on the serial interface):

ip access-list extended OUTBOUND
 remark reflexive ACEs need a protocol; plain "permit any any" is not valid syntax
 permit tcp any any eq 23 reflect Telnettraffic
!
ip access-list extended INBOUND
 remark only the return half of sessions recorded in Telnettraffic is permitted;
 remark the implicit deny ip any any drops everything else arriving on s0/0
 evaluate Telnettraffic
!
interface s0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in

The access-list OUTBOUND basically permits only Telnet traffic initiated from inside your network. A dynamic entry is created each time a Telnet connection is initiated from inside to outside. The return Telnet traffic for every session (initiated from inside to outside) is also permitted by the dynamic entry.

The other side effect of this reflexive access-list (good side effect) is that it will deny telnet access to your router on the serial interface.

You can mix and match regular access-list statements with reflexive access-list statements. So if you already have other access-lists in place, make sure to add those statements to the access-lists mentioned above.

Hope that helps.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

milan.kulik
Level 10

Please clarify:

Do you want to prevent users from telnetting TO your router through the serial interface, OR do you want to prevent Telnet connections FROM the router through the serial interface?

Regards,

Milan

I want to prevent the router responding to Telnet attempts on port 25 when they originate from the outside (Internet) on the serial line. Any internal Telnet from the LAN I would like to keep open both ways, telnetting into the router and out of it. Thanks.

OK,

you can use

1)

access-list 1 permit a.b.c.d ....
!
line vty 0 15
 access-class 1 in

where access-list 1 defines the internal addresses allowed to Telnet

or

2)

access-list 101 deny tcp any host w.x.y.z eq telnet
! (or "eq 25" if you are using port 25 for Telnet, but I think it was a typo error)
access-list 101 permit ip any any
!
interface s0
 ip access-group 101 in

or both 1) and 2).

Regards,

Milan
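The three filters proposed in this thread (Sankar's reflexive ACL pair on the serial interface, and Milan's vty access-class and inbound interface ACL) stop different things. The following is an added example, not Cisco IOS code and not anything posted in the thread: a small first-match ACL evaluator with the implicit deny that every IOS ACL ends with, run over the Telnet flows the original poster cares about. All addresses, host names and port numbers are constructed; the router's serial address stands in for Milan's "w.x.y.z" and the LAN prefix for his "a.b.c.d ...".

```python
"""Model of the three Telnet filters from the thread. Added example; constructed data."""
from ipaddress import ip_address, ip_network

OUTSIDE_IP = "203.0.113.1"           # router's serial address (Milan's "w.x.y.z"), constructed
INSIDE_IP = "192.168.1.1"            # router's LAN address, constructed
LAN = ip_network("192.168.1.0/24")   # internal range (Milan's "a.b.c.d ..."), constructed
TELNET = 23


def packet(src, dst, sport, dport):
    """A TCP packet as the router sees it; which interface it arrives on is the caller's choice."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport}


def evaluate_acl(acl, pkt):
    """IOS semantics: first matching ACE wins, implicit 'deny ip any any' at the end.
    An ACE is (action, src_net, dst_net, dport-or-None)."""
    for action, src, dst, dport in acl:
        if (ip_address(pkt["src"]) in ip_network(src)
                and ip_address(pkt["dst"]) in ip_network(dst)
                and (dport is None or pkt["dport"] == dport)):
            return action
    return "deny"


# Milan's option 2: access-list 101 applied inbound on s0.
ACL_101 = [
    ("deny", "0.0.0.0/0", OUTSIDE_IP + "/32", TELNET),   # deny tcp any host w.x.y.z eq telnet
    ("permit", "0.0.0.0/0", "0.0.0.0/0", None),          # permit ip any any
]


def vty_access_class(pkt):
    """Milan's option 1: 'access-class 1 in' on the vty lines. The standard ACL checks the
    source address only, whatever interface the packet arrived on, and it guards only the
    vty lines, never traffic forwarded through the router."""
    return "permit" if ip_address(pkt["src"]) in LAN else "deny"


class ReflexiveSerial:
    """Sankar's pair on s0/0: OUTBOUND 'permit tcp any any eq 23 reflect Telnettraffic',
    INBOUND 'evaluate Telnettraffic' followed by the implicit deny."""

    def __init__(self):
        self.telnettraffic = set()   # dynamic entries, keyed by the mirrored 4-tuple

    def outbound(self, pkt):
        if pkt["dport"] == TELNET:
            # the reflect keyword records the return flow: dst/src and ports swapped
            self.telnettraffic.add((pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"]))
            return "permit"
        return "deny"

    def inbound(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        return "permit" if key in self.telnettraffic else "deny"


def run_scenarios():
    """Return {scenario: {filter: verdict}} for the flows the thread discusses."""
    refl = ReflexiveSerial()
    outside_host, inside_host = "198.51.100.7", "192.168.1.10"   # constructed

    attack = packet(outside_host, OUTSIDE_IP, 40001, TELNET)        # arrives on s0
    attack_lan_addr = packet(outside_host, INSIDE_IP, 40005, TELNET)  # arrives on s0, aimed at router's LAN IP
    lan_mgmt = packet(inside_host, INSIDE_IP, 40002, TELNET)        # arrives on the LAN interface
    lan_out = packet(inside_host, outside_host, 40003, TELNET)      # leaves via s0
    lan_return = packet(outside_host, inside_host, TELNET, 40003)   # reply to lan_out, arrives on s0
    unsolicited = packet(outside_host, inside_host, 40004, TELNET)  # outside to a LAN host, arrives on s0

    return {
        "outside_to_router_serial_ip": {
            "access_class": vty_access_class(attack),
            "acl_101": evaluate_acl(ACL_101, attack),
            "reflexive": refl.inbound(attack),
        },
        "outside_to_router_lan_ip": {
            # ACL 101 names only the serial address, so the router's other address is reachable
            "access_class": vty_access_class(attack_lan_addr),
            "acl_101": evaluate_acl(ACL_101, attack_lan_addr),
            "reflexive": refl.inbound(attack_lan_addr),
        },
        "lan_to_router": {
            # the s0 ACLs never see this packet; only the vty access-class applies
            "access_class": vty_access_class(lan_mgmt),
        },
        "lan_telnet_out_and_back": {
            "reflexive_out": refl.outbound(lan_out),
            "reflexive_return": refl.inbound(lan_return),
        },
        "outside_to_lan_host": {
            "acl_101": evaluate_acl(ACL_101, unsolicited),
            "reflexive": refl.inbound(unsolicited),
        },
    }


if __name__ == "__main__":
    for scenario, verdicts in run_scenarios().items():
        print(scenario, verdicts)
```

Two results are worth noting. Milan's access-list 101 as posted denies Telnet only to the serial address, so a Telnet attempt arriving on s0 for the router's LAN address, or for a host behind it, still passes; the access-class still stops the former because it checks the source regardless of destination, while the reflexive pair stops both because anything not mirrored from an inside-initiated session hits the implicit deny. Using Milan's options 1 and 2 together, as he suggests, closes the first gap. One thing the model leaves out: IOS does not run outbound interface ACLs over packets the router itself generates, so a Telnet session started from the router's own CLI out of s0/0 creates no Telnettraffic entry and its return traffic is dropped by INBOUND.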
