07-31-2003 04:08 PM - edited 03-02-2019 09:17 AM
I would like to disable Telnet access on a 1720 router, but only on the outside (serial) interface. How is this done? Thanks.
07-31-2003 04:30 PM
Try an access-class statement:
access-class:
To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.
access-class access-list-number {in | out}
no access-class access-list-number {in | out}
HTH
07-31-2003 04:43 PM
You can't disable telnet access from a particular interface on a router. The telnet process runs independent of any interface. The above config will disable you from telnetting into the router as a whole based on the access-list.
07-31-2003 07:26 PM
Try a reflexive access-list. This should disable telnet coming from outside to inside (including telnet to your router on the serial interface).
ip access-list extended OUTBOUND
permit tcp any any eq 23 reflect Telnettraffic
ip access-list extended INBOUND
evaluate Telnettraffic
int s0/0
ip access-group OUTBOUND out
ip access-group INBOUND in
This access-list OUTBOUND basically permits only telnet traffic initiated from inside your network. A dynamic entry is created each time a telnet connection is initiated from inside to outside. The return telnet traffic for every session (initiated from inside to outside) is also permitted by the dynamic entry.
The other side effect of this reflexive access-list (good side effect) is that it will deny telnet access to your router on the serial interface.
You can mix and match regular access-list statements with reflexive access-list statements. So if you have other access-lists in place already, make sure to add those statements into the above mentioned access-lists.
Hope that helps.
07-31-2003 11:22 PM
Please clarify:
Do you want to prevent users from Telnetting TO your router through the serial interface, OR do you want to prevent Telnet connections FROM the router through the serial interface?
Regards,
Milan
08-01-2003 10:44 PM
I want to prevent the router from responding to telnet attempts on port 25 when they originate from the outside (Internet) on the serial line. Any internal telnet from the LAN I would like to keep open both ways, telnetting into the router and out of it. Thanks.
08-04-2003 02:41 AM
OK,
you can use
1)
access-list 1 permit a.b.c.d ....
line vty 0 15
access-class 1 in
where access-list 1 defines the internal addresses allowed to Telnet
or
2)
int s0
ip access-group 101 in
access-list 101 deny tcp any host w.x.y.z eq telnet (or 25 if you are using port 25 for Telnet but I think it was a typo error)
access-list 101 permit ip any any
or both 1) and 2).
Regards,
Milan
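As an added example (not from the thread), a small Python model of Milan's option 2: ACL 101 applied inbound on the serial interface, evaluated first-match-wins with the implicit deny at the end. The router address and interface names are constructed placeholders for the thread's w.x.y.z and s0.

```python
# Added example, not from the thread: evaluate Milan's option 2 ACL the way
# IOS does (first matching entry wins, implicit deny if nothing matches).
import ipaddress
from dataclasses import dataclass

ROUTER_SERIAL_IP = "203.0.113.1"   # constructed placeholder for w.x.y.z

# access-list 101 deny tcp any host w.x.y.z eq telnet
# access-list 101 permit ip any any
# Entries: (action, protocol, source, destination, destination port)
ACL_101 = [
    ("deny",   "tcp", "any", ROUTER_SERIAL_IP, 23),
    ("permit", "ip",  "any", "any",            None),
]

# "int s0 / ip access-group 101 in": the ACL is bound to one interface and
# one direction only; packets arriving on the LAN interface never see it.
INTERFACE_ACLS = {"Serial0": {"in": ACL_101}}

@dataclass
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str
    dst: str
    dport: int

def _match_addr(spec, addr):
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)

def _match_entry(entry, pkt):
    action, proto, src, dst, dport = entry
    if proto != "ip" and proto != pkt.proto:        # "ip" matches every protocol
        return False
    if not _match_addr(src, pkt.src) or not _match_addr(dst, pkt.dst):
        return False
    return dport is None or dport == pkt.dport

def evaluate(acl, pkt):
    """Return the action of the first matching entry; implicit deny otherwise."""
    for entry in acl:
        if _match_entry(entry, pkt):
            return entry[0]
    return "deny"

def accepted(ingress_iface, pkt):
    """True if a packet arriving on ingress_iface passes the inbound ACL there."""
    acl = INTERFACE_ACLS.get(ingress_iface, {}).get("in")
    return acl is None or evaluate(acl, pkt) == "permit"
```

Note that this ACL only shields the router's own serial address; telnet from the Internet to an internal host still passes, which is what the reflexive access-list in the earlier reply would additionally block.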