Cisco Support Community
Community Member

Disable Telnet on Interface

I would like to disable Telnet access on a 1720 router, but only on the outside (serial) interface. How is this done? Thanks.

6 REPLIES
Community Member

Re: Disable Telnet on Interface

Try an access-class statement:

access-class:

To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.

access-class access-list-number {in | out}

no access-class access-list-number {in | out}

HTH

Community Member

Re: Disable Telnet on Interface

You can't disable telnet access from a particular interface on a router. The telnet process runs independent of any interface. The above config will disable you from telnetting into the router as a whole based on the access-list.

Re: Disable Telnet on Interface

Try a reflexive access-list. This should disable telnet coming from outside to inside (including telnet to your router on the serial interface).

ip access-list extended OUTBOUND
 permit tcp any any eq 23 reflect Telnettraffic

ip access-list extended INBOUND
 evaluate Telnettraffic

Int s0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in

This access list OUTBOUND basically permits only Telnet traffic initiated from inside your network. A dynamic entry is created each time a Telnet connection is initiated from inside to outside. The return Telnet traffic for every session (initiated from inside to outside) is also permitted by the dynamic entry.

The other side effect of this reflexive access-list (good side effect) is that it will deny telnet access to your router on the serial interface.

You can mix and match regular access-list statements with reflexive access-list statements. So if you have other access-lists in place already, make sure to add those statements to the above-mentioned access-lists.

Hope that helps.

Re: Disable Telnet on Interface

Please clarify:

Do you want to prevent users from Telnetting TO your router through the serial interface OR do you want to prevent Telnet connections FROM the router through the serial interface?

Regards,

Milan

Community Member

Re: Disable Telnet on Interface

I want to prevent the router from responding to telnet attempts on port 25 when they originate from the outside (Internet) on the serial line. Any internal telnet from the LAN I would like to keep open both ways, telnetting into the router and out of it. Thanks.

Re: Disable Telnet on Interface

OK,

you can use

1)

access-list 1 permit a.b.c.d ....

line vty 0 15

access-class 1 in

where access-list 1 defines internal addresses allowed to Telnet

or

2)

int s0

ip access-group 101 in

access-list 101 deny tcp any host w.x.y.z eq telnet (or 25 if you are using port 25 for Telnet but I think it was a typo error)

access-list 101 permit ip any any

or both 1) and 2).

Regards,

Milan
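
Added example, not part of the thread: a small Python model of the two options in the reply above, showing which Telnet attempts to the router each one stops. The addresses are constructed documentation-range values standing in for a.b.c.d and w.x.y.z, the function names are hypothetical, and the model assumes the router's LAN address is routable from the outside.

```python
import ipaddress

# Constructed addresses (documentation ranges) standing in for the
# a.b.c.d and w.x.y.z placeholders used in the post.
SERIAL_IP = "192.0.2.1"          # router's serial address (w.x.y.z)
LAN_IP = "198.51.100.1"          # router's LAN address (assumed routable)
INSIDE_NET = "198.51.100.0/24"   # internal hosts permitted by access-list 1

# access-list 101 as posted: (action, protocol, destination, dest port)
ACL_101 = [
    ("deny", "tcp", SERIAL_IP + "/32", 23),
    ("permit", "ip", "0.0.0.0/0", None),
]
# access-list 1 as posted: a standard ACL matches on source address only
ACL_1 = [("permit", INSIDE_NET)]


def extended_acl(acl, proto, dst, dport):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, a_proto, a_dst, a_port in acl:
        if a_proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(a_dst):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"


def standard_acl(acl, src):
    """Source-only match with the same first-match, implicit-deny rule."""
    for action, net in acl:
        if ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return action
    return "deny"


def telnet_accepted(src, dst, in_if, acl_101_on_serial, access_class_on_vty):
    """True if a Telnet session from src to router address dst is accepted."""
    if in_if == "serial" and acl_101_on_serial:
        if extended_acl(ACL_101, "tcp", dst, 23) == "deny":
            return False
    if access_class_on_vty and standard_acl(ACL_1, src) == "deny":
        return False
    return True
```

With only option 2), a session that arrives on the serial interface but is addressed to the router's LAN address still matches `permit ip any any`, because the deny entry names a single host address. The vty access-class in option 1) rejects it by source address regardless of which router address was targeted, which is why applying both is the safer configuration.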
