12-11-2003 02:55 AM - edited 03-02-2019 12:17 PM
Hi,
can someone tell me why I can telnet to this router (81.1.1.96) from the Internet?
router#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(14.5)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 22-Jul-03 09:37 by ealyon
Image text-base: 0x800131E8, data-base: 0x80AA14DC
ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Lindo uptime is 1 week, 1 day, 42 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3y6-mz.122-13.ZH2.bin"
CISCO C837 (MPC857DSL) processor (revision 0x400) with 29492K/3276K bytes of memory.
Processor board ID AMB07390HG6 (3499136320), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
Configuration register is 0x2102
router#
router#
router#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 10.0.0.254 YES manual up up
ATM0 unassigned YES NVRAM up up
ATM0.1 81.1.1.96 YES TFTP up up
Loopback0 81.1.1.96 YES NVRAM up up
router#
router#sh run
Building configuration...
Current configuration : 1737 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
logging queue-limit 100
enable password xxx
!
ip subnet-zero
!
!
ip inspect audit-trail
ip inspect max-incomplete low 50
ip inspect max-incomplete high 100
ip inspect one-minute low 50
ip inspect one-minute high 100
ip inspect name myfw cuseeme
ip inspect name myfw ftp
ip inspect name myfw rcmd
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw tftp
ip inspect name myfw udp
ip inspect name myfw tcp
ip inspect name myfw http java-list 11
ip inspect name myfw h323
ip inspect name myfw sqlnet
ip inspect name myfw vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Loopback0
ip address 81.1.1.96 255.255.255.255
!
interface Ethernet0
description Lan Internal
ip address 10.0.0.254 255.255.255.0
ip nat inside
load-interval 30
hold-queue 100 out
!
interface ATM0
bandwidth 192
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description "adsl connection number xxxxxx"
ip unnumbered Loopback0
ip access-group 101 in
ip nat outside
pvc provider 8/35
protocol ip 6.6.6.6
oam-pvc manage
encapsulation aal5snap
!
!
ip nat translation timeout 120
ip nat inside source list 10 interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1 6.6.6.6
no ip http server
no ip http secure-server
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 11 permit any
!
line con 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password xxx
login
!
scheduler max-task-time 5000
!
end
router#
router#
router#sh ip int
ATM0 is up, line protocol is up
Internet protocol processing disabled
ATM0.1 is up, line protocol is up
Interface is unnumbered. Using address of Loopback0 (81.1.1.96)
Broadcast address is 255.255.255.255
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 101
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is disabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Ethernet0 is up, line protocol is up
Internet address is 10.0.0.254/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Loopback0 is up, line protocol is up
Internet address is 81.1.1.96/32
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1514 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
router#
12-11-2003 03:20 AM
You have access-list 10 and 11 defined, but not applied anyplace, and you have access list 101 applied, but not defined. What would be preventing anyone from telnetting to the router? Did you intend to apply access list 10 to the inbound vty sessions?
Russ.W
12-11-2003 03:36 AM
Access-list 10 is applied to the NAT.
As you say, access-list 101 is applied on the ATM subinterface but not defined (which means permit any any).
Thanks for the reply.
12-11-2003 06:18 AM
The command syntax you can use to protect the router from telnet access from the Internet is:
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
Cheers,
Mitko
12-11-2003 10:41 PM
I see you're running CBAC but it's not applied on any interface, i.e.
interface Ethernet0
 ip inspect myfw in
!
-Jeff
12-13-2003 03:38 AM
Do you want to remove all telnet access to the router?
If so, just remove the password from the line vty.
Do you want to restrict telnet from certain sources?
If so, configure on the line vty:
access-class x in
transport input telnet
12-13-2003 03:42 AM
or even "to" the router
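As an added example (not posted by anyone in this thread), a small Python audit that runs the three checks raised above against the posted config: an access-group naming an ACL that is never defined, ACLs defined but never referenced, a CBAC rule set never bound to an interface, and vty lines without an access-class. The config text is a constructed, trimmed copy of the running-config above, and FIXED applies the fixes suggested in the replies.

```python
import re
# Constructed, trimmed copy of the running-config posted in the thread (only the lines the audit reads).
POSTED = """\
ip inspect name myfw tcp
ip inspect name myfw http java-list 11
interface Ethernet0
 ip nat inside
interface ATM0.1 point-to-point
 ip access-group 101 in
ip nat inside source list 10 interface Loopback0 overload
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 11 permit any
line vty 0 4
 password xxx
 login
"""
# Constructed: the same config with the thread's fixes applied (define ACL 101 with the
# telnet deny, bind the CBAC rule set inbound on Ethernet0, put an access-class on the vtys).
FIXED = (
    POSTED.replace(" ip nat inside\n", " ip nat inside\n ip inspect myfw in\n")
    .replace("access-list 11 permit any\n",
             "access-list 11 permit any\n"
             "access-list 101 deny tcp any any eq 23\n"
             "access-list 101 permit ip any any\n")
    .replace(" login\n", " access-class 10 in\n login\n")
)

def audit_ios_config(text):
    """Return findings about ACL and CBAC wiring gaps in an IOS running-config."""
    defined = set(re.findall(r"^access-list (\d+) ", text, re.M))
    on_iface = set(re.findall(r"^\s+ip access-group (\d+) (?:in|out)", text, re.M))
    nat_lists = set(re.findall(r"^ip nat inside source list (\d+) ", text, re.M))
    java_lists = set(re.findall(r"java-list (\d+)", text))
    vty_class = set(re.findall(r"^\s+access-class (\d+) in", text, re.M))
    referenced = on_iface | nat_lists | java_lists | vty_class
    findings = []
    for acl in sorted(on_iface - defined):
        # IOS treats an access-group that names a missing ACL as permit-all
        findings.append(f"ACL {acl} applied but never defined: filter permits everything")
    for acl in sorted(defined - referenced):
        findings.append(f"ACL {acl} defined but not applied anywhere")
    rule_sets = set(re.findall(r"^ip inspect name (\S+) ", text, re.M))
    bound = set(re.findall(r"^\s+ip inspect (\S+) (?:in|out)", text, re.M))
    for rs in sorted(rule_sets - bound):
        findings.append(f"CBAC rule set {rs} defined but not bound to any interface")
    if re.search(r"^line vty", text, re.M) and not vty_class:
        findings.append("vty lines have no access-class: login reachable from any source")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ios_config(POSTED)) or "no findings")
```

Running it on POSTED reports the undefined ACL 101, the unbound myfw rule set and the open vty lines; on FIXED it reports nothing.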