04-28-2003 06:20 AM - edited 03-02-2019 06:57 AM
I would like to ensure that my modems are only used for dial-in access to my network and prevent any dial-out functionality. I did have the "modem InOut" command configured on my lines but when I removed that, I could still reverse telnet to a modem and dial out by issuing an atdt command.
I have both 5200's and 5300's. Thank You!
04-28-2003 06:46 AM
Add "modem dialin" under the lines if you want users to get only dial-in access into the as5xxx.
Thanks, Mak.
04-28-2003 07:24 AM
Thanks for your reply, Mak. I tried adding "modem dialin" under the lines and then reloaded the access server but, for some reason, I could still reverse telnet to a line and could then dial out using atdt command.
Mark
04-28-2003 08:52 AM
With "modem dialin" under the line, the AS shouldn't allow you to even reverse telnet to the modem. You can enter the command for reverse telnet but the session will be disconnected or closed the next second.
So make sure to enter "modem dialin" and issue "clear line x" and then reverse telnet after that. If still no luck, need to see the config under the line on which you are trying to attempt the reverse telnet session.
04-28-2003 09:31 AM
Thank you for your response. Below I have pasted pertinent parts of my configuration (sanitized). I have "modem dialin" for all my lines (1 thru 96). I picked one at random (line 9), cleared the line, connected to it with reverse telnet, and after authenticating I placed a call to the Cisco Dial-up lab in San Jose:
(hostname)#show config
!
!
!
interface FastEthernet0
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
duplex full
speed 100
!
!
line 1 96
session-timeout 10 output
exec-timeout 1 0
autoselect during-login
autoselect ppp
absolute-timeout 240
login authentication users
modem Dialin
modem autoconfigure type mica_new
transport preferred pad telnet rlogin udptn
transport input all
transport output pad telnet rlogin udptn
end
(hostname)#clear line 9
[confirm]y [OK]
(hostname)#telnet 10.1.1.1 2009
Trying 10.1.1.1, 2009 ... Open
(Banner Removed)
User Access Verification
Username:(removed)
Password:
Access Permitted
at
OK
atdt1,4085703932
CONNECT 31200 /V.42/V.42bis
Welcome! Please login with username cisco, password
cisco, and type the appropriate commands for your test:
ppp - to start ppp
slip - to start slip
arap - to start arap
Please e-mail comments about this service to dpeng@cisco.com.
customer-dialin-sj line 5 Microcom V.90 modems
User Access Verification
Username: cisco
Password:
customer-dialin-sj>exit
04-28-2003 10:17 AM
CSCdt11058 "modem dialin on a line does not prevent reverse telnet" was filed because ideally only with "modem dialin" it should not let a reverse telnet.
IOS Modem Control Scaling changes in the code now should permit this, I tried in my lab as5300 with 12.1 & 12.2 & it worked....what IOS image are you presently running?
Thanks, Mak.
04-28-2003 10:34 AM
Perhaps an IOS upgrade is in order - this particular box is an AS5300 running 12.0(7)T. Thanks very much for your help!
Mark
04-28-2003 11:39 PM
I don't think you need an IOS upgrade. It's the job of the "transport input" command to let you rev telnet into a modem. So if you have "transport input all" under the tty lines, pls remove that if you do not want to be able to rev telnet into them.
~Zulfi
04-29-2003 06:23 AM
Thanks! That solved my issue. And thanks to all who replied to my original post.
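A check for the setting the thread ends on, as an added example that is not part of the original posts: it reads saved IOS configuration text and reports, for each numbered TTY line block, whether "transport input" still accepts inbound sessions and which reverse telnet ports (2000 + line number, as in the line 9 / port 2009 session above) that covers. The function name `audit_tty_lines` and the sample configuration are hypothetical and constructed for illustration.

```python
import re

# Constructed sample, modelled on the line block posted in the thread.
SAMPLE_CONFIG = """\
line con 0
 transport input none
line 1 48
 modem Dialin
 transport input all
line 49 96
 modem Dialin
 transport input none
line 97 100
 modem Dialin
line vty 0 4
 transport input telnet
"""

def audit_tty_lines(config):
    """Return one finding per numbered (async TTY) line block.

    status is OPEN when "transport input" names any protocol, CLOSED when it
    is "none", and DEFAULT when the command is absent (the effective value
    then depends on the IOS release, so check it on the box).
    """
    findings, block = [], None
    for raw in config.splitlines():
        text = raw.strip()
        header = re.match(r"line\s+(\d+)(?:\s+(\d+))?$", text)
        if header or text in ("!", "end") or text.startswith("line "):
            block = None  # any header or separator closes the previous block
            if header:
                first = int(header.group(1))
                last = int(header.group(2) or first)
                block = {"lines": (first, last), "modem": None, "status": "DEFAULT",
                         # reverse telnet port = 2000 + line (line 9 -> 2009 in the thread)
                         "ports": (2000 + first, 2000 + last)}
                findings.append(block)
        elif block is not None:
            words = text.lower().split()
            if words[:1] == ["modem"] and len(words) == 2:
                block["modem"] = words[1]
            elif words[:2] == ["transport", "input"]:
                block["status"] = "CLOSED" if words[2:] == ["none"] else "OPEN"
    return findings

if __name__ == "__main__":
    for f in audit_tty_lines(SAMPLE_CONFIG):
        print(f["lines"], f["modem"], f["status"], f["ports"])
```

Blocks reported as OPEN with "modem dialin" set match the situation in this thread: the modem mode alone did not stop the reverse telnet session, and the transport setting was what had to change.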