Cisco Support Community
New Member

Telnet access when dialed through AS5300

I am trying to secure telnet access to my AS5300, and I have applied an ACL on the Ethernet port only allowing access to specific IP addresses for telnet. I have found that when I am dialed in I can telnet to the AS5300 regardless of the IP address that I have. I have tried to apply access-class statements to the VTY line and also the dial lines 1 through 96, and I can still use telnet. Any suggestions?

  • Other Security Subjects
5 REPLIES
Cisco Employee

Re: Telnet access when dialed through AS5300

We need to take a look at your config. Please post it here. Thx, Tejal

New Member

Re: Telnet access when dialed through AS5300

nexas5300-1>en
Password:
nexas5300-1#wr t
Building configuration...

Current configuration : 4470 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname nexas5300-1
!
no logging buffered
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default group radius enable
aaa authentication ppp default group radius
aaa accounting network default start-stop group radius
enable password
!
spe 1/0 1/7
 firmware location flash:mica-modem-pw.2.7.2.0.bin
!
!
resource-pool disable
!
call rsvp-sync
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
modemcap entry 2720:TPL=FD=&F\:AA=S0=1\:MSC=AT&FS29=4S30=2400S31=30
modemcap entry nextest:TPL=FD=&F\:AA=S0=1\:MSC=S29=4S30=2400S31=300S39=11S32=3
!
!
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 ds0-group 0 timeslots 1-24 type e&m-fgb
 cas-custom 0
!
controller T1 1
 shutdown
 framing esf
 clock source line secondary 1
 linecode b8zs
!
controller T1 2
 shutdown
 framing esf
 clock source line secondary 2
 linecode b8zs
!
controller T1 3
 shutdown
 framing esf
 clock source line secondary 3
 linecode b8zs
!
controller T1 4
 shutdown
 framing esf
 clock source line secondary 4
 linecode b8zs
!
controller T1 5
 shutdown
 framing esf
 clock source line secondary 5
 linecode b8zs
!
controller T1 6
 shutdown
 framing esf
 clock source line secondary 6
 linecode b8zs
!
controller T1 7
 shutdown
 framing esf
 clock source line secondary 7
 linecode b8zs
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial1
 no ip address
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial2
 no ip address
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial3
 no ip address
 shutdown
 no fair-queue
 clockrate 2015232
!
interface FastEthernet0
 ip address 172.16.9.30 255.255.255.0
 ip access-group 105 in
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Group-Async1
 ip unnumbered FastEthernet0
 encapsulation ppp
 ip tcp header-compression
 no ip mroute-cache
 async mode interactive
 peer default ip address dhcp
 ppp authentication pap
 group-range 1 96
!
interface Dialer1
 ip unnumbered FastEthernet0
 encapsulation ppp
 dialer pool 10
 ppp authentication pap
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.9.1
ip route 172.16.2.0 255.255.255.0 FastEthernet0
no ip http server
!
access-list 105 permit tcp host 172.16.9.2 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.3 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.119 host 172.16.9.30 eq telnet
access-list 105 permit udp host 172.16.9.119 host 172.16.9.30 eq snmp
access-list 105 permit udp host 172.16.2.19 host 172.16.9.30 eq snmp
access-list 105 deny udp any host 172.16.9.30 eq snmp
access-list 105 deny tcp any host 172.16.9.30 eq telnet
access-list 105 permit ip any any
dialer-list 1 protocol ip permit
snmp-server community
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps calltracker
snmp-server enable traps modem-health
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps aaa_server
snmp-server enable traps bgp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps dlsw
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps voice poor-qov
snmp-server enable traps xgcp
snmp-server host 172.16.2.19
snmp-server host 172.16.9.119
!
radius-server host 172.16.2.9 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key
!
!
line con 0
 exec-timeout 0 0
 password
 transport input none
line 1 96
 modem InOut
 modem autoconfigure type 2720
 transport input all
 autoselect ppp
line aux 0
line vty 0 4
 password
!
end

New Member

Re: Telnet access when dialed through AS5300

I put a copy of my config out there

Cisco Employee

Re: Telnet access when dialed through AS5300

Try to put the "ip access-group 105 in" under the interface Group-Async1. This should work. Thx, Tejal
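The reason the original ACL never fired for dial-in users is that an inbound interface ACL only inspects packets entering that interface, and a dial-in user's packets enter the router on Group-Async1, not FastEthernet0. The fragment below is an added example for this thread, not the poster's or Tejal's configuration: it applies the change Tejal describes and adds a VTY access-class as a second, interface-independent check. The standard ACL number 10, the exec-timeout value and the log keyword are choices made for this example; the host addresses are the ones already permitted for telnet in the posted ACL 105.

```ios
! Added example configuration (not from the thread).
!
! 1. Filter where the dial-in traffic actually enters. Group-Async1 is
!    "ip unnumbered FastEthernet0", so a dial-in user who telnets to the
!    router targets 172.16.9.30, exactly the destination the deny line in
!    ACL 105 matches. The trailing "permit ip any any" in ACL 105 keeps
!    the users' other traffic flowing.
interface Group-Async1
 ip access-group 105 in
!
! 2. Restrict the VTY lines themselves. access-class is evaluated on the
!    telnet session regardless of which interface it arrived on, so this
!    holds even if a new interface is added later without ACL 105.
!    ACL 10 is an example number; "log" records rejected attempts.
access-list 10 remark Management hosts allowed to reach the VTYs
access-list 10 permit host 172.16.9.2
access-list 10 permit host 172.16.9.3
access-list 10 permit host 172.16.9.119
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
!
! Checks after applying (show commands, run from a permitted host):
!   show ip interface Group-Async1   -> "Inbound access list is 105"
!   show ip access-lists 10          -> match counters on the deny line
!                                       rise when a dial-in user is refused
```

Test from both a permitted management host and a dial-in session: the management host should still reach the VTYs, while the dial-in session should be refused, with the refusal visible as a hit on the deny line of ACL 10 and in the syslog entry the log keyword produces.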

New Member

Re: Telnet access when dialed through AS5300

Thanks, I decided to use authorization and accounting with my tacacs server and that resolved the access issue.
