Telnet access when dialed through AS5300

dcoswald
Level 1

I am trying to secure telnet access to my AS5300, and I have applied an ACL on the Ethernet port only allowing access to specific IP addresses for telnet. I have found that when I am dialed in I can telnet to the AS5300 regardless of the IP address that I have. I have tried to apply access-class statements to the VTY line and also to the dial lines 1 through 96, and I can still use telnet. Any suggestions?

5 Replies

tepatel
Cisco Employee

We need to take a look at your config. Please post it here. Thanks, Tejal

nexas5300-1>en
Password:
nexas5300-1#wr t
Building configuration...

Current configuration : 4470 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname nexas5300-1
!
no logging buffered
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default group radius enable
aaa authentication ppp default group radius
aaa accounting network default start-stop group radius
enable password
!
spe 1/0 1/7
firmware location flash:mica-modem-pw.2.7.2.0.bin
!
!
resource-pool disable
!
call rsvp-sync
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
modemcap entry 2720:TPL=FD=&F\:AA=S0=1\:MSC=AT&FS29=4S30=2400S31=30
modemcap entry nextest:TPL=FD=&F\:AA=S0=1\:MSC=S29=4S30=2400S31=300S39=11S32=3
!
!
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 ds0-group 0 timeslots 1-24 type e&m-fgb
 cas-custom 0
!
controller T1 1
 shutdown
 framing esf
 clock source line secondary 1
 linecode b8zs
!
controller T1 2
 shutdown
 framing esf
 clock source line secondary 2
 linecode b8zs
!
controller T1 3
 shutdown
 framing esf
 clock source line secondary 3
 linecode b8zs
!
controller T1 4
 shutdown
 framing esf
 clock source line secondary 4
 linecode b8zs
!
controller T1 5
 shutdown
 framing esf
 clock source line secondary 5
 linecode b8zs
!
controller T1 6
 shutdown
 framing esf
 clock source line secondary 6
 linecode b8zs
!
controller T1 7
 shutdown
 framing esf
 clock source line secondary 7
 linecode b8zs
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial1
 no ip address
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial2
 no ip address
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial3
 no ip address
 shutdown
 no fair-queue
 clockrate 2015232
!
interface FastEthernet0
 ip address 172.16.9.30 255.255.255.0
 ip access-group 105 in
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Group-Async1
 ip unnumbered FastEthernet0
 encapsulation ppp
 ip tcp header-compression
 no ip mroute-cache
 async mode interactive
 peer default ip address dhcp
 ppp authentication pap
 group-range 1 96
!
interface Dialer1
 ip unnumbered FastEthernet0
 encapsulation ppp
 dialer pool 10
 ppp authentication pap
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.9.1
ip route 172.16.2.0 255.255.255.0 FastEthernet0
no ip http server
!
access-list 105 permit tcp host 172.16.9.2 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.3 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.119 host 172.16.9.30 eq telnet
access-list 105 permit udp host 172.16.9.119 host 172.16.9.30 eq snmp
access-list 105 permit udp host 172.16.2.19 host 172.16.9.30 eq snmp
access-list 105 deny udp any host 172.16.9.30 eq snmp
access-list 105 deny tcp any host 172.16.9.30 eq telnet
access-list 105 permit ip any any
dialer-list 1 protocol ip permit
snmp-server community
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps calltracker
snmp-server enable traps modem-health
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps aaa_server
snmp-server enable traps bgp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps dlsw
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps voice poor-qov
snmp-server enable traps xgcp
snmp-server host 172.16.2.19
snmp-server host 172.16.9.119
!
radius-server host 172.16.2.9 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key
!
!
line con 0
 exec-timeout 0 0
 password
 transport input none
line 1 96
 modem InOut
 modem autoconfigure type 2720
 transport input all
 autoselect ppp
line aux 0
line vty 0 4
 password
!
end

I put a copy of my config out there.

Try putting "ip access-group 105 in" under interface Group-Async1. This should work. Thanks, Tejal
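To show why the ACL bound on FastEthernet0 never sees a dial-in session, and why binding the same ACL on Group-Async1 does block it, here is an added Python model of IOS first-match ACL evaluation written for this thread (not Cisco code). The dial-in client address 172.16.9.77 is constructed, and only the "any" and "host" address forms used in ACL 105 are modelled.

```python
# ACL 105 exactly as it appears in the posted config.
ACL_105_TEXT = """
access-list 105 permit tcp host 172.16.9.2 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.3 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.119 host 172.16.9.30 eq telnet
access-list 105 permit udp host 172.16.9.119 host 172.16.9.30 eq snmp
access-list 105 permit udp host 172.16.2.19 host 172.16.9.30 eq snmp
access-list 105 deny udp any host 172.16.9.30 eq snmp
access-list 105 deny tcp any host 172.16.9.30 eq telnet
access-list 105 permit ip any any
"""
PORT_NAMES = {"telnet": 23, "snmp": 161}

def _addr(t, i):
    """'any' matches every address (None); otherwise 'host A.B.C.D'."""
    if t[i] == "any":
        return None, i + 1
    return t[i + 1], i + 2

def parse_acl(text):
    """Return ordered (action, proto, src, dst, dport) tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()  # access-list 105 <action> <proto> <src> <dst> [eq <port>]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = PORT_NAMES[t[i + 1]] if i < len(t) and t[i] == "eq" else None
        rules.append((t[2], t[3], src, dst, dport))
    return rules

def acl_permits(rules, pkt):
    """pkt = (proto, src, dst, dport); first match wins, implicit deny at the end."""
    proto, src, dst, dport = pkt
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto) or (r_src and r_src != src) \
                or (r_dst and r_dst != dst) or (r_port and r_port != dport):
            continue
        return action == "permit"
    return False

def inbound_allowed(bindings, ingress_if, pkt):
    """bindings: interface -> rules bound there with 'ip access-group <n> in'.
    An interface with no inbound ACL bound passes every packet."""
    rules = bindings.get(ingress_if)
    return True if rules is None else acl_permits(rules, pkt)

RULES = parse_acl(ACL_105_TEXT)
AS_POSTED = {"FastEthernet0": RULES}                         # LAN side only
AFTER_FIX = {"FastEthernet0": RULES, "Group-Async1": RULES}  # Tejal's suggestion
DIALIN_TELNET = ("tcp", "172.16.9.77", "172.16.9.30", 23)   # constructed dial-in client
```

The same packet that FastEthernet0 would drop is passed untouched when it enters on Group-Async1 with no ACL bound, which is exactly the symptom in the question; an interface ACL only filters traffic on the interface it is bound to.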

Thanks. I decided to use authorization and accounting with my TACACS server, and that resolved the access issue.