03-15-2002 07:35 AM - edited 03-08-2019 10:04 PM
I am trying to secure telnet access to my AS5300 and I have applied an ACL on the Ethernet port, only allowing access to specific IP addresses for telnet. I have found that when I am dialed in I can telnet to the AS5300 regardless of the IP address that I have. I have tried to apply access-class statements to the VTY line and also the dial lines 1 through 96, and I can still use telnet. Any suggestions?
03-19-2002 09:18 PM
We need to take a look at your config. Please post it here. Thanks, Tejal
03-20-2002 05:36 AM
nexas5300-1>en
Password:
nexas5300-1#wr t
Building configuration...
Current configuration : 4470 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname nexas5300-1
!
no logging buffered
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default group radius enable
aaa authentication ppp default group radius
aaa accounting network default start-stop group radius
enable password
!
spe 1/0 1/7
firmware location flash:mica-modem-pw.2.7.2.0.bin
!
!
resource-pool disable
!
call rsvp-sync
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
modemcap entry 2720:TPL=FD=&F\:AA=S0=1\:MSC=AT&FS29=4S30=2400S31=30
modemcap entry nextest:TPL=FD=&F\:AA=S0=1\:MSC=S29=4S30=2400S31=300S39=11S32=3
!
!
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
ds0-group 0 timeslots 1-24 type e&m-fgb
cas-custom 0
!
controller T1 1
shutdown
framing esf
clock source line secondary 1
linecode b8zs
!
controller T1 2
shutdown
framing esf
clock source line secondary 2
linecode b8zs
!
controller T1 3
shutdown
framing esf
clock source line secondary 3
linecode b8zs
!
controller T1 4
shutdown
framing esf
clock source line secondary 4
linecode b8zs
!
controller T1 5
shutdown
framing esf
clock source line secondary 5
linecode b8zs
!
controller T1 6
shutdown
framing esf
clock source line secondary 6
linecode b8zs
!
controller T1 7
shutdown
framing esf
clock source line secondary 7
linecode b8zs
!
!
interface Ethernet0
no ip address
shutdown
!
interface Serial0
no ip address
shutdown
no fair-queue
clockrate 2015232
!
interface Serial1
no ip address
shutdown
no fair-queue
clockrate 2015232
!
interface Serial2
no ip address
shutdown
no fair-queue
clockrate 2015232
!
interface Serial3
no ip address
shutdown
no fair-queue
clockrate 2015232
!
interface FastEthernet0
ip address 172.16.9.30 255.255.255.0
ip access-group 105 in
no ip mroute-cache
duplex auto
speed auto
!
interface Group-Async1
ip unnumbered FastEthernet0
encapsulation ppp
ip tcp header-compression
no ip mroute-cache
async mode interactive
peer default ip address dhcp
ppp authentication pap
group-range 1 96
!
interface Dialer1
ip unnumbered FastEthernet0
encapsulation ppp
dialer pool 10
ppp authentication pap
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.9.1
ip route 172.16.2.0 255.255.255.0 FastEthernet0
no ip http server
!
access-list 105 permit tcp host 172.16.9.2 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.3 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.119 host 172.16.9.30 eq telnet
access-list 105 permit udp host 172.16.9.119 host 172.16.9.30 eq snmp
access-list 105 permit udp host 172.16.2.19 host 172.16.9.30 eq snmp
access-list 105 deny udp any host 172.16.9.30 eq snmp
access-list 105 deny tcp any host 172.16.9.30 eq telnet
access-list 105 permit ip any any
dialer-list 1 protocol ip permit
snmp-server community
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps calltracker
snmp-server enable traps modem-health
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps aaa_server
snmp-server enable traps bgp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps dlsw
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps voice poor-qov
snmp-server enable traps xgcp
snmp-server host 172.16.2.19
snmp-server host 172.16.9.119
!
radius-server host 172.16.2.9 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key
!
!
line con 0
exec-timeout 0 0
password
transport input none
line 1 96
modem InOut
modem autoconfigure type 2720
transport input all
autoselect ppp
line aux 0
line vty 0 4
password
!
end
03-20-2002 08:57 AM
I put a copy of my config out there.
03-20-2002 05:27 PM
Try to put the "ip access-group 105 in" under the interface group-async 1. This should work. Thanks, Tejal
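Added example, not part of the thread: a small Python model of how an inbound IOS ACL is evaluated only on the interface it is bound to, which is why access-list 105 on FastEthernet0 never sees a dial-in client's telnet attempt arriving via Group-Async1, and why binding it there as well closes the gap. The ACL lines are taken from the posted config; the dial-in client address 10.10.10.5 is a constructed sample value.

```python
# Added example: per-interface inbound ACL evaluation (first match wins, implicit
# deny). ACL lines are copied from the posted config; 10.10.10.5 is a constructed
# sample dial-in client address.
PORT_NAMES = {"telnet": 23, "snmp": 161}
ACL_105 = """
access-list 105 permit tcp host 172.16.9.2 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.3 host 172.16.9.30 eq telnet
access-list 105 permit tcp host 172.16.9.119 host 172.16.9.30 eq telnet
access-list 105 permit udp host 172.16.9.119 host 172.16.9.30 eq snmp
access-list 105 permit udp host 172.16.2.19 host 172.16.9.30 eq snmp
access-list 105 deny udp any host 172.16.9.30 eq snmp
access-list 105 deny tcp any host 172.16.9.30 eq telnet
access-list 105 permit ip any any
"""

def _addr(tok):
    """Consume 'any' or 'host X' from the token list; None stands for any address."""
    if tok[0] == "any":
        return None, tok[1:]
    return tok[1], tok[2:]

def parse_acl(text):
    """Parse the extended-ACL subset used in the posted config into tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        port = PORT_NAMES[rest[1]] if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def acl_permits(entries, proto, src, dst, dport):
    """Walk the ACL top-down; the first matching entry decides."""
    for action, p, s, d, port in entries:
        if p not in ("ip", proto) or (s and s != src) or (d and d != dst):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every ACL

def inbound_allowed(bindings, ingress, proto, src, dst, dport):
    """bindings: interface -> inbound ACL; an unbound interface filters nothing."""
    acl = bindings.get(ingress)
    return True if acl is None else acl_permits(acl, proto, src, dst, dport)

POSTED = {"FastEthernet0": parse_acl(ACL_105)}                     # as posted
FIXED = {**POSTED, "Group-Async1": POSTED["FastEthernet0"]}      # suggestion applied
```

Under the POSTED bindings a dial-in peer's telnet to 172.16.9.30 enters on Group-Async1 and is never filtered, which matches the behaviour described in the first post; under FIXED the same packet hits the "deny tcp any host 172.16.9.30 eq telnet" line.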
03-21-2002 05:24 AM
Thanks, I decided to use authorization and accounting with my tacacs server and that resolved the access issue.