Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k

VPN IOS login local and telnet

Hello,

I am using the document "Configuring Cisco VPN Client 3.x for windowns to IOS Using Local Extended Authentication" to test a remote access to internal LAN.

Everything works fine but when I define the users:

username usuario1 password 0 password

these users can do a telnet to the device.

I have tried with privilege 0 but it doesn't work. Can anyone help me?

4 REPLIES
Cisco Employee

Re: VPN IOS login local and telnet

Hi,

How are you assigning IP Address to the VPN Client. That is, how is your vpn pool of ip addresses configured. One quick way to deny telnet access is to configure an ACL only for your internal network to access the router via telnet.

For example:

If 192.168.1.0/24 is your internal network, then:

access-list 1 permit 192.168.1.0 0.0.0.255

line vty 0 4

access-class 1 in

This will allow only users from 192.168.1.x/24 to access the router via line vty 0 4.

The above is also a best practice because it is an additional layer of security of which network had access to the router.

Regards,

Arul

*Pls rate if it helps*

Re: VPN IOS login local and telnet

Hello,

yes, I have an acl protection but

It is amazing that anyone can be accessed at the local router. Depend on scenario the ACL protection can't be enough.

Cisco Employee

Re: VPN IOS login local and telnet

I totally agree with you that ACL protection is not enough, if u refer my previous post that is what I told you as well :-)) ACL is just another layer of protection.

Also, What do you mean when you say you have ACL protection but anyone can access the router. Are you saying that you have applied the ACL to the VTY Lines and still users can access the router?

Can you post the configuration from the router.

Regards,

Arul

Re: VPN IOS login local and telnet

Hello,

as you see there are two users: admin and master. Master is the user that should be able to a telnet to the device. But if you do a telnet and type "admin" and its password, you can access too.

I think try to move users to a radius, but the number of users than are going to use the VPN access is very little. So I would prefer local login instead radius login.

version 12.3

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

!

hostname Terminator

!

boot-start-marker

boot-end-marker

!

! card type command needed for slot 2

enable secret 5 XXXXXXXXXXXXXXXXXXX

!

clock timezone MET 1

clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 2:00

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

!

!

ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

username master password XXXXXXXXX

username admin password XXXXXXXXXXX

!

!

!

!

crypto isakmp policy 3

encr aes 256

authentication pre-share

group 2

!

crypto isakmp client configuration group integra-client

key XXXXXXXX

dns 192.168.0.1

wins 192.168.0.1

domain f-integra.org

pool integra-pool

acl integra-acl

!

!

crypto ipsec transform-set myset esp-aes esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

!

!

!

interface FastEthernet0/0

ip address 10.2.254.249 255.255.255.248

duplex auto

speed auto

!

interface FastEthernet0/1

ip address X.X.X.X 255.255.255.240

duplex auto

speed auto

crypto map clientmap

!

ip local pool integra-pool 10.254.254.1 10.254.254.31

no ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 X.X.X.X

ip route 10.0.0.0 255.128.0.0 10.2.254.254

ip route 172.16.0.0 255.240.0.0 10.2.254.254

ip route 192.168.0.0 255.255.0.0 10.2.254.254

!

!

!

ip access-list extended integra-acl

permit ip 192.168.0.0 0.0.255.255 any

permit ip 10.0.0.0 0.255.255.255 any

permit ip 172.16.0.0 0.15.255.255 any

!

access-list 99 permit Y.Y.Y.Y

access-list 99 permit 192.168.0.0 0.0.0.255

access-list 99 deny any

!

!

!

!

!

!

!

!

!

!

line con 0

transport output all

line aux 0

transport output all

line vty 0 4

access-class 99 in

password 7 13061E010803

transport input all

transport output all

!

end

214
Views
0
Helpful
4
Replies
CreatePlease to create content