03-21-2006 06:39 AM - edited 03-04-2019 03:08 AM
I have a 1721 that I use for an Internet router. I don't want to allow telnet access or to be able to ping the interface. Is this the right config? And if so, where do I add the access list? To the serial interface?
Thanks,
03-21-2006 08:45 AM
Joseph
I have looked at the config that you posted and I have a couple of comments which may help provide the answer that you want.
I see that your default route points out the FastEthernet interface which implies that it is the Internet facing interface. Is that true? If so you would most likely want to assign the access list to the Fast Ethernet interface.
What would be the result if someone telnetted to 2.2.2.2?
I might suggest a different approach to solving the issue of telnet. Instead of an access list on an interface to control telnet you might consider using the access-class on the vty ports to control it. You could create an access list which permits the addresses (or address ranges) which you do want to be able to telnet and implicitly deny everyone else and apply that access list with access-class. Then it does not matter which interface the request comes in and does not matter what address they are telnetting to. It only matters if the source address is permitted to telnet to this router.
And there is another possible alternative to consider. Do you want people to be able to telnet to the router at all? Many enterprises will disable telnet to the Internet edge router. You can force access to the router to be via the console by configuring no exec on each of the vty ports if you just do not want telnet to the router at all.
HTH
Rick
03-21-2006 08:57 AM
No, I don't want anyone to telnet to it. So can I just do this:
config t
line vty 0 4
no exec
Is that it?
03-21-2006 09:14 AM
Joseph
That will prevent any telnet to the router.
HTH
Rick
03-21-2006 09:19 AM
Thank you sir!
03-21-2006 09:32 AM
Hi There,
You're on the right road. Do you want to defend your network behind interface S0 or just the router for telnet access? If it's the router, you need this command to attach an access list to vty 0 4 (telnet access).
!
line vty 0 4
login local
access-class 101 in
transport input telnet
transport output all
!
access-list 101 permit tcp host WW.XX.YY.ZZ any eq telnet
access-list 101 deny ip any any
!
This should prevent access by telnet from any hosts except ones you specify, i.e. WW.XX.YY.ZZ.
Also, you may want to add this line to your access list to stop people pinging the S0 also.
access-list 102 deny icmp any host 1.1.1.1
access-list 102 deny icmp any host 2.2.2.2
access-list 102 permit ip any any
Then apply it to the S0 interface:
router(config-if)# ip access-group 102 in
The above should stop people pinging/telnetting to the router. However,
I seriously recommend using a Firewall & NAT'd config on your router... if you don't already have a stand-alone device, that is? If you don't have too much experience you could use the router's web GUI, if your router and IOS version isn't too old. There is plenty of info on CCO regarding NAT & Firewall setups.
Type router(config)# ip http server
Now just web browse to the router's IP address... Don't forget that if you leave this function turned on you'll need to lock it down in your access-list 101 also.
EG..
access-list 102 deny tcp any host 1.1.1.1 eq 80
access-list 102 deny tcp any host 2.2.2.2 eq 80
access-list 102 deny icmp any host 1.1.1.1
access-list 102 deny icmp any host 2.2.2.2
access-list 102 permit ip any any
Hope this helps!!
Regards
Matt
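As an added example (not from any of the replies above), the following script audits a flat IOS running-config for the two points raised in this thread: Rick's advice that the vty lines are either closed with no exec or restricted with access-class, and Matt's advice that the ACL applied inbound on the Internet-facing interface drops ICMP to the router's own address before its permit ip any any. It assumes the Internet-facing interface is the one the default route points out of (Rick's observation); the sample config, its addresses and the ACL numbers are constructed for the demonstration.

```python
# Added audit helper (not from the thread): parse a flat IOS running-config and
# check that the vty lines are closed (no exec) or restricted (access-class), and
# that the ACL on the Internet-facing interface (assumed to be the interface the
# default route exits through) drops ICMP to its own address before the catch-all.

# Constructed sample config: Telnet is still open, ping to FastEthernet0 is blocked.
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 ip access-group 102 in
interface Serial0
 ip address 2.2.2.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 FastEthernet0
access-list 101 permit tcp host 10.0.0.5 any eq telnet
access-list 101 deny ip any any
access-list 102 deny icmp any host 1.1.1.1
access-list 102 permit ip any any
line vty 0 4
 login local
 transport input telnet
"""

def parse_config(text):
    """Split a config into interface blocks, vty lines, ACL entries and the default-route exit."""
    interfaces, vty, acls, default_iface, section = {}, [], {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" ") and section is not None:
            section.append(line.strip())   # indented line belongs to the open block
            continue
        section = None
        if line.startswith("interface "):
            section = interfaces.setdefault(line.split()[1], [])
        elif line.startswith("line vty"):
            section = vty
        elif line.startswith("access-list "):
            acls.setdefault(line.split()[1], []).append(line.split()[2:])
        elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
            default_iface = line.split()[4]
    return interfaces, vty, acls, default_iface

def audit(text):
    """Return a list of findings; an empty list means both hardening points are met."""
    interfaces, vty, acls, edge = parse_config(text)
    findings = []
    has_class = any(l.startswith("access-class ") for l in vty)
    if "no exec" not in vty and not has_class:
        findings.append("vty 0 4: neither 'no exec' nor 'access-class', Telnet reachable from any source")
    cfg = interfaces.get(edge, [])
    addr = next((l.split()[2] for l in cfg if l.startswith("ip address ")), None)
    group = next((l.split()[2] for l in cfg if l.startswith("ip access-group ") and l.endswith(" in")), None)
    entries = acls.get(group, [])
    # The ICMP deny only takes effect if it precedes the 'permit ip any any' catch-all.
    first_permit = next((i for i, e in enumerate(entries) if e == ["permit", "ip", "any", "any"]), len(entries))
    icmp_denied = any(e[:2] == ["deny", "icmp"] and e[-2:] == ["host", addr] for e in entries[:first_permit])
    if not icmp_denied:
        findings.append(f"{edge}: inbound ACL does not drop ICMP to {addr} before the permit any")
    return findings

# Same config with Matt's access-class added to the vty lines: both findings clear.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(" login local\n", " login local\n access-class 101 in\n")
```

Running audit(SAMPLE_CONFIG) reports only the open vty lines; audit(HARDENED_CONFIG) returns no findings, as does a variant that uses Rick's no exec instead of the access-class.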