Need to disable Telnet on a router

jcleary
Level 1

I have a 1721 that I use for an Internet router. I don't want to allow telnet access or to be able to ping the interface. Is this the right config, and if so where do I add the access list? To the serial interface?

Thanks,


5 Replies

Richard Burts
Hall of Fame

Joseph

I have looked at the config that you posted and I have a couple of comments which may help provide the answer that you want.

I see that your default route points out the FastEthernet interface which implies that it is the Internet facing interface. Is that true? If so you would most likely want to assign the access list to the Fast Ethernet interface.

What would be the result if someone telnetted to 2.2.2.2?

I might suggest a different approach to solving the issue of telnet. Instead of an access list on an interface to control telnet you might consider using the access-class on the vty ports to control it. You could create an access list which permits the addresses (or address ranges) which you do want to be able to telnet and implicitly deny everyone else, and apply that access list with access-class. Then it does not matter which interface the request comes in on, and it does not matter what address they are telnetting to. It only matters whether the source address is permitted to telnet to this router.

And there is another possible alternative to consider. Do you want people to be able to telnet to the router at all? Many enterprises will disable telnet to the Internet edge router. You can force access to the router to be via the console by configuring no exec on each of the vty ports if you just do not want telnet to the router at all.

HTH

Rick


No, I don't want anyone to telnet to it. So can I just do this:

config t
line vty 0 4
no exec

Is that it?

Joseph

That will prevent any telnet to the router.

HTH

Rick


Thank you sir!

Matthew Needs
Level 1

Hi There,

You're on the right road. Do you want to defend your network behind interface S0, or just the router for telnet access? If it's the router, you need this command to attach an access list to vty 0 4 (telnet access).

!
line vty 0 4
login local
access-class 101 in
transport input telnet
transport output all
!
access-list 101 permit tcp host WW.XX.YY.ZZ any eq telnet
access-list 101 deny ip any any
!

This should prevent access by telnet from any hosts except the ones you specify, i.e. WW.XX.YY.ZZ.

Also, you may want to add this line to your access list to stop people pinging the S0 also.

access-list 102 deny icmp any host 1.1.1.1
access-list 102 deny icmp any host 2.2.2.2
access-list 102 permit ip any any

Then apply it to the S0 interface:

router(config-if)#ip access-group 102 in

The above should stop people pinging/telnetting to the router. However, I seriously recommend using a firewall and NAT'd config on your router, if you don't already have a stand-alone device, that is. If you don't have too much experience you could use the router's web GUI, if your router and IOS version isn't too old. There is plenty of info on CCO regarding NAT and firewall setups.

Type router(config)#ip http server

Now just web browse to the router's IP address. Don't forget that if you leave this function turned on you'll need to lock it down in your access-list 101 also.

E.g.

access-list 102 deny tcp any host 1.1.1.1 eq 80
access-list 102 deny tcp any host 2.2.2.2 eq 80
access-list 102 deny icmp any host 1.1.1.1
access-list 102 deny icmp any host 2.2.2.2
access-list 102 permit ip any any

Hope this helps!!

Regards

Matt
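Rick's two options (no exec on the vty lines, or an access-class restricting sources) and Matt's vty config above are the things you want to verify after the change. As an added example that is not from this thread, the script below parses a constructed IOS running-config (the 192.0.2.10 host and ACL numbers are placeholders) and flags each vty line a telnet client could still reach, so you can confirm that whichever approach you chose actually closed telnet off.

```python
"""Audit an IOS running-config for vty lines that still accept telnet (added example; SAMPLE_CONFIG is constructed)."""
import re

SAMPLE_CONFIG = """\
access-list 101 permit tcp host 192.0.2.10 any eq telnet
access-list 101 deny ip any any
!
line vty 0 4
 access-class 101 in
 transport input telnet
line vty 5 9
 access-class 150 in
 transport input telnet
line vty 10 15
 no exec
"""

def parse_line_blocks(config):  # {'vty 0 4': [sub-commands...], ...}
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())  # indented = inside the line block
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_vty(config):  # -> [(vty_name, finding)] for vty lines telnet can reach
    defined_acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    findings = []
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty") or "no exec" in cmds:
            continue  # not a vty, or 'no exec' means no shell is ever started
        words = {w for c in cmds if c.startswith("transport input") for w in c.split()[2:]}
        if words and not words & {"telnet", "all"}:
            continue  # telnet is not an accepted input transport (e.g. ssh only)
        how = "telnet permitted" if words else "'transport input' unset; check release default"
        acl = next((c.split()[1] for c in cmds if c.startswith("access-class")), None)
        if acl is None:
            findings.append((name, f"{how}, no access-class"))
        elif acl not in defined_acls:
            findings.append((name, f"{how}, access-class {acl} references an undefined ACL"))
        else:
            findings.append((name, f"{how}, restricted by access-class {acl}"))
    return findings

for vty, finding in audit_vty(SAMPLE_CONFIG):
    print(f"line vty {vty}: {finding}")
```

Feed it the output of show running-config instead of SAMPLE_CONFIG; a clean run (no findings) means every vty line is either no exec or does not accept telnet at all.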
