Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
943
Views
39
Helpful
7
Replies

vty access problem

Go to solution
Danilo Dy
VIP Alumni
VIP Alumni

‎07-08-2008 02:08 AM - edited ‎03-03-2019 10:38 PM

I'm not sure if I stumble into a possible IOS bug of a certain IOS release for Catalyst Switch. I test other IOS release and don't see this problem. I look for similar problem in Cisco Security Center but I don't see any.

Here is the configuration...

!

ip access-list standard VTY

permit 192.168.1.1

!

line vty 0 4

access-class VTY in

exec-timeout 5 0

length 0

transport input ssh

line vty 5 15

I can login with the following.....

Application: Telnet

Source IP Address: Any IP Address except 192.168.1.1

Account: Any local user accounts

Line: 6 to 16 (which is vty 5 to 15)

The workaround I use...

!

line vty 5 15

access-class VTY in

Any idea how to totally block access to line 6 to 16?

TIA

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mohammedmahmoud
Level 11
Level 11
In response to Danilo Dy

‎07-08-2008 03:18 AM

Hi Dandy,

Simply do "no exec" under these lines.

BR,

Mohammed Mahmoud.

View solution in original post

7 Replies 7

Go to solution
tomredmond
Level 1
Level 1

‎07-08-2008 02:21 AM

If you do not need those lines i.e. more than five simultaneous telnet/ssh sessions then I would remove them (no line vty 5 15) you can always reinstate them later.

Tom

Go to solution
Danilo Dy
VIP Alumni
VIP Alumni
In response to tomredmond

‎07-08-2008 02:21 AM

You cannot remove them :)

Go to solution
mohammedmahmoud
Level 11
Level 11
In response to Danilo Dy

‎07-08-2008 03:18 AM

Hi Dandy,

Simply do "no exec" under these lines.

BR,

Mohammed Mahmoud.

Go to solution
Danilo Dy
VIP Alumni
VIP Alumni
In response to mohammedmahmoud

‎07-08-2008 03:41 AM

Thanks Mohammed, that works..

Go to solution
mohammedmahmoud
Level 11
Level 11
In response to Danilo Dy

‎07-08-2008 03:59 AM

Dandy,

You are more than welcomed.

BR,

Mohammed Mahmoud.

Go to solution
is66rlhntadm
Level 1
Level 1
In response to mohammedmahmoud

‎07-08-2008 05:57 AM

I usualy just configure all the vty with

line vty 0 15

this way all 16 have the same restrictions

Go to solution
Danilo Dy
VIP Alumni
VIP Alumni
In response to is66rlhntadm

‎07-08-2008 06:36 AM

Yes, but as I mentioned I only encountered this on one particular Catalyst Switch IOS.

This is because everytime I update/upgrade IOS, I use a tool to scan the device for any vulnerability. Sometime, you can just try it manually - as in this case I found out the problem when manually trying to telnet to the switch using an IP Address that is not in the ACL in line 1 to 5 (vty 0 4). I did not encounter this in other Catalyst Switch IOS. But of course I cannot test all release as I have other better things to do :) like playing COD4 (right now) and AAO (maybe later) :).

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card