
Disable access to router...only console access needed.

Status
Not open for further replies.

summoner

Technical User
Sep 28, 2002
105
US
Hello:

I am trying to disable a Cisco 1720's ability to be accessed remotely. We are interested only in accessing the router via the console connection (Cisco rollover cable to a serial port). We do not use the auxiliary connection and want to disable remote telnet access.

The portion of my "show run" that deals with this sort of thing:

Code:
line con 0
 password ######
 login
 transport preferred none
line aux 0
 password ########
 login
 transport preferred none
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password #######
 login
 transport preferred none
 transport input none

I tried disabling the VTY lines and wasn't able to do so. Any ideas? Thanks in advance.
 
You could make an access control list or simply remove the password from the vty lines...
router>en
router#conf t
router(config)#line vty 0 4
router(config-line)#no login
router(config-line)#no password xxxxxx
router(config-line)#end
router#wr
That's the easiest way. Let me know if you want to do the acl way...

Burt
 
ahh ok...I was trying to enter a command like:

router(config)#no line vty 0 4

and I was getting errors. I'll try this and let you know.
 
> You could make an access control list or simply remove the password from the vty lines...
> router>en
> router#conf t
> router(config)#line vty 0 4
> router(config-line)#no login
> router(config-line)#no password xxxxxx
> router(config-line)#end
> router#wr
> That's the easiest way. Let me know if you want to do the acl way...
>
> Burt

Are you sure Burt?.............

That's going to allow access to the vty lines without any authentication (the 'no login' bit).

This works though:

Code:
line vty 0 4
 transport input none

HTH

Andy
 
No. Removing the password from a VTY line disables remote access to that line. It does not allow someone to enter without authentication. Anyone trying to access that line will get the error message "Password required, but none set." or something to that effect.
 
> No. Removing the password from a VTY line disables remote access to that line. It does not allow someone to enter without authentication. Anyone trying to access that line will get the error message "Password required, but none set." or something to that effect.

Not if you also add the line 'no login'; this removes the login from the line and allows you to automatically be presented with the console prompt >

Try it and see..... I use this all the time when setting stuff up, it speeds things up until you are ready to implement your AAA or local authentication etc.

Andy
 
Sure, I understand that. I was just pointing out that simply removing the password will not allow unauthenticated access.
 
Whoops...really? Hmmm...so if he leaves the login statement there, but simply removes the password, it would work? You wouldn't think so, because originally the login statement is not there, yet you get the error "Password needed, but none set"

Burt
 
In that case, the login statement was probably the default. I'm not sure about that. But what you said is true: if "no login" is applied then unauthenticated access is allowed. However, if "login" is configured (or the default), then removing the password is enough to deny terminal access.
 
apparently...hang on...I'll try...
Man---consoling to one of my 2924's (the one I use) just locked it up!!! Stupid PuTTY...lemme try HyperCrash...I mean, HyperTerminal...
Well I'll be...
Cat2924>en
Cat2924#conf t
Cat2924(config)#line vty 0 4
Cat2924(config-line)#no login
This does let me telnet without having to use a password, but the enable password prevents me from getting to the privileged exec prompt w/o a password...
Cat2924(config-line)#no pass
This gives me the error "Password set, but none required"
I actually now remember another post here in Tek-Tips about this...thanks Andy...here's another star bro.

Burt

 
Interesting...turns out the switch locked every time with the console cable plugged in...anyone else ever have this problem?
I would power cycle the switch, and it came up okay once, and I tried PuTTY and it worked fine. I closed PuTTY, and it locked up about a minute later...I power cycled the switch three other times, no dice---still all the lights lit and once only the interface lights that have something plugged in lit, but steady---unresponsive. It occurred to me to unplug the console cable and power cycle it again---it's been fine now...weird.

Burt
 
If you set the 'transport input none' then you can't even telnet/SSH to the switch; there is no response. Which in my book is much more secure - if it responds then there is potential for attack...

HTH

Andy
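
The vty states debated in this thread, as an added example that is not part of any poster's reply: a small Python audit that reads the `line` sections of a saved `show run` and classifies each vty range. The sample config is constructed (placeholder passwords, and a hypothetical `line vty 5 15` range); the function names and the `local-or-aaa` label are assumptions of this example, and a missing `transport input` is conservatively treated as open.

```python
# Constructed sample: the poster's vty section (placeholder password) plus a
# hypothetical second range carrying the "no login" variant from the thread.
SAMPLE_CONFIG = """\
line aux 0
 password PLACEHOLDER
 login
 transport input all
line vty 0 4
 password PLACEHOLDER
 login
 transport preferred none
 transport input none
line vty 5 15
 no login
 transport input telnet
"""


def parse_line_sections(config):
    """Map each 'line ...' header to its indented subcommands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and raw.strip() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def classify_vty(cmds):
    """Classify one vty section using the behaviour described in the thread."""
    inbound = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
    if inbound and inbound[-1] == ["none"]:
        return "closed"           # no inbound protocol: the line never answers
    if "no login" in cmds:
        return "unauthenticated"  # user EXEC prompt with no password check
    if any(c.startswith("login ") for c in cmds):
        return "local-or-aaa"     # e.g. "login local": not covered in the thread
    if not any(c.startswith("password ") for c in cmds):
        return "refused"          # login with no password set: session rejected
    return "password"


def audit_vty(config):
    """Return {vty header: classification} for every vty section."""
    return {h: classify_vty(c) for h, c in parse_line_sections(config).items()
            if h.startswith("line vty")}
```

Any range reported as `unauthenticated` is the `no login` case; `closed` is the `transport input none` case.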
 