
How to secure telnet access using access-list?


ase2dais (Technical User, joined Dec 21, 2001, 58 messages, location US)
Hello gang!

It's been a while, but can someone help me refresh my memory on using an access-list to apply to E0, so no one can access the
gateway router from the real world?

I have noticed some unusual events at some late and weird hours, which prompts me to do this ASAP.

Any help is appreciated.

Ase
 
Any VTY should be configured to accept connections only with the protocols actually needed. This is done with the transport input command. For example, a VTY that was expected to receive only Telnet sessions would be configured with transport input telnet, while a VTY permitting both Telnet and SSH sessions would have transport input telnet ssh. If your software supports an encrypted access protocol such as SSH, it may be wise to enable only that protocol, and to disable cleartext Telnet. It's also usually a good idea to use the ip access-class command to restrict the IP addresses from which the VTY will accept connections:

aaa new-model
aaa authentication login Cisco-Lab local
!
! note: a type 7 password is only obfuscated, not encrypted
username Cisco1 password 7 11041811051B13
!
! only the two management networks may reach the vtys; first match wins
access-list 3 permit 215.17.1.0 0.0.0.255
access-list 3 permit 215.17.34.0 0.0.0.255
access-list 3 deny any
!
line vty 0 4
 access-class 3 in
 exec-timeout 5 0
 transport input telnet ssh
 transport output none
 transport preferred none
 login authentication Cisco-Lab
 history size 256
!
Access-list 3 defines the networks 215.17.1.0/24 and 215.17.34.0/24 as the only networks with access to these vtys (these could be the administration or NOC networks at two locations, for example).

An ACL that will provide more accurate auditing is listed below:
access-list 199 permit tcp 215.17.1.0 0.0.0.255 any log
access-list 199 permit tcp 215.17.34.0 0.0.0.255 any log
access-list 199 deny tcp any any range 0 65535 log
access-list 199 deny ip any any log
regards,
Alain
CCDA/CCNA
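The access-class and ACL logic Alain describes, worked through as an added example (this is not code from the original post or from Cisco): a small evaluator that parses the two numbered lists and the vty block exactly as posted above, matches a source address against a wildcard mask the way the router does (first entry wins, implicit deny at the end), and audits the vty block for a missing access-class or a cleartext telnet transport. The copy of the config inside the block is a constructed copy of the posted lines; the source and destination addresses fed to it are made-up test values.

```python
"""Evaluate Cisco IOS numbered access-lists the way the router does: top-down,
first match wins, unmatched traffic hits the implicit deny. Standard lists
(1-99) match on source only; extended lists (100-199) match protocol, source,
destination and ports. Added example, not from the original post or Cisco."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed copy of the access-lists and vty block posted above.
CONFIG = """\
access-list 3 permit 215.17.1.0 0.0.0.255
access-list 3 permit 215.17.34.0 0.0.0.255
access-list 3 deny any
access-list 199 permit tcp 215.17.1.0 0.0.0.255 any log
access-list 199 permit tcp 215.17.34.0 0.0.0.255 any log
access-list 199 deny tcp any any range 0 65535 log
access-list 199 deny ip any any log
line vty 0 4
 access-class 3 in
 exec-timeout 5 0
 transport input telnet ssh
"""

AddrSpec = Tuple[int, int]            # (network as int, wildcard mask as int)
PortSpec = Optional[Tuple[int, int]]  # inclusive (low, high), None = any port
ANY: AddrSpec = (0, 0xFFFFFFFF)
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")


@dataclass
class Entry:
    action: str
    proto: str        # 'ip' on a standard list, i.e. matches every protocol
    src: AddrSpec
    dst: AddrSpec
    sport: PortSpec
    dport: PortSpec
    log: bool


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [W.X.Y.Z]' at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    if i + 1 < len(tok) and IPV4.fullmatch(tok[i + 1]):
        return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
    return (_ip(tok[i]), 0), i + 1   # standard list: bare address is one host


def parse_port(tok, i):
    """Consume an optional 'eq N' or 'range A B' following an address."""
    if i < len(tok) and tok[i] == "eq":
        p = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i


def parse_acls(config: str):
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action, i = int(tok[1]), tok[2], 3
        if num <= 99:                       # standard: source address only
            proto, dst, sport, dport = "ip", ANY, None, None
            src, i = parse_addr(tok, i)
        else:                               # extended: proto src [port] dst [port]
            proto, i = tok[i], i + 1
            src, i = parse_addr(tok, i)
            sport, i = parse_port(tok, i)
            dst, i = parse_addr(tok, i)
            dport, i = parse_port(tok, i)
        acls.setdefault(num, []).append(
            Entry(action, proto, src, dst, sport, dport, "log" in tok[i:]))
    return acls


def addr_matches(spec: AddrSpec, ip: str) -> bool:
    net, wild = spec          # wildcard bits set to 1 are "don't care" bits
    return (_ip(ip) | wild) == (net | wild)


def port_matches(spec: PortSpec, port: Optional[int]) -> bool:
    return spec is None or (port is not None and spec[0] <= port <= spec[1])


def evaluate(acl, src, dst="0.0.0.0", proto="ip", sport=None, dport=None):
    """First matching entry decides; returns (action, entry index or None)."""
    for idx, e in enumerate(acl):
        if e.proto not in ("ip", proto):
            continue
        if (addr_matches(e.src, src) and addr_matches(e.dst, dst)
                and port_matches(e.sport, sport) and port_matches(e.dport, dport)):
            return e.action, idx
    return "deny", None                     # implicit deny, which is never logged


def audit_vty(config: str, acls) -> list:
    """Flag vty lines with no access-class, or with cleartext telnet enabled."""
    findings, in_vty, access_class, transports = [], False, None, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and not line.startswith(" "):
            in_vty = False
        tok = line.split()
        if in_vty and tok[:1] == ["access-class"]:
            access_class = int(tok[1])
        if in_vty and tok[:2] == ["transport", "input"]:
            transports = tok[2:]
    if access_class is None:
        findings.append("no access-class on vty: any host that can reach the router may try to log in")
    elif access_class not in acls:
        findings.append(f"access-class {access_class} refers to a list with no entries")
    if transports is None or "telnet" in transports or "all" in transports:
        findings.append("vty accepts cleartext telnet; use 'transport input ssh' once the image supports it")
    return findings


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    print(evaluate(acls[3], "215.17.1.77"))                                  # ('permit', 0)
    print(evaluate(acls[199], "203.0.113.9", "198.51.100.1", "tcp", 40000, 23))  # ('deny', 2)
    print(audit_vty(CONFIG, acls))
```

The wildcard test is the whole point of `0.0.0.255`: the bits set in the wildcard are ignored, so `215.17.1.0 0.0.0.255` covers every host in 215.17.1.0/24. The difference between the explicit `deny any` in list 3 and the implicit deny at the end of list 199 matters for auditing: only an explicit entry can carry `log`, which is why Alain's list 199 ends with two logged deny lines rather than relying on the implicit one.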
 
Alain,

Thanks for the very detailed, comprehensive reply, but first things first.

Since I inherited an old 2500 series router from our
ISP, it came with IOS 11.x.

What IOS comes with SSH support?

And if 11.x IOS does support it, can we just pretty much
cut and paste these commands you have provided?

Just trying to make life simple, since there's a lot of stuff on my plate.

I'll read up on the .pdf file you have sent also.


 
> What IOS comes with SSH support?

The SSH server requires you to have an IPSec (DES or 3DES) encryption software image from Cisco IOS Release 12.1(1)T downloaded on your router; the SSH client requires you to have an IPSec (DES or 3DES) encryption software image from Cisco IOS Release 12.1(3)T downloaded on your router.

In your case, upgrading IOS would likely mean purchasing additional Flash and DRAM. Check out the release notes for the desired version of IOS and its requirements.

Else, go for the Telnet solution (with the access-list applied as described in the PDF). This is what most people use.

Something like:
! all 192.168.0.x hosts are permitted
access-list 3 permit 192.168.0.0 0.0.0.255
!
line vty 0 4
 access-class 3 in
 exec-timeout 5 0

regards,
Alain
CCDA/CCNA
 
I investigated the IOS compatibility issue, and sure enough
11.x is way too old, and the fact of the matter is, 2500 series are way too old.

But to make good with what I have, I went to eBay and
bid on two Flash memory modules.

Now, why do I need DRAM?
Would DES be that much of an overhead, and necessary?

... and reading the PDF file you mentioned, it was worth noting to partition the flash for both the old and new IOS, for a fail-safe install.

There's a lot to chew on from here on, but I guess one access-list entry may be enough. An access-list that denies anyone
from the outside going to my router's outside IP address as their destination and the telnet port.

.. apply it at the E0 inbound, or something.
The specifics are what's getting me, the "don't use it, lose it" syndrome.

But you are keeping fire under my seat though, which is good.


ase

 