
Securing Telnet

Status
Not open for further replies.

bas95

Technical User
Aug 22, 2002
31
NL
Hello,

Cisco 2610 with IOS 12.07, 1 serial interface, 1 ethernet. Used for internet access.

How can I disable telnet sessions on the serial and ethernet
interfaces, so that the only way to configure this router is by using the console port?

Regards,

Bastiaan van Utrecht

 
All telnet access is controlled by the VTY lines.

conf t
#line vty 0 4
#no login

This should stop any telnet access to Ethernet or serial interface.

Cheers

Mark
 
I changed the configuration as you suggested.

But the line "no login" gives access to the router without
logging in. So better use login...

Is there a better way to secure the VTY lines?

Regards,


Bastiaan van Utrecht

 
Configuring no login on the vty lines should restrict access to those lines. Also, if there is no password configured on the vty line, telnet access should be blocked as well. You should get the message: password required, but none set.

You might want to make sure that there haven't been more VTY lines set up. By default, there are only 5, numbered 0 - 4. But more can be configured (check with show line command).

Other than that if you still want to allow telnet access but just secure it, do the following:

Create an access-list that will permit/deny the required addresses. On the VTY line apply the access-list with the access-class command.

access-list 1 permit 10.0.0.0 0.255.255.255
line vty 0 4
access-class 1 in

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
Sorry, you are correct about the "no login" command. (I don't know what I was thinking)

The access-class command will enable you to permit / deny traffic as Erik says.

To stop all traffic and make the vty unusable.

access-list 1 deny any
line vty 0 4
access-class 1 in

Cheers

Mark
PS I tried to delete the vty lines from the config but the 2950 will not do it.
PPS Make sure you cover ALL vty lines. There are usually 2 groups, 0-4 and 5-15.
 
I had changed our configuration and I had a good feeling about the situation now.

Thanks a lot,

Bastiaan van Utrecht
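
An added example, not part of any post in this thread: a small Python audit that reads a configuration in "show running-config" layout and flags the VTY problems discussed above ("no login", a VTY range with no inbound access-class, and an access-class that points at a list the configuration never defines). The sample configuration, the function names and the finding texts are constructed for illustration, and sub-commands are assumed to be indented as the router prints them.

```python
import re

# Constructed sample in "show running-config" layout (not the poster's router).
SAMPLE_CONFIG = """\
access-list 1 permit 10.0.0.0 0.255.255.255
!
line con 0
line vty 0 4
 access-class 1 in
 password example-only
 login
line vty 5 15
 no login
!
end
"""

def parse_vty_blocks(config):
    """Map each 'line vty' range (first, last) to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?\s*$", raw)
        if m:
            first = int(m.group(1))
            current = blocks.setdefault((first, int(m.group(2) or first)), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level line closes the block
    return blocks

def audit_vty(config):
    """Return sorted findings for the VTY issues raised in the thread."""
    defined = set(re.findall(
        r"^(?:ip )?access-list (?:standard |extended )?(\S+)", config, re.M))
    findings = []
    for (first, last), cmds in parse_vty_blocks(config).items():
        name = f"vty {first} {last}"
        if "no login" in cmds:
            findings.append(f"{name}: 'no login' admits sessions without authentication")
        acls = [m.group(1) for c in cmds
                if (m := re.match(r"access-class (\S+) in\b", c))]
        if not acls:
            findings.append(f"{name}: no inbound access-class")
        findings += [f"{name}: access-list {a} is not defined"
                     for a in acls if a not in defined]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_vty(SAMPLE_CONFIG)) or "no findings")
```

On the constructed sample, the 0-4 range passes and the 5-15 range is reported twice, which is the case the PPS above warns about.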

 