Cisco 1720 - Disable Telnet on Serial Interface

2,437 Views
Last Modified: 2013-11-16
I'm not a Cisco newb but I'm no expert either.

I'm running a Cisco 1720 (IOS 12.2(40) no PIX, no 3DES support) router with 1 WIC-DSU-CSU card to service a T1.  It's fully configured and working like a champ except for 1 security issue I need to resolve.

I need to be able to telnet to the device via FastEthernet0 (from my LAN only).  I also need to be able to still dial-in to the AUX port (setup and working now).  And lastly I obviously still need Console Access.

What I do not want is for anyone to connect via Telnet via the Serial (WAN) interface.  In other words I need to connect to the FastEthernet0 IP only and the source packet must be coming from my LAN, not the internet.

If this is not possible then please let me know and I will just disable line vty 0 4 altogether.  Copy of my sho run below with some stuff left out for obvious reasons.
Current configuration : 987 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname AFV
!
enable secret 5 $1$YxiB$7l8AlVjPeJlovFyCHAXUW.
!
memory-size iomem 25
ip subnet-zero
ip domain-name somedomain.com
!
!
!
!
interface FastEthernet0
 description TWTWAN
 ip address 0.0.0.0 255.255.255.252
 speed auto
 full-duplex
!
interface Serial0
 description TWT WAN
 ip address 0.0.0.0 255.255.255.252
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
!
ip default-gateway 192.168.0.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.195.233.9
no ip http server
!
!
line con 0
 password 7 132511042B00080A28277B7771
 logging synchronous
 login
line aux 0
 password 7 0226024D2B0A03014F4D5A5D41
 login
 modem InOut
 transport input all
 speed 115200
 flowcontrol hardware
line vty 0 4
 password 7 0226024D2B0A03014F4D5A5D41
 login
line vty 5 15
 password 7 15320D1A242627042B30666657
 login
!
end

Top Expert 2009
Commented:
Add an access-list to the VTY lines:

conf t
access-list 10 permit x.x.x.0 0.0.0.255   <--your LAN

line vty 0 15
access-class 10 in

You need to configure the following


access-list 10 permit ip.ip.ip.ip  mask.mask.mask.mask
!where ip.ip.ip.ip = your internal network
line vty 0 4
 access-class 10 in
line vty 5 15
 access-class 10 in
!
!
Make sure access-list 10 contains all your internal subnets with the correct masks, or you'll lock yourself out.
Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Author

Commented:
Thanks guys!  JFrederick29 was first so I gave more points to the first answer, however, ciscoml320 provided some clarification so I am splitting them up.
Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Author

Commented:
Quick follow up question.  Can I just get rid of vty 5 15 since there will never be more than 1 session at a time?  Or are some of the VTYs bound to different interfaces?
Top Expert 2009

Commented:
You sure can.  Simply remove the login option from it:

line vty 5 15
no login
Also add this to prevent you from being locked out due to idle sessions:

!
line vty 0 4
 exec-timeout 60 0
!
To put this in perspective - I've been locked out of remote devices before which didn't have this configured (now all 400+ devices have it)... and I was able to clear them by using SNMP writes, a bit tedious... so save yourself some grief.
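As an added example (not code from this thread), a small Python audit that applies the checks from the two answers above to an IOS running-config: it flags vty lines that still accept logins without an inbound access-class, access-class references to an ACL the config never defines, and a missing or disabled exec-timeout. The sample configs are constructed from the vty lines posted above; the 192.168.0.0/24 LAN in the "after" sample is an assumption.

```python
import re
# Constructed samples (not the poster's full config): the vty lines as posted,
# and the same lines with the fix the answers describe applied.
BEFORE = """\
line vty 0 4
 login
line vty 5 15
 login
end
"""
AFTER = """\
access-list 10 permit 192.168.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 exec-timeout 60 0
 login
line vty 5 15
 no login
end
"""

def parse_sections(config):
    """Group an IOS config into (top-level line, [indented child lines]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            sections.append((raw.strip(), []))
    return sections

def audit_vty(config):
    """Findings for vty lines: login without inbound access-class, undefined ACL, no idle timeout."""
    acls = {m.group(1) for m in re.finditer(r"^access-list (\S+) ", config, re.M)}
    findings = []
    for header, children in parse_sections(config):
        if not header.startswith("line vty") or "no login" in children:
            continue  # not a vty line, or remote login is disabled on it
        classes = [c.split()[1] for c in children if c.startswith("access-class ") and c.endswith(" in")]
        if not classes:
            findings.append(f"{header}: login enabled but no inbound access-class")
        for acl in classes:
            if acl not in acls:
                findings.append(f"{header}: access-class {acl} refers to an undefined ACL")
        t = next((c.split()[1:] for c in children if c.startswith("exec-timeout ")), None)
        if t is None or (t + ["0"])[:2] == ["0", "0"]:
            findings.append(f"{header}: exec-timeout missing or 0 0 (sessions never expire)")
    return findings
```

Running `audit_vty(BEFORE)` reports both vty ranges as unrestricted with no timeout, while `audit_vty(AFTER)` is clean because vty 5 15 has `no login` and vty 0 4 carries the access-class and exec-timeout.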
Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Author

Commented:
Good call, ciscoml320... thanks!