Solved

Cisco 1720 - Disable Telnet on Serial Interface

Posted on 2009-02-09
Last Modified: 2013-11-16
I'm not a Cisco newb but I'm no expert either.

I'm running a Cisco 1720 (IOS 12.2(40) no PIX, no 3DES support) router with 1 WIC-DSU-CSU card to service a T1.  It's fully configured and working like a champ except for 1 security issue I need to resolve.

I need to be able to telnet to the device via FastEthernet0 (from my LAN only).  I also need to be able to still dial-in to the AUX port (setup and working now).  And lastly I obviously still need Console Access.

What I do not want is for anyone to connect via Telnet via the Serial (WAN) interface.  In other words I need to connect to the FastEthernet0 IP only and the source packet must be coming from my LAN, not the internet.

If this is not possible then please let me know and I will just disable line vty 0 4 altogether.  Copy of my sho run below with some stuff left out for obvious reasons.
Current configuration : 987 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname AFV
!
enable secret 5 $1$YxiB$7l8AlVjPeJlovFyCHAXUW.
!
memory-size iomem 25
ip subnet-zero
ip domain-name somedomain.com
!
!
!
!
interface FastEthernet0
 description TWTWAN
 ip address 0.0.0.0 255.255.255.252
 speed auto
 full-duplex
!
interface Serial0
 description TWT WAN
 ip address 0.0.0.0 255.255.255.252
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
!
ip default-gateway 192.168.0.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.195.233.9
no ip http server
!
!
line con 0
 password 7 132511042B00080A28277B7771
 logging synchronous
 login
line aux 0
 password 7 0226024D2B0A03014F4D5A5D41
 login
 modem InOut
 transport input all
 speed 115200
 flowcontrol hardware
line vty 0 4
 password 7 0226024D2B0A03014F4D5A5D41
 login
line vty 5 15
 password 7 15320D1A242627042B30666657
 login
!
end

Question by:mcsween
7 Comments
Accepted Solution

by: JFrederick29 (earned 1200 total points)
ID: 23591938
Add an access-list to the VTY lines:

conf t
access-list 10 permit x.x.x.0 0.0.0.255   <--your LAN

line vty 0 15
access-class 10 in
Assisted Solution

by: ciscoml320 (earned 800 total points)
ID: 23591982
You need to configure the following:


access-list 10 permit ip.ip.ip.ip  mask.mask.mask.mask
!where ip.ip.ip.ip = your internal network
!and mask.mask.mask.mask = its wildcard (inverse) mask, e.g. 0.0.0.255 for a /24, not the subnet mask
line vty 0 4
 access-class 10 in
line vty 5 15
 access-class 10 in
!
!
Make sure access-list 10 contains all your internal subnets and masks correctly or you'll lock yourself out.
Author Closing Comment

by: mcsween
ID: 31544602
Thanks guys!  JFrederick29 was first so I gave more points to the first answer, however, ciscoml320 provided some clarification so I am splitting them up.
Author Comment

by: mcsween
ID: 23592343
Quick follow up question.  Can I just get rid of vty 5 15 since there will never be more than 1 session at a time?  Or are some of the VTYs bound to different interfaces?
Expert Comment

by: JFrederick29
ID: 23592406
You sure can.  Simply remove the login option from it:

line vty 5 15
no login
Expert Comment

by: ciscoml320
ID: 23592465
Also add this to prevent you from being locked out due to idle sessions:

!
line vty 0 4
 exec-timeout 60 0
!
Put this in perspective: I've been locked out of remote devices before which didn't have this configured (now all 400+ devices have it)... and I was able to clear them by using SNMP writes, a bit tedious... so save yourself some grief.
0
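An added example, not code from the thread, that pulls the accepted answer and the follow-up comments together in Python: it derives the wildcard masks that `access-list 10` needs (the `mask.mask.mask.mask` placeholder above is an inverse mask, not a subnet mask), emits the vty fragment the thread converges on (`access-class` plus `exec-timeout`), and checks a list of admin hosts against the ACL offline so the lock-out ciscoml320 warns about is caught before the config is applied. Assumptions: the LAN is 192.168.0.0/24 (inferred only from the 192.168.0.254 default gateway in the posted config), and 66.195.233.9, the WAN next hop from that config, stands in as a sample outside source.

```python
import ipaddress

# Constructed assumption: the LAN behind FastEthernet0 is 192.168.0.0/24.
# The thread only shows "ip default-gateway 192.168.0.254", so adjust to taste.
LAN_PREFIXES = ["192.168.0.0/24"]


def wildcard(network: ipaddress.IPv4Network) -> str:
    """IOS standard ACLs take an inverse (wildcard) mask, not a subnet mask."""
    return str(network.hostmask)


def acl_lines(acl_number: int, prefixes) -> list:
    """One 'access-list N permit <net> <wildcard>' line per LAN prefix."""
    return [
        f"access-list {acl_number} permit {n.network_address} {wildcard(n)}"
        for n in (ipaddress.ip_network(p) for p in prefixes)
    ]


def vty_config(acl_number: int, prefixes, idle_minutes: int = 60) -> str:
    """The fragment the thread arrives at: the ACL, access-class on all 16
    vty lines, and an idle timeout so a hung session cannot hold a line."""
    lines = acl_lines(acl_number, prefixes) + [
        "line vty 0 15",
        f" access-class {acl_number} in",
        f" exec-timeout {idle_minutes} 0",
    ]
    return "\n".join(lines)


def acl_permits(prefixes, source: str) -> bool:
    """Emulate a standard ACL of permit entries: any match permits, and the
    implicit 'deny any' at the end rejects everything else."""
    src = ipaddress.ip_address(source)
    return any(src in ipaddress.ip_network(p) for p in prefixes)


def lockout_check(prefixes, admin_hosts) -> list:
    """Admin hosts the ACL would NOT admit; only apply the config if empty."""
    return [h for h in admin_hosts if not acl_permits(prefixes, h)]


if __name__ == "__main__":
    print(vty_config(10, LAN_PREFIXES))
    # 192.168.1.10 is a constructed host on a second LAN segment that the
    # single /24 entry would lock out; 66.195.233.9 is the WAN next hop.
    print("locked out:", lockout_check(LAN_PREFIXES, ["192.168.0.10", "192.168.1.10"]))
    print("WAN source admitted:", acl_permits(LAN_PREFIXES, "66.195.233.9"))
```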

Author Comment

by: mcsween
ID: 23592525
good call ciscoml320...thanks!