Bradley Fox
asked on
Cisco 1720 - Disable Telnet on Serial Interface
I'm not a Cisco newb but I'm no expert either.
I'm running a Cisco 1720 (IOS 12.2(40), no PIX, no 3DES support) router with 1 WIC-DSU-CSU card to service a T1. It's fully configured and working like a champ except for 1 security issue I need to resolve.
I need to be able to telnet to the device via FastEthernet0 (from my LAN only). I also need to be able to still dial in to the AUX port (set up and working now). And lastly I obviously still need console access.
What I do not want is for anyone to connect via Telnet via the Serial (WAN) interface. In other words, I need to connect to the FastEthernet0 IP only, and the source packet must be coming from my LAN, not the internet.
If this is not possible then please let me know and I will just disable line vty 0 4 altogether. Copy of my sho run below with some stuff left out for obvious reasons.
Current configuration : 987 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname AFV
!
enable secret 5 $1$YxiB$7l8AlVjPeJlovFyCHAXUW.
!
memory-size iomem 25
ip subnet-zero
ip domain-name somedomain.com
!
!
!
!
interface FastEthernet0
description TWTWAN
ip address 0.0.0.0 255.255.255.252
speed auto
full-duplex
!
interface Serial0
description TWT WAN
ip address 0.0.0.0 255.255.255.252
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
!
ip default-gateway 192.168.0.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.195.233.9
no ip http server
!
!
line con 0
password 7 132511042B00080A28277B7771
logging synchronous
login
line aux 0
password 7 0226024D2B0A03014F4D5A5D41
login
modem InOut
transport input all
speed 115200
flowcontrol hardware
line vty 0 4
password 7 0226024D2B0A03014F4D5A5D41
login
line vty 5 15
password 7 15320D1A242627042B30666657
login
!
end
ASKER
Quick follow up question. Can I just get rid of vty 5 15 since there will never be more than 1 session at a time? Or are some of the VTYs bound to different interfaces?
You sure can. Simply remove the login option from it:
line vty 5 15
no login
Also add this to prevent you from being locked out due to idle sessions:
!
line vty 0 4
exec-timeout 60 0
!
To put this in perspective: I've been locked out of remote devices before which didn't have this configured (now all 400+ devices have it)... and I was able to clear them by using SNMP writes, a bit tedious... so save yourself some grief.
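The usual way to get what the question asks for (telnet to the router from the LAN only, plus the idle-timeout advice above) is a standard ACL applied to the vty lines with access-class; this is an added example, not the accepted solution hidden on this page, and the unused lines are closed with transport input none rather than no login, because on IOS no login only removes the password prompt. It assumes the LAN behind FastEthernet0 is 192.168.0.0/24 and that ACL number 10 is free.

```cisco
! Added example (not this page's accepted answer). Assumes the LAN behind
! FastEthernet0 is 192.168.0.0/24 and ACL 10 is unused on this router.
!
! Standard ACL: only LAN sources may reach the vty lines. Anything else,
! including telnet arriving over Serial0 from the internet, is denied and logged.
access-list 10 remark VTY-ACCESS - management sources only
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 transport input telnet
 exec-timeout 60 0
 login
!
! Close the unused lines instead of leaving them reachable.
line vty 5 15
 transport input none
 exec-timeout 60 0
```

Because access-class matches on the source address of the incoming session, it denies telnet from the internet over Serial0 even though vty lines are not bound to any particular interface. Check the result with show line and show access-lists 10 after a test connection from the LAN and one from outside.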
ASKER
good call ciscoml320...thanks!