Solved

I need to disable Telnet on Cisco Routers.

Posted on 2011-02-28
5
1,623 Views
Last Modified: 2012-05-11
Greetings,
I am in need of disabling the default Telnet access to a few Cisco devices.
An 1841, a few 2600's and a small ASA 5505.
On a few of these devices, I can only get to them via Telnet currently.
On several others, SSH and Telnet are working.
I need the command lines to disable Telnet and enable SSH (in reverse order :))
I also have CIsco SDM loaded but can't fine anything for passwords or access into the devices, almost worthless from what I can see other than monitoring.

Please advise.
0
Comment
Question by:icarus2256
  • 2
  • 2
5 Comments
 
LVL 17

Accepted Solution

by:
Kvistofta earned 125 total points
ID: 34999071
First make sure that you can reach each device with ssh. The following needs to be done:


ip domain-name anything.com
crypto key gen rsa mod 1024
aaa new-model
aaa authen login default none
aaa authen login VTY local
username cisco password cisco (or whatever you want)
line vty 0 15
 login authen local
!

When ssh works, disable telnet by adding this command:

line vty 0 15
 transport input ssh
!

Best regards
Kvistofta

0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35001161
Hi,

On the ASA you need:
aaa authentication ssh console LOCAL  
ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.x x.x.x.x outside
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35001174
and you need "crypto key generate" also
0
 
LVL 17

Expert Comment

by:MAG03
ID: 35006577
just to add to the above and to be on the safe side i would add the following

line vty 0 15
 transport input none
 transport input ssh

the none command will disable everything, and then enable ssh.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 35008356
MAG03: There is no "safe side". That command is explicit. By adding "transport input ssh", the only allowed inbound protocol IS ssh, no matter of earlier configuration. As a matter of fact, adding "transport input none" is not only useless in this case, it might also kill the current session and lock out anyone from the vty-lines just moment before adding the second line.


ikalmar: crypto key gen was in my original answer above.

/Kvistofta
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question