Solved

I need to disable Telnet on Cisco Routers.

Posted on 2011-02-28
Medium Priority
1,759 Views
Last Modified: 2012-05-11
Greetings,
I am in need of disabling the default Telnet access to a few Cisco devices.
An 1841, a few 2600's and a small ASA 5505.
On a few of these devices, I can only get to them via Telnet currently.
On several others, SSH and Telnet are working.
I need the command lines to disable Telnet and enable SSH (in reverse order :))
I also have Cisco SDM loaded but can't find anything for passwords or access into the devices, almost worthless from what I can see other than monitoring.

Please advise.
Question by:icarus2256
5 Comments
 
LVL 17

Accepted Solution

by:
Jimmy Larsson, CISSP, CEH earned 500 total points
ID: 34999071
First make sure that you can reach each device with ssh. The following needs to be done:


ip domain-name anything.com
crypto key generate rsa modulus 1024
aaa new-model
aaa authentication login default none
aaa authentication login VTY local
username cisco password cisco
! (or whatever username and password you want)
line vty 0 15
 login authentication VTY
!

When ssh works, disable telnet by adding this command:

line vty 0 15
 transport input ssh
!

Best regards
Kvistofta

 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35001161
Hi,

On the ASA you need:
aaa authentication ssh console LOCAL  
ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.x x.x.x.x outside
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35001174
and you need "crypto key generate" also
 
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 35006577
Just to add to the above and to be on the safe side, I would add the following:

line vty 0 15
 transport input none
 transport input ssh

the none command will disable everything, and then enable ssh.
 
LVL 17

Expert Comment

by:Jimmy Larsson, CISSP, CEH
ID: 35008356
MAG03: There is no "safe side". That command is explicit. By adding "transport input ssh", the only allowed inbound protocol IS ssh, regardless of earlier configuration. As a matter of fact, adding "transport input none" is not only useless in this case, it might also kill the current session and lock everyone out of the vty lines just a moment before adding the second line.


ikalmar: crypto key gen was in my original answer above.

/Kvistofta
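Added example, not part of the thread and not code from any of the posters: a small audit script that checks an IOS running-config for the two things discussed above, the effective "transport input" on every vty range (IOS keeps only the last one entered, which is Kvistofta's point about "none" followed by "ssh"), and whether each "login authentication" refers to a method list that actually exists. The configs it parses are constructed samples, not captured from a device; the first one reproduces the accepted answer's config, with a second vty range that still allows Telnet and a "login authentication" that names a list that was never defined. The parser is an approximation of "show run" layout, the assumption that a vty with no "transport input" defaults to "all" is my own, and ASA syntax is not covered.

```python
"""Audit a Cisco IOS running-config for Telnet exposure on the vty lines.
Added example; the configs below are constructed samples, not device output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the accepted answer's config plus a second vty range that
# still allows telnet; 'ip ssh version 2' is absent, and vty 0 4 references a
# method list named 'local' that was never defined (only 'VTY' is).
SAMPLE_CONFIG = """\
ip domain-name anything.com
aaa new-model
aaa authentication login default none
aaa authentication login VTY local
username cisco password cisco
line con 0
 login authentication default
line vty 0 4
 login authentication local
 transport input none
 transport input ssh
line vty 5 15
 login authentication VTY
 transport input telnet ssh
"""

# Constructed sample of the corrected config ('secret' stores a hash, not the password).
FIXED_CONFIG = """\
ip domain-name anything.com
ip ssh version 2
aaa new-model
aaa authentication login default local
aaa authentication login VTY local
username cisco secret cisco
line vty 0 15
 login authentication VTY
 transport input ssh
"""


@dataclass
class VtySection:
    name: str                                    # e.g. "line vty 0 4"
    transport_inputs: List[str] = field(default_factory=list)  # every 'transport input', in order
    login_list: Optional[str] = None             # argument of 'login authentication', if present

    @property
    def effective_transport(self) -> str:
        # IOS stores only the last 'transport input' entered on a line, so
        # 'none' followed by 'ssh' ends up as plain 'ssh'.
        # ASSUMPTION: a vty with no 'transport input' in the config defaults to 'all'.
        return self.transport_inputs[-1] if self.transport_inputs else "all"


def parse_config(text: str):
    """Return (AAA login method lists by name, vty sections, 'ip ssh version' value)."""
    method_lists: Dict[str, str] = {}
    sections: List[VtySection] = []
    ssh_version: Optional[str] = None
    current: Optional[VtySection] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):             # top-level command: leaves any vty section
            current = None
            m = re.match(r"aaa authentication login (\S+) (.+)", line)
            if m:
                method_lists[m.group(1)] = m.group(2)
            m = re.match(r"ip ssh version (\d)", line)
            if m:
                ssh_version = m.group(1)
            if re.match(r"line vty \d+( \d+)?$", line):
                current = VtySection(name=line)
                sections.append(current)
            continue
        if current is None:                      # sub-command of a non-vty section (con, aux, ...)
            continue
        sub = line.strip()
        m = re.match(r"transport input (.+)", sub)
        if m:
            current.transport_inputs.append(m.group(1).strip())
        m = re.match(r"login authentication (\S+)", sub)
        if m:
            current.login_list = m.group(1)
    return method_lists, sections, ssh_version


def audit(text: str) -> List[str]:
    """Return findings; an empty list means every vty range is SSH-only and every
    referenced AAA login method list exists and actually authenticates."""
    method_lists, sections, ssh_version = parse_config(text)
    findings: List[str] = []
    if ssh_version != "2":
        findings.append("global: 'ip ssh version 2' not set (SSHv1 may still be negotiated)")
    for s in sections:
        eff = s.effective_transport
        if eff == "all" or "telnet" in eff.split():
            findings.append(f"{s.name}: telnet reachable (effective 'transport input {eff}')")
        list_name = s.login_list or "default"    # under aaa new-model, 'default' applies if unset
        methods = method_lists.get(list_name)
        if s.login_list is not None and methods is None:
            findings.append(f"{s.name}: 'login authentication {list_name}' references an undefined method list")
        elif methods == "none":
            findings.append(f"{s.name}: method list '{list_name}' is 'none', so no login authentication")
    return findings
```

Running audit(SAMPLE_CONFIG) reports three findings (no SSHv2 pin, the undefined list on vty 0 4, and Telnet still reachable on vty 5 15), while vty 0 4 is correctly judged SSH-only because the last "transport input" wins; audit(FIXED_CONFIG) returns an empty list. Feed it the output of "show running-config" to check the devices after the change rather than trusting that the commands were typed on every vty range.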
