I need to disable Telnet on Cisco Routers.

Posted on 2011-02-28
Last Modified: 2012-05-11
Greetings,
I am in need of disabling the default Telnet access to a few Cisco devices.
An 1841, a few 2600's and a small ASA 5505.
On a few of these devices, I can only get to them via Telnet currently.
On several others, SSH and Telnet are working.
I need the command lines to disable Telnet and enable SSH (in reverse order :))
I also have Cisco SDM loaded but can't find anything for passwords or access into the devices; it seems almost worthless from what I can see, other than for monitoring.

Please advise.
Question by:icarus2256
5 Comments

Accepted Solution by: Kvistofta (earned 125 total points), ID: 34999071
First make sure that you can reach each device with ssh. The following needs to be done:
ip domain-name anything.com
crypto key gen rsa mod 1024
aaa new-model
aaa authen login default none
aaa authen login VTY local
username cisco password cisco (or whatever you want)
line vty 0 15
 login authen local
!

When ssh works, disable telnet by adding this command:

line vty 0 15
 transport input ssh
!

Best regards
Kvistofta


Expert Comment by: Istvan Kalmar, ID: 35001161
Hi,

On the ASA you need:
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.x x.x.x.x outside

Expert Comment by: Istvan Kalmar, ID: 35001174
And you need "crypto key generate" also.

Expert Comment by: MAG03, ID: 35006577
Just to add to the above, and to be on the safe side, I would add the following:

line vty 0 15
 transport input none
 transport input ssh

The "none" command will disable everything, and then SSH is enabled.

Expert Comment by: Kvistofta, ID: 35008356
MAG03: There is no "safe side". That command is explicit. By adding "transport input ssh", the only allowed inbound protocol IS ssh, regardless of earlier configuration. As a matter of fact, adding "transport input none" is not only useless in this case; it might also kill the current session and lock everyone out of the vty lines just a moment before the second line is added.

ikalmar: crypto key gen was in my original answer above.

/Kvistofta
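As an added example (not code from any poster in this thread): a small Python audit that parses the `line vty` blocks out of a saved `show running-config` and reports which ranges still accept Telnet. It follows the thread's point that a later `transport input` simply replaces the earlier one, and it treats a vty block with no explicit `transport input` as unreviewed rather than guessing, because the IOS default differs between versions. The config excerpt is constructed.

```python
import re

# Constructed sample running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""

def parse_vty_blocks(config):
    """Map each (first, last) vty range to the indented commands beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", raw)
        if m:
            current = (int(m.group(1)), int(m.group(2) or m.group(1)))
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line closes the vty block
    return blocks

def audit_vty(config):
    """Return [(first, last, status)] with status 'ssh-only', 'none',
    'telnet: <protocols>', 'other: <protocols>' or 'unset'."""
    findings = []
    for (first, last), cmds in parse_vty_blocks(config).items():
        inputs = [c for c in cmds if c.startswith("transport input ")]
        if not inputs:
            status = "unset"  # default depends on IOS version; flag for review
        else:
            # A later 'transport input' replaces the earlier one outright.
            protos = inputs[-1].split()[2:]
            if protos == ["ssh"] or protos == ["none"]:
                status = "ssh-only" if protos == ["ssh"] else "none"
            elif "telnet" in protos or "all" in protos:
                status = "telnet: " + " ".join(protos)
            else:
                status = "other: " + " ".join(protos)
        findings.append((first, last, status))
    return findings
```

Run `audit_vty(SAMPLE_CONFIG)` on a device's saved config; any range reported as `telnet:` or `unset` is one the thread's `transport input ssh` step has not yet covered.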