blocking telnet and http-server access to a port

I'm trying to block outside access for people trying to telnet or HTTP into my router. As of right now, if they typed in my IP it would bring them to my router prompt asking for a username and password.

Oops, I meant interface, not port.

aryoba: Simply put an ACL under the line vty that only allows your IP subnet and denies others.

Okay, and what about HTTP access to the router?

access-list 100 deny tcp OUTSIDE_ADDR ROUTER eq 80
access-list 100 permit ip any any

where OUTSIDE_ADDR is anything but your LAN and ROUTER is the router interface. Use wildcard masks to designate more than one interface.

reply to austinsevo1985: Here is a sample from one of my routers. I secure HTTP by using no ip http server.

access-list 50 permit 76.x.x.250
access-list 50 permit 66.x.x.1
access-list 50 permit 208.x.x.3
access-list 50 deny any
line vty 0 4
 access-class 50 in

aryoba: Restricting HTTP or HTTPS access is similar to restricting telnet access; it uses the ip http access-class command.

reply to dean corso: The OUTSIDE_ADDR does not appear to work. How am I supposed to specify any outside address? I'm running a 192.168.100.X LAN.

reply to austinsevo1985: Battleop has the right answer for you. Expanding that for you and your network:

! the tcp keyword (not ip) is required for the eq port match to be accepted
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 23
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 80
access-list 101 deny ip any any

then apply that to the telnet interface:

line vty 0 4
 access-class 101 in

Breaking that down:
- 101: the ACL is an extended one (think you can go up to 199, from memory)
- 192.168.100.0 0.0.0.255: your address range; that's why we're using an extended ACL
- any: that's what you are telnetting to; you could nail this down to a loopback
- eq 23 and eq 80: 23 is telnet, 80 is HTTP; personally I'd only use telnet.

I'd also do a reload in 5 before applying it to the vty line in case of error, so the device will reboot if you can't access it. Saves setting up a console connection or a remote access visit. Once it's working, reload cancel.

aryoba: said by Caradoc:

    Battleop has the right answer for you. Expanding that for you and your network:
    access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 23
    access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 80
    access-list 101 deny ip any any
    then apply that to the telnet interface:
    line vty 0 4
     access-class 101 in

Although it was the right idea, I don't think the commands would work. The line vty interface would only receive legacy protocols such as LAT, MOP, Telnet, and SSH. Web management access such as HTTP or HTTPS is controlled by a different command, the ip http access-class command I posted earlier.

Something like the following should be sufficient:

access-list 50 permit 192.168.100.0 0.0.0.255
!
ip http server
ip http secure-server
ip http access-class 50
!
line vty 0 4
 access-class 50 in
 ! OPTIONAL, but highly suggested for added security
 transport input ssh

said by Caradoc:

    personally I'd only use telnet.

I would personally only use SSH, since there is some encryption in place for added security, instead of telnet with no encryption at all.
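As an added example that is not part of this thread, here is a small Python model of the two things a standard ACL like access-list 50 relies on: Cisco wildcard-mask matching (0.0.0.255 means "only the first three octets must match") and the implicit deny at the end. The host entry 203.0.113.10 and the addresses evaluated are constructed for the demonstration.

```python
"""Evaluate Cisco-style standard ACL entries against candidate source addresses.

Added example, not from the thread. A wildcard bit of 1 means "don't care",
0 means "must match"; an ACL that matches nothing falls through to deny.
"""
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(src: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Return True if src matches base under the Cisco wildcard mask."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF  # bits that must match
    return (ip_to_int(src) & care) == (ip_to_int(base) & care)


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny any|host <addr>|<addr> [<wildcard>]'."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue  # skip '!' comment lines and unrelated config
        action = tokens[2]
        if tokens[3] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif tokens[3] == "host":
            base, wc = tokens[4], "0.0.0.0"
        else:
            base = tokens[3]
            wc = tokens[4] if len(tokens) > 4 else "0.0.0.0"
        entries.append((action, base, wc))
    return entries


def evaluate(acl, src: str) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for action, base, wc in acl:
        if wildcard_match(src, base, wc):
            return action
    return "deny"


# Constructed sample: the LAN-only ACL from the thread plus one management host.
SAMPLE_ACL = parse_standard_acl([
    "! applied with 'access-class 50 in' on the vty lines and 'ip http access-class 50'",
    "access-list 50 permit 192.168.100.0 0.0.0.255",
    "access-list 50 permit host 203.0.113.10",
])

if __name__ == "__main__":
    for src in ("192.168.100.37", "192.168.101.37", "203.0.113.10", "198.51.100.7"):
        print(f"{src:>16} -> {evaluate(SAMPLE_ACL, src)}")
```

Note that 192.168.101.37 is denied even though it differs from the permitted range only in the third octet: the wildcard leaves that octet as a "must match" bit, which is exactly why a LAN-only ACL keeps outside sources out.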