Controlling Outbound Telnet Connections from the IOS CLI

Just about everyone who has ever touched a Cisco IOS router knows that you can secure VTY access to the router by creating an access-list and applying it to all VTY lines with the access-class in command. This leads one to think that the access-class out command would prevent a user from connecting to another router with telnet, and it does, but only for users trying to telnet outbound from a telnet session that came inbound to the router. The access-class out command has no effect on console connections.

We can test this by applying an access-list that denies everything outbound to all VTYs, as previously mentioned.

R1(config)#access-list 10 deny any
R1(config)#line vty 0 4
R1(config-line)#access-class out 10
R1(config-line)#end
R1#

Now, let's try to telnet to another host while using a console connection.

R1#telnet 10.10.10.2
Trying 10.10.10.2 … Open


User Access Verification

Password:
R2>

As the above test has shown, we can telnet out even though we have an access-list denying all traffic outbound on all VTYs. Next, I will telnet in from my workstation and then try to telnet out to the same router in my lab.

R1#telnet 10.10.10.2
% Connections to that host not permitted from this terminal
R1#

The above telnet connection failed because of the access-list, and it only does so because we are telnetted into the router rather than connected on a console cable. The other solution is to disable outbound telnet altogether by removing telnet as a valid output transport protocol for the router VTYs.

R1(config)#line vty 0 4
R1(config-line)#no transport output telnet
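The following Python audit script is an added example, not part of the original post. It parses the line stanzas of an IOS running-config (a constructed excerpt, not from the lab above) and reports which lines can still originate outbound telnet, treating only transport output as effective, since access-class out is ignored for the console; the assumption that a line with no transport output command defaults to allowing telnet is noted in the code.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not from the original post). It
# mirrors the post's situation: access-class out on the VTYs, nothing on the console.
SAMPLE_CONFIG = """\
!
access-list 10 deny   any
!
line con 0
 logging synchronous
line vty 0 4
 access-class 10 out
 transport input ssh
 transport output telnet ssh
!
"""

def parse_line_stanzas(config: str) -> Dict[str, List[str]]:
    """Return {'con 0': [sub-commands], 'vty 0 4': [sub-commands]} from a running-config."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # any top-level command or '!' ends the stanza
    return stanzas

def outbound_telnet_allowed(subcommands: List[str]) -> bool:
    """True if the line can still originate a telnet session.

    Only 'transport output' is checked: an 'access-class ... out' entry is
    deliberately ignored because, as the post shows, it does not apply to the console.
    """
    for cmd in subcommands:
        m = re.match(r"transport output(?: (.*))?$", cmd)
        if m:
            protos = (m.group(1) or "").split()
            return "all" in protos or "telnet" in protos
    # Assumption: with no 'transport output' line the platform default still permits telnet.
    return True

def audit(config: str) -> Dict[str, bool]:
    """Map each line stanza to whether outbound telnet is still possible from it."""
    return {name: outbound_telnet_allowed(cmds) for name, cmds in parse_line_stanzas(config).items()}
```

Running audit(SAMPLE_CONFIG) flags both "con 0" and "vty 0 4", which is the gap the post demonstrates; only a transport output line without telnet (for example "transport output ssh" or "transport output none") clears a stanza.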

Aug 22nd, 2011 • Posted in IOS, Management Plane Protection