Limiting Access to Telnet Sessions

Jul 08,2009 by alperen


Using Figure 2-4, assume the company wants to limit Telnet access to Rtr1 to users on the Rtr2 LAN and a single outside address, 42.17.17.45, which is the router administrator's home computer. Just as it's possible to filter the physical interfaces, such as Ethernet 0 and serial 1, standard access lists can be used to filter the virtual ports (the vty lines), thereby limiting Telnet access to the router itself.

Figure 2-4: Two-router network for two branch locations

Five virtual ports, or vty lines, typically are designated as vty 0 4, allowing up to five telnet sessions to be established. Similar to setting Telnet passwords, you can set identical restrictions on all vty lines at one time.

In the following output, inbound access list 15 limits access to the router to the users specified by the company. Because there is no permit any statement, the implicit deny at the end of every access list blocks everything except the hosts matched by lines one and two. ACL 16 prevents any user who has successfully Telnetted into the router from Telnetting onward to another device; they can only exit after doing their assigned tasks.

Rtr1(config)#access-list 15 permit 192.168.2.0 0.0.0.255
Rtr1(config)#access-list 15 permit 42.17.17.45
Rtr1(config)#access-list 16 deny any
Rtr1(config)#line vty 0 4
Rtr1(config-line)#access-class 15 in
Rtr1(config-line)#access-class 16 out
Rtr1(config-line)#password cisco
Rtr1(config-line)#login

The important keyword here is “access-class,” which is used in place of access-group when you’re applying an ACL to a virtual interface.
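To show what the inbound and outbound access-class checks actually decide for a given source address, here is an added Python example (not code from the article or from Cisco). It parses a constructed configuration sample modelled on the commands above, evaluates the standard ACLs top-down with the wildcard-mask comparison IOS uses, applies the implicit deny, and flags the two weaknesses a reviewer would look for on the vty lines: an inbound list that permits any source, and a missing outbound access-class. All function names and the sample text are my own.

```python
import ipaddress
import re

# Constructed sample of the relevant part of Rtr1's configuration, modelled on
# the article's commands (not captured from a real device).
SAMPLE_CONFIG = """\
access-list 15 permit 192.168.2.0 0.0.0.255
access-list 15 permit 42.17.17.45
access-list 16 deny any
line vty 0 4
 access-class 15 in
 access-class 16 out
 password cisco
 login
"""

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acls(config):
    """Return {acl_number: [(action, base, wildcard), ...]} for numbered standard ACLs.

    'permit A.B.C.D W.X.Y.Z' is a network with an inverse (wildcard) mask,
    'permit A.B.C.D' alone is a single host, 'host A.B.C.D' likewise,
    and 'any' is every address (wildcard of all ones).
    """
    acls = {}
    pat = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")
    for raw in config.splitlines():
        m = pat.match(raw.strip())
        if not m:
            continue
        number, action, first, second = m.groups()
        if first == "any":
            base, wildcard = 0, ALL_ONES
        elif first == "host":
            base, wildcard = _to_int(second), 0
        else:
            base = _to_int(first)
            wildcard = _to_int(second) if second else 0
        acls.setdefault(int(number), []).append((action, base, wildcard))
    return acls


def acl_decision(entries, source_ip):
    """Evaluate a standard ACL top-down; an unmatched source hits the implicit deny."""
    ip = _to_int(source_ip)
    for action, base, wildcard in entries:
        # A wildcard bit of 1 means "don't care"; compare only the 0 bits.
        if (ip & ~wildcard & ALL_ONES) == (base & ~wildcard & ALL_ONES):
            return action
    return "deny"


def vty_access_classes(config):
    """Return {'in': acl or None, 'out': acl or None} from the 'line vty' block."""
    result = {"in": None, "out": None}
    in_vty = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            in_vty = line.startswith("line vty")
            continue
        if in_vty:
            m = re.match(r"^access-class\s+(\d+)\s+(in|out)$", line)
            if m:
                result[m.group(2)] = int(m.group(1))
    return result


def telnet_allowed(config, source_ip):
    """True if source_ip may open a vty session according to the inbound access-class."""
    acls = parse_standard_acls(config)
    classes = vty_access_classes(config)
    if classes["in"] is None:
        return True  # nothing filters the vty lines, so any reachable host may try to log in
    return acl_decision(acls.get(classes["in"], []), source_ip) == "permit"


def audit_vty(config):
    """Findings a reviewer would raise about the vty line protection (empty list = clean)."""
    findings = []
    acls = parse_standard_acls(config)
    classes = vty_access_classes(config)
    if classes["in"] is None:
        findings.append("no inbound access-class on the vty lines")
    elif any(a == "permit" and w == ALL_ONES for a, _, w in acls.get(classes["in"], [])):
        findings.append("inbound access-list %d permits any source" % classes["in"])
    if classes["out"] is None:
        findings.append("no outbound access-class: logged-in users can Telnet onward")
    return findings


if __name__ == "__main__":
    for src in ("192.168.2.77", "42.17.17.45", "192.168.3.2"):
        print(src, "->", "permit" if telnet_allowed(SAMPLE_CONFIG, src) else "deny")
    print("findings:", audit_vty(SAMPLE_CONFIG))
```

With the sample above, a host on the Rtr2 LAN and the administrator's address are permitted, Rtr2's 192.168.3.2 interface is denied (matching the "Connection refused" output the article shows), and the audit returns no findings; drop the `access-class 16 out` line or change ACL 15 to `permit any` and the corresponding finding appears.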

The following output shows the result when another router, or a host on any other subnet/network, tries to Telnet into Rtr1. It's important to realize that this implementation of access-class applies to the entire router, not only to one direction on one interface.

Rtr2>telnet 192.168.3.1           <-could have used 192.168.1.1
Trying 192.168.3.1...
% Connection refused by remote host

The following lines show the result of a permitted user (who cleared access list 15 and supplied the password) trying to Telnet on to another router. The output assumes an ip host table entry was set up with both IP addresses associated with the name Rtr2 (Rtr1(config)#ip host rtr2 192.168.3.2 192.168.2.1). Telnet tries both addresses in turn but is denied at each attempt.

Rtr1>telnet Rtr2
Trying Rtr2 (192.168.3.2)...
% Connections to that host not permitted from this terminal
Trying Rtr2 (192.168.2.1)...
% Connections to that host not permitted from this terminal
Rtr1>
