Re: Denying telnet to port 23 on VTY

From: Kal Han (calikali2006@gmail.com)
Date: Wed Nov 08 2006 - 22:30:40 ART


Hi John
You got the exact point of the question.
That's the point I didn't know.
But from my testing, I found that the rotary command
will NOT disable telnet on port 23. (I thought the reverse was true,
but it's not.) So with only one vty session allowed
( line vty 0 > password cisco > login > rotary 3
  line vty 1 4 > login )
I can telnet to the router using port 23 and also 3003.
I guess their question is not that complicated based on their
answer. But if it is, then, as some of our friends suggested as a good answer,
it's good to use NBAR or similar approaches.

Thanks
Kal

On 11/8/06, John Meggers <jmeggers@adelphia.net> wrote:
>
> So the question is whether using the rotary command adds another
> Telnet port (and port 23 still works also), or whether it changes the
> port on which Telnet will respond from port 23 to port 3003. I
> honestly don't know the answer to that, but I will play with it. I
> think clearly the "transport input xxx" command will disable Telnet
> altogether, which is not what they're looking for. IPExpert has a
> similar requirement in one of their labs and the solution is only the
> rotary group.
>
> John Meggers
>
> On Nov 7, 2006, at 7:26 PM, secondie wrote:
>
> > Thanks all for the response. Exact wording from the book:
> >
> > Change the telnet server to 3003. It should not answer to telnet
> > request over port 23. Do not use access-list to accomplish this task.
> >
> > I was hoping that something can be done to the vty port configs
> > (that obviously I do not know how to) to disable port 23 while
> > keeping 3003 alive. Trinet solution just enables 3003 and does
> > nothing to 23.
> >
> > -secondie
> >
> > Ben Holko wrote:
> >> What seems to be a recurring theme in lab questions - think
> >> outside the
> >> square
> >>
> >> If you have typed the question below correctly, then you should
> >> use the
> >> rotary command, and then "telnet input ssh"
> >>
> >> But this will disable telnet......shock-horror, that is what the
> >> question (notably the "deny all") is asking you to do:
> >>
> >>
> >>> Enable VTY to accept telnet on port 3003 and deny all telnet
> >>> access to VTY. ACL not allowed.
> >>
> >> It says "deny all telnet access", not "deny all telnet access on port
> >> 23"
> >>
> >> B.
> >>
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> >> Behalf Of
> >> secondie
> >> Sent: Tuesday, November 07, 2006 1:05 PM
> >> To: security@groupstudy.com; ccielab@groupstudy.com
> >> Subject: Denying telnet to port 23 on VTY
> >>
> >> Question asks for: Enable VTY to accept telnet on port 3003 and deny
> >> all telnet access to VTY. ACL not allowed.
> >>
> >> 3003 part is easy, use rotary but can port 23 be disabled on VTY
> >> line so
> >> that telnet is not accepted on the VTY line?
> >>
> >> For those that have trinet security lab workbook, (Trinet superlab-1,
> >> section 8.5, task#1)
> >>
> >>
> >> -secondie
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
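The thread's empirical result (rotary 3 adds port 3003 but leaves port 23 answering; only "transport input ssh" removes Telnet, and it removes it on both ports) can be turned into a small configuration audit. The script below is an added example, not code from the thread or from Cisco: it parses the "line vty" stanzas of an IOS running-config and reports, per vty range and for the device as a whole, which TCP ports would still answer Telnet. It encodes the thread's findings as rules (rotary N listens on 3000+N, as implied by rotary 3 giving 3003) and assumes, via TELNET_DEFAULT, that a vty line with no explicit "transport input" accepts Telnet; the sample config is constructed to mirror Kal's test setup, with an ssh-only variant beside it.

```python
"""Audit which TCP ports a Cisco IOS router still answers Telnet on,
based on its 'line vty' configuration (added example, not from the thread).

Rules encoded, as reported in the thread:
  - 'rotary N' makes the vty line also listen on TCP port 3000+N;
  - rotary does NOT stop the line answering on port 23;
  - 'transport input ssh' (no telnet) disables Telnet on that line on
    port 23 and on the rotary port alike.
Assumption: a vty line without 'transport input' accepts Telnet
(IOS defaults vary by version; change TELNET_DEFAULT if yours differs).
"""
import re

ROTARY_BASE = 3000     # rotary N -> TCP port 3000+N (rotary 3 -> 3003)
TELNET_DEFAULT = True  # assumption: no 'transport input' means telnet allowed

# Constructed running-config fragment modelled on Kal's test setup.
SAMPLE_CONFIG = """\
hostname R1
!
line con 0
 logging synchronous
line vty 0
 password cisco
 login
 rotary 3
line vty 1 4
 login
!
end
"""

def parse_vty_lines(config):
    """Return one dict per 'line vty' stanza:
    {'first', 'last', 'rotary' (int or None), 'transport' (set or None)}."""
    stanzas, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level command: only 'line vty A [B]' opens a stanza we track.
            m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
            if m:
                first = int(m.group(1))
                last = int(m.group(2)) if m.group(2) else first
                current = {"first": first, "last": last,
                           "rotary": None, "transport": None}
                stanzas.append(current)
            else:
                current = None
            continue
        if current is None:
            continue
        cmd = line.strip()
        m = re.match(r"rotary (\d+)$", cmd)
        if m:
            current["rotary"] = int(m.group(1))
            continue
        m = re.match(r"transport input (.+)$", cmd)
        if m:
            current["transport"] = set(m.group(1).split())
    return stanzas

def telnet_allowed(stanza):
    """True if the line's transport input still permits the telnet protocol."""
    t = stanza["transport"]
    if t is None:
        return TELNET_DEFAULT
    return "all" in t or "telnet" in t

def telnet_ports(stanza):
    """TCP ports on which this vty range answers Telnet."""
    if not telnet_allowed(stanza):
        return set()
    ports = {23}
    if stanza["rotary"] is not None:
        ports.add(ROTARY_BASE + stanza["rotary"])
    return ports

def audit(config):
    """Map 'vty A' / 'vty A-B' to its Telnet ports; 'device' is the union."""
    result, device = {}, set()
    for s in parse_vty_lines(config):
        key = (f"vty {s['first']}" if s["first"] == s["last"]
               else f"vty {s['first']}-{s['last']}")
        result[key] = telnet_ports(s)
        device |= result[key]
    result["device"] = device
    return result

def answers_port_23(config):
    """Does any vty line still accept Telnet on port 23?"""
    return 23 in audit(config)["device"]

# ssh-only variant: adds 'transport input ssh' to every vty stanza.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    " rotary 3\n", " rotary 3\n transport input ssh\n").replace(
    "line vty 1 4\n login\n", "line vty 1 4\n login\n transport input ssh\n")

if __name__ == "__main__":
    for name, cfg in (("as tested", SAMPLE_CONFIG), ("ssh only", HARDENED_CONFIG)):
        print(f"[{name}]")
        for key, ports in audit(cfg).items():
            print(f"  {key:10s} telnet on {sorted(ports) or 'none'}")
```

Run on the sample config, vty 0 reports Telnet on 23 and 3003 and vty 1-4 on 23 alone, which is exactly Kal's observation; the ssh-only variant reports no Telnet ports at all, matching John's remark that "transport input" removes Telnet altogether rather than just port 23.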



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART