Changing TELNET default port

Experts,

Is there a way to make the router only listen on a port other than the default port 23?  I tried two things so far:

1- I issued the command "rotary 1" under line vty 0 4.  This command allowed telnets to my router on BOTH port #23 and port #3001.  However, I'm trying to deny access on port #23.

2- I also tried manipulating the port-map on the router.  On my router with IP address of 10.1.1.2, I issued the command "ip port-map telnet port 2323 list 1" .  list 1 refers to "access-list 1 permit 10.1.1.1", where (10.1.1.1) is my router that's trying to telnet to my second router (10.1.1.2) using only port 2323.  This method still didn't work, as telnets are still allowed to 10.1.1.2 on the default port of 23. In addition to this, telnet to port 2323 on 10.1.1.2 wasn't working after putting the port-map.

Please let me know if I'm missing something...

Comments

  • Have you tried an extended acl on the vty denying port 23 from all addresses?

  • dunhamdd - Yes.  Setting up an extended access-list works on the TTY line.

    However, I wanted to know if we can manipulate port access by only modifying the port-map on the router.  I'm trying to explore what the port-map command actually does, and see if we can use it to restrict access to Telnet and other applications by changing the port that these applications listen to...

    For example, if we want to change the telnet port to 2323, then how will we do this?

  • Port-map is unrelated to this, it's for the Firewall feature set
    (http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/iosfw2_3.html),
    and for NBAR for QoS.  There's no direct way to change the default port
    of 23 to something else, but what you could do is set up a static PAT
    (NAT) translation to accept a different port on the outside interface.
    The config would look something like:

    ip nat inside source static tcp 1.1.1.1 23 interface Fa0/0 123

    1.1.1.1 would be a loopback address, and Fa0/0 is the outside interface
    you want to listen on port 123 for telnet traffic.


    HTH,

    --
    Brian McGahan, CCIE #8593 (R&S/SP/Security)
    Internetwork Expert, Inc.
    http://www.INE.com
    Toll Free: 877-224-8987 x 705
    Outside US: 775-826-4344 x 705
    Online Community: http://www.IEOC.com
    CCIE Blog: http://blog.INE.com


  • I thought it was too simple of an answer.

  • There is another way of approaching this, albeit not very flexible. You can make a line listen on a different port using the rotary command:-

    line vty 0 4
     rotary 65

    This will make the line listen on port 3065. You can then use interface level access lists to block access to port 23 and only allow access to 3065. You are restricted of course to the possible port numbers you can use, as they need to be in the 3000 range!

    Here is the command ref for the rotary command: http://www.cisco.com/en/US/docs/ios/dial/command/reference/dia_p3.html#wp1014642

    Of course, if you are using ssh, this is a lot more flexible, as you can specify an ssh port for the rotary group:-

    ip ssh port 2020 rotary 65

    This will actually let you specify a specific port for ssh. Again, you would need to use interface level ACLs to block access to port 22, as the router will always listen on the native ports as well!

  • cstosgale's is a nice, short and sweet answer.
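Putting the rotary approach from the thread together end to end, as an added example that is not part of any post above: the vty lines join rotary group 65 (telnet on TCP 3065, SSH bound to TCP 2020 with `ip ssh port`), and because the router keeps listening on the native ports 23 and 22 as well, an inbound ACL on the outside interface is what actually closes them. The addresses 10.1.1.1 (management host) and 10.1.1.2 (this router) come from the original question and Fa0/0 from Brian's reply; the ACL name, the local username and the pre-generated RSA key are assumptions.

```text
! Added example config (not from the thread). Assumes a local username and
! an RSA key pair already exist so SSH can start.
!
! SSH on the rotary group listens on TCP 2020 instead of (not in place of) 22
ip ssh port 2020 rotary 65
!
line vty 0 4
 rotary 65                  ! telnet now also answers on TCP 3000+65 = 3065
 transport input telnet ssh
 login local
!
! Inbound filter on the outside interface: the rotary ports are reachable
! only from the management host, the native ports from nobody.
ip access-list extended MGMT-ROTARY-ONLY
 remark management host -> rotary ports only
 permit tcp host 10.1.1.1 host 10.1.1.2 eq 3065
 permit tcp host 10.1.1.1 host 10.1.1.2 eq 2020
 remark native telnet/ssh ports stay open on the box, so close them here
 deny   tcp any host 10.1.1.2 eq 23
 deny   tcp any host 10.1.1.2 eq 22
 remark and nobody else gets the rotary ports either
 deny   tcp any host 10.1.1.2 eq 3065
 deny   tcp any host 10.1.1.2 eq 2020
 permit ip any any
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip access-group MGMT-ROTARY-ONLY in
```

To confirm why the ACL is needed, `show control-plane host open-ports` (or `show tcp brief all`) should still list the native ports alongside the rotary ones after this is applied; the rotary command adds listeners, it never removes the default one.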
