6.1 and 6.2 Solutions?


After doing this task badly I finally got a solution that I thought works based upon a couple of the threads here.

1 - Access-class for all VTY lines to restrict the allowed TCP port access to 23 and 3023

2 - Set the autocommand on the VTY line with port 23 access only.

The problem is if you telnet to port 23 and authenticate with NOC you will trigger the dynamic firewall exception.  Task failed!

Has anyone done the work to solve this with aaa to allow only RDP access to port 23 and if so can they post it?


Thanks in advance and here's what I had.



Rack1SW1#sh run | s line vty

line vty 0

 access-class VTY0 in

 login local

 autocommand  access-enable host

line vty 1 4

 access-class VTY14 in

 login local

 rotary 23



username NOC password 0 CISCO

username RDP password 0 CISCO


Extended IP access list VTY0

    10 permit tcp any any eq telnet

Extended IP access list VTY14

    10 permit tcp any any eq 3023






  • DennisDDennisD ✭✭

    So, are you abstaining from looking at the solutions guide for the lab? [;)]

  • Ops, have I missed something?  Does the SG fulfil the task requirements with regards to only allowing port 23 for vty 0?  Access-list 100 is applied to only vty 1 4 that permits 23 and 3023?


  • DennisDDennisD ✭✭

    Does the SG fulfil the task requirements with regards to only allowing port 23 for vty 0?

    The restriction was Telnet at port 23 should be used just for authentication of the RDP firewall exception.

    The first VTY line (VTY 0) is left with the autocommand access-enable command. All users that telnet to the router at port 23 will hit this line.  

    My only hangup would be if two users hit the router simultaneously, would not the second user go to VTY 1 which does not have the auto access enable anymore?


  • and if you hit port 23 and authenticate as NOC you then activate the access-enable host command?

Sign In or Register to comment.