Using an Alternate Telnet Port in Cisco IOS

I have occasionally been asked how to change the telnet port in Cisco IOS. One would expect a simple command like “ip telnet listening-port <x>”. However, a logical command like that doesn’t seem to exist. Since a command to change the port directly doesn’t exist, we have to dig a little deeper. In this article, we will look at using the rotary command to present telnet on an alternate port. This will not restrict connections on the standard port 23, but we will look at other ways to restrict connections to port 23.

To get started, let’s talk about a few basics of the “rotary” command. This command is entered in line configuration mode and has a parameter. The parameter is simply a number. Once the command is entered, the router listens for telnet connections on an additional TCP port. The router determines which port to open by adding 3000 to the number entered after the “rotary” command.

To demonstrate this, I have configured R1 as a telnet server. We will use R2 as a telnet client for testing.

//Configure Telnet Password 
//and Enable port 3001 on R1

R1(config)#line vty 0 15
R1(config-line)#password cisco
R1(config-line)#rotary ?
    Rotary group to add line to
R1(config-line)#rotary 1
R1(config-line)#exit

Next we can test our configuration by using the telnet client on R2.

//Telnet to port 3001
R2#telnet 192.168.1.1 3001
Trying 192.168.1.1, 3001 ... Open

User Access Verification

Password:
R1>exit

[Connection to 192.168.1.1 closed by foreign host]

//Telnet to standard port (23)
R2#telnet 192.168.1.1    
Trying 192.168.1.1 ... Open

User Access Verification

Password:
R1>exit

As we can see, port 3001 was successfully enabled. However, connections can still be made to the standard port. If there is also the need to disallow access to port 23, we have a few options. We could block the session with a transit acl or NAT it to something non-existent. I will demonstrate two other methods that I find to be more elegant.

Option One – Control Plane Protection (CPPr)

R1 – CPPr Configuration

R1(config)#class-map type port-filter match-any TCP23
R1(config-cmap)# match  port tcp 23
R1(config-cmap)#policy-map type port-filter FILTERTCP23
R1(config-pmap)# class TCP23
R1(config-pmap-c)#   drop
R1(config-pmap-c)#   log
R1(config-pmap-c)#control-plane host
R1(config-cp-host)# service-policy type port-filter input FILTERTCP23
R1(config-cp-host)#e
Jul  7 05:15:09.459: %CP-5-FEATURE: TCP/UDP Portfilter feature enabled on Control plane host path

//rotary command - configured above
R1(config)#line vty 0 15
R1(config-line)#rotary 1

R2 – Testing with CPPr Blocking Port 23 on R1

//test telnet to standard port 23
R2#telnet 192.168.1.1    
Trying 192.168.1.1 ...
% Connection timed out; remote host not responding

//test telnet to port 3001
R2#

R2#telnet 192.168.1.1 3001
Trying 192.168.1.1, 3001 ... Open

User Access Verification

Password:
R1>exit

That obviously worked, but I wanted to show the logs generated by R1 when the attempt was made on port 23. This is based on the “log” configuration in our CPPr configuration.

R1 – Logged Messages

//while R2 was attempting telnet to port 23
R1(config)#
Jul  7 05:15:55.751: %CP-6-TCP: DROP TCP/UDP Portfilter  192.168.1.2(16293) -> 192.168.1.1(23)
R1(config)#
Jul  7 05:15:57.751: %CP-6-TCP: DROP TCP/UDP Portfilter  192.168.1.2(16293) -> 192.168.1.1(23)
R1(config)#
Jul  7 05:16:01.755: %CP-6-TCP: DROP TCP/UDP Portfilter  192.168.1.2(16293) -> 192.168.1.1(23)
R1(config)#
Jul  7 05:16:09.759: %CP-6-TCP: DROP TCP/UDP Portfilter  192.168.1.2(16293) -> 192.168.1.1(23)
R1(config)#
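The four drop messages above share one source port (16293), which is what a single telnet attempt looks like when the client retransmits its SYN; counting log lines therefore overstates the number of attempts. The following parser is an added example, not part of the original article: it reads CPPr port-filter drop lines of the format shown above (the sample is constructed from those four lines plus one invented line from 192.168.1.9) and groups them by source address and destination port, reporting both packets and distinct attempts.

```python
import re
from collections import Counter

# Constructed sample log: the four %CP-6-TCP drops R1 logged above, one
# constructed drop from a second source, and an unrelated syslog line that
# the parser must ignore.
SAMPLE_LOG = """\
Jul  7 05:15:55.751: %CP-6-TCP: DROP TCP/UDP Portfilter  192.168.1.2(16293) -> 192.168.1.1(23)
Jul  7 05:15:57.751: %CP-6-TCP: DROP TCP/UDP Portfilter  192.168.1.2(16293) -> 192.168.1.1(23)
Jul  7 05:16:01.755: %CP-6-TCP: DROP TCP/UDP Portfilter  192.168.1.2(16293) -> 192.168.1.1(23)
Jul  7 05:16:09.759: %CP-6-TCP: DROP TCP/UDP Portfilter  192.168.1.2(16293) -> 192.168.1.1(23)
Jul  7 05:20:12.101: %CP-6-TCP: DROP TCP/UDP Portfilter  192.168.1.9(40001) -> 192.168.1.1(23)
Jul  7 05:20:13.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# Matches the message body of a CPPr port-filter drop: src(sport) -> dst(dport)
DROP_RE = re.compile(
    r"%CP-6-TCP: DROP TCP/UDP Portfilter\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)


def parse_drops(log_text):
    """Return one dict per port-filter drop line; other syslog lines are skipped."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            drops.append({"src": d["src"], "sport": int(d["sport"]),
                          "dst": d["dst"], "dport": int(d["dport"])})
    return drops


def summarize(drops):
    """Group drops by (source IP, destination port).

    'packets' counts log lines; 'attempts' counts distinct source ports.
    A TCP client retransmits its SYN from the same source port, so the four
    lines from 192.168.1.2 above are one connection attempt, not four.
    """
    packets = Counter()
    sports = {}
    for d in drops:
        key = (d["src"], d["dport"])
        packets[key] += 1
        sports.setdefault(key, set()).add(d["sport"])
    return {key: {"packets": packets[key], "attempts": len(sports[key])}
            for key in packets}


def sources_over_threshold(summary, min_attempts):
    """Source addresses whose distinct attempts to any port reach the threshold."""
    totals = Counter()
    for (src, _dport), v in summary.items():
        totals[src] += v["attempts"]
    return sorted(src for src, n in totals.items() if n >= min_attempts)


if __name__ == "__main__":
    summary = summarize(parse_drops(SAMPLE_LOG))
    for (src, dport), v in sorted(summary.items()):
        print(f"{src} -> tcp/{dport}: {v['packets']} packets, {v['attempts']} attempt(s)")
```

The threshold helper is deliberately simple; in practice the summary would be fed from a syslog collector rather than a string, and the threshold tuned to how often legitimate clients are expected to hit the old port while they migrate to 3001.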

CPPr, demonstrated above, is one option for blocking access to port 23 on our IOS router. We could also use the access-class with an extended acl. After removing the CPPr configuration, the extended acl/access-class method would produce a similar result. I say similar because R1 will actually provide feedback (a TCP reset) with this option, whereas CPPr silently drops the packets. This could adversely affect the CPU if this were a malicious DoS attempt. Therefore, from a CPU protection standpoint, CPPr would be the preferred approach.

To configure an access-class to block access to port 23 and allow access to port 3001, we need to use an extended acl. Then we can attach it to the access-class for the VTY as we would expect.

R1 – Extended ACL/access-class Configuration

R1(config)#access-list 101 permit tcp any any eq 3001
R1(config)#line vty 0 15
R1(config-line)#rotary 1
R1(config-line)#access-class 101 in

R2 – Testing Telnet with Extended ACL Method of Blocking

//testing to standard telnet port (23)
R2#telnet 192.168.1.1    
Trying 192.168.1.1 ...
% Connection refused by remote host

R2#

//testing telnet to port 3001
R2#telnet 192.168.1.1 3001
Trying 192.168.1.1, 3001 ... Open

User Access Verification

Password:
R1>exit

[Connection to 192.168.1.1 closed by foreign host]
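Because the rotary command adds a listener without removing port 23, it is easy to end up with an alternate port and the standard port both reachable. The script below is an added example, not part of the original article or of IOS: it reads a running-config excerpt (the sample is constructed to mirror the final R1 configuration above), derives the listening ports from the rotary groups (3000 + group), parses the numbered extended ACL named by access-class, and evaluates which of those ports the ACL lets a given source reach. It assumes numbered extended ACLs with `any`, `host A.B.C.D` or address/wildcard sources and destinations and an optional `eq PORT`; named ACLs and other port operators are not modelled.

```python
import ipaddress

# Constructed running-config excerpt mirroring the article's final R1 setup.
SAMPLE_CONFIG = """\
hostname R1
!
access-list 101 permit tcp any any eq 3001
!
line vty 0 15
 password cisco
 access-class 101 in
 rotary 1
 transport input telnet
!
"""


def rotary_port(group):
    """IOS opens an extra telnet listener on TCP 3000 + rotary group."""
    return 3000 + group


def parse_vty(config_text):
    """Collect rotary groups and the inbound access-class from 'line vty' stanzas."""
    rotary, access_class = set(), None
    in_vty = False
    for raw in config_text.splitlines():
        if not raw.startswith(" "):          # a new top-level stanza starts
            in_vty = raw.startswith("line vty")
            continue
        if not in_vty:
            continue
        tokens = raw.split()
        if tokens[:1] == ["rotary"]:
            rotary.add(int(tokens[1]))
        elif tokens[:1] == ["access-class"] and tokens[-1] == "in":
            access_class = tokens[1]
    return rotary, access_class


def _take_addr(tokens, i):
    """Consume one IOS address spec (any | host A | A wildcard) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ip_network accepts a (address, hostmask) tuple, i.e. an IOS wildcard mask
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acl(config_text, number):
    """Parse 'access-list N permit|deny tcp SRC DST [eq PORT]' entries, in order."""
    entries = []
    for raw in config_text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[:2] != ["access-list", str(number)] or t[3] != "tcp":
            continue
        action = t[2]
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        entries.append((action, src, dst, dport))
    return entries


def acl_permits(entries, src_ip, dst_ip, dport):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s_net, d_net, port in entries:
        if src in s_net and dst in d_net and (port is None or port == dport):
            return action == "permit"
    return False


def audit_telnet(config_text, src_ip="192.168.1.2", dst_ip="192.168.1.1"):
    """Report listening telnet ports and which of them the VTY access-class admits."""
    rotary, acl = parse_vty(config_text)
    listening = sorted({23} | {rotary_port(g) for g in rotary})
    if acl is None:
        reachable = listening          # no access-class: every listener accepts sessions
    else:
        entries = parse_acl(config_text, acl)
        reachable = [p for p in listening if acl_permits(entries, src_ip, dst_ip, p)]
    return {"listening": listening, "access_class": acl, "reachable": reachable}


if __name__ == "__main__":
    print(audit_telnet(SAMPLE_CONFIG))
```

Running it against the sample reports port 23 and 3001 listening but only 3001 reachable, matching the "Connection refused" result seen from R2. Dropping the access-class line from the sample makes both ports reachable, which is the state the article starts from. The same check is a reasonable place to flag a `permit tcp any any eq 3001` entry, since the alternate port does nothing to limit which sources may attempt to log in.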

As demonstrated in this article, sometimes IOS isn’t as user friendly as we would like. However, there are a lot of knobs we can turn and that results in a lot of configuration options. Those configuration options usually allow us to achieve the configuration we require.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To.

11 Responses to Using an Alternate Telnet Port in Cisco IOS

  1. Elvin Arias says:

    Thanks for the article.

    Elvin

  2. Will says:

    Thanks! New to me. I guess you need to make sure no reverse telnet is configured.

  3. David says:

    Thanks ….

    I was wondering how I could make a change to a port , in this case port 23 telnet..

    What about another port like 80, 53 or something like that…

  4. Pingback: Close Cisco IOS TCP Ports 23, 2002, 4002, 6002, and 9002 from Network Ports Scanning | Network Security Memo
  7. rizwan says:

    thanks for the article

  8. Eder says:

    Excellent article.

  9. Pingback: Close Cisco IOS TCP Ports 23, 2002, 4002, 6002, and 9002 from Network Ports Scanning – Network Security Memo

Comments are closed.