Configure Router to Accept Telnet on a Non-standard Port


Connecting to network devices via Telnet and SSH is typically done on the standard TCP ports 23 and 22 respectively. There are, however, instances where you may want to connect to the devices on ports other than these defaults. The reasons include, but are not limited to, the following:
· You want to hide the telnet connection port to your routers and switches from outsiders
· You may want to apply separate authentication criteria or methods for authenticating your telnet users
· Your service provider is filtering ports 22 and 23 in their Internet connections
Setting up your router to accept line connections on a port other than the default suffices in these cases.
Difficulty Level
Supported Platforms
· The configurations in this tutorial were performed on a Cisco 7200 series router, running Advanced Enterprise Services image, version 12.4(15)T1
· However, the concept can be applied to all Cisco Integrated Services Routers and Catalyst switch devices running a recent software image.
Your corporate information security policy states that users who connect to your network devices through the Internet must not use the standard SSH or Telnet ports. Nonetheless, administrators may connect to the devices on the standard ports from within the enterprise network.

To implement the policy, your team has concluded that management access to the Internet router should be done at TCP port 3022. Internal users may still use the default ports 22 and 23 for SSH and Telnet respectively.

They are aware of the advantages you enjoy as a member of, and have therefore assigned you for the implementation.

Let's take note of the following:
· The non-standard port can be 3000 + xxx or 7000 + xxx (where xxx is a value between 1 and 127 inclusive)
· A user would therefore have to telnet or SSH to port 3xxx or 7xxx of the router to gain access
· The 'rotary' command is used to specify the value of xxx, in line configuration mode
· Use the 'line vty' command to specify the terminal line(s) concerned and apply the appropriate commands.
R1#configure terminal
Enter line configuration sub-mode. Use the first 10 lines (0-9) for standard telnet/ssh access
R1(config)#line vty 0 9
R1(config-line)#password password09
R1(config-line)#transport input ssh telnet
Let's use the next 6 terminal lines (10-15) for non-standard telnet/ssh access
R1(config-line)#line vty 10 15
R1(config-line)#password password1015
R1(config-line)#rotary 22
R1(config-line)#transport input ssh telnet

The number of available terminal lines depends on the Cisco platform.

There could be just 5 lines (0-4), 16 lines (0-15) or as many as 989 - on a Cisco 2821 router. Guess what, they are 1,870 on my Cisco 7206 router.

The best way of verifying this configuration is to test it. Use telnet or SSH to connect on the appropriate port (23 and 3022/7022).
Concluding Notes
· When you issue the 'rotary xxx' command in line configuration mode (where xxx is a value between 1 and 127), you may telnet/SSH to the router or switch on ports 3xxx or 7xxx.
· If you have access-lists configured on the outside interface of your router, remember to modify them to allow incoming TCP connections on port 3xxx and/or 7xxx.
· It's worth stating that using telnet on a non-standard port would not make it any more secure. Security is a function of the application and not the port. SSH is what we recommend for managing your network devices, especially if connecting through the Internet.
· Also, if you change the telnet/SSH ports from their standard values, a determined attacker could still use a port scan tool to identify which ports are open on your devices (including the new 3xxx or 7xxx ports).
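To review a saved configuration against the notes above, the following added example (not part of the original tutorial) parses the 'line vty' blocks, lists the extra TCP ports each rotary group opens using the tutorial's 3000 + xxx / 7000 + xxx rule, and flags lines that still accept Telnet. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample: the line configuration from this tutorial as it would
# appear in a saved config (passwords replaced with a placeholder).
SAMPLE_CONFIG = """\
line vty 0 9
 password <removed>
 transport input ssh telnet
line vty 10 15
 password <removed>
 rotary 22
 transport input ssh telnet
"""

def parse_vty_blocks(config):
    """Return one dict per 'line vty' block: line range, rotary group, transports."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = {"lines": (first, last), "rotary": None, "transports": set()}
            blocks.append(current)
        elif current is None or not raw.startswith(" "):
            current = None  # an unindented line ends the line sub-mode block
        elif (m := re.match(r"rotary (\d+)$", line)):
            current["rotary"] = int(m.group(1))
        elif line.startswith("transport input "):
            current["transports"] = set(line.split()[2:])
    return blocks

def audit(config):
    """List the TCP ports each rotary group opens and flag cleartext Telnet."""
    findings = []
    for b in parse_vty_blocks(config):
        lo, hi = b["lines"]
        n = b["rotary"]
        if n is not None and 1 <= n <= 127:
            findings.append(f"vty {lo}-{hi}: rotary {n} opens TCP {3000 + n} and {7000 + n}")
        elif n is not None:
            findings.append(f"vty {lo}-{hi}: rotary {n} outside 1-127")
        if b["transports"] & {"telnet", "all"}:
            findings.append(f"vty {lo}-{hi}: Telnet (cleartext) is accepted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The ports it reports are the ones any access-list on the outside interface has to account for, and the Telnet findings mark where 'transport input ssh' alone would match the SSH recommendation.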
I hope you found the above information useful.



Hi Netdaddy,

I enjoyed this one. Keep them coming.