10.2 Securing Router Access
10.2.1 Using access lists to secure virtual terminal access
Although you may focus on using the Cisco IOS to secure network resources, you should not forget that the router itself is a vital resource that must also be protected. An obvious exposure is the router's virtual terminal lines, which accept remote management sessions and should rarely, if ever, be reachable from public Internet connections.

Although an extended access list can be used to block the Telnet port (TCP 23), such a list is applied per interface and would have to be configured on every IP interface through which a Telnet session could arrive; miss one and the router is still exposed. A more efficient and precise approach is to apply a standard access list to the virtual terminal lines themselves, which protects every path into the router at once. The figure illustrates these virtual terminal (VTY) lines, which are numbered 0 to 4 on this router. Many platforms and IOS releases provide more VTY lines (0 to 15 is common); the show line command lists how many your router has.

You can apply an access list directly to one of the five VTYs, but because you cannot predict which VTY an incoming connection will be assigned to, you should apply the same access list to all of them. If even one line is left unprotected, a connection will sooner or later be assigned to that line and bypass the restriction. The configuration is shown below:

RTA(config)#access-list 5 permit 200.100.50.0 0.0.0.255
RTA(config)#access-list 5 permit host 192.168.1.1
RTA(config)#line vty 0 4
RTA(config-line)#access-class 5 in

In this example, access list 5 defines which hosts are allowed to connect to the virtual terminals: any host in 200.100.50.0/24 and the single host 192.168.1.1. Like every IOS access list, it ends with an implicit deny, so every other source address is refused. A standard list is sufficient here because the only criterion is the source address of the connection. The line vty 0 4 command selects all five VTYs. Finally, the access-class command (not ip access-group, which is for interfaces) applies the list to the VTYs. Note that the in keyword is almost always used with this command; the out keyword would instead restrict the destinations that a user already logged in on a VTY can Telnet to from the router. Because the list is attached to the line rather than to a port, it also governs any other protocol the line accepts, such as SSH. Before closing your console session, verify the result with show access-lists 5 and show running-config | begin line vty, and test a connection from both a permitted and a denied host; a typo in the wildcard mask can lock out the administrator while admitting strangers. Bear in mind that Telnet sends credentials in cleartext: access-class limits who can reach the line, but does not protect the session contents.
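To see exactly which source addresses the list above admits, the following Python script simulates how IOS evaluates a standard access list for access-class in: first match wins, a wildcard bit of 1 means "don't care", and an implicit deny any follows the last entry. This is an added example, not code from the page or from Cisco; the function names (parse_standard_acl, evaluate, vty_allowed) and the access-list text it parses are constructed for the illustration. It also demonstrates the classic wildcard mistake the page's configuration invites: typing a subnet mask (255.255.255.0) where a wildcard (0.0.0.255) belongs.

```python
"""Simulate how IOS evaluates a standard access list applied with `access-class ... in`.

Added example (not from the page): reproduces the three rules that decide who reaches
the VTYs, so a list can be checked before it is applied and locks you out:
  1. entries are tested top to bottom and the first match wins,
  2. a wildcard mask bit of 1 means "don't care" (the inverse of a subnet mask),
  3. every IOS access list ends with an implicit `deny any`.
"""
import ipaddress
import re

# Constructed input: access list 5 from the page, as it appears in running-config.
ACL_TEXT = """
access-list 5 permit 200.100.50.0 0.0.0.255
access-list 5 permit host 192.168.1.1
"""

# access-list <number> permit|deny  host A.B.C.D | any | A.B.C.D [wildcard]
_ACE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:host\s+(\S+)|any|(\S+)(?:\s+(\S+))?)\s*$"
)


def parse_standard_acl(text, number):
    """Return [(action, network, wildcard), ...] as integers, in configuration order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = _ACE.match(line)
        if not m or int(m.group(1)) != number:
            continue                        # not part of the list we were asked for
        action, host, addr, wild = m.group(2), m.group(3), m.group(4), m.group(5)
        if host:                            # "host X" is shorthand for "X 0.0.0.0"
            net, mask = int(ipaddress.IPv4Address(host)), 0
        elif addr is None:                  # "any" is shorthand for "0.0.0.0 255.255.255.255"
            net, mask = 0, 0xFFFFFFFF
        else:                               # IOS treats a missing wildcard as 0.0.0.0
            net = int(ipaddress.IPv4Address(addr))
            mask = int(ipaddress.IPv4Address(wild)) if wild else 0
        entries.append((action, net, mask))
    return entries


def ace_matches(net, wildcard, src):
    """Compare only the bits the wildcard marks as significant (0 bits)."""
    care = ~wildcard & 0xFFFFFFFF
    return (src & care) == (net & care)


def evaluate(entries, src_ip):
    """Return (action, entry_number); entry_number is None for the implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for n, (action, net, wildcard) in enumerate(entries, start=1):
        if ace_matches(net, wildcard, src):
            return action, n
    return "deny", None                     # implicit deny any at the end of every list


def vty_allowed(acl_text, number, src_ip):
    """True if a session from src_ip would pass `access-class <number> in` on the VTYs."""
    action, _ = evaluate(parse_standard_acl(acl_text, number), src_ip)
    return action == "permit"


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_TEXT, 5)
    for ip in ("200.100.50.77", "192.168.1.1", "192.168.1.2", "200.100.51.1"):
        print(f"{ip:>15} -> {evaluate(acl, ip)}")
    # The classic mistake: a subnet mask typed where a wildcard belongs. With
    # 255.255.255.0 only the LAST octet is compared, so the admin station in
    # 200.100.50.0/24 is locked out while any host ending in .0 is admitted.
    wrong = parse_standard_acl("access-list 5 permit 200.100.50.0 255.255.255.0", 5)
    print("typo admits 10.20.30.0:", evaluate(wrong, "10.20.30.0"))
    print("typo rejects 200.100.50.77:", evaluate(wrong, "200.100.50.77"))
```

Run it against the text of show running-config before applying an access-class, or feed it a candidate list and the address you administer from; if vty_allowed returns False for your own station, fix the list before you leave the console.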