access list question
jbkm
Member Posts: 55 ■■□□□□□□□□
in CCNA & CCENT
I just missed a question on my practice test and was wondering if there were multiple ways of answering it or if I was just plain WRONG!
Here is the question:
I am to allow Telnet onto a router (10.1.1.2) but deny all other IP traffic from PC 172.16.1.2. The answer was given to me as:
access-list 152 permit tcp host 172.16.1.2 any eq telnet
access-list 152 deny ip host 172.16.1.2 any
access-list 152 permit ip any any
I input the following and was wondering if it would work when applied to the serial interface going into the router (S0/0 in this case!). The simulator marked it as wrong, but I don't know if it is programmed to only accept their way or no way (problem w/ sims?!).
access-list 152 permit tcp host 172.16.1.2 host 10.1.1.2 eq telnet
access-list 152 deny ip host 172.16.1.2 host 10.1.1.2
access-list 152 permit ip any any
Pretty much I'm wondering, if you are trying to stop Telnet access on a router with IP 10.1.1.2, could you use that IP as the destination IP in an access list? This is the IP for the interface it would be using to gain access to the router, and the access list would be used prior to routing the packet anyway....
Whatcha think/know?!
Thanks guys
John
Comments
-
agustinchernitsky Member Posts: 299
Well, if Telnet comes from 172.16.1.2:
access-list 152 permit tcp host 172.16.1.2 any eq telnet
would allow it, and since there's nothing else in the ACL... you get the explicit deny.
But your suggestion of:
access-list 152 permit tcp host 172.16.1.2 host 10.1.1.2 eq telnet
is nicer and more secure. -
jbkm Member Posts: 55 ■■□□□□□□□□
But that explicit deny would block ALL packets regardless of their source, right?
See, I essentially want to allow only Telnet from that one PC and not bother access from any other.
Hope that isn't confusing! -
dmaftei Member Posts: 83 ■■□□□□□□□□
jbkm wrote:
access-list 152 deny ip host 172.16.1.2 host 10.1.1.2
BSEE, MSCS
www.maftei.net -
jbkm Member Posts: 55 ■■□□□□□□□□
So even though it's on the only interface "into" the network, it would still pass the traffic to another interface?
Say I have this:
PC
S0/0 router E 0/1
I could still go through the S0 to the E1 on the same router? -
david_r Member Posts: 112
jbkm,
I don't think that is how you should secure Telnet access to your router. Not so funny things happen. Here's a quick config:
Router# interface Serial1
 ip address 192.168.3.2 255.255.255.0
 ip access-group 152 in
!
access-list 152 permit tcp host 192.168.3.1 host 192.168.3.2 eq telnet
access-list 152 permit ip any any
Router#
Texas3# interface Serial1
 ip address 192.168.3.1 255.255.255.0
 clockrate 4000000
Texas3#telnet 192.168.3.2
Trying 192.168.3.2 ...
% Connection refused by remote host
Texas3#
Anyone care to explain that?
I think if you use the access-class statement with a standard ACL in the configuration you'll achieve what you are trying, and it is the Cisco approved method.
access-list 10 permit 192.168.3.1
line vty 0 4
 access-class 10 in
 password ########
 login
Router#telnet 192.168.3.2
Trying 192.168.3.2 ...
% Connection refused by remote host
Texas3>telnet 192.168.3.2
Trying 192.168.3.2 ... Open
User Access Verification
Password:
-
agustinchernitsky Member Posts: 299
jbkm wrote:
But that explicit deny would block ALL packets regardless of their source, right?
See, I essentially want to allow only Telnet from that one PC and not bother access from any other.
Hope that isn't confusing!
Let's start over... your case stated:
I am to allow Telnet onto a router (10.1.1.2) but deny all other IP traffic from PC 172.16.1.2
With the following config you will achieve that:
access-list 152 permit tcp host 172.16.1.2 host 10.1.1.2 eq telnet
access-list 152 deny ip host 172.16.1.2 any
access-list 152 permit ip any any
Why? Any host with source 172.16.1.2 using Telnet will match the first line of the ACL... Then, any other traffic from the same IP will match the second one, which is denied. Finally, any traffic from any other IP will match the last line of the ACL and it will be allowed to pass. The last line is to avoid the implicit (it was implicit, not explicit as in my previous post) deny.
Still, you could use the access-class statement. -
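Added example, not from the thread or from any poster: a small Python evaluator that applies IOS first-match and implicit-deny semantics to the two extended ACLs in John's question (the answer key with "any" as destination, and John's version with "host 10.1.1.2"), run against constructed packets. The port names, packet tuples and the 10.1.1.9 host are assumptions for the demonstration.

```python
import ipaddress

def _addr(tokens):
    # Consume 'host X' or 'any' (the only address forms used in this thread).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]

def _port(tokens):
    # Consume an optional 'eq <port>'; None means any port.
    if tokens and tokens[0] == "eq":
        return (23 if tokens[1] == "telnet" else int(tokens[1])), tokens[2:]
    return None, tokens

def parse_acl(text):
    # 'access-list N permit|deny proto src [eq p] dst [eq p]' -> (permit, proto, src, dst, dport)
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        permit, proto, rest = t[2] == "permit", t[3], t[4:]
        src, rest = _addr(rest)
        _sport, rest = _port(rest)        # source port is not used by any line here
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        acl.append((permit, proto, src, dst, dport))
    return acl

def evaluate(acl, pkt):
    # pkt = (proto, src, dst, dport). Lines are tried in order and the first match decides;
    # a packet matching no line hits the implicit deny at the end of every IOS ACL.
    proto, src, dst, dport = pkt
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, aproto, asrc, adst, adport in acl:
        if aproto not in ("ip", proto) or src not in asrc or dst not in adst:
            continue
        if adport is not None and adport != dport:
            continue
        return permit
    return False
# The two lists from the question (answer key first, John's version second).
ANSWER_KEY = parse_acl("""
access-list 152 permit tcp host 172.16.1.2 any eq telnet
access-list 152 deny ip host 172.16.1.2 any
access-list 152 permit ip any any
""")
JOHNS = parse_acl("""
access-list 152 permit tcp host 172.16.1.2 host 10.1.1.2 eq telnet
access-list 152 deny ip host 172.16.1.2 host 10.1.1.2
access-list 152 permit ip any any
""")
```

Run a constructed HTTP packet from 172.16.1.2 to 10.1.1.9 (a host past the router) through both: ANSWER_KEY denies it on line 2, while JOHNS falls through to "permit ip any any" because its deny only covers destination 10.1.1.2, which is the behaviour difference the simulator was grading on.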
agustinchernitsky Member Posts: 299
jbkm wrote:
So even though it's on the only interface "into" the network, it would still pass the traffic to another interface?
Say I have this:
PC
S0/0 router E 0/1
I could still go through the S0 to the E1 on the same router?
If you place it into access-group 152 IN on the S0 interface it won't. When an ACL is configured for inbound, the ACL filters traffic before it gets to the routing decision. If you place the ACL on the outbound of the interface, the ACL filters traffic after the routing decision.