access list question

in CCNA & CCENT
I just missed a question on my practice test and was wondering if there were multiple ways of answering it or if I was just plain WRONG!
here is the question
I am to allow Telnet onto a router (10.1.1.2) but deny all other IP traffic from PC 172.16.1.2. The answer was given to me as:
access-list 152 permit tcp host 172.16.1.2 any eq telnet
access-list 152 deny ip host 172.16.1.2 any
access-list 152 permit ip any any
I input the following and was wondering if it would work when applied to the serial interface going into the router (S0/0 in this case!). The simulator marked it as wrong, but I don't know if it is programmed to only accept their way or no way (problem w/ sims?!)
access-list 152 permit tcp host 172.16.1.2 host 10.1.1.2 eq telnet
access-list 152 deny ip host 172.16.1.2 host 10.1.1.2
access-list 152 permit ip any any
Pretty much I'm wondering, if you are trying to stop telnet access on a router with IP 10.1.1.2, could you use that IP as the destination IP in an access list? This is the IP for the interface it would be using to gain access to the router, and the access list would be used prior to routing the packet anyway....
whatcha think/know?!
Thanks guys
John
Comments
would allow it and since there's nothing else in the ACL... you get the emplicit deny.
But your suggestion of:
is nicer and more secure
See, I essentially want to allow only telnet from that one PC and not bother access from any other.
hope that isn't confusing!
www.maftei.net
Say I have this
PC
S0/0 router E 0/1
I could still go through the S0 to the E1 on the same router?
I don't think that is how you should secure telnet access to your router. Not-so-funny things happen. Here's a quick config. Anyone care to explain that?
I think if you use the access-class statement with a standard ACL in the configuration you'll achieve what you are trying, and it is the Cisco-approved method.
Let's start over... your case stated:
with the following config you will achieve that:
Why? Any host with source 172.16.1.2 using telnet will match the first line of the ACL... Then, any other traffic from the same IP will match the second one, which is denied. Finally, any traffic from any other IP will match the last line of the ACL and will be allowed to pass. The last line is to avoid the implicit (it was implicit, not explicit as in my previous post) deny.
Still you could use the access-class statement.
If you place it into access-group 152 IN on the S0 interface it won't. When an ACL is configured for inbound, the ACL filters traffic before it gets to the routing decision. If you place the ACL on the outbound side of the interface, the ACL filters traffic after the routing decision.
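The first-match evaluation described in the replies above, as an added example that is not part of the original thread: a small Python simulator of extended-ACL matching with the implicit deny at the end. The two access lists are the answer key and the poster's variant from the question; the test packets are constructed for illustration, and the host 10.1.1.50 "past the router" is an assumption. Running it shows the two lists agree on traffic addressed to 10.1.1.2 itself, but differ on non-telnet traffic from 172.16.1.2 to any other destination, which the variant's final permit ip any any lets through.

```python
"""Simulate Cisco IOS extended-ACL matching: first match wins, implicit deny at the end.

Added example, not code from the original thread. ACL_ANSWER is the thread's
answer key and ACL_VARIANT the poster's version; the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # destination port, 0 for non-TCP/UDP


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" (matches everything), "tcp", "udp", "icmp"
    src: str                   # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination; None = any port


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not _addr_matches(e.src, p.src) or not _addr_matches(e.dst, p.dst):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl, packet):
    """Return (action, index) of the first matching entry, or ("deny", None)
    when nothing matched, i.e. the implicit deny at the end of every IOS ACL."""
    for i, entry in enumerate(acl):
        if _entry_matches(entry, packet):
            return entry.action, i
    return "deny", None


# access-list 152 as given in the answer key
ACL_ANSWER = [
    Entry("permit", "tcp", "host 172.16.1.2", "any", TELNET),
    Entry("deny",   "ip",  "host 172.16.1.2", "any"),
    Entry("permit", "ip",  "any", "any"),
]

# the poster's variant, with the router address 10.1.1.2 as the destination
ACL_VARIANT = [
    Entry("permit", "tcp", "host 172.16.1.2", "host 10.1.1.2", TELNET),
    Entry("deny",   "ip",  "host 172.16.1.2", "host 10.1.1.2"),
    Entry("permit", "ip",  "any", "any"),
]

# constructed traffic, all arriving inbound on S0/0 (10.1.1.50 is an assumed host beyond the router)
PACKETS = {
    "pc telnet to router":   Packet("172.16.1.2", "10.1.1.2",  "tcp", TELNET),
    "pc http to router":     Packet("172.16.1.2", "10.1.1.2",  "tcp", 80),
    "pc telnet past router": Packet("172.16.1.2", "10.1.1.50", "tcp", TELNET),
    "pc http past router":   Packet("172.16.1.2", "10.1.1.50", "tcp", 80),
    "other host http":       Packet("172.16.1.9", "10.1.1.50", "tcp", 80),
}


def compare(packets=PACKETS):
    """Map each packet name to (answer-key action, variant action)."""
    return {name: (evaluate(ACL_ANSWER, p)[0], evaluate(ACL_VARIANT, p)[0])
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (a, v) in compare().items():
        flag = "" if a == v else "   <-- differs"
        print(f"{name:24s} answer={a:6s} variant={v:6s}{flag}")
```

The simulator only models an access-group filter on an interface; the access-class method mentioned above restricts the vty lines themselves and is a separate mechanism. Dropping the final permit ip any any from either list sends every non-matching packet to the implicit deny, which evaluate reports as ("deny", None).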