access list question

jbkm Member Posts: 55
I just missed a question on my practice test and was wondering if there were multiple ways of answering it or if I was just plain WRONG!

Here is the question:

I am to allow Telnet onto a router (10.1.1.2) but deny all other IP traffic from PC 172.16.1.2. The answer was given to me as:

access-list 152 permit tcp host 172.16.1.2 any eq telnet
access-list 152 deny ip host 172.16.1.2 any
access-list 152 permit ip any any

I input the following and was wondering if it would work when applied to the serial interface going into the router (S0/0 in this case!). The simulator marked it as wrong, but I don't know if it is programmed to only accept their way or no way (problem w/ sims?!):

access-list 152 permit tcp host 172.16.1.2 host 10.1.1.2 eq telnet
access-list 152 deny ip host 172.16.1.2 host 10.1.1.2
access-list 152 permit ip any any

Pretty much I'm wondering, if you are trying to stop Telnet access on a router with IP 10.1.1.2, could you use that IP as the destination IP in an access list? This is the IP for the interface it would be using to gain access to the router, and the access list would be used prior to routing the packet anyway....

Whatcha think/know?!

Thanks guys

John

Comments

  • agustinchernitsky Member Posts: 299
    Well, if telnet comes from 172.16.1.2:
    access-list 152 permit tcp host 172.16.1.2 any eq telnet

    would allow it, and since there's nothing else in the ACL... you get the explicit deny.

    But your suggestion of:
    access-list 152 permit tcp host 172.16.1.2 host 10.1.1.2 eq telnet

    is nicer and more secure ;)
  • jbkm Member Posts: 55
    But that explicit deny would block ALL packets regardless of their source, right?

    See, I essentially want to allow only Telnet from that one PC and not bother access from any other.

    Hope that isn't confusing!
  • dmaftei Member Posts: 83
    jbkm wrote:
    access-list 152 deny ip host 172.16.1.2 host 10.1.1.2
    This would only deny traffic from the PC to the router; traffic from the PC to any other IP address would be allowed.
    BSEE, MSCS
    www.maftei.net
  • jbkm Member Posts: 55
    So even though it's on the only interface "into" the network, it would still pass the traffic to another interface?

    Say I have this:

    PC
    S0/0 router E 0/1

    I could still go through the S0 to the E1 on the same router?
  • david_r Member Posts: 112
    jbkm,
    I don't think that is how you should secure Telnet access to your router. Not so funny things happen. Here's a quick config:
    Router#
    interface Serial1
     ip address 192.168.3.2 255.255.255.0
     ip access-group 152 in
    !
    access-list 152 permit tcp host 192.168.3.1 host 192.168.3.2 eq telnet
    access-list 152 permit ip any any
    Router#
    
    Texas3#
    interface Serial1
     ip address 192.168.3.1 255.255.255.0
     clockrate 4000000
    
    Texas3#telnet 192.168.3.2
    Trying 192.168.3.2 ...
    % Connection refused by remote host
    
    Texas3#
    
    Anyone care to explain that?

    I think if you use the access-class statement with a standard ACL in the configuration, you'll achieve what you are trying to do, and it is the Cisco-approved method.
    access-list 10 permit 192.168.3.1
    line vty 0 4
     access-class 10 in
     password ########
     login
    
    Router#telnet 192.168.3.2
    Trying 192.168.3.2 ...
    % Connection refused by remote host
    
    Texas3>telnet 192.168.3.2
    Trying 192.168.3.2 ... Open
    
    
    User Access Verification
    
    Password:
    
  • agustinchernitsky Member Posts: 299
    jbkm wrote:
    But that explicit deny would block ALL packets regardless of their source, right?

    See, I essentially want to allow only Telnet from that one PC and not bother access from any other.

    Hope that isn't confusing!

    Let's start over... your case stated:
    I am to allow Telnet onto a router (10.1.1.2) but deny all other IP traffic from pc 172.16.1.2

    With the following config you will achieve that:
    access-list 152 permit tcp host 172.16.1.2 host 10.1.1.2 eq telnet
    access-list 152 deny ip host 172.16.1.2 any
    access-list 152 permit ip any any
    

    Why? Any host with source 172.16.1.2 using Telnet will match the first line of the ACL... Then, any other traffic from the same IP will match the second one, which is denied. Finally, any traffic from any other IP will match the last line of the ACL and it will be allowed to pass. The last line is to avoid the implicit (it was implicit, not explicit as in my previous post) deny.

    Still, you could use the access-class statement.
  • agustinchernitsky Member Posts: 299
    jbkm wrote:
    So even though it's on the only interface "into" the network, it would still pass the traffic to another interface?

    Say I have this:

    PC
    S0/0 router E 0/1

    I could still go through the S0 to the E1 on the same router?

    If you place it with access-group 152 in on the S0 interface, it won't. When an ACL is configured for inbound, the ACL filters traffic before it gets to the routing decision. If you place the ACL on the outbound of the interface, the ACL filters traffic after the routing decision.
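An added example, not posted by anyone in this thread: a small Python first-match simulator for Cisco-style extended ACLs (host/any forms only), run over the two ACL 152 variants from the question. It shows the point dmaftei and agustinchernitsky make: with `host 10.1.1.2` as the destination in the deny line, the PC's traffic to anything behind E0/1 falls through to `permit ip any any`, while the answer key's `deny ip host 172.16.1.2 any` catches it. The sample packets and the 10.1.2.50 / 172.16.1.9 addresses are constructed for the demo.

```python
from collections import namedtuple

PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53}   # a few IOS port keywords
Packet = namedtuple("Packet", "proto src dst dport")  # proto: "tcp", "udp" or "icmp"

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (host/any forms only)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an extended ACE: " + line)
    addrs, i = [], 4
    for _ in ("source", "destination"):   # 'any' -> None (wildcard), 'host X' -> 'X'
        if t[i] == "any":
            addrs.append(None)
            i += 1
        elif t[i] == "host":
            addrs.append(t[i + 1])
            i += 2
        else:
            raise ValueError("only 'host X' and 'any' are supported: " + t[i])
    has_port = len(t) > i and t[i] == "eq"
    port = (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])) if has_port else None
    return t[2], t[3], addrs[0], addrs[1], port

def evaluate(acl, pkt):
    """Top-down, first match wins; nothing matched means the implicit deny."""
    for line in acl:
        action, proto, src, dst, port = parse_ace(line)
        if (proto in ("ip", pkt.proto) and src in (None, pkt.src)
                and dst in (None, pkt.dst) and port in (None, pkt.dport)):
            return action
    return "deny"

ANSWER_KEY = [   # the practice-test answer
    "access-list 152 permit tcp host 172.16.1.2 any eq telnet",
    "access-list 152 deny ip host 172.16.1.2 any",
    "access-list 152 permit ip any any",
]
JBKM_VERSION = [   # the version from the question
    "access-list 152 permit tcp host 172.16.1.2 host 10.1.1.2 eq telnet",
    "access-list 152 deny ip host 172.16.1.2 host 10.1.1.2",
    "access-list 152 permit ip any any",
]
# Constructed sample traffic (not from the thread), all arriving inbound on S0/0:
TELNET_TO_ROUTER = Packet("tcp", "172.16.1.2", "10.1.1.2", 23)   # the PC telnets to the router
PC_TO_LAN_HOST = Packet("tcp", "172.16.1.2", "10.1.2.50", 80)    # the PC reaches a host via E0/1
OTHER_PC_DNS = Packet("udp", "172.16.1.9", "10.1.1.2", 53)       # some other PC, DNS to the router
```

Running `evaluate(JBKM_VERSION, PC_TO_LAN_HOST)` returns "permit" while the answer key returns "deny" for the same packet, which is the whole difference between the two ACLs; dropping the final `permit ip any any` from either list makes every unmatched packet hit the implicit deny.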