ACL to allow internal users to telnet to router

mzinz

I created an ACL to only permit internal traffic to telnet into the router:

ip access-list 100 extended permit 10.10.38.0 0.0.0.255 host 10.10.38.1 eq 23

I then applied it to the telnet interface:

#config t
(config)#line vty 0 4
(config-line)#ip access-class 101

Now, once this was done, no internal user could telnet in. I deleted the ACL, and created a standard one instead, and applied it:

(config)#no ip access-list 100 extended permit 10.10.38.0 0.0.0.255 host 10.10.38.1 eq 23
(config)#ip access-list 10 permit 10.10.38.0 0.0.0.255
(config)#line vty 0 4
(config-line)#no ip access-class 101
(config-line)#ip access-class 10

And then, it worked. So if I understand correctly, the only difference between those was that it wasn't specifying a specific port. Knowing that telnet is 23, why didn't it work?!?!

psraj

ip access-list 100 extended permit 10.10.38.0 0.0.0.255 host 10.10.38.1 eq 23
I then applied it to the telnet interface:

#config t
(config)#line vty 0 4
(config-line)#ip access-class 101

You'r command syntax is incomplete/incorrect here. What were exact comands you used for creating and applying the extended ACLs? Even the list numbers dont match.

AlanJames

you need to add TCP in your command

access-list 101 permit tcp 10.10.38.0 0.0.0.255 host 10.10.38.1 eq telnet (or 23)

Remember tcp is layer 4, and Ip is layer 3

mzinz

Sorry, I was doing it from memory.

There were no syntax errors in my actual config. I did specify TCP, and I also used the correct ACL number.