ACL to allow internal users to telnet to router
mzinz
Member Posts: 328
in CCNA & CCENT
I created an ACL to only permit internal traffic to telnet into the router:
ip access-list 100 extended permit 10.10.38.0 0.0.0.255 host 10.10.38.1 eq 23
I then applied it to the telnet interface:
#config t
(config)#line vty 0 4
(config-line)#ip access-class 101
Now, once this was done, no internal user could telnet in. I deleted the ACL, and created a standard one instead, and applied it:
(config)#no ip access-list 100 extended permit 10.10.38.0 0.0.0.255 host 10.10.38.1 eq 23
(config)#ip access-list 10 permit 10.10.38.0 0.0.0.255
(config)#line vty 0 4
(config-line)#no ip access-class 101
(config-line)#ip access-class 10
And then, it worked. So if I understand correctly, the only difference between those was that it wasn't specifying a specific port. Knowing that telnet is 23, why didn't it work?!?!
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801
Comments
-
psraj Member Posts: 11
ip access-list 100 extended permit 10.10.38.0 0.0.0.255 host 10.10.38.1 eq 23
I then applied it to the telnet interface:
#config t
(config)#line vty 0 4
(config-line)#ip access-class 101
Your command syntax is incomplete/incorrect here. What were the exact commands you used for creating and applying the extended ACLs? Even the list numbers don't match.
-
AlanJames Member Posts: 230
You need to add TCP in your command:
access-list 101 permit tcp 10.10.38.0 0.0.0.255 host 10.10.38.1 eq telnet (or 23)
Remember TCP is layer 4, and IP is layer 3.
-
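The corrected configuration from this reply, written out end to end as an added example (not from the thread itself). It assumes the router's management address is 10.10.38.1 and the list number 101, as in the original post, and standard IOS syntax.

```cisco
! Added example, not from the thread: extended ACL restricting vty (telnet)
! access to the internal subnet. Router address 10.10.38.1 and list number
! 101 are taken from the original post.
!
! Extended ACLs need the protocol keyword; telnet rides on TCP port 23.
access-list 101 permit tcp 10.10.38.0 0.0.0.255 host 10.10.38.1 eq telnet
! Make the implicit deny explicit and log it, so rejected connection
! attempts show up in the log instead of failing silently.
access-list 101 deny ip any any log
!
! Apply it on the vty lines. The command is access-class (no "ip" prefix)
! and the direction keyword "in" is required.
line vty 0 4
 access-class 101 in
!
! Equivalent standard ACL: it filters on source address only, which is
! all access-class needs for inbound sessions.
access-list 10 permit 10.10.38.0 0.0.0.255
access-list 10 deny any log
!
! Verify with a test connection and then check the hit counters:
! show access-lists 101
```

Checking the counters on the permit and deny entries after a test session is the quickest way to confirm which line a connection actually matched.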
mzinz Member Posts: 328
Sorry, I was doing it from memory.
There were no syntax errors in my actual config. I did specify TCP, and I also used the correct ACL number.