ACL to allow internal users to telnet to router

mzinzmzinz Member Posts: 328
I created an ACL to only permit internal traffic to telnet into the router:

ip access-list 100 extended permit 10.10.38.0 0.0.0.255 host 10.10.38.1 eq 23

I then applied it to the telnet interface:

#config t
(config)#line vty 0 4
(config-line)#ip access-class 101

Now, once this was done, no internal user could telnet in. I deleted the ACL, and created a standard one instead, and applied it:

(config)#no ip access-list 100 extended permit 10.10.38.0 0.0.0.255 host 10.10.38.1 eq 23
(config)#ip access-list 10 permit 10.10.38.0 0.0.0.255
(config)#line vty 0 4
(config-line)#no ip access-class 101
(config-line)#ip access-class 10

And then, it worked. So if I understand correctly, the only difference between those was that it wasn't specifying a specific port. Knowing that telnet is 23, why didn't it work?!?!
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801

Comments

  • psrajpsraj Member Posts: 11 ■□□□□□□□□□
    ip access-list 100 extended permit 10.10.38.0 0.0.0.255 host 10.10.38.1 eq 23
    I then applied it to the telnet interface:

    #config t
    (config)#line vty 0 4
    (config-line)#ip access-class 101

    You'r command syntax is incomplete/incorrect here. What were exact comands you used for creating and applying the extended ACLs? Even the list numbers dont match.

  • AlanJamesAlanJames Member Posts: 230
    you need to add TCP in your command

    access-list 101 permit tcp 10.10.38.0 0.0.0.255 host 10.10.38.1 eq telnet (or 23)

    Remember tcp is layer 4, and Ip is layer 3
  • mzinzmzinz Member Posts: 328
    Sorry, I was doing it from memory.

    There were no syntax errors in my actual config. I did specify TCP, and I also used the correct ACL number.
    _______LAB________
    2x 2950
    2x 3550
    2x 2650XM
    2x 3640
    1x 2801
Sign In or Register to comment.