Stuck on ACL

Dubuku57 Member Posts: 81
Hi,

When configuring an ACL on a router interface to prevent telnet traffic, I wrote this ACL:

access-list 101 deny tcp 5.1.1.10 0.0.0.0 5.1.3.0 0.0.0.255 eq telnet
access-list 101 permit ip any any
Router A: int eth0 (Ethernet interface that connects to the PCs)
Router A: ip access-group 101 in

My config is something like this:
Router A connects to PC A (5.1.1.8/24), PC B (5.1.1.10/24)
Router B to PC C (5.1.2.10/2), PC D (5.1.2.20/24)
Router C to PC E (5.1.3.8/24), PC F (5.1.3.10/24)
RouterA--RouterB--RouterC

Now suddenly PC F is not able to telnet into PC B. Why is this so? Shouldn't it be just PC B that is not able to telnet to PC E and PC F?

Thanks guys!

Comments

  • Danny0990 Member Posts: 14
    To prevent telnet you need to apply the list to your vty.

    so you would be doing:

    line vty 0 4
    access-class _____ in
    login
  • Forsaken_GA Member Posts: 4,024
    Without seeing your exact topology and all of the configs, I'd bet that your return traffic is getting bumped by the ACL.
  • Dubuku57 Member Posts: 81
    Hi Danny,

    Doesn't this command 'access-class' only apply if I want to restrict access to the router itself? But my ACL is trying to restrict the telnet traffic to the PCs... Is it the same?

    Actually I'm unable to telnet from any PC to any PC. Do I need to set passwords on the vty lines of the routers?

    I think I'm confusing myself... argh!
  • Forsaken_GA Member Posts: 4,024
    If you're trying to telnet directly to your computers, they need to be running a telnet server to receive and process that traffic. Most operating systems these days don't run a telnet daemon by default; it's something you have to enable on purpose (telnet is quite insecure, passwords are transmitted in clear text and can be sniffed on the wire, which is why ssh has replaced it for most of the world).

    Setting passwords and access-class on the router will only affect traffic destined for the router, not traffic passing through it to another address.
  • Dubuku57 Member Posts: 81
    Oh! How do I find out if the telnet daemon is running on the PC? The error message when I try to telnet out is:

    "Connection to x.x.x.x is closed by foreign host" (from any PC to router) - this is because I didn't set the password, I guess.
    "Connection refused by remote host" (from PC F, C, etc. to PC B, D, etc.)
    "Connection timed out; Remote host not responding" (from PC B to F only)

    Is there any specific error message that can tell me which it is?

    Thanks a lot.
  • Forsaken_GA Member Posts: 4,024
    While logged into that PC, drop to a command prompt and type

    telnet localhost

    If it tells you connection refused, you ain't running a telnet daemon on that box.
  • Dubuku57 Member Posts: 81
    Oh okay, it doesn't seem like telnet runs here. Thanks!!
  • Dubuku57 Member Posts: 81
    Since I'm unable to test this out, could you please enlighten me on what the behaviour would be? I'm thinking that with the ACL (below), PC B won't be able to telnet to PC E and F. But I'm wondering if PC E and F would be able to telnet into B? Like, would returning traffic be blocked also (like in the case of HTTP)?

    access-list 101 deny tcp 5.1.1.10 0.0.0.0 5.1.3.0 0.0.0.255 eq telnet
    access-list 101 permit ip any any
    Router A: int eth0 (Ethernet interface that connects to the PCs)
    Router A: ip access-group 101 in

    Thanks again!
  • Dubuku57 Member Posts: 81
    Any advice on returning telnet (or any other) traffic for the above problem? Thanks so much...
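The return-traffic question in the last two posts comes down to how the router evaluates each packet against the list. The following Python model is an added example, not code from the thread or from Cisco. It assumes the PC addresses given in the original post, uses constructed ephemeral source ports, and writes the list's last line as `permit ip any any`, the form IOS accepts. It models the IOS extended-ACL rules that decide the outcome: top-down evaluation with first match, the implicit deny at the end, wildcard masks, and the fact that `eq telnet` placed after the destination address tests the destination port only.

```python
"""Model of how Cisco IOS evaluates the thread's extended ACL.

Added example, not code from the thread. Semantics modelled:
  - entries are checked top-down and the first match wins;
  - a packet matching no entry hits the implicit deny at the end;
  - a wildcard mask marks "don't care" bits (0.0.0.255 = whole /24);
  - `eq telnet` after the destination address tests the DESTINATION
    port, so a reply leaving port 23 is not matched by it.
The ACL text is the one posted in the thread; its last line is written
`permit ip any any`, the protocol-keyword form IOS actually accepts.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ACL_TEXT = """
access-list 101 deny tcp 5.1.1.10 0.0.0.0 5.1.3.0 0.0.0.255 eq telnet
access-list 101 permit ip any any
"""

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]   # (base address, wildcard mask) as integers
    dst: Tuple[int, int]
    dport: Optional[int]   # None when the entry has no port test


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: list) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))


def _addr_match(addr: str, base: int, wildcard: int) -> bool:
    """Wildcard-mask comparison: only bits that are 0 in the wildcard must agree."""
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


def parse_acl(text: str) -> list:
    """Parse 'access-list N action proto SRC DST [eq PORT]' lines into Entry objects."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            raise ValueError("unsupported line: " + line)
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1])
            if dport is None:
                dport = int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: list, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None means implicit deny."""
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _addr_match(pkt.src, *e.src) or not _addr_match(pkt.dst, *e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, idx
    return "deny", None


def classify_thread_flows() -> dict:
    """Run packets that arrive INBOUND on Router A's eth0 through the ACL.

    Only traffic sourced from the 5.1.1.0/24 LAN enters eth0 inbound. PC F's
    own SYN towards PC B arrives on Router A's link to Router B and leaves
    eth0 outbound, so this inbound list never examines it. Source ports above
    1024 are constructed ephemeral ports.
    """
    acl = parse_acl(ACL_TEXT)
    flows = {
        "PC B -> PC E telnet SYN": Packet("tcp", "5.1.1.10", 40001, "5.1.3.8", 23),
        "PC A -> PC E telnet SYN": Packet("tcp", "5.1.1.8", 40002, "5.1.3.8", 23),
        "PC B -> PC E http": Packet("tcp", "5.1.1.10", 40003, "5.1.3.8", 80),
        # PC B answering a telnet session PC F opened: source port 23, destination
        # port is F's ephemeral port, so `eq telnet` (destination port) does not match
        "PC B -> PC F telnet reply": Packet("tcp", "5.1.1.10", 23, "5.1.3.10", 40004),
    }
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, (action, idx) in classify_thread_flows().items():
        where = "implicit deny" if idx is None else "line %d" % (idx + 1)
        print("%-28s %-6s (%s)" % (name, action, where))
```

Running it prints one line per flow: PC B's telnet toward 5.1.3.0/24 hits the deny entry, PC A's telnet and PC B's HTTP fall through to the permit, and PC B's replies to a session that PC F opened (source port 23, destination port ephemeral) are also permitted, because the port test in the deny entry applies to the destination port. Passing only the first entry to `evaluate` shows the implicit deny: with no `permit ip any any` line, every other packet on that interface is dropped.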