ACL question
cjthedj45
Member Posts: 331
in CCNA & CCENT
Hello Everyone,
I'm hoping someone can answer this question. I'm trying to set up an access list on a router to allow one host to telnet and the other to be denied. The access list is being applied to the router that I'm trying to permit and deny access. Please can you see the commands I have used and tell me if this is incorrect. What happens is both hosts seem to be denied instead of just one.
access-list 101 permit tcp host 192.168.3.7 192.168.4.2 0.0.0.0 eq telnet
access-list 101 deny tcp 192.168.2.4 0.0.0.0 host 192.168.4.2 eq telnet
access-class 101 in
I'm trying to deny host 192.168.2.4 from telnet to router 192.168.4.2.
On the permit statement I want to allow host 192.168.3.7 to telnet to router 192.168.4.2.
The statements get applied fine but it denies both hosts instead of one.
Any advice is always much appreciated.
Thanks
C.J
Comments
wastedtime Member Posts: 586
It looks good to me although you don't need the deny statement. I would double check that what you have here looks that way on the router, and that the IP addresses are right.
cjthedj45 Member Posts: 331
wastedtime wrote: »It looks good to me although you don't need the deny statement. I would double check that what you have here looks that way on the router, and that the IP addresses are right.
Hi
Thanks for your reply. How come I don't need the deny statement then? If I want to deny a host from telnet sure I need the deny statement right?
I have just reconfigured the ACL so it is now on fa0/1 of the router instead of using the access-class command; this seems to work. One host can now connect using telnet and one is denied. I forgot to put in the permit any any statement below though and my EIGRP neighbour went down. As soon as I put the any any statement in though it seems to work fine.
wastedtime Member Posts: 586
If you need to deny telnet access to a router you can do it through the access-class under the vty. If you do it under an interface you will block traffic for the interface and not just the vty line. The reason you didn't need the deny statement was due to the implicit deny all at the end of the ACL.
cjthedj45 Member Posts: 331
wastedtime wrote: »If you need to deny telnet access to a router you can do it through the access-class under the vty. If you do it under an interface you will block traffic for the interface and not just the vty line. The reason you didn't need the deny statement was due to the implicit deny all at the end of the ACL.
Okay got it. So if I use access-class it prevents telnet access to any of the interfaces, which is more secure than just applying it to one interface. I will try and amend the ACL so that no deny is in and it has just the permit statement.
Thanks for your help
wastedtime Member Posts: 586
I think you got the part about the deny all in the access-list but I am not sure about where to apply it. If you are just trying to apply it to the one router then the best method would be to go from global config:
Router(config)#line vty 0 15
Router(config-line)#access-class 10 in
Also you wouldn't need an extended access-list this way; a standard one would work, as the router would only check the access-list when a vty connection is attempted.
Also here is a link to relevant Cisco documentation. Controlling Access to a Virtual Terminal Line [Cisco IOS and NX-OS Software] - Cisco Systems
cjthedj45 Member Posts: 331
wastedtime wrote: »I think you got the part about the deny all in the access-list but I am not sure about where to apply it. If you are just trying to apply it to the one router then the best method would be to go from global config:
Router(config)#line vty 0 15
Router(config-line)#access-class 10 in
Also you wouldn't need an extended access-list this way; a standard one would work, as the router would only check the access-list when a vty connection is attempted.
Also here is a link to relevant Cisco documentation. Controlling Access to a Virtual Terminal Line [Cisco IOS and NX-OS Software] - Cisco Systems
Woohoo, thanks a lot. Looks like the standard list was the way to go. I used a standard ACL to permit the host address 192.168.3.7. I then used the access-class command and this worked. The implicit deny seems to deny all other telnet traffic apart from the host I permitted.
Look at those matches, that's me successfully telnetting to the router:
MK#sh access-lists
Standard IP access list 1
permit host 192.168.3.7 (4 match(es))
Many thanks for helping me through my studies this afternoon. I just had to get that sorted as it was bugging me. Right, I'm on to NAT/PAT revision now.
shednik Member Posts: 2,005
I had to do something similar to this at work for an audit to block telnet.
I would do something like this:
Router(config)#ip access-list extended RestrictTelnetIn
Router(config-ext-nacl)# permit tcp host 192.168.3.7 host 192.168.4.2 eq telnet
Router(config-ext-nacl)# permit tcp any any neq telnet
Router(config-ext-nacl)# exit
Router(config)# line vty 0 15
Router(config-line)# access-class RestrictTelnetIn in
Router(config-line)# end
Router# wr mem
That would be one way to do it and you can change the first permit to any for the destination if you want more than one interface to be accessible for management. Hope this helps!
wastedtime Member Posts: 586
Woohoo, thanks a lot. Looks like the standard list was the way to go. I used a standard ACL to permit the host address 192.168.3.7. I then used the access-class command and this worked. The implicit deny seems to deny all other telnet traffic apart from the host I permitted.
Look at those matches, that's me successfully telnetting to the router:
MK#sh access-lists
Standard IP access list 1
permit host 192.168.3.7 (4 match(es))
Many thanks for helping me through my studies this afternoon. I just had to get that sorted as it was bugging me. Right, I'm on to NAT/PAT revision now.
No problem, those access lists can be tough.
cjthedj45 Member Posts: 331
shednik wrote: »I had to do something similar to this at work for an audit to block telnet.
I would do something like this:
Router(config)#ip access-list extended RestrictTelnetIn
Router(config-ext-nacl)# permit tcp host 192.168.3.7 host 192.168.4.2 eq telnet
Router(config-ext-nacl)# permit tcp any any neq telnet
Router(config-ext-nacl)# exit
Router(config)# line vty 0 15
Router(config-line)# access-class RestrictTelnetIn in
Router(config-line)# end
Router# wr mem
That would be one way to do it and you can change the first permit to any for the destination if you want more than one interface to be accessible for management. Hope this helps!
Hi, wouldn't the below override the implicit deny though? I want to allow host 192.168.3.7 and deny host 192.168.1.2.
Router(config-ext-nacl)# permit tcp any any neq telnet
wastedtime Member Posts: 586
That would still block all telnet except the one host, but it would still allow everyone in through other TCP protocols such as SSH if the router/switch was configured for SSH. The "neq telnet" means not equal to telnet.
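As an added illustration (not code from this thread or from Cisco), here is a small Python model of first-match ACL evaluation with the implicit deny at the end. It evaluates the standard list C.J ended up with and shednik's extended list against the hosts discussed above, showing why the explicit deny line was redundant and why `permit tcp any any neq telnet` still lets SSH through. The wildcard-bit matching is the usual Cisco semantics; the parser only understands the syntax seen in this thread, and the test inputs are constructed.

```python
import ipaddress

PORTS = {"telnet": 23, "ssh": 22}
ANY = ("0.0.0.0", "255.255.255.255")

def _addr(toks):
    # Consume 'any', 'host A', or 'A WILDCARD'; return (base, wildcard).
    t = toks.pop(0)
    if t == "any":
        return ANY
    return (toks.pop(0), "0.0.0.0") if t == "host" else (t, toks.pop(0))

def _match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF  # a set wildcard bit means "don't care"
    return (a & care) == (b & care)

def parse_acl(lines, extended):
    # Entries as typed in the thread, without the 'access-list N' prefix.
    entries = []
    for line in lines:
        toks = line.split()
        action = toks.pop(0)
        if not extended:  # a standard ACL checks the source address only
            if len(toks) == 1 and toks[0] != "any":
                toks.append("0.0.0.0")  # a bare address means a single host
            entries.append((action, "ip", _addr(toks), ANY, None, None))
            continue
        proto, src, dst = toks.pop(0), _addr(toks), _addr(toks)
        op, port = (toks[0], int(PORTS.get(toks[1], toks[1]))) if toks else (None, None)
        entries.append((action, proto, src, dst, op, port))
    return entries

def evaluate(entries, src, dst, proto="tcp", dport=23):
    # First matching entry wins; no match falls through to the implicit deny.
    for action, p, (sb, sw), (db, dw), op, port in entries:
        if p not in ("ip", proto) or not (_match(src, sb, sw) and _match(dst, db, dw)):
            continue
        if (op == "eq" and dport != port) or (op == "neq" and dport == port):
            continue
        return action
    return "deny"

STANDARD = ["permit host 192.168.3.7"]  # constructed: the list C.J ended up with
SHEDNIK = ["permit tcp host 192.168.3.7 host 192.168.4.2 eq telnet",
           "permit tcp any any neq telnet"]  # constructed: shednik's extended list

def thread_results():
    std, ext = parse_acl(STANDARD, False), parse_acl(SHEDNIK, True)
    return {"std_permitted_host": evaluate(std, "192.168.3.7", "192.168.4.2"),
            "std_other_host": evaluate(std, "192.168.2.4", "192.168.4.2"),
            "ext_other_telnet": evaluate(ext, "192.168.2.4", "192.168.4.2"),
            "ext_other_ssh": evaluate(ext, "192.168.2.4", "192.168.4.2", dport=22)}
```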