ACL question

Hello Everyone,

I'm hoping someone can answer this question. I'm trying to set up an access list on a router to allow one host to telnet and the other to be denied. The access list is being applied to the router that I'm trying to permit and deny access. Please can you see the commands I have used and tell me if this is incorrect. What happens is both hosts seem to be denied instead of just one.

access-list 101 permit tcp host 192.168.3.7 192.168.4.2 0.0.0.0 eq telnet
access-list 101 deny tcp 192.168.2.4 0.0.0.0 host 192.168.4.2 eq telnet

access-class 101 in

I'm trying to deny host 192.168.2.4 from telnet to router 192.168.4.2.

On the permit statement I want to allow host 192.168.3.7 to telnet to router 192.168.4.2

The statements get applied fine but it denies both hosts instead of one

Any Advice is always much appreciated.

Thanks

C.J

Find more posts tagged with

Comments

wastedtime

It looks good to me although you don't need the deny statement. I would double check that what you have here looks that way on the router, and that the IP addresses are right.

cjthedj45

wastedtime wrote: »

It looks good to me although you don't need the deny statement. I would double check that what you have here looks that way on the router, and that the IP addresses are right.

Hi

Thanks for your reply. How come I don't need the deny statement then? If I want to deny a host from telnet sure I need the deny statement right?

I have just reconfigured the acl list so it is now on fa0/1 of the router instead of using the access-class command this seems to work. One host can now connect using telent and one is denied. I forgot to put in the permit any any statement below though and my eigrp neigbour went down. As soon as I put the any any statment though it seems to work fine.

wastedtime

If you need to deny telnet access to a router you can do it through the access-class under the vty. If you do it under a interface you will block traffic for the interface and not just the vty line. The reason you didn't need the deny statement was due to the implicit deny all at the end of the ACL.

cjthedj45

wastedtime wrote: »

If you need to deny telnet access to a router you can do it through the access-class under the vty. If you do it under a interface you will block traffic for the interface and not just the vty line. The reason you didn't need the deny statement was due to the implicit deny all at the end of the ACL.

Okay got it. So if I use access class it prevent telent access to any of the interfaces which is more secure than just applying it to one interface. I will try and ammend the ACL so that no deny is in and it has just the permit statment.

Thanks for your help

wastedtime

I think you got the part about the deny all in the access-list but I am not sure about where to apply it. If you are just trying to apply it to the one router then the best method would be to go from global config:

Router(config)#line vty 0 15
Router(config-line)#access-class 10 in

Also you wouldn't need a extended access-list this way a standard would work as the router would only check the access-list when a vty connection is attempted.

Also here is a link to relevant Cisco documentation. Controlling Access to a Virtual Terminal Line [Cisco IOS and NX-OS Software] - Cisco Systems

cjthedj45

wastedtime wrote: »

I think you got the part about the deny all in the access-list but I am not sure about where to apply it. If you are just trying to apply it to the one router then the best method would be to go from global config:

Router(config)#line vty 0 15
Router(config-line)#access-class 10 in

Also you wouldn't need a extended access-list this way a standard would work as the router would only check the access-list when a vty connection is attempted.

Also here is a link to relevant Cisco documentation. Controlling Access to a Virtual Terminal Line* [Cisco IOS and NX-OS Software] - Cisco Systems

Woohoo

Thanks a lot. Looks like the standard list was the way to go. I used a standard acl to permit the host address 192.168.3.7. I then used the access-class command and this worked. The implicit deny seems to deny all other telnet traffic apart from the host I permitted.

look at those matches thats me succesfully telnetting to the router

MK#sh access-lists
Standard IP access list 1
permit host 192.168.3.7 (4 match(es))

Many Thanks for helping me through my studies this afternoon. I just had to get that sorted as it was bugging me. Right I'm on to NAT/PAT revision now.

shednik

I had to do something similar to this at work for an audit to block telnet
I would do something like this

Router(config)#ip access-list extended RestrictTelnetIn 
Router(config-ext-nacl)# permit tcp host 192.168.3.7 host 192.168.4.2 eq telnet 
Router(config-ext-nacl)# permit tcp any any neq telent 
Router(config-ext-nacl)# exit 
Router(config)# line vty 0 15 
Router(config-line)# access-class RestrictTelnetIn in 
Router(config)# end 
Router# wr mem

That would be one way to do it and you can change the first permit to any for the destination if you want more then 1 interface to be accessible for management. Hope this helps!

wastedtime

cjthedj45 wrote: »

Woohoo Thanks a lot. Looks like the standard list was the way to go. I used a standard acl to permit the host address 192.168.3.7. I then used the access-class command and this worked. The implicit deny seems to deny all other telnet traffic apart from the host I permitted.

look at those matches thats me succesfully telnetting to the router

MK#sh access-lists
Standard IP access list 1
permit host 192.168.3.7 (4 match(es))

Many Thanks for helping me through my studies this afternoon. I just had to get that sorted as it was bugging me. Right I'm on to NAT/PAT revision now.

No problem those access lists can be tough.

cjthedj45

shednik wrote: »
I had to do something similar to this at work for an audit to block telnet
I would do something like this
Router(config)#ip access-list extended RestrictTelnetIn 
Router(config-ext-nacl)# permit tcp host 192.168.3.7 host 192.168.4.2 eq telnet 
Router(config-ext-nacl)# permit tcp any any neq telent 
Router(config-ext-nacl)# exit 
Router(config)# line vty 0 15 
Router(config-line)# access-class RestrictTelnetIn in 
Router(config)# end 
Router# wr mem  
That would be one way to do it and you can change the first permit to any for the destination if you want more then 1 interface to be accessible for management. Hope this helps!

Hi wouldn't the below overide the implicit deny though. I want allow host 192.168.3.7 and deny host 192.168.1.2?

Router(config-ext-nacl)# permit tcp any any neq telent

wastedtime

That would still block all telnet except the one host but it would still allow everyone in through other tcp protocols such as ssh if the router/switch was configured for ssh. the "neq telnet" means not equal to telnet.