
Some help with an ACL

drew2000 (Member, Posts: 290)
Hey All,
I had no problem with a standard ACL, but I am implementing an extended ACL and it is not working (it is permitting traffic I want it to block).

I am trying to block telnet traffic from my PC (172.16.0.11/16) to a router (172.17.0.3/16).

There is a router in between (172.16.0.1/16 - 172.17.0.1/16), this is where I am placing the ACL.

The ACL is being placed on serial1 (172.17.0.1/16), outbound.

My config is below. Since the source and destination were based on 0.0.0.0 wildcard masks, they don't show up in the "show run". This current config blocks all traffic, but I have also tried it with "eq telnet".

Any thoughts would be helpful!

Andrew

(config from the router with the ACL)

interface Serial0
ip address 172.17.0.1 255.255.0.0
ip access-group 100 out
ip authentication mode eigrp 20 md5
ip authentication key-chain eigrp 20 masterlock
encapsulation ppp
shutdown
no fair-queue
!
router eigrp 20
network 172.16.0.0
network 172.17.0.0
auto-summary
!
ip http server
ip classless
!
!
access-list 100 deny tcp host 172.16.0.11 host 172.17.0.3
access-list 100 permit ip any any

Comments

  • peanutnoggin (Member, Posts: 1,096)
    It looks like you're blocking the traffic outbound from the wrong router. You want your access list to block outbound traffic from your 172.16.0.1 router. Since you already have your access-list setup on your 172.17.0.1 router, you can block inbound traffic with your access-list, but this of course would create unnecessary traffic on your WAN link between the routers.

    Create the same access-list on your 172.16.0.1 router and block the traffic outbound via that list and you should be okay.

    HTH.

    V/r

    ~Peanut
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • shednik (Member, Posts: 2,005)
    Why don't you just put the ACL on the router you want to block it from and apply it to the vty lines? Much easier that way to get the job done... unless I missed why you were trying to do it this way.
  • drew2000 (Member, Posts: 290)
    It's really just to test out the ACL stuff.

    It doesn't have to be Telnet, it could be any protocol. I'm just trying to figure out why my ACL doesn't work.

    According to Odom, extended ACLs are supposed to be placed as close to the source as possible. That's why I put the ACL on the router close to the PC, not the destination router.

    Thanks
    Drew
  • drew2000 (Member, Posts: 290)
    It's working now. It looks like I had it assigned to the wrong serial interface, but that is really crazy because I thought I checked that already. I'll let you know if I find something else but maybe that was it...

    Thanks,
    Andrew
  • beef1218 (Member, Posts: 65)
    drew2000 wrote: »
    It's really just to test out the ACL stuff.

    It doesn't have to be Telnet, it could be any protocol. I'm just trying to figure out why my ACL doesn't work.

    According to Odom, extended ACLs are supposed to be placed as close to the source as possible. That's why I put the ACL on the router close to the PC, not the destination router.

    Thanks
    Drew

    Right, place it as close to the source as possible. So you should actually place it on the router's Ethernet port, inbound, where your host is connected.
  • bubble2005 (Member, Posts: 210)
    drew2000, you don't even have to go that far if you are using an extended ACL. Since it should be placed closest to the source, you can place it on your local gateway interface (FastEthernet etc.) and use it as an inbound ACL.

    access-list 100 deny tcp host 172.16.0.11 host 172.17.0.3 eq telnet   (do not forget that)
    access-list 100 permit ip any any

    int fa0/0 or e0   (whatever your gateway interface is named)
    ip access-group 100 in

    Then you are done.

    Beef1218 is right.

    This will evaluate the destination IP and source before you even try to send it to the serial interface, and will also decrease unnecessary traffic coming into the router. Try it out!
    Think Big, Stay Focused: In the midst of all situations, think positive.
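As an added illustration (not code from anyone in this thread), here is a small Python model of how IOS walks a numbered extended ACL: top-down, first match wins, and a packet that matches nothing hits the implicit deny. It checks the list as originally posted against the `eq telnet` version that bubble2005 insists on, using constructed packets; it assumes the `eq` keyword follows the destination address, contiguous wildcard masks only, and a tiny port-name table in place of IOS's full one.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # tiny stand-in for IOS's name table

@dataclass
class Packet:                # constructed packet description, not a real capture
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0

def _take_addr(tok):
    """Consume one IOS address spec: 'any', 'host A', or 'A wildcard' (contiguous masks only)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    wc = int(ipaddress.ip_address(tok[1]))          # 0.0.255.255 -> 65535 -> /16
    net = ipaddress.ip_network(f"{tok[0]}/{32 - wc.bit_length()}", strict=False)
    return net, tok[2:]

def parse_ace(line):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <dest-port>]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, dport

def evaluate(acl_lines, pkt):
    """Top-down, first match wins; fall off the end and the implicit deny applies."""
    for action, proto, src, dst, dport in map(parse_ace, acl_lines):
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"

THREAD_ACL = ["access-list 100 deny tcp host 172.16.0.11 host 172.17.0.3",
              "access-list 100 permit ip any any"]          # as posted: blocks ALL tcp between the hosts
FIXED_ACL = ["access-list 100 deny tcp host 172.16.0.11 host 172.17.0.3 eq telnet",
             "access-list 100 permit ip any any"]           # only telnet is denied
```

Call `evaluate(THREAD_ACL, Packet("tcp", "172.16.0.11", "172.17.0.3", 80))` and you get "deny", which is why the posted list stops more than telnet; the same packet against `FIXED_ACL` returns "permit".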