Named acl not denying telnet access
phoeneous (Member, 2,333 posts) in CCNA & CCENT
In prep for ICND2 I'm working on my ACLs because I suck at them, as you can see.
What I'm trying to do is deny telnet access from 192.168.3.0/24 to 192.168.1.1/24 (R1). Permit telnet access for anyone else.
I created this ACL on R1's vty and applied it inbound:

ip access-list extended NO_OUTSIDE_TELNET
 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.1 eq telnet
 permit ip any any
---
line vty 0 4
 access-class NO_OUTSIDE_TELNET in
 password 7 0822455D0A16
 login local

And as you can see I keep getting matches on the permit line...

R1# sh ip acc
Extended IP access list NO_OUTSIDE_TELNET
    deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.1 eq telnet
    permit ip any any (4 match(es))

However, when I place the ACL inbound on R2's fa0/0, it blocks the access.
Which is the appropriate way to apply this ACL? See attached screenshot.
Comments
miller811 (Member, 897 posts)

Extended Access Lists...
...filter (permit or deny) based on the:
source address
destination address
protocol
port number
... are placed close to the source.
...work at both layer 3 and 4 of the OSI model.

I don't claim to be an expert, but I sure would like to become one someday.
Quest for 11K pages read in 2011
Page Count total to date - 1283
phoeneous (Member, 2,333 posts)

miller811 wrote:
Extended Access Lists...
...filter (permit or deny) based on the:
source address
destination address
protocol
port number
... are placed close to the source.
...work at both layer 3 and 4 of the OSI model.

With the exception of vty lines or no?
georgemc (Member, 429 posts)

phoeneous wrote:
In prep for ICND2 I'm working on my ACLs because I suck at them, as you can see.
What I'm trying to do is deny telnet access from 192.168.3.0/24 to 192.168.1.1/24 (R1). Permit telnet access for anyone else.
I created this ACL on R1's vty and applied it inbound:

ip access-list extended NO_OUTSIDE_TELNET
 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.1 eq telnet
 permit ip any any
---
line vty 0 4
 access-class NO_OUTSIDE_TELNET in
 password 7 0822455D0A16
 login local

And as you can see I keep getting matches on the permit line...

R1# sh ip acc
Extended IP access list NO_OUTSIDE_TELNET
    deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.1 eq telnet
    permit ip any any (4 match(es))

However, when I place the ACL inbound on R2's fa0/0, it blocks the access.
Which is the appropriate way to apply this ACL? See attached screenshot.

Try using "any" for your destination address and see how that works. Remember, your router normally has multiple IP addresses. You want to deny access to the entire router, not just one address. ACLs applied to the VTY lines normally affect access to all addresses on the router, but you negate that effect when you specify an IP address.
Typically, you would use permit statements and a standard ACL to control Virtual Terminal access to your routers. Even if I wanted to, let's say, permit SSH access but not allow Telnet to be used, I would still use permit statements to only allow the small number of addresses I want to allow 'telnet' access to and then deny everyone else. Basically meaning that I would have a "whitelist" instead of a "blacklist" such as you're using.

George
WGU BS: Business - Information Technology Management
Start Date: 01 October 2012
QFT1, PFIT in progress.
TRANSFERRED/COMPLETED: AGC1, BBC1, LAE1, QBT1, LUT1, QLC1, QMC1, QLT1, IWC1, INC1, INT1, BVC1, CLC1, MGC1, CWV1, BNC1, LIT1, LWC1, QAT1, WFV1, EST1, EGC1, EGT1, IWT1, MKC1, MKT1, RWT1, FNT1, FNC1, BDC1, TPV1
REQUIRED:
mgeorge (Member, 774 posts)

Try using a standard named ACL and reverse your logic instead of picking out specific hosts you wish to deny; in this case you can deny that host by placing it at the top of the ACL if it falls in a network range that is permitted, because ACLs are processed top down until the first match is found.
Keep in mind that the device will listen for the transport input protocol on all available IP-enabled interfaces, so using a deny statement specifying an IP address local to the device, when the device has multiple IP interfaces, can fail to secure the device.
ip access-list standard VTY_ACCESS
10 deny host 172.16.20.82
20 permit 172.16.20.0 0.0.0.255
30 permit 172.16.22.0 0.0.0.255
500 deny any log
!
line vty 0 4
access-class VTY_ACCESS in
As shown above you can see that the network 172.16.20.0/24 is permitted vty access but the host 172.16.20.82 which falls in the permitted network would be denied as that ACE (access control entry) specifying an action for that host is processed prior to the network ACE.
I personally see no reason to use extended access-lists unless you are mixing SSH and Telnet administrative protocols and wish to specify which networks can access the device via telnet and which networks can access the device via SSH. Example shown below:

ip access-list extended VTY_ACCESS
10 deny ip host 172.16.20.82 any
20 permit tcp 172.16.20.0 0.0.0.255 any eq 22
30 permit tcp 172.16.22.0 0.0.0.255 any eq telnet
500 deny ip any any log
!
line vty 0 4
access-class VTY_ACCESS in

Host 172.16.20.82 would be denied access completely to the vty lines, any host in the network 172.16.20.0/24 (excluding the previous host on line 10) would be permitted only to access the device via SSH, and the network 172.16.22.0/24 can only access the vty lines via telnet; all other connections would be denied.
Hope this helps

There is no place like 127.0.0.1
tzw (Registered User, 1 post)

Hi, could you guys help? I have a similar issue. I have two routers, A and B; both routers have 2 loopback interfaces.
- Router A has loopback int 0 192.168.1.1/24 and loopback int 1 192.168.2.1/24
- Router B has loopback int 0 10.1.1.1/24 and loopback int 1 10.2.2.2/24
- EIGRP has been configured on both routers and adjacency has been successfully made
Now I am trying to add a named ACL on Router B; only telnetting to 10.2.2.2 should be permitted, and this is my configuration. I cannot get it to work as I wanted. All the telnet connections have been unsuccessful, including 10.2.2.2. Help pls

B#show ip access-lists
Extended IP access list telnet
10 permit tcp any host 10.2.2.2
20 deny tcp any host 172.16.1.6 eq telnet log
30 deny tcp any host 10.1.1.1 eq telnet log
B#
theodoxa (Member, 1,340 posts)

For lines (VTY), I would use a standard ACL. You have already configured what protocols you will accept with "transport in telnet", "transport in ssh", etc., so there is no need to match ports or protocols on the ACL. The destination is always an IP on the router itself, so there isn't really a need to match destination. The only thing you need to be concerned with is where the traffic is coming from. Normally, you would want to whitelist (permit) rather than blacklist (deny), leaving any source not explicitly permitted to be implicitly denied.

ip access-list standard ALLOW_TELNET
 permit 192.168.3.0 0.0.0.255

For other types of devices, whitelisting sources is even simpler. For example, an ASA firewall allows you to configure which management protocols are allowed from which sources and on what interfaces with a single command per protocol/source/interface combination:

telnet 192.168.3.0 255.255.255.0 inside

If you truly want to block the 192.168.3.0 network from telnetting to the router, then place an extended ACL where the 192.168.3.0 network connects to the rest of your network and configure it like your original ACL.

R&S: CCENT → CCNA → CCNP → CCIE [ ]
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]
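The three replies above make the same two points: an access-class is evaluated top down until the first matching entry, and a vty ACL that denies only one of the router's addresses leaves its other addresses open. The script below is an added example (not code from this thread or from Cisco) that parses the ACE lines exactly as they are quoted in the posts and evaluates them with first-match semantics. It assumes a TCP session to a vty (so `ip` and `tcp` are treated alike), and the second R1 address `192.168.12.1` plus all client addresses are constructed for the example, not taken from the thread.

```python
# Added example, not code from the thread: a first-match evaluator for the
# IOS-style ACL entries quoted above. It parses ACE lines as written in the
# posts, walks them top-down like the router does, and reports which entry
# (or the implicit deny) decided the session. Client addresses and the second
# router address are constructed for the example.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str = "any"            # standard ACLs have no destination, so "any"
    port: Optional[int] = None  # destination TCP port; None matches any port


def _take_spec(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec (any | host X | X WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_ace(line: str, extended: bool) -> Ace:
    """Parse '10 deny host 172.16.20.82' or
    'deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.1 eq telnet'.
    A leading sequence number and a trailing 'log' keyword are accepted and ignored."""
    tokens = line.split()
    if tokens[0].isdigit():
        tokens = tokens[1:]
    action, i = tokens[0], 1
    if extended:
        i += 1  # skip protocol keyword: only TCP vty sessions are modelled, so ip and tcp both match
    src, i = _take_spec(tokens, i)
    dst, port = "any", None
    if extended:
        dst, i = _take_spec(tokens, i)
        if i < len(tokens) and tokens[i] == "eq":
            port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Ace(action, src, dst, port)


def parse_acl(text: str, extended: bool) -> List[Ace]:
    return [parse_ace(ln, extended) for ln in text.strip().splitlines() if ln.strip()]


def _matches(spec: str, addr: str) -> bool:
    """Match an address against 'any', an exact host, or network + wildcard mask."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    kind, value = spec.split()
    if kind == "host":
        return a == int(ipaddress.IPv4Address(value))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(value))  # wildcard 1-bits are "don't care"
    return (a & mask) == (int(ipaddress.IPv4Address(kind)) & mask)


def evaluate(acl: List[Ace], src: str, dst: str, port: int) -> Tuple[str, int]:
    """Walk the ACL top-down and stop at the first matching ACE.
    Returns (action, index); index -1 means the implicit 'deny any' at the end fired."""
    for i, ace in enumerate(acl):
        if _matches(ace.src, src) and _matches(ace.dst, dst) and ace.port in (None, port):
            return ace.action, i
    return "deny", -1


# The OP's extended ACL, as quoted in the first post.
NO_OUTSIDE_TELNET = parse_acl("""
deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.1 eq telnet
permit ip any any
""", extended=True)

# mgeorge's standard ACL: host-specific deny placed ahead of the network permit.
VTY_ACCESS = parse_acl("""
10 deny host 172.16.20.82
20 permit 172.16.20.0 0.0.0.255
30 permit 172.16.22.0 0.0.0.255
500 deny any log
""", extended=False)

# theodoxa's whitelist: anything not permitted falls to the implicit deny.
ALLOW_TELNET = parse_acl("permit 192.168.3.0 0.0.0.255", extended=False)

R1_OTHER_IP = "192.168.12.1"  # constructed: a second address on R1, not given in the thread


def op_acl_results():
    """Telnet from 192.168.3.0/24 is denied only when aimed at 192.168.1.1;
    the same session aimed at another address of R1 hits 'permit ip any any'."""
    return {
        "to_192.168.1.1": evaluate(NO_OUTSIDE_TELNET, "192.168.3.10", "192.168.1.1", 23),
        "to_other_r1_ip": evaluate(NO_OUTSIDE_TELNET, "192.168.3.10", R1_OTHER_IP, 23),
    }


def vty_access_results():
    """First match wins: the denied host stops at ACE 0 although ACE 1 would
    permit its /24; swapping those two entries lets it through."""
    reordered = [VTY_ACCESS[1], VTY_ACCESS[0]] + VTY_ACCESS[2:]
    return {
        "denied_host": evaluate(VTY_ACCESS, "172.16.20.82", "172.16.20.1", 23),
        "same_net_neighbour": evaluate(VTY_ACCESS, "172.16.20.83", "172.16.20.1", 23),
        "outsider": evaluate(VTY_ACCESS, "10.9.9.9", "172.16.20.1", 23),
        "denied_host_if_reordered": evaluate(reordered, "172.16.20.82", "172.16.20.1", 23),
    }


def allow_telnet_results():
    return {
        "inside": evaluate(ALLOW_TELNET, "192.168.3.7", "192.168.1.1", 23),
        "outsider": evaluate(ALLOW_TELNET, "10.9.9.9", "192.168.1.1", 23),
    }


if __name__ == "__main__":
    for name, fn in [("NO_OUTSIDE_TELNET", op_acl_results), ("VTY_ACCESS", vty_access_results),
                     ("ALLOW_TELNET", allow_telnet_results)]:
        print(name)
        for case, (action, idx) in fn().items():
            print(f"  {case:26} -> {action} (ACE {idx if idx >= 0 else 'implicit deny'})")
```

Running it shows the OP's ACL denying telnet to 192.168.1.1 but permitting the same client to the constructed second address, which is georgemc's explanation for the matches on the permit line; it also shows mgeorge's host deny only working because it sits above the network permit, and theodoxa's whitelist sending every unlisted source to the implicit deny.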