Named acl not denying telnet access

phoeneousphoeneous Go ping yourself...Posts: 2,331Member ■■■■■■■□□□
In prep for icnd2 im working on my acl's because I suck at them as you can see.

What Im trying to do is deny telnet access from 192.168.3.0/24 to 192.168.1.1/24 (R1). Permit telnet access for anyone else.

I created this acl on R1's vty and applied it inbound:
deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.1 eq telnet
permit ip any any

---

line vty 0 4
 access-class NO_OUTSIDE_TELNET in
 password 7 0822455D0A16
 login local

And as you can see I keep getting matches on the permit line...
R1# sh ip acc
Extended IP access list NO_OUTSIDE_TELNET
    deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.1 eq telnet
    permit ip any any (4 match(es))

However, when I place the acl inbound on R2's fa0/0, it blocks the access.

Which is the appropriate way to apply this acl? See attached screenshot.

Comments

  • Daniel333Daniel333 Posts: 2,072Member ■■■■■■□□□□
    -Daniel
  • miller811miller811 Posts: 897Member
    Extended Access Lists...
    ...filter (permit or deny) based on the:
    source address
    destination address
    protocol
    port number
    ... are placed close to the source.
    ...work at both layer 3 and 4 of the OSI model.
    I don't claim to be an expert, but I sure would like to become one someday.

    Quest for 11K pages read in 2011
    Page Count total to date - 1283
  • phoeneousphoeneous Go ping yourself... Posts: 2,331Member ■■■■■■■□□□
    miller811 wrote: »
    Extended Access Lists...
    ...filter (permit or deny) based on the:
    source address
    destination address
    protocol
    port number
    ... are placed close to the source.
    ...work at both layer 3 and 4 of the OSI model.

    With the exception of vty lines or no?
  • georgemcgeorgemc Posts: 429Member
    phoeneous wrote: »
    In prep for icnd2 im working on my acl's because I suck at them as you can see.

    What Im trying to do is deny telnet access from 192.168.3.0/24 to 192.168.1.1/24 (R1). Permit telnet access for anyone else.

    I created this acl on R1's vty and applied it inbound:
    deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.1 eq telnet
    permit ip any any
    
    ---
    
    line vty 0 4
     access-class NO_OUTSIDE_TELNET in
     password 7 0822455D0A16
     login local
    

    And as you can see I keep getting matches on the permit line...
    R1# sh ip acc
    Extended IP access list NO_OUTSIDE_TELNET
        deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.1 eq telnet
        permit ip any any (4 match(es))
    

    However, when I place the acl inbound on R2's fa0/0, it blocks the access.

    Which is the appropriate way to apply this acl? See attached screenshot.


    Try using "ANY" for you destination address and see how that works. Remember, your router has multiple IP addresses normally. You want to deny access to the entire router not just one address. ACLs applied to the VTY lines normally affect access to all addresses on the router, but you negate that affect when you specify an IP address.

    Typically, you would use permit statements and a standard ACL to control Virtual Terminal access to your routers. Even if I wanted to, let's say, permit SSH access, but not allow Telnet to be used, I would still use permit statements to only allow the small number of addresses I want to allow 'telnet' access to and then deny everyone else. Basically meaning that I would have a "whitelist" instead of a "blacklist" such as you're using.


    George
    WGU BS: Business - Information Technology Management
    Start Date: 01 October 2012
    QFT1,PFIT in progress.
    TRANSFERRED/COMPLETED: AGC1,BBC1,LAE1,QBT1,LUT1,QLC1,QMC1,QLT1,IWC1,INC1,INT1,BVC1,CLC1,MGC1, CWV1 BNC1, LIT1,LWC1,QAT1,WFV1,EST1,EGC1,EGT1,IWT1,MKC1,MKT1,RWT1,FNT1,FNC1, BDC1,TPV1 REQUIRED:
  • mgeorgemgeorge Posts: 777Member
    Try using a standard named ACL and reverse your logic instead of picking out specific host you wish you deny; in this case you can deny that host by placing it at the top of the acl if it falls in a network range that is permitted because ACL's are processed top down till the first match is found.

    Keep in mind that the device will listen for the transport input protocol on all available IP enabed interfaces so using a deny statement specifying an ip address local to the device when the device has multiple ip interfaces can fail to secure the device.

    ip access-list standard VTY_ACCESS
    10 deny host 172.16.20.82
    20 permit 172.16.20.0 0.0.0.255
    30 permit 172.16.22.0 0.0.0.255
    500 deny any log
    !
    line vty 0 4
    access-class VTY_ACCESS in

    As shown above you can see that the network 172.16.20.0/24 is permitted vty access but the host 172.16.20.82 which falls in the permitted network would be denied as that ACE (access control entry) specifying an action for that host is processed prior to the network ACE.

    I personally see no reason to use extended access-list unless you are mixing SSH and Telnet administrative protocols and wish to specify which networks can access the device via telnet and which networks can access the device via SSH. Example shown below;

    ip access-list extended VTY_ACCESS
    10 deny ip host 172.16.20.82 any
    20 permit tcp 172.16.20.0 0.0.0.255 any eq 22
    20 permit tcp 172.16.22.0 0.0.0.255 any eq telnet
    500 deny any log
    !
    line vty 0 4
    access-class VTY_ACCESS in

    host 172.16.20.82 would be denied access completely to the vty lines, any host in the network 172.16.20.0/24 (excluding the previous host on line 10) would be permitted only to access the device via ssh and the network 172.16.22.0/24 can only access the vty lines via telnet, all other connections would be denied.

    Hope this helps :D
    There is no place like 127.0.0.1
  • phoeneousphoeneous Go ping yourself... Posts: 2,331Member ■■■■■■■□□□
    This helps immensely, thank you!
  • tzwtzw Posts: 1Registered Users ■□□□□□□□□□
    Hi could you guys I have similar issue. I have two routers A and B both router have 2 loopback interfaces.
    -Router A has loopback int 0 192.168.1.1/24 loopback int 1 192.168.2.1/24
    -Router B has loopback int 0 10.1.1.1/24 loopback int 1 10.2.2.2/24
    -EIGRP has been configured on both router and adjacency has been successfully made

    Now I am trying to add a name ACL on Router B; only Telnetting to 10.2.2.2 should be permitted and this is my configuration. I cannot get it work as I wanted. All the telnet connections has been unsuccessful including 10.2.2.2. Help pls

    B#show ip access-lists
    Extended IP access list telnet
    10 permit tcp any host 10.2.2.2
    20 deny tcp any host 172.16.1.6 eq telnet log
    30 deny tcp any host 10.1.1.1 eq telnet log
    B#
  • theodoxatheodoxa Posts: 1,340Member
    For lines (VTY), I would use a standard ACL. You have already configured what protocols you will accept with "transport in telnet", "transport in ssh", etc...so there is no need to match ports or protocols on the ACL. The destination is always an IP on the router itself so there isn't really a need to match destination. The only thing you need to be concerned with is where the traffic is coming from. Normally, you would want to whitelist (permit) rather than blacklist (deny), leaving any source not explicitly permitted to be implicitly denied.
    ip access-list standard ALLOW_TELNET
    permit 192.168.3.0 0.0.0.255
    

    For other types of devices, this is even simpler to whitelist sources. For example, an ASA Firewall allows you to configure which management protocols are allowed from which sources and on what interfaces with a single command per protocol/source/interface combination.
    telnet 192.168.3.0 255.255.255.0 inside
    

    If you truly want to block the 192.168.3.0 network from telnetting to the router, then place an extended ACL where the 192.168.3.0 network connects to the rest of your network and configure it like your original ACL.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
Sign In or Register to comment.