Acl

Aman_saini Member Posts: 62
Let's take an example: we use an extended ACL, and there are router 1 and router 2. Taking router 2 as the destination, I have to put the ACL as close to the source as possible; in this case telnetting to both of the routers is blocked. Is there any method to block telnet from router 1 to router 2 without blocking telnet from router 2 to router 1? Taking any protocol.

Comments

  • billyr Member Posts: 186
    Telnet would not be blocked to both routers, only the one that you specify in the destination address.

    It's probably easier, though, to use a standard access list applied to the VTY lines to stop telnet access.
  • GT-Rob Member Posts: 1,090
    Are you trying to apply the ACL to the interface or the VTY line? If you are applying it to the VTY line it should only affect the inbound telnet access to THAT router, not the outbound from it to anything else.
  • capitanuionut Member Posts: 55
    Aman_saini wrote: »
    Let's take an example: we use an extended ACL, and there are router 1 and router 2. Taking router 2 as the destination, I have to put the ACL as close to the source as possible; in this case telnetting to both of the routers is blocked. Is there any method to block telnet from router 1 to router 2 without blocking telnet from router 2 to router 1? Taking any protocol.

    If you have two routers:

    R1 (192.168.1.1/30) -- R2 (192.168.1.2/30)

    For blocking telnet access on router R2 using ACLs you can define one standard access list that permits access only to the desired users and denies everyone else, and apply it to the VTY lines of R2 with the ip access-class <acl> command. If no user needs to access telnet then you had better not configure the VTY lines for R2, and telnet will not be permitted.


    You can also define an extended access list and put it as close as possible to the source...
    access-list 100 deny tcp any host 192.168.1.2 eq 23
    but this will only complicate stuff if you don't need to allow someone to access R2...
  • Aman_saini Member Posts: 62
    billyr wrote: »
    Telnet would not be blocked to both routers, only the one that you specify in the destination address.

    It's probably easier, though, to use a standard access list applied to the VTY lines to stop telnet access.
    What if I am trying to stop FTP?
    I'm struggling with the point that if I place an extended access list then I end up blocking FTP on both sides of the router. FTP is the example.
  • MrBrian Member Posts: 520
    Aman_saini wrote: »
    What if I am trying to stop FTP?
    I'm struggling with the point that if I place an extended access list then I end up blocking FTP on both sides of the router. FTP is the example.

    What command did you try configuring exactly? With extended access lists you can get pretty specific as to what you want blocked i.e. source and destination addresses of the packets as well as the protocol you want (ftp in your case)...

    then it's just a matter of applying the list to the correct interface. Just look at your topology and see if you want the list to check packets coming in a certain interface, or going out a certain interface... If you're unfamiliar with the syntax try using the ? after each argument to see what you need next ;)
    Currently reading: Internet Routing Architectures by Halabi
  • Aman_saini Member Posts: 62
    OK buddy, give me your email address and I'll send you my Packet Tracer file in which I was trying to block telnet from one side.
  • MrRyte Member Posts: 347
    Aman_saini wrote: »
    OK buddy, give me your email address and I'll send you my Packet Tracer file in which I was trying to block telnet from one side.

    Maybe I'm misreading your post but it seems that you're getting a little annoyed for some reason.....?
    NEXT UP: CompTIA Security+ :study:

    Life is a matter of choice not chance. The path to your destiny will be paved by the decisions that you make every day.
  • Eildor Member Posts: 444
    Question: If you have two routers and you are trying to set up an ACL on one to block telnet to the other -- isn't there an issue with applying the ACL to the source router as it (the source router) originated the traffic?
  • Aman_saini Member Posts: 62
    Eildor wrote: »
    Question: If you have two routers and you are trying to set up an ACL on one to block telnet to the other -- isn't there an issue with applying the ACL to the source router as it (the source router) originated the traffic?
    I think yes, you are right.
    But it's not the answer to my question; I want to block telnet from one side.
  • Eildor Member Posts: 444
    Aman_saini wrote: »
    I think yes, you are right.
    But it's not the answer to my question; I want to block telnet from one side.

    Send me the Packet Tracer file eildor@hotmail.co.uk
  • Eildor Member Posts: 444
    You need to add a "permit ip any any" statement to your ACL. Remember that there is an implicit deny at the end of every ACL, and since you have no permit statements all traffic is denied.
  • MrBrian Member Posts: 520
    Eildor wrote: »
    You need to add a "permit ip any any" statement to your ACL. Remember that there is an implicit deny at the end of every ACL, and since you have no permit statements all traffic is denied.

    Think of the access-list as a set of rules for the packets to follow. Let's say you apply the access-list to an interface or vty line for the direction "in." So now that you applied this list, all packets attempting to come "in" on this interface/line will have to pass all the rules you have made in your list. Each packet will go through the list from top to bottom, and if it matches a deny statement, it's done.

    And like Eildor said, the thing to remember with these access-lists is that there is an implicit deny (which means you don't see that rule, but it's there) automatically at the end of each list. So if you make a list denying a 'little of this' and denying a 'little of that' but don't put a permit statement anywhere, then ALL traffic will be denied because that invisible deny is sitting there at the end of the list... it took me a while to understand this at first too!! Hope this helps.
    Currently reading: Internet Routing Architectures by Halabi
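    To make the first-match and implicit-deny behaviour discussed above concrete, here is an added simulation (not code from the thread or from Cisco) of how an IOS extended access list decides on each packet. It parses the exact lines from capitanuionut's post, uses constructed packets on the 192.168.1.0/30 link, and assumes the list sits where R1's packets toward R2 traverse it (for example inbound on R2's link interface). Without "permit ip any any", even R1's reply packets for a session that R2 opened are dropped, which is why telnet appeared blocked in both directions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str            # "any" or a host address
    dst: str
    dport: Optional[int] = None   # from "eq <port>" on the destination

def parse_rule(line: str) -> Rule:
    # Parses the subset of IOS extended-ACL syntax used in the thread, e.g.
    # "deny tcp any host 192.168.1.2 eq 23" or "permit ip any any".
    tok = line.split()
    pos = 2
    def addr() -> str:
        nonlocal pos
        kind = tok[pos]
        assert kind in ("any", "host"), f"unsupported address form: {kind}"
        pos += 1 if kind == "any" else 2
        return "any" if kind == "any" else tok[pos - 1]
    src, dst = addr(), addr()
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return Rule(tok[0], tok[1], src, dst, dport)

def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto) and r.src in ("any", p.src)
            and r.dst in ("any", p.dst) and (r.dport is None or r.dport == p.dport))

def evaluate(acl: List[str], p: Packet) -> str:
    # First match wins, top to bottom. A packet matching no line hits the
    # implicit deny that ends every IOS access list.
    for r in map(parse_rule, acl):
        if matches(r, p):
            return r.action
    return "deny"

# Constructed sample traffic on the 192.168.1.0/30 link from the thread.
R1_TO_R2_TELNET = Packet("tcp", "192.168.1.1", "192.168.1.2", 23)
R1_REPLY_TO_R2 = Packet("tcp", "192.168.1.1", "192.168.1.2", 49152)  # R1 answering R2's telnet session
ONLY_DENY = ["deny tcp any host 192.168.1.2 eq 23"]
WITH_PERMIT = ONLY_DENY + ["permit ip any any"]
```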
  • Aman_saini Member Posts: 62
    Eildor wrote: »
    You need to add a "permit ip any any" statement to your ACL. Remember that there is an implicit deny at the end of every ACL, and since you have no permit statements all traffic is denied.
    Thank you very much.
    I'm so stupid, forgetting a basic command.
  • Aman_saini Member Posts: 62
    MrBrian wrote: »
    Think of the access-list as a set of rules for the packets to follow. Let's say you apply the access-list to an interface or vty line for the direction "in." So now that you applied this list, all packets attempting to come "in" on this interface/line will have to pass all the rules you have made in your list. Each packet will go through the list from top to bottom, and if it matches a deny statement, it's done.

    And like Eildor said, the thing to remember with these access-lists is that there is an implicit deny (which means you don't see that rule, but it's there) automatically at the end of each list. So if you make a list denying a 'little of this' and denying a 'little of that' but don't put a permit statement anywhere, then ALL traffic will be denied because that invisible deny is sitting there at the end of the list... it took me a while to understand this at first too!! Hope this helps.
    Yeah, thanks, I appreciate it, it really helped me.
  • Eildor Member Posts: 444
    Aman_saini wrote: »
    Thank you very much.
    I'm so stupid, forgetting a basic command.

    No problem, glad I could help.