Acl

lets take a example we take extended ACL and there are router 1 and router 2. taking router 2 as destination i have to put the ACL as close to source as possible in this the telnetting of both of the router are blocked. is there is any method to block telnet of router 1 to router 2 without blocking the telnet of router 2 to router 1? taking any protocol.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

billyr

Telnet would not be blocked to both routers, only the one that you specify in the destination address.

Its probably easier though to use a standard access list applied to the VTY Lines to stop telnet access

GT-Rob

are you trying to apply the ACL to the interface or the VTY line? If you are applying to the VTY line it should only effect the inbound telnet access to THAT router, not the outbound from it to anything else.

capitanuionut

Aman_saini wrote: »

lets take a example we take extended ACL and there are router 1 and router 2. taking router 2 as destination i have to put the ACL as close to source as possible in this the telnetting of both of the router are blocked. is there is any method to block telnet of router 1 to router 2 without blocking the telnet of router 2 to router 1? taking any protocol.

You if have two routers

R1

R2
192.168.1.1/30 192.168.1.2/30

For blocking telnet access on router R2 using acls you can define one standard access list that permits access only the desired users and deny everyone else and apply it to vty lines of R2 with ip access-class <acl> command. If no user needs to access telnet then you better don't configure the vty lines for R2 and telnet will not be permited.

You can also define an extended access list and put it as close as possible to the source...
ip access-list 100 deny tcp any host 192.168.1.2 eq 23
but this will only complicate stuff if you don't need to allow someone to access the R2...

Aman_saini

billyr wrote: »

Telnet would not be blocked to both routers, only the one that you specify in the destination address.

Its probably easier though to use a standard access list applied to the VTY Lines to stop telnet access

what if i am trying to stop ftp
i m struggling with the point that if i place extended access list then i end up with blocking ftp both sides of the router. ftp is the example

MrBrian

Aman_saini wrote: »

what if i am trying to stop ftp
i m struggling with the point that if i place extended access list then i end up with blocking ftp both sides of the router. ftp is the example

What command did you try configuring exactly? With extended access lists you can get pretty specific as to what you want blocked i.e. source and destination addresses of the packets as well as the protocol you want (ftp in your case)...

then it's just a matter of applying the list to the correct interface. Just look at your topology and see if you want the list to check packets coming in a certain interface, or going out a certain interface... If you're unfamiliar with the syntax try using the ? after each argument to see what you need next

Aman_saini

ok buddy give me ur email address i ll send you my packet tracer file in i was trying to block telnet from one side.

MrRyte

Aman_saini wrote: »

ok buddy give me ur email address i ll send you my packet tracer file in i was trying to block telnet from one side.

:

Maybe I'm misreading your post but it seems that you're getting a little annoyed for some reason.....?

Eildor

Question: If you have two routers and you are trying to set up an ACL on one to block telnet to the other -- isn't there an issue with applying the ACL to the source router as it (the source router) originated the traffic?

Aman_saini

Eildor wrote: »

Question: If you have two routers and you are trying to set up an ACL on one to block telnet to the other -- isn't there an issue with applying the ACL to the source router as it (the source router) originated the traffic?

i think yes you are right.

but its not the answer to my question, i want to block telnet from one side

Eildor

Aman_saini wrote: »

i think yes you are right.
but its not the answer to my question, i want to block telnet from one side

Send me the Packet Tracer file eildor@hotmail.co.uk

Eildor

You need to add a "permit ip any any" statement to your ACL. Remember that there is an implicit deny at the end of every ACL, and since you have no permit statements all traffic is denied.

MrBrian

Eildor wrote: »

You need to add a "permit ip any any" statement to your ACL. Remember that there is an implicit deny at the end of every ACL, and since you have no permit statements all traffic is denied.

Think of the access-list as a set of rules for the packets to follow. Let's say you apply the access-list to an interface or vty line for the direction "in." So now that you applied this list, all packets attempting to come "in" on this interface/line will have to pass all the rules you have made in your list. Each packet will go through the list from top to bottom, and if it matches a deny statement, it's done.

And like Eildor said, the thing to remember with these access-lists is that there is an implicit deny (which means you don't see that rule, but it's there) automatically at the end of each list. So if you make a list denying a 'little of this' and denying a 'little of that' but don't put a permit statement anywhere, then ALL traffic will be denied because that invisible deny is sitting there at the end of the list... it took me awhile to understand this at first too!! Hope this helps

Aman_saini

Eildor wrote: »

You need to add a "permit ip any any" statement to your ACL. Remember that there is an implicit deny at the end of every ACL, and since you have no permit statements all traffic is denied.

thankyou very much
i m how stupid forgetting basic command

Aman_saini

MrBrian wrote: »

Think of the access-list as a set of rules for the packets to follow. Let's say you apply the access-list to an interface or vty line for the direction "in." So now that you applied this list, all packets attempting to come "in" on this interface/line will have to pass all the rules you have made in your list. Each packet will go through the list from top to bottom, and if it matches a deny statement, it's done.

And like Eildor said, the thing to remember with these access-lists is that there is an implicit deny (which means you don't see that rule, but it's there) automatically at the end of each list. So if you make a list denying a 'little of this' and denying a 'little of that' but don't put a permit statement anywhere, then ALL traffic will be denied because that invisible deny is sitting there at the end of the list... it took me awhile to understand this at first too!! Hope this helps

ya thanx i appreciate it really help me....

Eildor

Aman_saini wrote: »

thankyou very much
i m how stupid forgetting basic command

No problem, glad I could help.