packet tracer extended ACL with Telnet

alliasneo Member Posts: 186
Hi Guys,

I have a simple setup of a router and two PCs. I've tried a standard ACL to allow a host to the destination and the telnet works fine.

I have now tried to be more specific and I have added the extended ACL to the vty lines, but the connection is still refused. If I run a simulation and the packet is sent to the router I get the following:


Anyone else had this problem or know why this is happening? Have I configured something incorrectly?

Router#sh access-list
Extended IP access list 101
permit tcp host 172.12.123.1 host 172.12.123.254 eq telnet
deny tcp any any eq telnet

Thanks

Comments

  • CodeBlox Member Posts: 1,363
    Usually when an entry in the ACL is matched, the "matched counter" (or whatever it's called) gets incremented. I do not see that in your access list so... Anyway, have you actually configured the router to allow telnet sessions?
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • Concerned Water Member Posts: 338
    Need more info. Are you using router on a stick?
    Reading: CCNP Route FLG, Routing TCP/IP Vol. 1
    SWITCH [x] ROUTE [ ] TSHOOT [ ] VCP6-NV [ ]
  • alliasneo Member Posts: 186
    No, no vlans or anything. Just all in vlan 1. Here's my config:

    Router#sh run
    Building configuration...


    Current configuration : 867 bytes
    !
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname Router
    !
    !
    !
    enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    ip address 172.12.123.254 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    no ip address
    duplex auto
    speed auto
    shutdown
    !
    interface Serial2/0
    no ip address
    clock rate 2000000
    shutdown
    !
    interface Serial3/0
    no ip address
    clock rate 2000000
    shutdown
    !
    interface FastEthernet4/0
    no ip address
    shutdown
    !
    interface FastEthernet5/0
    no ip address
    shutdown
    !
    ip classless
    !
    !
    access-list 101 permit tcp host 172.12.123.1 host 172.12.123.254 eq telnet
    access-list 101 deny tcp any any eq telnet
    !
    !
    !
    !
    !
    line con 0
    line vty 0 4
    access-class 101 in
    password login
    login
    !
    !
    !
    end



    Router#Extended IP access list 101
    permit tcp host 172.12.123.1 host 172.12.123.254 eq telnet
    deny tcp any any eq telnet (15 match(es))
    Router#

    ________________________________________


    Just tried a couple of telnets and the deny statement is incrementing? In the simulation mode though it doesn't mention the deny statement or the access list when I click on the packets. I'm just wondering if this is something that doesn't work in packet tracer?
  • Ramair2k Member Posts: 32
    Is the host that you are trying to telnet from configured correctly with the IP? Also is your fast eth interface that the host is connected to in an up/up state? Can you ping the router fastE interface?
  • CodeBlox Member Posts: 1,363
    It doesn't look like the vty line is setup to allow telnet sessions. Try adding:
    line vty 0
    transport input telnet
    
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • fsanyee Member Posts: 171
    VTY lines use only telnet or SSH. I think it doesn't make much sense to write an extended access list to allow telnet or SSH access, because nothing else works on VTY lines.
    Keep it simple: use a standard access list and transport input telnet, SSH, or both.
  • Ramair2k Member Posts: 32
    fsanyee wrote: »
    VTY lines use only telnet or SSH. I think it doesn't make much sense to write an extended access list to allow telnet or SSH access, because nothing else works on VTY lines.
    Keep it simple: use a standard access list and transport input telnet, SSH, or both.

    If he uses a standard ACL, he can only deny a particular host from ingressing that router's interface and cannot filter based on protocol. I think this is why he wanted to filter out specifically telnet for the host. He can make it work using an extended ACL but has to do the following:


    access-list 101 permit tcp host 172.12.123.1 0.0.0.0 172.12.123.254 eq telnet
    access-list 101 deny tcp any any eq telnet


    Apply this ACL by first removing the original and then adding in the above lines. Try that out. You need to add the wildcard masks to specify matching that host's IP address ONLY, hence adding in the 0.0.0.0. This says to match all octets.
  • CodeBlox Member Posts: 1,363
    Ramair2k wrote:
    access-list 101 permit tcp host 172.12.123.1 0.0.0.0 172.12.123.254 eq telnet
    access-list 101 deny tcp any any eq telnet

    ... Your first line is redundant. The "host" keyword makes it so you don't need to specify the 0.0.0.0 wildcard for the source. Maybe you meant to put that after the destination. Even so, 172.12.123.254 0.0.0.0 gets changed to "host 172.12.123.254" after being added to the ACL.
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
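    To model the matching Ramair2k and CodeBlox are discussing, here is an added Python example (not code from the thread or from IOS): a small evaluator with IOS wildcard-mask semantics and first-match order. It treats `host A` as `A 0.0.0.0`, so the poster's ACL and a variant with an explicit `0.0.0.0` wildcard on the destination give identical results, and it shows that the explicit `deny tcp any any eq telnet` only changes which entry a rejected telnet attempt is counted against, while an SSH attempt falls through to the implicit deny. The packets and the second ACL are constructed; only the `eq PORT` qualifier is supported.

```python
import ipaddress
from collections import namedtuple

PORTS = {"telnet": 23, "ssh": 22}  # port keywords IOS accepts after "eq"
Packet = namedtuple("Packet", "src dst proto dport")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') -> (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":  # 'host A' is shorthand for 'A 0.0.0.0'
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (the subset used here)."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, dst = parse_addr(rest), parse_addr(rest)
    dport = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl:
        action, proto, src, dst, dport = parse_ace(line)
        if (proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, *src) and wildcard_match(pkt.dst, *dst)
                and (dport is None or dport == pkt.dport)):
            return action, line
    return "deny", "implicit deny"

# The poster's ACL, and (constructed) the same policy with an explicit 0.0.0.0 wildcard
# on the destination, the form CodeBlox says IOS rewrites back to 'host 172.12.123.254'.
OP_ACL = ["access-list 101 permit tcp host 172.12.123.1 host 172.12.123.254 eq telnet",
          "access-list 101 deny tcp any any eq telnet"]
WILDCARD_ACL = [OP_ACL[0].replace("host 172.12.123.254", "172.12.123.254 0.0.0.0"), OP_ACL[1]]

def check(acl):
    """Action and matching entry for three constructed connection attempts to the router."""
    pkts = {"telnet_from_allowed_host": Packet("172.12.123.1", "172.12.123.254", "tcp", 23),
            "telnet_from_other_host": Packet("172.12.123.2", "172.12.123.254", "tcp", 23),
            "ssh_from_allowed_host": Packet("172.12.123.1", "172.12.123.254", "tcp", 22)}
    return {name: evaluate(acl, p) for name, p in pkts.items()}
```

    `check(OP_ACL)` and `check(WILDCARD_ACL)` return the same actions for all three attempts, which is the equivalence CodeBlox describes.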
  • fsanyee Member Posts: 171
    Ramair2k wrote: »
    If he uses a standard ACL, he can only deny a particular host from ingressing that router's interface and cannot filter based on protocol. I think this is why he wanted to filter out specifically telnet for the host. He can make it work using an extended ACL but has to do the following:

    access-list 101 permit tcp host 172.12.123.1 0.0.0.0 172.12.123.254 eq telnet
    access-list 101 deny tcp any any eq telnet

    Apply this ACL by first removing the original and then adding in the above lines. Try that out. You need to add the wildcard masks to specify matching that host's IP address ONLY, hence adding in the 0.0.0.0. This says to match all octets.

    This isn't working either. He doesn't want to apply this ACL on an interface, he wants to apply it on the vty lines. It's like you want to allow ships to use the sea and deny cars, bikes and everything else...
  • lantech Member Posts: 329
    Don't you have to apply the ACLs to the specific interface? It's been a while since I studied ACLs.

    Shouldn't the fa0/0 config look something like this:

    interface FastEthernet0/0
    ip address 172.12.123.254 255.255.255.0
    ip access-group 101 in
    duplex auto
    speed auto
    2012 Certification Goals

    CCENT: 04/16/2012
    CCNA: TBD