Extended ACL question

altdrugzaltdrugz Member Posts: 69 ■■□□□□□□□□
Hello, Im doing some labs in GNS3 and I cant figure out why the following isnt working. What I want to do is to deny the outbound telnet connections from a specific host (192.168.1.2) to the destination (192.168.1.21). As you can see everything matches the line 20 rule... and I can telnet from that host the remote router :S.

R3(config-if)#do show access-lists
Extended IP access list 105
10 deny tcp host 192.168.1.2 eq telnet host 192.168.1.21
20 permit ip any any (157 matches)

I also tried setting the ip access-group 105 out to the "inside" fast ethernet interface and not the serial WAN link but still the same (i guess something is wrong with the syntax?)
PS: I managed to do so with a standard ACL but I dont want to deny everything.
Thanks in advance.

Comments

  • networker050184networker050184 Mod Posts: 11,962 Mod
    Do you have a diagram? Where is the ACL currently?
    An expert is a man who has made all the mistakes which can be made.
  • altdrugzaltdrugz Member Posts: 69 ■■□□□□□□□□
    PicPaste - ACL-MXgxwRZI.png ACL is in R3. Is this happening because host is in a subnet?

    I tried also the following ->

    access-list 105 deny tcp 192.168.1.0 0.0.0.7 eq telnet 192.168.1.20 0.0.0.3

    but wasnt working as well :s
  • iamme4evaiamme4eva Member Posts: 272
    When initiating a telnet connection, you are connecting to a destination port of 23 (implied by the keyword telnet) from a source port randomly generated by the host.

    Your ACL is the wrong way around - the DESTINATION port should eq telnet, not the source port.

    Try:

    10 deny tcp host 192.168.1.2 host 192.168.1.21 eq telnet
    Current objective: CCNA Security
    My blog: mybraindump.co.uk
  • altdrugzaltdrugz Member Posts: 69 ■■□□□□□□□□
    haha doh! thanks iamme4eva... This thing burns my head seriously... icon_sad.gif
  • iamme4evaiamme4eva Member Posts: 272
    Don't thank me til you've tried it - I haven't actually tested it!

    You'll get there - just keep practicing.
    Current objective: CCNA Security
    My blog: mybraindump.co.uk
  • altdrugzaltdrugz Member Posts: 69 ■■□□□□□□□□
    Its working now. Ty.
  • DANMOH009DANMOH009 Member Posts: 241
    I love ACLs and this is the reason why! when you do figure it out and its working you do feel a real sense of accomplishment.
  • kambalpogikambalpogi Member Posts: 38 ■■□□□□□□□□
    Great thing you figure it out
    ACLs are the best !
    Goodluck with your studies!
Sign In or Register to comment.