Extended ACL question
altdrugz
Member Posts: 69 ■■□□□□□□□□
in CCNA & CCENT
Hello, I'm doing some labs in GNS3 and I can't figure out why the following isn't working. What I want to do is to deny the outbound telnet connections from a specific host (192.168.1.2) to the destination (192.168.1.21). As you can see everything matches the line 20 rule... and I can telnet from that host to the remote router :S.
R3(config-if)#do show access-lists
Extended IP access list 105
10 deny tcp host 192.168.1.2 eq telnet host 192.168.1.21
20 permit ip any any (157 matches)
I also tried setting the ip access-group 105 out to the "inside" fast ethernet interface and not the serial WAN link but still the same (I guess something is wrong with the syntax?)
PS: I managed to do so with a standard ACL but I don't want to deny everything.
Thanks in advance.
Comments
-
networker050184 Mod Posts: 11,962 Mod
Do you have a diagram? Where is the ACL currently?
An expert is a man who has made all the mistakes which can be made.
-
altdrugz Member Posts: 69 ■■□□□□□□□□
PicPaste - ACL-MXgxwRZI.png
ACL is in R3. Is this happening because host is in a subnet?
I tried also the following ->
access-list 105 deny tcp 192.168.1.0 0.0.0.7 eq telnet 192.168.1.20 0.0.0.3
but wasn't working as well
-
iamme4eva Member Posts: 272
When initiating a telnet connection, you are connecting to a destination port of 23 (implied by the keyword telnet) from a source port randomly generated by the host.
Your ACL is the wrong way around - the DESTINATION port should eq telnet, not the source port.
Try:
10 deny tcp host 192.168.1.2 host 192.168.1.21 eq telnet
Current objective: CCNA Security
My blog: mybraindump.co.uk
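To make the point in the answer above concrete, here is an added example (not code from the thread or from Cisco) that models how an IOS extended ACL evaluates a packet: entries are tried in sequence order, the first match wins, an unmatched packet hits the implicit deny, "host X" is a 0.0.0.0 wildcard, and "eq <port>" applies to whichever address it follows. It runs a constructed telnet SYN (192.168.1.2, ephemeral source port, to 192.168.1.21 port 23) through the ACL as first posted, the subnet variant, and the corrected entry; the ephemeral source port 51234 and the wildcard-matching helper are assumptions of the example, not something the thread states.

```python
"""Toy model of Cisco IOS extended-ACL matching (added example, not from the thread).

Assumptions: first matching entry wins, an unmatched packet hits the implicit deny,
'host X' means wildcard 0.0.0.0, and 'eq <port>' binds to the address it follows.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TELNET = 23


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; "tcp" only TCP
    src: str
    src_wild: str                # IOS wildcard: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str
    sport: Optional[int] = None  # 'eq' written after the source address
    dport: Optional[int] = None  # 'eq' written after the destination address


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """IOS wildcard-mask comparison: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wild):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wild):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry; ("deny", None) is the implicit deny."""
    for e in sorted(acl, key=lambda x: x.seq):
        if entry_matches(e, p):
            return e.action, e.seq
    return "deny", None


# Constructed packet: the host's telnet SYN. The source port is ephemeral (chosen by
# the host, 51234 here is made up); the destination port is 23.
TELNET_SYN = Packet("tcp", "192.168.1.2", 51234, "192.168.1.21", TELNET)

PERMIT_ANY = Entry(20, "permit", "ip", "0.0.0.0", "255.255.255.255",
                   "0.0.0.0", "255.255.255.255")

# Entry 10 as first posted: 'eq telnet' follows the source, so it tests the SOURCE port.
ACL_AS_POSTED = [
    Entry(10, "deny", "tcp", "192.168.1.2", "0.0.0.0", "192.168.1.21", "0.0.0.0", sport=TELNET),
    PERMIT_ANY,
]

# The subnet variant from the thread: wildcards match, but the port is still on the source side.
ACL_SUBNET_VARIANT = [
    Entry(10, "deny", "tcp", "192.168.1.0", "0.0.0.7", "192.168.1.20", "0.0.0.3", sport=TELNET),
    PERMIT_ANY,
]

# Entry 10 as corrected in the thread: 'eq telnet' follows the destination.
ACL_CORRECTED = [
    Entry(10, "deny", "tcp", "192.168.1.2", "0.0.0.0", "192.168.1.21", "0.0.0.0", dport=TELNET),
    PERMIT_ANY,
]

if __name__ == "__main__":
    for name, acl in [("as posted", ACL_AS_POSTED),
                      ("subnet variant", ACL_SUBNET_VARIANT),
                      ("corrected", ACL_CORRECTED)]:
        print(f"{name:15s} -> {evaluate(acl, TELNET_SYN)}")
```

Running it shows the posted entry and the subnet variant both fall through to "permit 20", which is exactly the counter that was incrementing in the show access-lists output, while the corrected entry returns "deny 10". The posted entry would only ever deny a packet leaving 192.168.1.2 from source port 23, i.e. the replies of a telnet server running on that host, not a client session it initiates.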
-
altdrugz Member Posts: 69 ■■□□□□□□□□
haha doh! thanks iamme4eva... This thing burns my head seriously...
-
iamme4eva Member Posts: 272
Don't thank me til you've tried it - I haven't actually tested it!
You'll get there - just keep practicing.
Current objective: CCNA Security
My blog: mybraindump.co.uk
-
DANMOH009 Member Posts: 241
I love ACLs and this is the reason why! When you do figure it out and it's working you do feel a real sense of accomplishment.
-
kambalpogi Member Posts: 38 ■■□□□□□□□□
Great thing you figured it out
ACLs are the best!
Good luck with your studies!