Extended ACL question

altdrugz Member Posts: 69 ■■□□□□□□□□
Hello, I'm doing some labs in GNS3 and I can't figure out why the following isn't working. What I want to do is to deny the outbound telnet connections from a specific host (192.168.1.2) to the destination (192.168.1.21). As you can see everything matches the line 20 rule... and I can telnet from that host to the remote router :S.

R3(config-if)#do show access-lists
Extended IP access list 105
10 deny tcp host 192.168.1.2 eq telnet host 192.168.1.21
20 permit ip any any (157 matches)

I also tried setting the ip access-group 105 out to the "inside" fast ethernet interface and not the serial WAN link but still the same (I guess something is wrong with the syntax?)
PS: I managed to do so with a standard ACL but I don't want to deny everything.
Thanks in advance.

Comments

  • networker050184 Mod Posts: 11,962
    Do you have a diagram? Where is the ACL currently?
    An expert is a man who has made all the mistakes which can be made.
  • altdrugz Member Posts: 69 ■■□□□□□□□□
    PicPaste - ACL-MXgxwRZI.png ACL is in R3. Is this happening because host is in a subnet?

    I tried also the following ->

    access-list 105 deny tcp 192.168.1.0 0.0.0.7 eq telnet 192.168.1.20 0.0.0.3

    but it wasn't working either :s
  • iamme4eva Member Posts: 272
    When initiating a telnet connection, you are connecting to a destination port of 23 (implied by the keyword telnet) from a source port randomly generated by the host.

    Your ACL is the wrong way around - the DESTINATION port should eq telnet, not the source port.

    Try:

    10 deny tcp host 192.168.1.2 host 192.168.1.21 eq telnet
    Current objective: CCNA Security
    My blog: mybraindump.co.uk
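    To make the port-position point concrete, here is a small Python evaluator for the extended-ACL syntax used in this thread. It is an added example, not from the forum posters or from Cisco IOS: the parser, the port-name table and the constructed packets are my own assumptions, and it models only host/wildcard/any addresses, an optional "eq <port>" after each address, first-match evaluation and the implicit deny at the end. Run against an outbound telnet SYN (random source port, destination port 23), the original line 10 falls through to "permit ip any any", while the corrected line is hit.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lookup for the port keywords this evaluator understands.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass
class Packet:
    """A single TCP/IP packet as seen by the ACL (constructed for the example)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (net, wildcard, consumed)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, 2
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), 2)


def _parse_port(tokens):
    """Parse an optional 'eq <port>'; return (port or None, consumed)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), 2
    return None, 0


def parse_ace(line):
    """Parse one access-control entry, e.g. '10 deny tcp host A eq telnet host B'."""
    tokens = line.split()
    if tokens[0].isdigit():          # optional leading sequence number
        tokens = tokens[1:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, n = _parse_addr(rest)[:2], _parse_addr(rest)[2]
    rest = rest[n:]
    sport, n = _parse_port(rest)      # port keyword here applies to the SOURCE
    rest = rest[n:]
    dst, n = _parse_addr(rest)[:2], _parse_addr(rest)[2]
    rest = rest[n:]
    dport, n = _parse_port(rest)      # port keyword here applies to the DESTINATION
    return {"action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_match(addr, net_wc):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wc = net_wc
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not _addr_match(pkt.src, ace["src"]) or not _addr_match(pkt.dst, ace["dst"]):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Constructed traffic: the outbound telnet SYN from the thread's host (ephemeral
# source port, destination port 23) and, for contrast, a packet that really does
# have SOURCE port 23, i.e. 192.168.1.2 acting as the telnet server.
TELNET_SYN = Packet("tcp", "192.168.1.2", 51234, "192.168.1.21", 23)
SERVER_REPLY = Packet("tcp", "192.168.1.2", 23, "192.168.1.21", 40000)

ORIGINAL_ACL = ["10 deny tcp host 192.168.1.2 eq telnet host 192.168.1.21",
                "20 permit ip any any"]
CORRECTED_ACL = ["10 deny tcp host 192.168.1.2 host 192.168.1.21 eq telnet",
                 "20 permit ip any any"]


def demo():
    """Return (original verdict, corrected verdict) for the outbound telnet SYN."""
    return evaluate(ORIGINAL_ACL, TELNET_SYN), evaluate(CORRECTED_ACL, TELNET_SYN)


if __name__ == "__main__":
    print("original ACL, outbound telnet:", demo()[0])     # permit (rule 10 never matches)
    print("corrected ACL, outbound telnet:", demo()[1])    # deny
    print("original ACL, src port 23:", evaluate(ORIGINAL_ACL, SERVER_REPLY))  # deny
```

    The last line of the demo shows what the original entry actually filters: traffic leaving 192.168.1.2 from port 23, which only exists if that host is itself the telnet server. The same evaluator also accepts the wildcard form tried later in the thread, as long as the "eq telnet" sits after the destination address.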
  • altdrugz Member Posts: 69 ■■□□□□□□□□
    haha doh! thanks iamme4eva... This thing burns my head seriously...
  • iamme4eva Member Posts: 272
    Don't thank me til you've tried it - I haven't actually tested it!

    You'll get there - just keep practicing.
    Current objective: CCNA Security
    My blog: mybraindump.co.uk
  • altdrugz Member Posts: 69 ■■□□□□□□□□
    It's working now. Ty.
  • DANMOH009 Member Posts: 241
    I love ACLs and this is the reason why! When you do figure it out and it's working you do feel a real sense of accomplishment.
  • kambalpogi Member Posts: 38 ■■□□□□□□□□
    Great thing you figured it out
    ACLs are the best !
    Good luck with your studies!