ACL not working

Hi,

Can anyone help me with this. I can't seem to get this ACL working correctly. I'm trying to use an extended list to block telnet traffic but even though I have allowed the traffic through it is still blocked:

Thanks

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

ram1101

remove the deny at the end...it is an implicit denied for standard acls

MAC_Addy

This should be an easy one if you're actually CCNA certified...

DCD

What have you done to troubleshoot this? The fix is pretty simple also this is not the normal way you permit/block VTY access. And you should add the running config.

Master Of Puppets

MAC_Addy wrote: »

This should be an easy one if you're actually CCNA certified...

Valid point.

chX

I can see exactly what the problem is, but after thinking about it... I don't recall ever learning why it works like this from my CCNA studies.

I'll be "that guy" and point out that you need to change the ACL to:

access-list 100 permit tcp host 10.0.0.2 any eq telnet log

Or just use a standard ACL.

I had to do a bit of research to find this out, but it seems the destination IP is stripped from the telnet packet before the ACL applied with access-class is processed. Which is why you're seeing this in your logs:

list 100 denied tcp 10.0.0.2(32066) -> 0.0.0.0(23)

I have a feeling this is to do with the fact that you can have multiple IP addresses on a router, but I'm not really sure. If anyone could expand on the specifics of this, I'd love to know. And if this does get covered in the CCNA, could you point me to where? I really don't remember learning this.

bermovick

I actually labbed this this morning, as I wasn't certain why that wouldn't work either, and noticed the same thing - changing the DEST address to any worked (as would, of course, making it a standard ACL as is suggested), but the specific destination address would not. I didn't have time to research why, so +1 to you chX for researching it and enlightening us all!

And I agree, I don't recall in any of my studies it ever being explained why that wouldn't work, as the syntax appeared to be valid.

DCD

It not covered in the CCNA.

Blackout

DCD wrote: »

It not covered in the CCNA.

Are you seriously stating that ACL are not covered in the CCNA?

chX

Blackout wrote: »

Are you seriously stating that ACL are not covered in the CCNA?

Have a read of my post. I think he's stating that the answer to "why" it works this way is not covered in the CCNA, not ACLs in general.

Blackout

chX wrote: »

Have a read of my post. I think he's stating that the answer to "why" it works this way is not covered in the CCNA, not ACLs in general.

Not the first time I have read something wrong, I need more coffee.

DCD

Blackout wrote: »

Not the first time I have read something wrong, I need more coffee.

LOL, Thanks chX
PS where did you find that info?

alliasneo

thanks chX. That worked perfectly.

I did a ton of ACL'S when working towards my CCNA and I never came across this problem which I'm amazed about.

Sure I could have just used a standard ACL but when you want to try something out you might as well just do it.

So the router strips off the destination address? and this statement

#list 100 denied tcp 10.0.0.2(32066) -> 0.0.0.0(23)

is saying denied this particular host going to anything (0.0.0.0) on port 23.

Hmmm interesting.