ACL not working

alliasneo Member Posts: 186
Hi,

Can anyone help me with this. I can't seem to get this ACL working correctly. I'm trying to use an extended list to block telnet traffic but even though I have allowed the traffic through it is still blocked:




Thanks

Comments

  • ram1101 Member Posts: 32 ■■□□□□□□□□
    Remove the deny at the end... there is an implicit deny for standard ACLs.
  • MAC_Addy Member Posts: 1,740 ■■■■□□□□□□
    This should be an easy one if you're actually CCNA certified...
    2017 Certification Goals:
    CCNP R/S
  • DCD Member Posts: 473 ■■■■□□□□□□
    What have you done to troubleshoot this? The fix is pretty simple; also, this is not the normal way you permit/block VTY access. And you should add the running config.
  • Master Of Puppets Member Posts: 1,210
    MAC_Addy wrote: »
    This should be an easy one if you're actually CCNA certified...

    Valid point.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • chX Member Posts: 100 ■■■□□□□□□□
    I can see exactly what the problem is, but after thinking about it... I don't recall ever learning why it works like this from my CCNA studies.

    I'll be "that guy" and point out that you need to change the ACL to:
    access-list 100 permit tcp host 10.0.0.2 any eq telnet log

    Or just use a standard ACL.

    I had to do a bit of research to find this out, but it seems the destination IP is stripped from the telnet packet before the ACL applied with access-class is processed. Which is why you're seeing this in your logs:

    list 100 denied tcp 10.0.0.2(32066) -> 0.0.0.0(23)


    I have a feeling this is to do with the fact that you can have multiple IP addresses on a router, but I'm not really sure. If anyone could expand on the specifics of this, I'd love to know. And if this does get covered in the CCNA, could you point me to where? I really don't remember learning this.
    2019 Goals:
    [ ] Recertify CCNA
  • bermovick Member Posts: 1,135 ■■■■□□□□□□
    I actually labbed this this morning, as I wasn't certain why that wouldn't work either, and noticed the same thing - changing the DEST address to any worked (as would, of course, making it a standard ACL as is suggested), but the specific destination address would not. I didn't have time to research why, so +1 to you chX for researching it and enlightening us all!

    And I agree, I don't recall in any of my studies it ever being explained why that wouldn't work, as the syntax appeared to be valid.
    Latest Completed: CISSP

    Current goal: Dunno
  • DCD Member Posts: 473 ■■■■□□□□□□
    It's not covered in the CCNA.
  • Blackout Member Posts: 512 ■■■■□□□□□□
    DCD wrote: »
    It's not covered in the CCNA.

    Are you seriously stating that ACLs are not covered in the CCNA?
    Current Certification Path: CCNA, CCNP Security, CCDA, CCIE Security

    "Practice doesn't make perfect. Perfect practice makes perfect"

    Vincent Thomas "Vince" Lombardi
  • chX Member Posts: 100 ■■■□□□□□□□
    Blackout wrote: »
    Are you seriously stating that ACLs are not covered in the CCNA?

    Have a read of my post. I think he's stating that the answer to "why" it works this way is not covered in the CCNA, not ACLs in general.
    2019 Goals:
    [ ] Recertify CCNA
  • Blackout Member Posts: 512 ■■■■□□□□□□
    chX wrote: »
    Have a read of my post. I think he's stating that the answer to "why" it works this way is not covered in the CCNA, not ACLs in general.

    Not the first time I have read something wrong, I need more coffee.
    Current Certification Path: CCNA, CCNP Security, CCDA, CCIE Security

    "Practice doesn't make perfect. Perfect practice makes perfect"

    Vincent Thomas "Vince" Lombardi
  • DCD Member Posts: 473 ■■■■□□□□□□
    Blackout wrote: »
    Not the first time I have read something wrong, I need more coffee.

    LOL, Thanks chX
    PS where did you find that info?
  • alliasneo Member Posts: 186
    Thanks chX. That worked perfectly.

    I did a ton of ACLs when working towards my CCNA and I never came across this problem, which I'm amazed about.

    Sure I could have just used a standard ACL but when you want to try something out you might as well just do it.

    So the router strips off the destination address? And this statement

    list 100 denied tcp 10.0.0.2(32066) -> 0.0.0.0(23)

    is saying: deny this particular host going to anything (0.0.0.0) on port 23.

    Hmmm interesting.
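The following is an added example, not code from the thread or from Cisco. It is a small Python model of first-match numbered-ACL evaluation that reproduces what chX found and what alliasneo reads out of the log line: when an ACL is applied with `access-class ... in`, the destination the ACL sees is 0.0.0.0, so an ACE naming a specific destination host never matches, while `any` (or a standard ACL, which never looks at the destination) does. The "broken" configuration is a constructed reconstruction of what the original poster presumably had (that config is not in the thread); 10.0.0.1 is an assumed router address, and the port keyword table and the 0.0.0.0 destination are modelling assumptions taken from the thread's own log output.

```python
"""Model of how a Cisco IOS numbered ACL is evaluated for inbound VTY access.

Constructed example (not from the thread, not Cisco code). It models the
behaviour the thread reports: with 'access-class <n> in', the destination
address presented to the ACL is 0.0.0.0, so an ACE that names a specific
destination host never matches, while 'any' or a standard ACL does.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL = (0, 0xFFFFFFFF)                   # 0.0.0.0 with wildcard 255.255.255.255 == "any"
PORT_NAMES = {"telnet": 23, "ssh": 22}  # the only port keywords this toy parser knows


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (standard ACL) or e.g. "tcp"
    src: tuple             # (address, wildcard) as 32-bit ints
    dst: tuple
    dport: Optional[int]   # destination port from "eq", if any
    log: bool              # "log" keyword present


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _is_ip(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def _parse_addr(t, i, require_mask):
    """Parse 'any' | 'host A' | 'A W' (or bare 'A' in a standard ACL) at t[i]."""
    if t[i] == "any":
        return ALL, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    addr = _ip(t[i])
    if require_mask or (i + 1 < len(t) and _is_ip(t[i + 1])):
        return (addr, _ip(t[i + 1])), i + 2
    return (addr, 0), i + 1             # bare address in a standard ACL means host


def parse_acl(config_text):
    """Parse 'access-list N ...' lines into {N: [Ace, ...]} in configured order."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "access-list":
            continue                                   # not an ACL statement
        num, action = int(t[1]), t[2]
        standard = num <= 99 or 1300 <= num <= 1999    # numbered standard ACL ranges
        if standard:
            src, i = _parse_addr(t, 3, require_mask=False)
            ace = Ace(action, "ip", src, ALL, None, "log" in t[i:])
        else:
            src, i = _parse_addr(t, 4, require_mask=True)
            dst, i = _parse_addr(t, i, require_mask=True)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
                i += 2
            ace = Ace(action, t[3], src, dst, dport, "log" in t[i:])
        acls.setdefault(num, []).append(ace)
    return acls


def _addr_match(entry, packet_addr):
    addr, wild = entry
    care = ~wild & 0xFFFFFFFF           # wildcard bit 1 means "don't care"
    return (packet_addr & care) == (addr & care)


def evaluate(aces, proto, src, dst, dport):
    """First-match evaluation; the implicit deny at the end does not log."""
    for a in aces:
        if a.proto in ("ip", proto) and _addr_match(a.src, _ip(src)) \
                and _addr_match(a.dst, _ip(dst)) and a.dport in (None, dport):
            return a.action, a.log
    return "deny", False


def vty_check(acls, num, src, dport=23):
    """Model 'access-class <num> in': destination seen by the ACL is 0.0.0.0 (assumption from the thread's log)."""
    return evaluate(acls[num], "tcp", src, "0.0.0.0", dport)


# Constructed configs. 10.0.0.1 stands in for the router's own address in the
# ACE the original poster presumably wrote; that line is not in the thread.
BROKEN_CFG = """
access-list 100 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log
access-list 100 deny ip any any log
"""
FIXED_CFG = "access-list 100 permit tcp host 10.0.0.2 any eq telnet log\n"
STANDARD_CFG = "access-list 10 permit host 10.0.0.2\n"


def compare(src="10.0.0.2"):
    """Evaluate one source address against all three ACLs; returns {name: (action, logged)}."""
    return {
        "broken":   vty_check(parse_acl(BROKEN_CFG), 100, src),
        "fixed":    vty_check(parse_acl(FIXED_CFG), 100, src),
        "standard": vty_check(parse_acl(STANDARD_CFG), 10, src),
    }


if __name__ == "__main__":
    for name, (action, logged) in compare().items():
        print(f"{name:9s} -> {action}{' (logged)' if logged else ''}")
```

Running it shows the "broken" ACL falling through to its explicit `deny ip any any log` (which is what produced the `denied ... -> 0.0.0.0(23)` line), the `any` version permitting, and the standard ACL permitting without a log entry; a source not listed in any ACE hits the implicit deny, which produces no log line at all, so a missing log entry is not evidence that a connection got through.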