17 Replies. Latest reply: Feb 21, 2013 6:07 AM by Randika

    acl with vty

    Randika

      Hello everyone,
      On Router B I want to allow telnet access only for VLAN 2 (admin users).
      I tried many times to do that with these commands:
      access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet

      interface Serial0/0/0

      ip access-group 100 in

      but it is not working; all telnet connections are denied.

      Then I tried:

      access-list 100 deny tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet

      access-list 100 permit ip any any

      interface Serial0/0/0

      ip access-group 100 in

      This is working properly.

      Any ideas on this?

      Thanks
      Randika

        • 1. Re: acl with vty
          Krishna

          Please apply the access-list to line vty.

          R1(config)#line vty 0 15
          R1(config-line)#access-class 100 in

           

          Krishna

          • 2. Re: acl with vty
            Randika

            Thanks Krishna,
            but this works for standard access lists only, no?
            I'm talking about an extended access list.

            • 3. Re: acl with vty
              Krishna

              You are right.

              Can you please share your network diagram? I can't open your attachment.

              Krishna

              • 4. Re: acl with vty
                Krishna

                I am guessing a configuration without seeing your network diagram.

                access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet
                access-list 100 deny tcp any host 192.168.1.202 eq telnet
                access-list 100 permit ip any any

                interface Serial0/0/0
                ip access-group 100 in


                Krishna

                • 5. Re: acl with vty
                  Randika

                  It's PT version 5.3.3.

                  Thanks a lot, it's working.

                  But what is the reason it doesn't work with only this command: access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet
                  If you can, please explain it to me.

                  • 6. Re: acl with vty
                    Krishna

                    "access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet" >> This command will permit telnet connections to the host 192.168.1.202 from the 192.168.1.32/27 subnet.

                    "access-list 100 deny tcp any host 192.168.1.202 eq telnet" >> This command is written to deny any other telnet traffic going to the host 192.168.1.202.

                    "permit ip any any" >> If we don't have this command, all other traffic will be denied because of the implicit deny at the bottom of the access-list.

                    Hope I made things clear.

                    Krishna

                    • 7. Re: acl with vty
                      Randika

                      If we enter only access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet,
                      why doesn't the implicit deny apply?

                      If I don't apply the permit ip any any command, it's also not working.

                      • 8. Re: acl with vty
                        Krishna

                        If you are entering only access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet without the permit ip any any command, then you are over-denying traffic. All other traffic will hit the implicit deny and will get dropped. Hence, to avoid this, we insert the permit any any command above the implicit deny, which is at the very bottom.

                        Krishna

                        • 9. Re: acl with vty
                          Randika

                          Got it.

                          But if you can see this diagram,
                          it's working correctly with only this command:
                          access-list 110 per tcp ** 192.168.1.11 ** 192.168.1.1 eq 23
                          Any idea? [attachment: asasas.jpg]

                          • 10. Re: acl with vty
                            Krishna

                            After you configure access-list 110 per tcp ** 192.168.1.11 ** 192.168.1.1 eq 23 , are you able to ping from 192.168.1.11 to 192.168.1.1 ?

                            Krishna

                            • 11. Re: acl with vty
                              Randika

                              I can't ping. I can understand that it'll block all protocols except telnet.
                              But my question is why that command doesn't work for this diagram:
                              [attachment: wwwww.JPG]

                              • 12. Re: acl with vty
                                Krishna

                                What are you trying to accomplish in this network?

                                Krishna

                                • 13. Re: acl with vty
                                  Randika

                                  I want to allow telnet access only for VLAN 2 (admin users) on Router B.
                                  I'm asking why I can't do this with only these three:

                                  access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet

                                  interface Serial0/0/0

                                  ip access-group 100 in

                                  • 14. Re: acl with vty
                                    Krishna

                                    "access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet"

                                    By configuring the above access-list statement, you will achieve the goal of permitting telnet traffic from the 192.168.1.32/27 network to host 192.168.1.202.

                                    But all other traffic will get denied because of the implicit deny. In order to avoid this you will have to use permit any any.

                                    Problem is, if you add permit any any as the 2nd line of the ACL, telnet traffic from all other sources will match the 2nd line and will eventually be permitted to telnet to the host 192.168.1.202.

                                    To avoid this we need a deny statement that blocks any other telnet traffic to the host 192.168.1.202, and this statement has to be placed above the permit any any statement.

                                    So the final config should be:

                                    access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet
                                    access-list 100 deny tcp any host 192.168.1.202 eq telnet
                                    access-list 100 permit ip any any

                                    Hope I made this clear now!!


                                    Krishna
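
The behaviour Krishna describes in the last reply (first match wins, an invisible deny at the end of every ACL, and the ordering trap when permit ip any any sits directly under the admin permit) can be checked without a router. The Python evaluator below is an added example for this page, not code from the thread, from Packet Tracer or from Cisco IOS; it models only the subset of numbered extended ACL syntax used above (any, host, address plus wildcard mask, optional eq port). The sample packets, including the hosts 192.168.1.40, 192.168.1.70 and 192.168.1.210 and the PORT_NAMES table, are constructed for the demonstration and are not taken from the attached diagrams.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port keywords accepted after "eq" (demo subset, assumption for this example)
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str
    src_wc: str           # IOS wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wc: str
    dport: Optional[int]  # None when the entry has no "eq <port>"


def _parse_addr(tok: List[str], i: int):
    """Consume an IOS address spec at tok[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <num> <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = t[2], t[3]
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard compare: every bit that is 0 in the mask must be equal."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: List[str], pkt: Packet) -> str:
    """Return the action of the first matching entry, else the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"  # every IOS ACL ends with an unwritten "deny ip any any"


# The three ACL variants from the thread, addresses exactly as posted.
ACL_PERMIT_ONLY = [
    "access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet",
]
ACL_PERMIT_THEN_ANY = ACL_PERMIT_ONLY + ["access-list 100 permit ip any any"]
ACL_FINAL = ACL_PERMIT_ONLY + [
    "access-list 100 deny tcp any host 192.168.1.202 eq telnet",
    "access-list 100 permit ip any any",
]

# Constructed sample traffic: .40 lies inside 192.168.1.32/27 (the admin VLAN),
# .70 does not. These hosts are assumptions, not taken from the diagrams.
PACKETS: Dict[str, Packet] = {
    "admin_telnet": Packet("tcp", "192.168.1.40", "192.168.1.202", 23),
    "other_telnet": Packet("tcp", "192.168.1.70", "192.168.1.202", 23),
    "admin_ping": Packet("icmp", "192.168.1.40", "192.168.1.202"),
    "other_web": Packet("tcp", "192.168.1.70", "192.168.1.210", 80),
}


def classify(acl: List[str]) -> Dict[str, str]:
    """Evaluate every sample packet against one ACL variant."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("permit only", ACL_PERMIT_ONLY),
                       ("permit + permit any", ACL_PERMIT_THEN_ANY),
                       ("final", ACL_FINAL)):
        print(f"{label:>20}: {classify(acl)}")
```

Running it prints one line per variant: the permit-only ACL lets the admin's telnet through but drops the admin's ping and everything else, the two-line variant lets 192.168.1.70 telnet to 192.168.1.202 because it falls through to permit ip any any, and the three-line ACL gives the intended result. The model evaluates a single packet against a single ACL; it does not model the interface direction, connection state or return traffic.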
