
17 Replies. Latest reply: Feb 21, 2013 6:07 AM by Randika


acl with vty

Feb 19, 2013 6:40 PM

Hello everyone,
On Router B I want to allow telnet access only for VLAN 2 (admin users).
I tried many times to do that with these commands:

access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet
interface Serial0/0/0
ip access-group 100 in

but it is not working; all telnet connections are denied.

 

Then I tried:

access-list 100 deny tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet
access-list 100 permit ip any any
interface Serial0/0/0
ip access-group 100 in

This is working properly.

 

Any idea for this?

Thanks
Randika

  • Krishna (712 posts since Aug 24, 2011)
    1. Feb 19, 2013 6:56 PM (in response to Randika)
    Re: acl with vty

    Please apply the access-list to line vty.

     


    R1(config)#line vty 0 15
    R1(config-line)#access-class 100 in

     

    Krishna

  • Krishna
    3. Feb 19, 2013 7:29 PM (in response to Randika)
    Re: acl with vty

    You are right.

     

    Can you please share your network diagram. I can't open your attachment.

     

    Krishna

  • Krishna
    4. Feb 19, 2013 7:33 PM (in response to Krishna)
    Re: acl with vty

    I am guessing a configuration without seeing your network diagram.

     

     

    access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet
    access-list 100 deny tcp any host 192.168.1.202 eq telnet
    access-list 100 permit ip any any

     

    interface Serial0/0/0

    ip access-group 100 in


    Krishna

     

  • Krishna
    6. Feb 19, 2013 7:54 PM (in response to Randika)
    Re: acl with vty

    "access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet" >> This command will permit telnet connections to the host 192.168.1.202 from the 192.168.1.32/27 subnet.

    "access-list 100 deny tcp any host 192.168.1.202 eq telnet" >> This command is written to deny any other telnet traffic going to the host 192.168.1.202.

    "permit ip any any" >> If we don't have this command, all other traffic will be denied because of the implicit deny at the bottom of the access-list.

     

     

    Hope I made things clear.

     

    Krishna

  • Krishna
    8. Feb 19, 2013 8:11 PM (in response to Randika)
    Re: acl with vty

    If you are entering only "access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet" without the "permit ip any any" command, then you are over-denying traffic. All other traffic will hit the implicit deny and will get dropped. Hence, to avoid this, we insert a permit ip any any command above the implicit deny, which is at the very bottom.

     

    Krishna

  • Krishna
    10. Feb 19, 2013 9:39 PM (in response to Randika)
    Re: acl with vty

    After you configure access-list 110 per tcp ** 192.168.1.11 ** 192.168.1.1 eq 23, are you able to ping from 192.168.1.11 to 192.168.1.1?

     

    Krishna

  • Krishna
    12. Feb 20, 2013 2:09 AM (in response to Randika)
    Re: acl with vty

    What are you trying to accomplish in this network?

     

    Krishna

  • Krishna
    14. Feb 20, 2013 3:20 AM (in response to Randika)
    Re: acl with vty

    "access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet"

    By configuring the above access-list statement, you will achieve the goal of permitting telnet traffic from the 192.168.1.32/27 network to host 192.168.1.202.

    But all other traffic will get denied because of the implicit deny. In order to avoid this you will have to use permit any any.

    The problem is that if you add permit any any as the 2nd line of the ACL, telnet traffic from all other sources will match the 2nd line and will eventually be permitted to telnet to the host 192.168.1.202.

    Just to avoid this we need a deny statement that blocks any other telnet traffic to the host 192.168.1.202, and that statement has to be placed above the permit any any statement.

    So the final config should be:

    access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet
    access-list 100 deny tcp any host 192.168.1.202 eq telnet
    access-list 100 permit ip any any

     

     

    Hope I made this clear now!!


    Krishna
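As an added illustration (this code is not from the thread and not a Cisco tool), the following Python evaluator applies first-match, implicit-deny semantics to the three ACLs posted in this thread and runs each against the same sample packets, so the effect of line order and of the missing "permit ip any any" line can be seen directly. It also models the access-class approach from the first reply: on the vty lines only the login's own source address (and the router's address) is checked, and transit traffic never reaches that ACL. The router address 192.168.1.202 and the admin VLAN 192.168.1.32/27 are from the thread; the hosts 192.168.1.40, 192.168.1.70 and 10.0.0.5, the port-name table and the simplified access-class model are assumptions made for the example, and the parser handles only the "permit|deny PROTO SRC DST [eq PORT]" syntax used here.

```python
"""Added example (not from the thread): first-match evaluator for Cisco-style
extended ACL lines, run against the three ACLs posted above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}   # assumed name table
ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0    # unused for icmp


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src: Tuple[int, int]      # (address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int]      # None: any destination port


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of tokens."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr, wild), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue                      # skip interface/access-group lines
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _addr_match(spec, address):
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    care = ~wild & ALL_ONES
    return int(ipaddress.IPv4Address(address)) & care == net & care


def evaluate(aces, pkt):
    """First matching entry wins; falling off the end is the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# The three ACLs from the thread; the last line of the final one is written
# out in full as 'access-list 100 permit ip any any'.
ACL_PERMIT_ONLY = "access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet"
ACL_DENY_THEN_ANY = """
access-list 100 deny tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet
access-list 100 permit ip any any"""
ACL_FINAL = """
access-list 100 permit tcp 192.168.1.32 0.0.0.31 host 192.168.1.202 eq telnet
access-list 100 deny tcp any host 192.168.1.202 eq telnet
access-list 100 permit ip any any"""

# Constructed sample traffic arriving on Serial0/0/0 (hosts .40, .70 and
# 10.0.0.5 are assumptions for the example).
SAMPLE = {
    "admin_telnet": Packet("tcp", "192.168.1.40", "192.168.1.202", 23),
    "other_telnet": Packet("tcp", "192.168.1.70", "192.168.1.202", 23),
    "admin_web": Packet("tcp", "192.168.1.40", "10.0.0.5", 80),
    "other_ping": Packet("icmp", "192.168.1.70", "192.168.1.202"),
}


def decisions(acl_text, packets=SAMPLE):
    """Map each sample label to permit/deny under 'ip access-group ... in'."""
    aces = parse_acl(acl_text)
    return {label: evaluate(aces, pkt) for label, pkt in packets.items()}


def vty_login_allowed(acl_text, src, router_ip="192.168.1.202"):
    """Simplified model of 'access-class N in' on the vty lines: only the
    login's own source (and the router's address) is checked, so transit
    traffic never reaches this ACL."""
    return evaluate(parse_acl(acl_text), Packet("tcp", src, router_ip, 23)) == "permit"
```

Calling decisions() on each ACL shows the three outcomes: the permit-only ACL applied with ip access-group on Serial0/0/0 passes only the admin telnet packet and drops everything else entering the interface, including the admin subnet's web traffic and the ICMP echo; the deny-then-permit-any ACL denies telnet from the admin subnet and permits it from every other source, which is exactly what its two lines say; and the three-line ACL permits admin telnet, denies all other telnet to the router, and leaves transit traffic alone. vty_login_allowed() makes the other point from the first reply: with access-class on the vty lines the ACL is consulted only for logins to the router itself, so transit traffic is never at risk of being over-denied. Beyond what the thread discusses, telnet carries credentials in cleartext, so on production equipment the same source restriction would normally be paired with transport input ssh on the vty lines.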
