topic Access List in Network Security

Access List

alliasneo1 — Fri, 21 Feb 2020 12:53:35 GMT

Hi,

Can someone explain to me why the below access-list does not work? I've been staring at this a while but can't figure it out, I can't telnet in even though I have allowed the tcp traffic:

Extended IP access list NO_TELNET

10 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log

20 deny ip any any log

Access List

Marvin Rhoads — Mon, 20 May 2013 03:12:09 GMT

What are those two hosts and where have you applied the access-list? Without that information, one needs to make (very possibly incorrect) assumptions about your setup.

What about it isn't working for you?

Access List

alliasneo1 — Mon, 20 May 2013 21:56:53 GMT

Hi Sorry yes I was a bit vague there.

I'm trying to block a particular host from Telnetting to a router and allow another.

I have managed to do this with a standard access-list but now I'm trying with an extended.

I've applied this to the VTY lines of the router using access-class but even though I allowed the particular host through it still gets blocked?

ip access-list extended NO_TELNET

permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log

deny ip any any log

line vty 0 4

access-class NO_TELNET in

password telnet

%SEC-6-IPACCESSLOGP: list NO_TELNET denied tcp 10.0.0.1(55916) -> 0.0.0.0(23), 1 packet

R1#sh ip access-list

Extended IP access list NO_TELNET

10 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log

20 deny ip any any log (2 matches)

Access List

Marvin Rhoads — Mon, 20 May 2013 22:19:50 GMT

The log entry says the source of traffic was 10.0.0.1. Is that on the router itself with 10.0.0.2 being another interface on the router?

If so, that won't work because access-lists don't apply to traffic generated from the router to itself. You need to introduce traffic to an interface to make an inbound access-list see it and act accordingly.

Additionally, vty lines require you used numbered access-lists (12.2 reference and 15.0 reference). It can be extended but must be numbered not named.

Access List

alliasneo1 — Tue, 21 May 2013 19:51:10 GMT

HI,

I just tried a numbered list but I still can't get in. This is the set up I have:

Access List

Marvin Rhoads — Tue, 21 May 2013 23:22:22 GMT

You're right, the configuration you show looks straightforward and should work from what I've seen posted so far.

Kind of obscure but are there any VRFs on the target router?

One other suggestion would be to make the access list a simple "permit tcp host 10.0.0.2 host 10.0.0.1" and then restrict the access to telnet via "transport input telnet" in the line vty section.

Access List

harvisin — Wed, 29 May 2013 04:16:47 GMT

Hello,

The posible reasons could be as follows:-

1) in line VTY the telnet is not allowed.

2) Access-List is not applied on the interface

3) The only left reason could be that you might have given another IP address to the Router2.

Rest I can't find any other reason for telnet to not happen.

Access List

harvisin — Wed, 29 May 2013 04:20:00 GMT

and one more thing could you please send me the configuratio of R1 and R2 , so that I could check it out.