Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1141
Views
0
Helpful
1
Replies

Access list no interface management

Go to solution
digimansam
Level 1
Level 1

‎04-24-2019 06:56 AM

Hi All,

So I'm doing a new test config on a Cisco 881 Router.

I have created four IP subnet pools, I have created four interface VLANs 1,10,20,30 with IP addresses so the router knows what subnet is what. the problem is that I can't seem to put an access-list any of the ports that will be going to a switch. The interface VLAN-10 lets me put an access list onto it to block telnet and SSH but it just keeps working it Does not do anything at all. 

 

What I'm trying to do is only have one management subnet within VLAN 1 that is not going to be Natted to the WAN side.

 

Has anyone come across this before any help would be appreciated  

 

ip source-route
!
ip dhcp excluded-address 192.168.100.0 192.168.100.9
ip dhcp excluded-address 192.168.100.64 192.168.100.69
ip dhcp excluded-address 192.168.100.128 192.168.100.139
ip dhcp excluded-address 192.168.100.192 192.168.100.200
!
ip dhcp pool VLAN-1
network 192.168.100.0 255.255.255.192
default-router 192.168.100.1
dns-server 8.8.8.8
lease 3
!
ip dhcp pool VLAN-10
network 192.168.100.64 255.255.255.192
default-router 192.168.100.65
dns-server 8.8.8.8
lease 3
!
ip dhcp pool VLAN-20
network 192.168.100.128 255.255.255.192
default-router 192.168.100.129
dns-server 8.8.8.8
lease 3
!
ip dhcp pool VLAN-30
network 192.168.100.192 255.255.255.192
dns-server 8.8.8.8
default-router 192.168.100.193
lease 3


!
!
interface FastEthernet0
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.100.1 255.255.255.192
!
interface Vlan10
ip address 192.168.100.65 255.255.255.192
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address 192.168.100.129 255.255.255.192
ip nat inside
ip virtual-reassembly in
!
interface Vlan30
ip address 192.168.100.193 255.255.255.192
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
!
logging esm config
access-list 1 permit any
access-list 100 deny tcp host 192.168.100.65 eq 22 any
access-list 100 deny tcp host 192.168.100.65 eq telnet any
access-list 100 permit ip any any
!
!
line con 0
exec-timeout 60 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 60 0
logging synchronous
login local
transport input all
!
end

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mark Malone
VIP Alumni
VIP Alumni

‎04-24-2019 07:25 AM

Hi
these are pure L2 ports as its a soho router , you cant add any IP commands at all to those ports , are you trying to specifiy which port you come in on with SSH etc and outbound ? without an actual MGMT port all you would need acls in both directions and also source the MGMT traffic out by that vlan to try and force it , or MPP feature if supported but i think its only on ios-xe and xr

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Mark Malone
VIP Alumni
VIP Alumni

‎04-24-2019 07:25 AM

Hi
these are pure L2 ports as its a soho router , you cant add any IP commands at all to those ports , are you trying to specifiy which port you come in on with SSH etc and outbound ? without an actual MGMT port all you would need acls in both directions and also source the MGMT traffic out by that vlan to try and force it , or MPP feature if supported but i think its only on ios-xe and xr
0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card