05-19-2013 03:02 PM - edited 02-21-2020 04:53 AM
Hi,
Can someone explain to me why the access-list below does not work? I've been staring at this for a while but can't figure it out. I can't telnet in even though I have allowed the TCP traffic:
Extended IP access list NO_TELNET
10 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log
20 deny ip any any log
05-19-2013 08:12 PM
What are those two hosts and where have you applied the access-list? Without that information, one needs to make (very possibly incorrect) assumptions about your setup.
What about it isn't working for you?
05-20-2013 02:56 PM
Hi, sorry, yes I was a bit vague there.
I'm trying to block a particular host from Telnetting to a router and allow another.
I have managed to do this with a standard access-list but now I'm trying with an extended.
I've applied this to the VTY lines of the router using access-class but even though I allowed the particular host through it still gets blocked?
ip access-list extended NO_TELNET
permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log
deny ip any any log
!
line vty 0 4
access-class NO_TELNET in
password telnet
login
%SEC-6-IPACCESSLOGP: list NO_TELNET denied tcp 10.0.0.1(55916) -> 0.0.0.0(23), 1 packet
R1#sh ip access-list
Extended IP access list NO_TELNET
10 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log
20 deny ip any any log (2 matches)
05-20-2013 03:19 PM
The log entry says the source of traffic was 10.0.0.1. Is that on the router itself with 10.0.0.2 being another interface on the router?
If so, that won't work because access-lists don't apply to traffic generated from the router to itself. You need to introduce traffic to an interface to make an inbound access-list see it and act accordingly.
Additionally, vty lines require you to use numbered access-lists (12.2 reference and 15.0 reference). It can be extended but must be numbered, not named.
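The reply above reads the log line the way the router does: the packet that hit sequence 20 had source 10.0.0.1 and (as the access-class log prints it) destination 0.0.0.0, so entry 10, which only matches host 10.0.0.2 talking to host 10.0.0.1, never applies. The following Python is an added example, not code from the thread or from Cisco; it re-implements first-match ACL evaluation for the two entries posted above and replays the quoted %SEC-6-IPACCESSLOGP line through them, reporting for each entry why it did or did not match. It assumes only the address forms any, host and address-plus-wildcard, the eq port qualifier, and a small hand-written port-name table; the ACL text and the log line are constructed copies of what the thread shows.

```python
import re

# Constructed copy of the two ACL entries posted in the thread.
NO_TELNET = [
    "10 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log",
    "20 deny ip any any log",
]

# Constructed copy of the %SEC-6-IPACCESSLOGP line quoted in the thread.
LOG_LINE = ("%SEC-6-IPACCESSLOGP: list NO_TELNET denied tcp "
            "10.0.0.1(55916) -> 0.0.0.0(23), 1 packet")

# Small assumed port-name table (IOS accepts many more names).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def parse_addr(tokens):
    """Consume an address spec and return (network, mask) as integers.

    Handles 'any', 'host A.B.C.D' and 'A.B.C.D WILDCARD'; wildcard bits set
    to 1 are "don't care", i.e. the inverse of a netmask.
    """
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return ip_to_int(tokens.pop(0)), 0xFFFFFFFF
    wildcard = ip_to_int(tokens.pop(0))
    mask = ~wildcard & 0xFFFFFFFF
    return ip_to_int(tok) & mask, mask


def parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None


def parse_entry(line):
    """Parse one 'show ip access-list' style entry into a dict."""
    tokens = line.split()
    seq = int(tokens.pop(0))
    action = tokens.pop(0)            # permit | deny
    proto = tokens.pop(0)             # ip | tcp | udp
    has_ports = proto in ("tcp", "udp")
    src = parse_addr(tokens)
    sport = parse_port(tokens) if has_ports else None
    dst = parse_addr(tokens)
    dport = parse_port(tokens) if has_ports else None
    return {"seq": seq, "action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport, "log": "log" in tokens}


def in_net(addr, net):
    network, mask = net
    return (ip_to_int(addr) & mask) == network


def mismatch_reasons(entry, proto, src, sport, dst, dport):
    """Return the reasons the entry does NOT match; an empty list is a match."""
    reasons = []
    if entry["proto"] != "ip" and entry["proto"] != proto:
        reasons.append(f"protocol {proto} is not {entry['proto']}")
    if not in_net(src, entry["src"]):
        reasons.append(f"source {src} is outside the entry's source")
    if entry["sport"] is not None and sport != entry["sport"]:
        reasons.append(f"source port {sport} is not {entry['sport']}")
    if not in_net(dst, entry["dst"]):
        reasons.append(f"destination {dst} is outside the entry's destination")
    if entry["dport"] is not None and dport != entry["dport"]:
        reasons.append(f"destination port {dport} is not {entry['dport']}")
    return reasons


def evaluate(acl_lines, proto, src, sport, dst, dport):
    """First-match evaluation; falls through to the implicit deny."""
    for entry in map(parse_entry, acl_lines):
        if not mismatch_reasons(entry, proto, src, sport, dst, dport):
            return entry["seq"], entry["action"]
    return None, "deny"


LOG_RE = re.compile(r"list (\S+) (permitted|denied) (\w+) "
                    r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> "
                    r"(\d+\.\d+\.\d+\.\d+)\((\d+)\)")


def parse_log(line):
    """Pull list name, verdict and the 5-tuple out of an IPACCESSLOGP line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an IPACCESSLOGP line")
    name, verdict, proto, src, sport, dst, dport = m.groups()
    return {"list": name, "verdict": verdict, "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}


def explain(acl_lines, log_line):
    """Replay the logged flow through the ACL, one line of report per entry."""
    f = parse_log(log_line)
    report = []
    for entry in map(parse_entry, acl_lines):
        reasons = mismatch_reasons(entry, f["proto"], f["src"], f["sport"],
                                   f["dst"], f["dport"])
        if reasons:
            report.append(f"seq {entry['seq']} skipped: " + "; ".join(reasons))
        else:
            report.append(f"seq {entry['seq']} matched -> {entry['action']}")
            break
    return report


if __name__ == "__main__":
    for line in explain(NO_TELNET, LOG_LINE):
        print(line)
```

Running it against the quoted log prints that sequence 10 is skipped because the source is 10.0.0.1 rather than 10.0.0.2 and the destination 0.0.0.0 is not host 10.0.0.1, after which sequence 20 denies the packet. Replaying a denied log line through the ACL this way, before touching the configuration, is a quick check that the flow you think you are permitting is the flow the router actually sees.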
05-21-2013 12:51 PM
Hi,
I just tried a numbered list but I still can't get in. This is the setup I have:
05-21-2013 04:22 PM
You're right, the configuration you show looks straightforward and should work from what I've seen posted so far.
Kind of obscure but are there any VRFs on the target router?
One other suggestion would be to make the access list a simple "permit tcp host 10.0.0.2 host 10.0.0.1" and then restrict the access to telnet via "transport input telnet" in the line vty section.
05-28-2013 09:16 PM
Hello,
The possible reasons could be as follows:
1) In the VTY line, telnet is not allowed.
2) The access-list is not applied on the interface.
3) The only remaining reason could be that you might have given another IP address to Router2.
Otherwise I can't find any other reason for telnet not to work.
05-28-2013 09:20 PM
And one more thing: could you please send me the configuration of R1 and R2, so that I could check it out.