11-29-2017 03:15 PM - edited 03-05-2019 09:33 AM
Hello, I need to configure an ACL to deny telnet from any host on subnet 135.79.40.0/24 to anything on other subnets.
I think I want to do something like this:
access-list 150 deny tcp host 135.79.40.0 0.0.0.255 any eq telnet
But I am not getting any results.... How can I configure my ACL to deny telnet requests from hosts on that subnet?
Attached is a map of the network I am currently working with. The goal is to deny telnet attempts from host E into routers B and C and switches A and B.
Thank you,
Dean
11-29-2017 03:43 PM - edited 11-29-2017 03:48 PM
Hi
Have you tried to configure the following parameters on Router A's s0/0 interface?
**Also remove the word host; it is used when you are specifying a /32 IP address. There are 2 ways to configure a host, for example:
access-list 150 deny tcp host 135.79.40.10 any eq telnet
or
access-list 150 deny tcp 135.79.40.10 0.0.0.0 any eq telnet
Now try this configuration on Router A's serial 0/0 interface
access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq telnet
access-list 150 permit ip any any
interface s0/0
ip access-group 150 out
11-29-2017 03:46 PM
11-29-2017 03:49 PM - edited 11-29-2017 03:51 PM
Hi
Try this on RA's Serial 0/0
access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq 23
access-list 150 permit ip any any
int s0/0
ip access-group 150 out
11-29-2017 03:54 PM
11-29-2017 03:57 PM - edited 11-29-2017 03:59 PM
Hi
Have you verified that the configuration is not after a permit any any on router A? Try to remove ACL 150 and then try again.
You can also check the matches using show access-list 150.
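The two points raised in this thread, that a wildcard mask (not the host keyword) selects a /24, and that a deny placed after permit ip any any never gets a hit, are easy to see with a small evaluator. The following is an added example, not code from this thread or from Cisco: it parses the subset of numbered extended ACL syntax used above (access-list N permit|deny ip|tcp SRC DST [eq PORT]), applies first-match evaluation with the implicit deny at the end, counts matches the way show access-list reports them, and runs constructed sample packets from host E's subnet through both the correct ordering and the shadowed one. The traffic, addresses and helper names are all assumptions made for the example.

```python
"""Toy evaluator for the numbered extended ACL lines used in this thread.
Constructed example, not IOS code. Only the syntax seen on the page is
parsed; evaluation is first match with an implicit 'deny ip any any'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22}   # names accepted after 'eq'


@dataclass
class AclEntry:
    number: int
    action: str          # "permit" or "deny"
    proto: str           # "ip" or "tcp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int]  # None = any destination port
    hits: int = 0        # match counter, like "(N matches)" in show access-list


def _to_int(dotted):
    # Raises ValueError for anything that is not a dotted quad.
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens):
    """Consume one address spec from tokens; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":                      # 'host X' is X with wildcard 0.0.0.0
        base = tokens.pop(0)
        _to_int(base)
        return base, "0.0.0.0"
    base, wild = t, tokens.pop(0)
    _to_int(base)
    _to_int(wild)
    return base, wild


def parse_acl_line(line):
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, proto = int(tokens[1]), tokens[2], tokens[3]
    rest = tokens[4:]
    src, src_wild = _parse_addr(rest)
    dst, dst_wild = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rest = rest[2:]
    if rest:
        raise ValueError(f"unexpected trailing tokens: {rest}")
    return AclEntry(number, action, proto, src, src_wild, dst, dst_wild, dport)


def wildcard_match(addr, base, wild):
    """Bits set in the wildcard are 'don't care'; all other bits must be equal."""
    care = ~_to_int(wild) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for a packet dict, bumping the hit counter."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], e.src, e.src_wild):
            continue
        if not wildcard_match(pkt["dst"], e.dst, e.dst_wild):
            continue
        if e.dport is not None and pkt.get("dport") != e.dport:
            continue
        e.hits += 1
        return e.action
    return "deny"   # implicit deny at the end of every IOS ACL


def _fmt(base, wild):
    if wild == "255.255.255.255":
        return "any"
    return f"host {base}" if wild == "0.0.0.0" else f"{base} {wild}"


def show_access_list(acl):
    """Render roughly like 'show access-list', including match counts."""
    lines = [f"Extended IP access list {acl[0].number}"]
    for e in acl:
        port = f" eq {e.dport}" if e.dport is not None else ""
        lines.append(f"    {e.action} {e.proto} {_fmt(e.src, e.src_wild)} "
                     f"{_fmt(e.dst, e.dst_wild)}{port} ({e.hits} matches)")
    return "\n".join(lines)


# Constructed sample traffic: host E on 135.79.40.0/24 and a neighbouring subnet.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "135.79.40.10", "dst": "135.79.41.1", "dport": 23},
    {"proto": "tcp", "src": "135.79.40.10", "dst": "135.79.41.1", "dport": 22},
    {"proto": "tcp", "src": "135.79.41.10", "dst": "135.79.40.1", "dport": 23},
]


def run(acl_lines, packets=SAMPLE_PACKETS):
    """Parse the ACL, evaluate each packet; return (verdicts, entries with hits)."""
    acl = [parse_acl_line(l) for l in acl_lines]
    return [evaluate(acl, p) for p in packets], acl


if __name__ == "__main__":
    good = ["access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq telnet",
            "access-list 150 permit ip any any"]
    shadowed = list(reversed(good))    # permit first: the deny never matches
    for name, lines in (("good", good), ("shadowed", shadowed)):
        verdicts, acl = run(lines)
        print(name, verdicts)
        print(show_access_list(acl))
```

With the correct ordering the first packet (telnet from 135.79.40.10) is denied and the deny line shows one match; with permit ip any any first, all three packets are permitted and the deny line stays at zero matches, which is exactly the symptom of an ACL whose deny sits after a catch-all permit. The parser also refuses the original line with both host and a wildcard, since host consumes a single address and leaves 0.0.0.255 where a destination should be.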
11-29-2017 04:07 PM
11-29-2017 04:11 PM
Hi,
You should execute the command at the privileged user prompt (#).
11-29-2017 04:25 PM - edited 11-29-2017 04:27 PM
OK, results:
RouterC#show access-list 150
Extended IP access list 150
deny tcp 135.79.40.0 0.0.0.255 any eq telnet
permit ip any any
This is after a fresh attempt and I am still able to telnet.
11-29-2017 04:34 PM - edited 11-29-2017 04:34 PM
Try these lines just to verify, because I don't see hits:
no access-list 150
access-list 150 deny tcp any any eq 23
access-list 150 permit ip any any
int serial 0/0
ip access-group 150 out
11-29-2017 04:41 PM
11-29-2017 06:24 PM
Hi
I have not received any error message; are you using bossom?