11-29-2017 03:15 PM - edited 03-05-2019 09:33 AM
Hello, I need to configure an ACL to deny telnet from any host on subnet 135.79.40.0/24 to anything on other subnets.
I think I want to do something like this:
access-list 150 deny tcp host 135.79.40.0 0.0.0.255 any eq telnet
But I am not getting any results. How can I configure my ACL to deny telnet requests from hosts on that subnet?
Attached is a map of the network I am currently working with. The goal is to deny telnet attempts from host E into router b and c, switch a and b.
Thank you,
Dean
11-29-2017 03:43 PM - edited 11-29-2017 03:48 PM
Hi
Have you tried to configure the following parameters on Router A's s0/0 interface?
Also remove the host word; it is used when you are specifying a /32 IP address. There are two ways to configure a host, for example:
access-list 150 deny tcp host 135.79.40.10 any eq telnet
or
access-list 150 deny tcp 135.79.40.10 0.0.0.0 any eq telnet
Now try this configuration on Router A's serial 0/0 interface
access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq telnet
access-list 150 permit ip any any
interface s0/0
ip access-group 150 out
11-29-2017 03:46 PM
11-29-2017 03:49 PM - edited 11-29-2017 03:51 PM
Hi
Try with on RA's Serial 0/0
access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq 23
access-list 150 permit ip any any
int s0/0
ip access-group 150 out
11-29-2017 03:54 PM
11-29-2017 03:57 PM - edited 11-29-2017 03:59 PM
Hi
Have you verified that the configuration is not after a permit any any on router A? Try to remove ACL 150 and please try again.
Also you can check the matches using show access-list 150.
11-29-2017 04:07 PM
11-29-2017 04:11 PM
Hi,
You should execute the command at the privileged user prompt (#).
11-29-2017 04:25 PM - edited 11-29-2017 04:27 PM
Ok results:
RouterC#show access-list 150
Extended IP access list 150
deny tcp 135.79.40.0 0.0.0.255 any eq telnet
permit ip any any
This is after a fresh attempt and I am still able to telnet.
11-29-2017 04:34 PM - edited 11-29-2017 04:34 PM
Try these lines just to verify, because I don't see hits:
no access-list 150
access-list 150 deny tcp any any eq 23
access-list 150 permit ip any any
int serial 0/0
ip access-group 150 out
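To make the two points raised in the replies above concrete (the "host" keyword is a /32 and does not take a wildcard mask, and an entry placed after "permit ip any any" is never reached, which is why "show access-list 150" shows no hits), here is a small simulator of first-match extended ACL evaluation. It is an added example, not code from the thread or from Cisco IOS: it models only the "access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]" syntax used in this thread, and the host addresses 135.79.40.10, 135.79.41.10 and 135.79.50.1 are constructed for the demonstration. The ACL lines it evaluates are the ones posted above.

```python
"""Simplified simulator of Cisco-style extended numbered ACL evaluation:
entries are checked top-down, the first match wins, and an unmatched
packet falls through to the implicit 'deny ip any any'.

Added example, not code from the thread. It models only the
'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' form; the
host addresses used below are constructed for the demonstration.
"""
import ipaddress

WELL_KNOWN_PORTS = {"telnet": 23, "ssh": 22, "www": 80}
ALL_ONES = 0xFFFFFFFF


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))  # ValueError on anything else


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A' (a /32, i.e. wildcard
    0.0.0.0, so no mask may follow it) or 'A WILDCARD'."""
    head = tokens[0]
    if head == "any":
        return (0, ALL_ONES), tokens[1:]
    if head == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(head), _to_int(tokens[1])), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT' (number or well-known name)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return WELL_KNOWN_PORTS.get(name) or int(name), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one access-list line into a dict; ValueError if malformed."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("malformed entry: " + line)
    try:
        rest = tokens[4:]
        src, rest = _parse_addr(rest)
        src_port, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dst_port, rest = _parse_port(rest)
    except (IndexError, ValueError) as exc:
        raise ValueError("malformed entry: " + line) from exc
    if rest:
        raise ValueError("trailing tokens in: " + line)
    return {"number": int(tokens[1]), "action": tokens[2], "proto": tokens[3],
            "src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port,
            "text": " ".join(tokens[2:]), "matches": 0}


def ace_accepted(line):
    """True if the simulator's parser accepts the line as written."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def build_acl(lines):
    return [parse_ace(line) for line in lines]


def _addr_match(spec, addr):
    network, wildcard = spec
    care = ~wildcard & ALL_ONES          # wildcard bit 1 means "don't care"
    return (_to_int(addr) & care) == (network & care)


def evaluate(acl, proto, src, dst, dst_port, src_port=None):
    """Return 'permit' or 'deny' for one packet, counting the hit on the
    entry that matched (what 'show access-list' reports as '(N matches)')."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        if ace["src_port"] is not None and ace["src_port"] != src_port:
            continue
        if ace["dst_port"] is not None and ace["dst_port"] != dst_port:
            continue
        ace["matches"] += 1
        return ace["action"]
    return "deny"                          # implicit deny ip any any


def show_access_list(acl):
    """Render the list roughly the way 'show access-list N' prints it."""
    out = ["Extended IP access list %d" % acl[0]["number"]]
    for ace in acl:
        hits = " (%d matches)" % ace["matches"] if ace["matches"] else ""
        out.append("    " + ace["text"] + hits)
    return "\n".join(out)


# ACL lines as posted in the thread.
THREAD_ACL = [
    "access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq telnet",
    "access-list 150 permit ip any any",
]
REVERSED_ACL = THREAD_ACL[::-1]        # permit first: the deny is never reached
OP_LINE = "access-list 150 deny tcp host 135.79.40.0 0.0.0.255 any eq telnet"
HOST_ONLY_ACL = [                      # 'host' without the mask: matches .0 only
    "access-list 150 deny tcp host 135.79.40.0 any eq telnet",
    "access-list 150 permit ip any any",
]

if __name__ == "__main__":
    acl = build_acl(THREAD_ACL)
    for port in (23, 22):
        print(port, evaluate(acl, "tcp", "135.79.40.10", "135.79.50.1", port))
    print(show_access_list(acl))
    print("OP line accepted:", ace_accepted(OP_LINE))
```

Running it shows telnet from 135.79.40.10 denied and ssh permitted with the posted ACL, a "(1 matches)" counter on the deny entry, the same telnet permitted (and a zero hit count on the deny) when the permit is listed first, and the line with both "host" and a wildcard mask rejected as malformed. One caveat when using an outbound interface ACL this way: it filters traffic transiting the router's interface, not the vty lines of the device itself; a vty access-class on each router and switch is the complementary control for protecting the management plane.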
11-29-2017 04:41 PM
11-29-2017 06:24 PM
Hi
I have not received any error message. Are you using bossom?