ACL to deny telnet from any host on subnet

Deanmikawa (Level 1)

Hello, I need to configure an ACL to deny telnet from any host on subnet 135.79.40.0/24 to anything on other subnets.  

I think I want to do something like this:

access-list 150 deny tcp host 135.79.40.0 0.0.0.255 any eq telnet

But I am not getting any results.... How can I configure my ACL to deny telnet requests from hosts on that subnet?

Attached is a map of the network I am currently working with. The goal is to deny telnet attempts from host E into router b and c, switch a and b.

Thank you,
Dean

11 Replies

Hi

Have you tried to configure the following parameters on Router A's s0/0 interface?

Also remove the host word; it is used when you are specifying a /32 IP address. There are 2 ways to configure a host, for example:

access-list 150 deny tcp host 135.79.40.10 any eq telnet

or 

access-list 150 deny tcp 135.79.40.10 0.0.0.0 any eq telnet 


Now try this configuration on Router A's serial 0/0 interface 

access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq telnet   

access-list 150 permit ip any any


interface s0/0

ip access-group 150 out

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq telnet
gives me incomplete command

access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq telnet ?
gives me unrecognized command

I have also tried
RouterC(config)#access-list 150 deny tcp host 135.79.40.0 0.0.0.255 135.79.10.2 eq telnet
RouterC(config)#access-list 150 permit ip any any
RouterC(config)#int s0/1
RouterC(config-if)#ip access-group 150 in

and it blocks telnet into router b but allows telnet into everything else



Hi


Try this on RA's Serial 0/0:

access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq 23  

access-list 150 permit ip any any


int s0/0

ip access-group 150 out


After configuring
access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq 23

access-list 150 permit ip any any

int s0/0

ip access-group 150 out

I am still able to telnet into the routers from Host e

Hi

Have you verified that the configuration is not placed after a permit any any on router A? Try to remove the ACL 150 and please try again.

Also you can check the matches using show access-list 150. 

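Added example (not part of this thread, and not Cisco code): a small Python evaluator for the extended-ACL lines discussed above. It demonstrates the two points the replies make. First, `host` is a /32 shorthand equivalent to a `0.0.0.0` wildcard, so the original `host 135.79.40.0 0.0.0.255 any ...` line pushes the wildcard into the destination slot and is rejected rather than matching the subnet. Second, entries are evaluated first-match with an implicit `deny ip any any` at the end, so a deny that lands after `permit ip any any` (which is where IOS appends a new line to an existing numbered ACL) never gets a hit, which is why the reply suggests removing ACL 150 and re-entering it. The subnet and router address are the thread's; host E's address 135.79.40.10 and the packet tuples are constructed, and interface/direction placement is not modeled.

```python
"""Toy evaluator for Cisco IOS extended ACL entries (first match wins, implicit deny).

Added example, not code from the thread or from Cisco. It models only how a
numbered extended ACL is matched, not interface or direction placement.
Addresses 135.79.40.0/24 and 135.79.10.2 come from the thread; host E's
address 135.79.40.10 and the packet tuples are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IOS accepts a port keyword or a number; the thread uses both 'telnet' and 23.
PORT_NAMES = {"telnet": 23}


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class Ace:
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'tcp', 'udp' or 'ip'
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # None means any destination port


def _parse_addr(toks: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at toks[i]."""
    if toks[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if toks[i] == "host":            # 'host' consumes exactly one address
        ipaddress.IPv4Address(toks[i + 1])
        return toks[i + 1], "0.0.0.0", i + 2
    base, wc = toks[i], toks[i + 1]
    ipaddress.IPv4Address(base)
    ipaddress.IPv4Address(wc)        # rejects e.g. 'any' sitting in the wildcard slot
    return base, wc, i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny proto SRC DST [eq PORT]' (the subset the thread uses)."""
    toks = line.split()
    try:
        if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
            raise ValueError("bad keyword")
        action, proto = toks[2], toks[3]
        src, src_wc, i = _parse_addr(toks, 4)
        dst, dst_wc, i = _parse_addr(toks, i)
        port = None
        if i < len(toks):
            if proto not in ("tcp", "udp") or toks[i] != "eq":
                raise ValueError("port qualifier needs tcp/udp and 'eq'")
            p = toks[i + 1]
            port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        return Ace(action, proto, src, src_wc, dst, dst_wc, port)
    except (IndexError, ValueError) as exc:
        # Mirror the router rejecting the line instead of silently misparsing it.
        raise ValueError(f"% Invalid input: {line!r}") from exc


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dst_port: Optional[int]) -> str:
    """Return 'permit' or 'deny' for one packet: the first matching entry wins,
    and every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


# The ACL the replies recommend: the deny must come before 'permit ip any any'.
RECOMMENDED = [
    "access-list 150 deny tcp 135.79.40.0 0.0.0.255 any eq 23",
    "access-list 150 permit ip any any",
]
# Same two lines in the other order. IOS appends new entries to an existing
# numbered ACL, so re-entering the deny without 'no access-list 150' first
# can leave the ACL in exactly this shadowed order.
SHADOWED = list(reversed(RECOMMENDED))


def host_e_telnet(lines: List[str]) -> str:
    """Constructed packet: host E (135.79.40.10) telnetting to Router B (135.79.10.2)."""
    return evaluate([parse_ace(l) for l in lines], "tcp", "135.79.40.10", "135.79.10.2", 23)


if __name__ == "__main__":
    print("recommended order:", host_e_telnet(RECOMMENDED))   # deny
    print("shadowed order:   ", host_e_telnet(SHADOWED))      # permit
    try:
        parse_ace("access-list 150 deny tcp host 135.79.40.0 0.0.0.255 any eq telnet")
    except ValueError as e:
        print(e)   # 'host' took 135.79.40.0, so 0.0.0.255 became the destination
```

The entry order is what `show access-list 150` hit counts reveal: hits accrue on the first line that matches, so a deny with zero matches while telnet still succeeds is the signature of a shadowed entry. If a `permit ip any any` was already present in ACL 150, the fix is `no access-list 150` followed by re-entering both lines in order, as the reply suggests.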

OK, I have tried again with a fresh router with no configs.

Same result, I am able to telnet into the routers.

Posted is the result of the show access-list 150 command; it doesn't yield a response though.

Hi,

You should execute the command at the privileged user prompt (#).


Ok results:
RouterC#show access-list 150
Extended IP access list 150

       deny tcp 135.79.40.0 0.0.0.255 any eq telnet
       permit ip any any

This is after a fresh attempt and am still able to telnet

Try these lines just to verify, because I don't see hits:

no access-list 150

access-list 150 deny tcp any any eq 23

access-list 150 permit ip any any


int serial 0/0

ip access-group 150 out 


Here are the results up to the first incomplete command: access-list 150 deny tcp any any eq 23

Hi

I have not received any error message; are you using bossom?
