telnet problem with DACL

Hello all,

I have a problem with a telnet connection:

the config on the router (on this router I want to build a telnet connection):

username usr password 0 pass

line vty 0 4
login local
autocommand access-enable host timeout 5
transport input all


access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 100 dynamic Testlist timeout 5 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255


interface GigabitEthernet0/0
description Link to Client
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
media-type rj45


error message on the client:

Client#telnet 10.0.0.1
Trying 10.0.0.1 ... Open

User Access Verification

Username: usr
Password:
[Connection to 10.0.0.1 closed by foreign host]

As you see in the output, it prompts me for username and password. I can type these, but then the connection is immediately closed by the foreign host, and I do not know why! The neighbor interface on the client router has the IP 10.0.0.2, so it is in the net 10.0.0.0/24, which is allowed in the dynamic ACL. I am using Cisco VIRL 2.0.

Can you help me in this case?

Many thanks for your help in advance

Mihaly

20 Replies

Hello,


the dynamic entry in your access list needs to be the first line:


access-list 100 dynamic Testlist timeout 5 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 100 permit tcp any host 10.0.0.1 eq 3050
access-list 100 permit tcp any any established

Hello,


I have used your config:

access-list 100 dynamic Testlist timeout 5 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 100 permit tcp any host 10.0.0.1 eq 3050
access-list 100 permit tcp any any established


in this case I can ping the IP:

Client#ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!!!


but telnet does not work:

Client#telnet 10.0.0.1 3050
Trying 10.0.0.1, 3050 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************

User Access Verification

Username: usr
Password:
[Connection to 10.0.0.1 closed by foreign host]

Hello,


post your full running configuration again. I have a feeling something basic is missing...

Hello,


see the config in the attachment

Mihaly

Hello,


I think what you are trying to accomplish is not possible with dynamic access lists. They are used to open holes to networks BEHIND the authenticating router. If you want to restrict access to the VTY of the router itself, use an access-class applied directly to the VTY.
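As an added example, not part of the thread or of Cisco's own documentation, this is the configuration shape the reply above points to: who may reach the VTY lines is decided by a standard ACL bound with `access-class`, while the lock-and-key dynamic entry in ACL 100 stays responsible only for traffic passing through the router toward 172.16.0.0/24. The ACL name VTY-MGMT and the `log` keyword on the final deny are assumptions.

```cisco
! Standard ACL deciding which sources may open a session to the router itself.
! (Name VTY-MGMT is an assumption, not from the thread.)
ip access-list standard VTY-MGMT
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! access-class filters connections TO the VTY; ACL 100 on the interface cannot
! do this job for the dynamic part, because lock-and-key temporary entries only
! open traffic THROUGH the router after the user authenticates.
line vty 0 4
 access-class VTY-MGMT in
 login local
 autocommand access-enable host timeout 5
 transport input telnet
!
! Every session on vty 0-4 runs the autocommand and is then disconnected, which
! is the expected lock-and-key behaviour; keep a separate line (e.g. vty 5)
! without the autocommand for normal administration.
!
! Interface ACL: the static telnet line lets the client reach the VTY to
! authenticate; the dynamic line becomes a temporary per-host permit for
! 10.0.0.x -> 172.16.0.0/24 once access-enable runs.
access-list 100 dynamic Testlist timeout 5 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
```

After a user authenticates, `show access-lists 100` should list the temporary entry for that client's host address; if it never appears, the problem is in the authentication or autocommand step rather than in the ACL order.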

Hello,


how can I configure on the vty?
