2107 Views, 5 Helpful, 20 Replies

telnet problem with DACL

Hello all,

I have problem with telnet connection:

the config on the router (on this router want to built a telnet connection):

username usr password 0 pass
!
line vty 0 4
 login local
 autocommand access-enable host timeout 5
 transport input all
!
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 100 dynamic Testlist timeout 5 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
interface GigabitEthernet0/0
 description Link to Client
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
 duplex auto
 speed auto
 media-type rj45

 

error message on the client:

Client#telnet 10.0.0.1
Trying 10.0.0.1 ... Open

User Access Verification

Username: usr
Password:
[Connection to 10.0.0.1 closed by foreign host]

As you can see in the output, it prompts me for a username and password. I can type these, but then the connection is immediately closed by the foreign host, and I do not know why! The neighbor interface on the client router has the IP 10.0.0.2, so it is in the 10.0.0.0/24 network, which is allowed in the dynamic ACL. I am using Cisco VIRL 2.0.

Can you help me in this case?

Many thanks for your help in advance

Mihaly

 

20 Replies

balaji.bandi
Hall of Fame

Looks interesting; the commands are simple, so it should work as expected.

 

The only thing I can think of for now, since we do not have the complete config of the device: post the full show run.

 

Quick test you can do :

1. Do you have AAA configured in the global config?

 

If not, add the below and test:

config t
!
aaa new-model
!
end

 

 

BB


Hello Balaji,

So I can ping the IP 172.16.0.2 (it's the IP from the other network, allowed by the dynamic ACL), but Telnet is still not working.

See the router config in the attachment.

Thanks for your help!

Mihaly

Hello,

 

you are missing the command:

 

username usr autocommand access-enable host

 

Once you Telnet to 10.0.0.1 (from a host in the 10.0.0.0/24 network), the authentication is performed on the router. After you enter the username and password, the connection closes. You should then see the additional permit entry (the last line in the output below). You can now access the 172.16.0.0/24 network.

 

Router#sh access-lists
Extended IP access list 100
    10 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet (24 matches)
    20 Dynamic MYLIST permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
       permit ip host 10.0.0.2 172.16.0.0 0.0.0.255

Hello Georg,

I have tried it; it does not work, but thank you for your help!

Mihaly

Hello,

 

What are you trying to accomplish?

You will always be disconnected; that is what the dynamic access list does. But after you are disconnected, a dynamic entry is added to your access list, which allows access from the network you specified.

 

Once you are disconnected, check for an extra line in the output of 'show access-lists'...

Hello,

Yes, I can ping the IP 172.16.0.2 from the 10.0.0.0 network, but Telnet does not work.

However, this line in the ACL allows it: access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
I do not understand why I am always disconnected.

Hello
Can you confirm what you are trying to accomplish here: is host 10.1.1.1 the router that authenticates users from 10.0.0.0/24 via a Telnet session to host 10.1.1.1, after which those 10.0.0.0/16 users are able to communicate with users in the 172.16.0.0/24 network?
If so, then the termination you experience is expected, as host 10.1.1.1 has authenticated the Telnet session, so you should then be able to reach the 172.16.0.0/16 users. However, what I would suggest is to append an ACE to the ACL to allow the return traffic from the 172.16.0.0/16 network:

access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 100 permit tcp any any established

access-list 100 dynamic Testlist timeout 5 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello

Just realised that you are asking to allow local access to the router 10.1.1.1 when using a DACL.

If so, then you need to append to the extended access-list again to allow this to happen, and use a different local access credential (not really necessary, but I personally would do so).


username local privilege 15 secret fred
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
permit tcp any host 10.1.23.2 eq 3050
access-list 100 permit tcp any any established

access-list 100 dynamic Testlist timeout 5 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255

 

line vty 5
 rotary 50
 login local

Then from a host
telnet 10.1.1.1 3050



Kind Regards
Paul

Hi Paul,

I installed the extra lines, but it does not work.

Why the IP 10.1.23.2? The IP of the router is 10.0.0.1.

error message on client:

Client#telnet 10.0.0.1 3050
Trying 10.0.0.1, 3050 ...
% Destination unreachable; gateway or host down

 

or:

Username:
[Connection to 10.0.0.1 closed by foreign host]

 

Many thanks

Mihaly 

 

Hello

That was a typo on my part; it should read 10.0.0.1, the IP of the router.


access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 100 permit tcp any host 10.0.0.1 eq 3050
access-list 100 permit tcp any any established
access-list 100 dynamic Testlist timeout 5 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255

 

Amend the ACL to look like the above, also add the rotary on the vty line, and test again.



Kind Regards
Paul
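A complete version of the setup the thread converges on (lock-and-key on one vty group, ordinary management access on a separate rotary vty), added here as an example; it is not the original poster's running config nor any replier's. It assumes the thread's addressing (clients on 10.0.0.0/24 behind Gi0/0 at 10.0.0.1, protected network 172.16.0.0/24, user "usr"); the second user "admin", both passwords and rotary group 50 (TCP port 3050) are placeholders.

```cisco
! Added example, not the thread's own config. Addresses follow the thread;
! user "admin", both passwords and rotary 50 / port 3050 are placeholders.
!
! "secret" stores a hash; the "password 0" form in the thread is reversible.
username usr secret pass
username admin privilege 15 secret admin-pass
!
! ACL 100 is applied inbound on the client-facing interface, so it only
! sees packets coming FROM the clients. Order matters (first match wins,
! implicit deny at the end):
!  10  clients may reach the router's Telnet port to authenticate
!  20  clients may reach the management vty on port 3050 (3000 + rotary 50)
!  30  dynamic placeholder: "access-enable host" inserts a per-source-host
!      entry under this line; "timeout 5" here is the ABSOLUTE lifetime in
!      minutes, the idle timeout is set on the autocommand below
! No "established" ACE: replies from 172.16.0.0/24 arrive on the other
! interface and are never checked against this ACL, and "established"
! would admit any TCP segment with ACK or RST set regardless of login.
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 3050
access-list 100 dynamic Testlist timeout 5 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
interface GigabitEthernet0/0
 description Link to Client
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
!
! vty 0-4: lock-and-key only. After a successful login the autocommand
! creates the dynamic entry for the caller's source address and then ends
! the session, so "[Connection to 10.0.0.1 closed by foreign host]" is the
! expected result on these lines, not a failure. "timeout 5" here is the
! IDLE timeout of the created entry, in minutes.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
 transport input telnet
!
! vty 5: normal exec access on port 3050. No autocommand, so logging in
! here gives a shell and does NOT create a dynamic entry; a client that
! wants both must log in on port 23 first, then on port 3050.
line vty 5
 rotary 50
 login local
 transport input telnet
```

From a client, "telnet 10.0.0.1" authenticates and is closed immediately; "show access-lists" on the router then shows the temporary "permit ip host 10.0.0.2 172.16.0.0 0.0.0.255" entry indented under the dynamic line until the idle or absolute timeout expires. "telnet 10.0.0.1 3050" gives an ordinary login on vty 5.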

Hello,

Thanks again, I will try it later; currently my VIRL does not work properly.

 

kind regards

Mihaly

Hello Paul,

I could try it now. I followed your instructions; it still does not work:

Username: usr
Password:
[Connection to 10.0.0.1 closed by foreign host]

 

After your config, the ping doesn't work either:

Client#ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
UUUUU

 

kind regards

Mihaly

Hello

Can you post the following:
show access-lists

sh run | in vty



Kind Regards
Paul

Hello,

sorry for the late answer:

Currently on the router:
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 100 permit tcp any host 10.0.0.1 eq 3050
access-list 100 permit tcp any any established
access-list 100 dynamic Testlist timeout 5 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255

line vty 5
 rotary 50
 login local
 transport input telnet

So Telnet works (Client#telnet 10.0.0.1 3050), but ping towards 172.16.0.2 does not work.

Router#sh access-lists
Extended IP access list 100
10 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet (72 matches)
20 Dynamic MYLIST permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
30 permit tcp any host 10.0.0.1 eq 3050 (151 matches)
40 permit tcp any any established
Without line vty 5, the Telnet connection does not work.


If this line is deleted:
access-list 100 permit tcp any host 10.0.0.1 eq 3050
then ping to 172.16.0.2 works, but Telnet does not.

 

best regards

Mihaly
