04-16-2011 03:16 AM - edited 03-06-2019 04:39 PM
Hi everybody,
I hope you guys are having a good weekend.
Here is my scenario:
My understanding of the command "access-class 1 out" is that it is used to control outgoing telnet connections to the destinations specified in access list 1 through a router on which it is configured.
Please correct me if i am wrong.
In my example, my goal is to restrict telnet access into host1, with the stipulation that we must use the "access-class" command on R2.
R1 s0 -------- 200.200.200.0/24 -------- s0 R2 f0 ---- 199.199.199.0/24 ---- host1

host1: f0 199.199.199.3
R1: s0 200.200.200.1
R2: s0 200.200.200.2, f0 199.199.199.2
access-list 1 permit 199.199.199.5
(just a random IP address; the intention is that the implicit deny at the end will deny telnet packets going to 199.199.199.3)
line vty 0 4
access-class 1 out
I performed the above scenario with GNS3. Surprisingly, I was able to telnet into h1, though all telnet packets should have been dropped at R2.
I really appreciate your help.
thanks and enjoy your weekend.
04-16-2011 03:19 AM
Edit: forgot to mention, I telnetted from R1 to h1.
04-16-2011 06:10 AM
Hi,
The ACL on your example won't work the way you describe it. You can still telnet from R1 to H1 because this has nothing to do with R2's VTY lines.
R2 VTY lines are used to connect to R2.
The standard ACL in your example won't work so you need an extended one to check the implicit deny feature.
Here goes:
access-list 101 permit tcp any host 199.199.199.5
Then go to interface S0 and add a new ip access-group:
ip access-group 101 out
Try it and you'll see it works.
Best regards,
Giorgos
04-16-2011 06:52 AM
Thanks for your reply.
My question is: what is the purpose of the "access-class (number or name) out" command? (Keeping in mind that an access list has no effect on locally generated packets.)
thanks.
04-16-2011 07:11 AM
Well, access-class restricts incoming or outgoing connections between a Cisco device VTY line and the IP addresses in the ACL.
Regards,
Giorgos
04-18-2011 03:53 AM
Thanks for your reply.
As you said, access-class restricts incoming or outgoing connections over the vty lines.
My goal is to see if outgoing telnet connections can be restricted by using this command.
Let's revisit my example:
R1---------------R2-----------------host
R1: 199.199.199.1/24
R2 s0: 199.199.199.2/24
R2 f0: 200.200.200.2/24
host: 200.200.200.3/24
The objective is to deny telnet connections from R1 to host by using the access-class command on R2. (That is our constraint, i.e. only the access-class command on R2 must be used.)
I configured my R2 as follows:
line vty 0 4
access-class 1 out
access-list 1 deny host 200.200.200.3
When I performed this lab, R2 did not block the telnet connection going through it from R1 to host.
The big question is why? Why does the access-class command fail to block the telnet connection?
thanks and have a nice day.
04-18-2011 04:21 AM
Hi Sarah,
Let me try my level best.
The access-class command is used to restrict VTY access into the RTR/Switch through access-class X [in|out]. If you apply this access-class on R2, that means you are trying to restrict VTY access to RTR R2, not the traffic passing through R2 and not the telnet traffic initiated from R2.
Your objective is to deny telnet traffic from R1 to Host. That means source IP as R1 IP, destination as host IP, and destined to port 23. We cannot achieve this restriction through access-class because, as I already mentioned, access-class is to restrict VTY access into the RTR/Switch, not for the traffic that passes through the Router.
So you have to apply the ACL on RTR R2's input or output interface so that it blocks the telnet traffic to the host.
For example:
R1[Fa0] <------->[Fa0]R2[F1]------> Host
You can apply like this.
ip access-list extended ACL
 10 deny tcp any any eq 23
 20 permit ip any any
R2(config)# interface fa 0
R2(config-if)# ip access-group ACL in
or
R2(config)# interface fa 0
R2(config-if)# ip access-group ACL out
Let me know if you have any question.
Thanks,
Kasi
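The following is an added Python model of the point Kasi and Giorgos make above; it is not code from the thread or from Cisco. It models IOS ACL evaluation (wildcard masks, first match, implicit deny) and the two attachment points: ip access-group on an interface, which transit traffic consults, and access-class on the VTY lines, which only sessions terminating on or started from that router consult. The Router class, its method names, and the packet tuple are constructed for this illustration; the addresses are the ones from the revisited topology (R1 199.199.199.1, host 200.200.200.3). It also generalises slightly beyond the thread by showing that access-class out does restrict telnet started from R2 itself.

```python
"""Toy model of where Cisco IOS ACLs take effect (constructed example, not IOS code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 23            # telnet


@dataclass(frozen=True)
class StdEntry:                # access-list 1 permit|deny <addr> [wildcard]
    action: str
    addr: str
    wildcard: str = "0.0.0.0"


@dataclass(frozen=True)
class ExtEntry:                # access-list 101 permit|deny <proto> <src> <dst> [eq port]
    action: str
    proto: str                 # "tcp", "udp" or "ip" (any protocol)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None


ANY = ("0.0.0.0", "255.255.255.255")   # the IOS keyword "any"


def evaluate(acl, pkt: Packet, std_field: str = "src") -> bool:
    """First matching entry decides; no match (or an empty ACL) is the implicit deny."""
    for e in acl:
        if isinstance(e, StdEntry):
            # a standard ACL only ever looks at one address
            hit = wildcard_match(getattr(pkt, std_field), e.addr, e.wildcard)
        else:
            hit = (e.proto in ("ip", pkt.proto)
                   and wildcard_match(pkt.src, e.src, e.src_wc)
                   and wildcard_match(pkt.dst, e.dst, e.dst_wc)
                   and (e.dport is None or e.dport == pkt.dport))
        if hit:
            return e.action == "permit"
    return False


class Router:
    def __init__(self, name: str):
        self.name = name
        self.iface_acls = {}   # (interface, "in"|"out") -> acl   (ip access-group)
        self.vty_acls = {}     # "in"|"out" -> acl                (access-class)

    def access_group(self, iface, direction, acl):
        self.iface_acls[(iface, direction)] = acl

    def access_class(self, direction, acl):
        self.vty_acls[direction] = acl

    def forwards(self, pkt, in_iface, out_iface) -> bool:
        """Transit traffic consults only interface ACLs; the VTY ACL is never looked at."""
        for key in ((in_iface, "in"), (out_iface, "out")):
            acl = self.iface_acls.get(key)
            if acl is not None and not evaluate(acl, pkt):
                return False
        return True

    def accepts_vty_login(self, pkt) -> bool:
        """Telnet *to* this router: access-class in, matched on the source address."""
        acl = self.vty_acls.get("in")
        return acl is None or evaluate(acl, pkt, std_field="src")

    def may_telnet_out(self, pkt) -> bool:
        """Telnet started *from* this router's VTY: access-class out, address
        in the standard ACL compared against the destination."""
        acl = self.vty_acls.get("out")
        return acl is None or evaluate(acl, pkt, std_field="dst")


# Revisited topology from the thread: R1 --- s0 R2 f0 --- host
R1, R2_F0, HOST = "199.199.199.1", "200.200.200.2", "200.200.200.3"
telnet_r1_to_host = Packet(src=R1, dst=HOST)


def original_attempt():
    """access-list 1 deny host 200.200.200.3 ; line vty 0 4 ; access-class 1 out"""
    r2 = Router("R2")
    r2.access_class("out", [StdEntry("deny", HOST)])
    # (transit telnet from R1 forwarded?, telnet from R2 itself allowed?)
    return (r2.forwards(telnet_r1_to_host, "s0", "f0"),
            r2.may_telnet_out(Packet(src=R2_F0, dst=HOST)))


def working_fix():
    """Extended ACL (deny tcp any host <host> eq 23, permit ip any any) with
    ip access-group ... out on f0, as the replies recommend."""
    r2 = Router("R2")
    r2.access_group("f0", "out", [
        ExtEntry("deny", "tcp", *ANY, HOST, "0.0.0.0", 23),
        ExtEntry("permit", "ip", *ANY, *ANY),
    ])
    # (transit telnet from R1 forwarded?, transit HTTP from R1 forwarded?)
    return (r2.forwards(telnet_r1_to_host, "s0", "f0"),
            r2.forwards(Packet(src=R1, dst=HOST, dport=80), "s0", "f0"))
```

original_attempt() returns (True, False): the transit telnet from R1 passes untouched while only a telnet session opened from R2's own VTY is denied, which is what the lab showed. working_fix() returns (False, True): the interface ACL drops the transit telnet and, because of the explicit permit ip any any before the implicit deny, still forwards other traffic.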
04-18-2011 04:32 AM
You are welcome!
ACL 1 does not deny telnet connections to H1 because it's been set on R2.
Since you need to deny telnet connections from R1 to H2 you can either create the same ACL with the one on your example on R1, or use the extended ACL I posted on R2.
Access-class is used on VTY lines to deny or permit access from or to the same device's VTY lines. You need to deny telnet access to another device. It won't work that way.
Regards,
Giorgos
04-19-2011 01:17 PM
Thanks, Giorgos.
04-21-2011 08:22 AM
You are welcome!
Thanks for rating!
Giorgos
04-18-2011 02:07 PM
The rule that an access list will not affect traffic generated by the router is true when the access list is applied by access-group and not true when applied by access-class.
The use of access-class is to restrict telnet originated by the router.
If you want R2 to block telnet by R1 then you must use access-group and not access-class.
HTH
Rick
Sent from Cisco Technical Support iPhone App
04-19-2011 01:15 PM
Thanks, Richard.