access-class 1 out

sarahr202
Level 5

Hi everybody,

I hope you guys are having a good weekend.

Here is my scenario:

My understanding of the command "access-class 1 out" is that it is used to control outgoing telnet connections to the destinations specified in access list 1, through the router on which it is configured.

Please correct me if I am wrong.

In my example, my goal is to restrict telnet access into host1, with the stipulation that we must use the "access-class" command on R2.

R1 s0--------200.200.200.0/24------------s0 R2 f0----199.199.199.0/24---host1

h1 f0: 199.199.199.3
R1 s0: 200.200.200.1
R2 s0: 200.200.200.2
R2 f0: 199.199.199.2

access-list 1 permit 199.199.199.5   (just a random IP address; the intention is that the implicit deny at the end will deny telnet packets going to 199.199.199.3)

line vty 0 4

access-class 1 out

I performed the above scenario in GNS3. Surprisingly, I was able to telnet into h1, though all telnet packets should have been dropped at R2.

I really appreciate your help.

thanks and enjoy your weekend.


11 Replies

sarahr202
Level 5

Edit: forgot to mention, I telnetted from R1 to h1.

Hi,

The ACL in your example won't work the way you describe it. You can still telnet from R1 to H1 because this has nothing to do with R2's VTY lines.

R2's VTY lines are used to connect to R2.

The standard ACL in your example won't work, so you need an extended one to check the implicit deny feature.

Here goes:

access-list 101 permit tcp any host 199.199.199.5

Then go to interface S0 and add a new ip access-group:

ip access-group 101 out

Try it and you'll see it works.

Best regards,

Giorgos

Thanks for your reply.

My question is: what is the purpose of the "access-class (number or name) out" command? (Keeping in mind that an access list has no effect on locally generated packets.)

thanks.

Well, access-class restricts incoming or outgoing connections between a Cisco device's VTY lines and the IP addresses in the ACL.

Regards,

Giorgos

Thanks for your reply.

As you said, access-class restricts incoming or outgoing connections over VTY lines.

My goal is to see if outgoing telnet connections can be restricted by using this command.

Let me revisit my example:

R1---------------R2-----------------host

R1: 199.199.199.1/24
R2 s0: 199.199.199.2/24
R2 f0: 200.200.200.2/24
host: 200.200.200.3/24

The objective is to deny telnet connections from R1 to the host by using the access-class command on R2. (That is our constraint, i.e. only the access-class command on R2 may be used.)

I configured my R2 as follows:

line vty 0 4
 access-class 1 out

access-list 1 deny host 200.200.200.3

When I performed this lab, R2 did not block the telnet connection going through it from R1 to the host.

The big question is: why? Why does the access-class command fail to block the telnet connection?

thanks and have a nice day.

Hi Sarah,

Let me try my level best.

The access-class command is used to restrict VTY access into the router/switch, through access-class X [in|out]. If you apply this access-class on R2, that means you are trying to restrict VTY access to router R2, not the traffic passing through R2, nor the telnet traffic initiated from R2.

Your objective is to deny telnet traffic from R1 to the host. That means source IP = R1's IP, destination = the host's IP, destined to port 23. We cannot achieve this restriction through access-class because, as I already mentioned, access-class restricts VTY access into the router/switch, not traffic that passes through the router.

So you have to apply the ACL on R2's input or output interface so that it blocks the telnet traffic to the host.

For example:

R1[Fa0] <------->[Fa0]R2[F1]------> Host

You can apply like this.

ip access-list extended ACL
 10 deny tcp any any eq telnet
 20 permit ip any any

R2(config)# interface fa 0
R2(config-if)# ip access-group ACL in

or

R2(config)# interface fa 1
R2(config-if)# ip access-group ACL out

Let me know if you have any question.

Thanks,

Kasi
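The interface-ACL fix Kasi describes, written out as a complete R2 configuration with a verification step. This is an added example, not configuration posted in the thread. It uses the addressing from Sarah's second topology (R1 199.199.199.1, R2 s0 199.199.199.2, R2 f0 200.200.200.2, host 200.200.200.3), assumes the R1-facing interface is named Serial0, and the ACL name BLOCK-TELNET-TO-HOST is an arbitrary label.

```cisco
! R2: data-plane filter. Telnet from R1 to the host TRANSITS R2, so it is only
! evaluated by an ACL bound to an interface with "ip access-group"; "access-class"
! on the VTY lines never sees it.
! Addressing assumed from the thread: R1 199.199.199.1, R2 s0 199.199.199.2,
! R2 f0 200.200.200.2, host 200.200.200.3. Interface name Serial0 is assumed.
ip access-list extended BLOCK-TELNET-TO-HOST
 remark deny telnet (tcp/23) from R1 to the host; log hits so the block is visible
 10 deny   tcp host 199.199.199.1 host 200.200.200.3 eq telnet log
 remark everything else must transit normally, otherwise the implicit deny
 remark at the end of the list drops ALL other traffic, routing included
 20 permit ip any any
!
interface Serial0
 description link to R1
 ip address 199.199.199.2 255.255.255.0
 ip access-group BLOCK-TELNET-TO-HOST in
!
! Verification from R2's exec prompt after attempting "telnet 200.200.200.3" on R1:
!   show ip access-lists BLOCK-TELNET-TO-HOST
!     -> the match counter on line 10 increments for each blocked attempt
!   show ip interface Serial0 | include access list
!     -> confirms the list is bound inbound on the R1-facing interface
```

The list is bound inbound on the interface facing R1 so the denied packets are dropped before R2 routes them, and the explicit `permit ip any any` keeps the change limited to telnet. As the thread points out, an interface ACL does not inspect packets R2 itself originates, so a telnet started on R2 is not affected by this configuration.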

You are welcome!

ACL 1 does not deny telnet connections to H1 because it's been set on R2.

Since you need to deny telnet connections from R1 to H1, you can either create the same ACL as the one in your example on R1, or use the extended ACL I posted on R2.

Access-class is used on VTY lines to deny or permit access from or to the same device's VTY lines. You need to deny telnet access to another device. It won't work that way.

Regards,

Giorgos

Thanks, Giorgos.

You are welcome!

Thanks for rating!

Giorgos

Richard Burts
Hall of Fame

The rule that an access list will not affect traffic generated by the router is true when the access list is applied by access-group and not true when applied by access-class.

The use of access-class is to restrict telnet originated by the router.

If you want R2 to block telnet by R1 then you must use access-group and not access-class.

HTH

Rick

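What `access-class ... in` and `access-class ... out` on R2's VTY lines actually control, as an added example that is not configuration from the thread. It uses the same addressing as Sarah's second topology (R1 199.199.199.1, R2 s0 199.199.199.2, host 200.200.200.3); ACL numbers 10 and 11 are arbitrary, and the existing login and transport settings on the lines are assumed to stay as they are. The outbound restriction covers connections started from a session on those VTY lines; a telnet typed at the console is not covered unless access-class is also applied under `line con 0`.

```cisco
! R2: management-plane filters. access-class only evaluates sessions that
! terminate on R2's own VTY lines (in) or are started from them (out).
! Addressing assumed from the thread: R1 199.199.199.1, host 200.200.200.3.
!
! "in": who may open a telnet/SSH session TO R2. The source address of the
! incoming connection is matched against the list.
access-list 10 remark sources allowed to manage R2
access-list 10 permit 199.199.199.0 0.0.0.255
! implicit deny: any other source is refused at the VTY
!
! "out": where a user already logged into a VTY on R2 may telnet out TO.
! The destination address of the outgoing connection is matched against
! the list. This is the only thing the thread's "access-class 1 out" can influence.
access-list 11 remark outbound session targets from R2's VTY sessions
access-list 11 deny   host 200.200.200.3
access-list 11 permit any
!
line vty 0 4
 access-class 10 in
 access-class 11 out
!
! Expected behaviour (assumed, consistent with the thread's explanation):
!   R1#telnet 199.199.199.2   -> accepted: source 199.199.199.1 matches ACL 10
!   R2#telnet 200.200.200.3   -> refused when issued from a VTY session on R2:
!                                destination matches the deny in ACL 11
!   R1#telnet 200.200.200.3   -> still succeeds THROUGH R2: transit traffic is
!                                never evaluated by access-class; an interface
!                                ACL applied with "ip access-group" is needed
!
! Verification: "show access-lists 10" / "show access-lists 11" show match
! counters; "show running-config | section line vty" confirms the bindings.
```

Note that `access-class 11 out` needs the trailing `permit any`: with the implicit deny alone, every outbound telnet from a VTY session on R2 would be refused, not just the one to the host.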

Thanks, Richard.
