access-class 10 out - not working

At first I thought that blocking outbound traffic from the VTY line was to block outbound sessions from a particular router. However, I recalled that traffic generated from a device is not filtered by the ACLs on that device.

I have read that this configuration:
R5#show access-lists
Standard IP access list 10
    10 deny any

R5#show running-config | section line vty
line vty 0 4
 access-class 10 out
 password telnet
 login
 transport input telnet
line vty 5 15
 access-class 10 out
 password telnet
 login
 transport input telnet
is supposed to block situations like this: R6 telnets to R5 (this is where the outbound traffic from the VTY line should be blocked) and from R5 we telnet to R1. This shouldn't work, but it does, and I don't understand why.
R6#telnet 10.20.20.5
Trying 10.20.20.5 ...Open
User Access Verification
Password:
R5>telnet 10.10.10.1
Trying 10.10.10.1 ...Open
User Access Verification
Password:
R1>

[attached image: topology diagram]

Do you have any ideas why this works? Thanks for every attempt to help!
In this video, everything works correctly. I think I did everything the way he did it.
https://www.youtube.com/watch?v=kn1efVxmq-0

8 Replies

liviu.gheorghe

Hello @krzysztofmaciejewskiit ,

To restrict access via telnet or ssh to your router R5, the access-class 10 should be configured in, not out.

Regards, LG
*** Please Rate All Helpful Responses ***

I am aware of this; however, this is not what I want to achieve. I set up this post to understand the operation of "access-class X out".

This works if you access R5 and from there access R6.
Here the ACL VTY OUT will work.

MHM

No, it does not work. As I wrote, I connect from R6 to R5 via telnet and from R5 to R1 also via telnet (I expect that my ACL will block me here, however this does not happen).
I've provided the topology below; if you want, you can check it yourself. Thanks for the reply!

Your access-class 10 out will work only if you are connected to R5 via telnet or ssh, that is, you are using a vty line. Only then will the access-class out command restrict your telnet to R1.

If you are connected via console, as I imagine you are, the access-class out will not work, as you have seen already.

Regards, LG
*** Please Rate All Helpful Responses ***

I wrote in the post that I connect from R6 to R5 via telnet and from R5 to R1 also via telnet (I expect that my ACL will block me here, however this does not happen). I am sending the CPT file so you can check it yourself if you want and have the time.

I see what you mean now, and I could only speculate that it's a limitation of Packet Tracer.

If you work with real routers, then when telnetting from R6 to R5, which has the access-class 10 out configured on the vty lines, you will not be able to telnet to R1. The message that you receive is:

R5#telnet 10.10.10.1
Trying 10.10.10.1 ...
% Connections to that host not permitted from this terminal
R5#

Regards, LG
*** Please Rate All Helpful Responses ***
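To make the behaviour described in the accepted answer (and the in-versus-out point from the first reply) concrete, here is an added example that models the access-class semantics in Python. It is not code from this thread, from Packet Tracer or from Cisco; the running-config it parses is constructed for the example, and the addresses in it (R6 on 10.20.20.0/24, R1 at 10.10.10.1) are assumptions taken from the thread. It encodes the rules the thread establishes: an in list is matched against the source of an incoming vty connection, an out list is matched against the destination of a telnet started from a vty session, a session on the console is not subject to the out list, and an unmatched or undefined list is an implicit deny. It also flags vty lines with no in list, which is the hardening gap LG pointed out first.

```python
"""Model of Cisco IOS 'access-class' behaviour on vty lines.

Added illustration, not IOS code. Assumptions:
- standard ACL entries look like 'access-list N permit|deny any',
  '... host A.B.C.D' or '... A.B.C.D WILDCARD' (contiguous wildcard only)
- 'access-class N in'  is matched against the source of an incoming vty connection
- 'access-class N out' is matched against the destination of a telnet/ssh started
  from a session that itself arrived on a vty line; console sessions are not checked
- no matching entry, or a referenced but undefined list, is the implicit deny
"""
import ipaddress
import re

# Constructed running-config for this example: R5 with separate in and out lists.
# 10.20.20.0/24 as R6's subnet and 10.10.10.1 as R1 are assumptions from the thread.
SAMPLE_CONFIG = """
access-list 10 permit 10.20.20.0 0.0.0.255
access-list 20 permit host 10.10.10.1
access-list 20 deny any
line con 0
 login
line vty 0 4
 access-class 10 in
 access-class 20 out
 login
 transport input telnet
line vty 5 15
 access-class 20 out
 login
 transport input telnet
"""


def _parse_match(spec):
    """Turn the address part of a standard ACL entry into an ip_network."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    wildcard = parts[1] if len(parts) > 1 else "0.0.0.0"
    # A wildcard mask is the inverse of a netmask (assumes a contiguous mask).
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((parts[0], str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_config(text):
    """Return (acls, lines): ACL number -> [(action, network)], line -> {in/out: ACL}."""
    acls, lines, current = {}, {}, None
    for raw in text.splitlines():
        stmt = raw.strip()
        m = re.match(r"access-list (\d+) (permit|deny) (.+)", stmt)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), _parse_match(m.group(3))))
            continue
        m = re.match(r"line (con|vty|aux)\b(.*)", stmt)
        if m:
            current = (m.group(1) + m.group(2)).strip()
            lines[current] = {}
            continue
        m = re.match(r"access-class (\d+) (in|out)", stmt)
        if m and current is not None:
            lines[current][m.group(2)] = m.group(1)
    return acls, lines


def acl_permits(acls, number, address):
    """First matching entry wins; no match (or an undefined list) is the implicit deny."""
    addr = ipaddress.ip_address(address)
    for action, net in acls.get(number, []):
        if addr in net:
            return action == "permit"
    return False


def inbound_allowed(acls, lines, line, source):
    """May a host at `source` open a telnet/ssh session on this vty line?"""
    acl = lines.get(line, {}).get("in")
    return True if acl is None else acl_permits(acls, acl, source)


def outbound_allowed(acls, lines, session_line, destination):
    """May an operator whose own session arrived on `session_line` telnet to `destination`?
    Only vty sessions are subject to 'access-class ... out'; console and aux are not."""
    if not session_line.startswith("vty"):
        return True
    acl = lines.get(session_line, {}).get("out")
    return True if acl is None else acl_permits(acls, acl, destination)


def vty_lines_without_inbound_filter(lines):
    """Hardening check: vty lines that accept connections from anywhere."""
    return sorted(name for name, rules in lines.items()
                  if name.startswith("vty") and "in" not in rules)


if __name__ == "__main__":
    acls, lines = parse_config(SAMPLE_CONFIG)
    print(inbound_allowed(acls, lines, "vty 0 4", "10.20.20.6"))    # True: R6 may connect
    print(outbound_allowed(acls, lines, "vty 0 4", "10.10.10.1"))   # True: R1 is permitted by list 20
    print(outbound_allowed(acls, lines, "vty 0 4", "10.30.30.1"))   # False: 'deny any' in list 20
    print(outbound_allowed(acls, lines, "con 0", "10.30.30.1"))     # True: console is not filtered
    print(vty_lines_without_inbound_filter(lines))                  # ['vty 5 15']
```

Feeding it the thread's own configuration (list 10 containing only `deny any`, applied `out`) gives the result LG describes for real hardware: any telnet started from a vty session on R5 is refused, while the same telnet from the console goes through. The `vty_lines_without_inbound_filter` check is what you would actually run over a config dump, since a vty line with no in list is reachable from any source address.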

Thanks for the answer!
I will try to test this on physical hardware or in GNS3; maybe it will be reproduced better there.
