12-30-2005 11:34 PM - edited 03-05-2019 11:44 AM
I have a small question. I have 2 networks (1 & 2) connected to a router on interface fa0/1 and fa0/2 respectively. I would like to deny telnet access from network 1 to network 2. With the condition that interface fa0/1 is configured access-group out.
Thank you,
Marc Alonzo
12-31-2005 02:26 AM
Hi,
interface Fa0/1
ip address 10.1.1.1 255.255.255.0
ip access-group 100 out
interface Fa0/2
ip address 192.168.2.2 255.255.255.128
access-list 100 deny tcp 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.127 eq telnet
access-list 100 permit ip any any
Hope this helps
Martin
12-31-2005 03:19 AM
Dear Martin,
This configuration would be right if the interface fa0/1 is configured as ip access-group 100 in and not out.
I have tried as you have said but I can still telnet.
Thank you
Marc Alonzo
12-31-2005 03:31 AM
Hi,
Strange ... from where to where are you doing the telnet?
Martin
Edit: Oops, yes this is exactly the question.
access-list 100 deny tcp 192.168.2.0 0.0.0.127 eq telnet 10.1.1.0 0.0.0.255
access-list 100 permit ip any any
This will do it.
12-31-2005 04:00 AM
OK great, it is working ... So we should just swap the source and destination addresses!
You have been very helpful
Thanks ...
12-31-2005 04:15 AM
Yes, because in the direction the traffic is checked by the access-list, the source is in 192.168.2.0 and the destination of the packet is in 10.1.1.0.
Happy New Year
Martin
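The direction rule Martin explains above, as an added example that is not part of the thread: a small Python model of the two-interface router that parses the two ACLs exactly as posted, applies them in or out on Fa0/1, and walks a telnet SYN and its SYN-ACK reply through the router. The host addresses 10.1.1.10 and 192.168.2.10, the client's ephemeral port 40000, the reduced ACL grammar and the use of connected subnets instead of a routing table are assumptions of the model, not facts from the thread.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # names used in the thread's ACLs; "eq <number>" also works
Ace = namedtuple("Ace", "action proto src sport dst dport")  # src/dst are (base, wildcard) pairs
Packet = namedtuple("Packet", "proto src sport dst dport")
Interface = namedtuple("Interface", "name network acl_in acl_out", defaults=(None, None))

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit is 'don't care', a 0 bit must equal the base address bit."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(addr) ^ _ip(base)) & care) == 0

def _parse_addr(t, i):
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _parse_port(t, i):
    if i < len(t) and t[i] == "eq":
        return (PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])), i + 2
    return None, i

def parse_acl(lines):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]' lines into {N: [Ace, ...]}."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, sport, dst, dport))
    return acls

def acl_permits(aces, pkt):
    """First matching entry wins; no match falls through to the implicit 'deny any'."""
    for a in aces:
        if a.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, *a.src) and wildcard_match(pkt.dst, *a.dst)):
            continue
        if (a.sport is not None and a.sport != pkt.sport) or (a.dport is not None and a.dport != pkt.dport):
            continue
        return a.action == "permit"
    return False

class Router:
    """A packet enters on the interface whose subnet holds its source and leaves on the one
    holding its destination (assumption: connected routes only, no routing table)."""
    def __init__(self, interfaces, acls):
        self.ifs, self.acls = interfaces, acls

    def _iface_for(self, addr):
        for i in self.ifs:
            if ipaddress.IPv4Address(addr) in i.network:
                return i
        raise ValueError("no route for " + addr)

    def forward(self, pkt):
        """The 'in' ACL is checked on the ingress interface, the 'out' ACL on the egress interface."""
        ingress, egress = self._iface_for(pkt.src), self._iface_for(pkt.dst)
        if ingress.acl_in and not acl_permits(self.acls[ingress.acl_in], pkt):
            return False
        if egress.acl_out and not acl_permits(self.acls[egress.acl_out], pkt):
            return False
        return True

def build(acl_lines, acl_in=None, acl_out=None):
    """The thread's topology: Fa0/1 = 10.1.1.0/24, Fa0/2 = 192.168.2.0/25, ACL only on Fa0/1."""
    ifs = [Interface("Fa0/1", ipaddress.IPv4Network("10.1.1.0/24"), acl_in, acl_out),
           Interface("Fa0/2", ipaddress.IPv4Network("192.168.2.0/25"))]
    return Router(ifs, parse_acl(acl_lines))

# The two ACLs exactly as posted in the thread.
FIRST_ACL = ["access-list 100 deny tcp 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.127 eq telnet",
             "access-list 100 permit ip any any"]
SWAPPED_ACL = ["access-list 100 deny tcp 192.168.2.0 0.0.0.127 eq telnet 10.1.1.0 0.0.0.255",
               "access-list 100 permit ip any any"]
# Host addresses and the client's ephemeral port are assumptions for the simulation.
CLIENT, SERVER, EPHEMERAL = "10.1.1.10", "192.168.2.10", 40000
SYN = Packet("tcp", CLIENT, EPHEMERAL, SERVER, 23)
SYN_ACK = Packet("tcp", SERVER, 23, CLIENT, EPHEMERAL)

def telnet_works(router):
    """A session needs the SYN to reach the server and the SYN-ACK to come back."""
    return router.forward(SYN) and router.forward(SYN_ACK)

def first_acl_out():   # Martin's first post: telnet still works, the out ACL on Fa0/1 never sees the SYN
    return telnet_works(build(FIRST_ACL, acl_out="100"))

def first_acl_in():    # Marc's remark: the same ACL applied 'in' on Fa0/1 does block it
    return telnet_works(build(FIRST_ACL, acl_in="100"))

def swapped_acl_out():  # Martin's fix: the reply from port 23 is dropped on its way out of Fa0/1
    return telnet_works(build(SWAPPED_ACL, acl_out="100"))

def swapped_acl_syn_reaches_server():  # ...while the SYN itself still reaches network 2
    return build(SWAPPED_ACL, acl_out="100").forward(SYN)

if __name__ == "__main__":
    for f in (first_acl_out, first_acl_in, swapped_acl_out, swapped_acl_syn_reaches_server):
        print(f.__name__, f())
```

Two things the model makes visible that the thread only implies. With the out ACL on Fa0/1, the only packets of this session that ever cross that ACL are the replies from the telnet server, so the swapped entry has to match source 192.168.2.0/25 and source port 23; the SYN itself is routed out of Fa0/2 untouched and still reaches the server in network 2, which will see (and may log) the half-open connection attempt. The swapped entry also drops any TCP segment from 192.168.2.0/25 to 10.1.1.0/24 whose source port happens to be 23, telnet or not. If the ACL can be placed in on Fa0/1, as Marc noted, the original entry drops the SYN before it is routed at all.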