06-06-2022 04:40 AM
Hi Experts,
Doing a lab for an ACL to block telnet for PC2 (10.0.0.2), while on the other side all systems should be able to use telnet.
I have access-list 100 with the below config.
permit tcp any any
permit ip any any
deny tcp host 10.0.0.2 any eq telnet
Telnet is not being blocked.
06-06-2022 04:45 AM
It seems the ACL statement order is wrong. Move the telnet-blocking statement to the top and check.
ACL statements are processed top down; the first match wins.
Thanks,
Jitendra
06-06-2022 05:00 AM
Can you check "show access-list"?
Since you have changed the statement order,
now check the direction (inside or outside) on the ACL. Change it accordingly: if you are applying the ACL on the outside interface, then it should be outside.
Thanks,
Jitendra
06-06-2022 04:48 AM
Try this way
ip access-list 100
10 deny tcp host 10.0.0.2 any eq telnet
20 permit tcp any any
30 permit ip any any
06-06-2022 04:52 AM
done this but unfortunately still not blocking telnet.
06-06-2022 04:52 AM
Your access list is wrong. Remember it is always an explicit deny statement in an ACL.
permit tcp any any
permit ip any any
deny tcp host 10.0.0.2 any eq telnet
In order to block the telnet:
10 deny tcp host 10.0.0.2 any eq telnet
20 permit tcp any any
30 permit ip any any
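As an added illustration of the ordering point made in this thread (example code, not from the thread or from Cisco IOS): a small first-match simulator for IOS-style extended ACL entries. It parses the two ACLs discussed above and shows that with the original order the first permit matches telnet from 10.0.0.2 before the deny is ever reached, while the reordered list denies it. The destination address 10.0.0.10 and the "Packet" class are constructed for the demonstration.

```python
# Added example (not from the thread): first-match simulator for IOS-style extended ACL entries.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}

def _ip_matches(spec: str, ip: str) -> bool:
    """Only "any" and "host A.B.C.D" are supported, which is all the thread's ACL uses."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == ip
    raise ValueError(f"unsupported address spec: {spec}")

def parse_ace(line: str) -> dict:
    """Parse e.g. '10 deny tcp host 10.0.0.2 any eq telnet' (sequence number optional)."""
    tok = line.split()
    if tok[0].isdigit():
        tok = tok[1:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    src, rest = (" ".join(rest[:2]), rest[2:]) if rest[0] == "host" else (rest[0], rest[1:])
    dst, rest = (" ".join(rest[:2]), rest[2:]) if rest[0] == "host" else (rest[0], rest[1:])
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, pkt: Packet) -> str:
    """Top down, first match wins; a packet matching nothing hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not (_ip_matches(ace["src"], pkt.src) and _ip_matches(ace["dst"], pkt.dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every IOS ACL

# The thread's original order (permits first) versus the reordered list.
ORIGINAL = ["permit tcp any any", "permit ip any any", "deny tcp host 10.0.0.2 any eq telnet"]
FIXED = ["10 deny tcp host 10.0.0.2 any eq telnet", "20 permit tcp any any", "30 permit ip any any"]
# Constructed sample flows: 10.0.0.10 stands in for the telnet server on the other side.
TELNET_FROM_PC2 = Packet("tcp", "10.0.0.2", "10.0.0.10", 23)
TELNET_FROM_PC1 = Packet("tcp", "10.0.0.1", "10.0.0.10", 23)
```

Even with the right order the ACL only takes effect once it is bound to an interface with "ip access-group 100 in|out", which is the second problem the thread runs into.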
06-06-2022 04:53 AM
Not working, Sir.
06-06-2022 04:56 AM
You need to apply the ACL on the interface,
like:
interface INTERFACE_NAME
 no shutdown
 ip access-group 100 out
06-06-2022 05:09 AM
I am applying this ACL on the outside interface 1/1.
I was missing "out"; it was "in", and that's why this was not blocking.
ip access-group 100 out
06-06-2022 05:12 AM
Great, it worked out for you.
06-06-2022 05:09 AM
You need to apply this ACL to the interface where you want it to take effect.
06-06-2022 04:56 AM
Hi
Where did you apply this ACL, and how did you do it? Can you share the switch config?
Keep in mind that an ACL has the syntax "source"/"destination"; if you want to block telnet to the PC, it must be in the destination.
Don't forget to apply this ACL, otherwise you are not blocking anything.