05-12-2008 11:31 AM - edited 03-05-2019 10:54 PM
I'm trying to prevent telnet access into my core switch from a guest vlan, and for the most part everything is working well. I have one issue though, and that is that I can telnet to the device from the guest vlan, and I don't want that to happen. Can someone please give me some guidance on what should be in my ACL? See ACL below. It is applied to the guest vlan, and everything except the telnet part works. I do not even see anything hitting the ACL in that part of it. Thanks. Host is 192.168.255.1.
deny tcp any eq telnet host 192.168.255.1 eq telnet
permit 80 192.168.255.0 0.0.0.255 host 10.1.1.1
permit udp 192.168.255.0 0.0.0.255 eq isakmp host 10.1.1.1 eq isakmp
permit tcp 192.168.255.0 0.0.0.255 eq 1723 host 10.1.1.1 eq 1723
permit tcp 192.168.255.0 0.0.0.255 eq 1701 host 10.1.1.1 eq 1701
permit tcp 192.168.255.0 0.0.0.255 eq 443 host 10.1.1.1 eq 443
deny ip any 10.0.0.0 0.255.255.255
deny icmp any host 192.168.255.1
deny tcp any eq ftp-data any eq ftp-data
deny tcp any eq ftp any eq ftp
deny tcp any eq 22 any eq 22
permit ip any any
05-12-2008 11:38 AM
this is wrong:
deny tcp any eq telnet host 192.168.255.1 eq telnet
should be:
deny tcp any host 192.168.255.1 eq telnet
05-12-2008 11:47 AM
Mike
Your access list has several entries where the source port and the destination port are the same. As Steven points out this is generally not the case. The only one in your access list where it is correct to have the same source and destination is the one for isakmp. For FTP, ftp-data, ssh, etc it would be source or destination (depending on how the access list is to be applied).
HTH
Rick
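As an added illustration of Rick's point (example code, not from the thread), here is a small first-match evaluator for the simplified ACE syntax used above, run against a constructed telnet SYN from the guest VLAN. The client address 192.168.255.77 and source port 51234 are made-up sample values; the only thing that matters is that a client's source port is ephemeral, so an entry that also requires source port 23 never matches and the packet falls through to "permit ip any any".

```python
import ipaddress

# Well-known port names used in the thread's ACL (IOS keyword -> number).
PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "ssh": 22, "isakmp": 500}

def _addr(t, i):
    """Consume one address spec (any | host A | A WILDCARD); return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # ipaddress accepts a Cisco wildcard (hostmask) directly, e.g. 192.168.255.0/0.0.0.255
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):
    """Consume an optional 'eq PORT'; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else None), i + 2
    return None, i

def parse_ace(line):
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport, "dst": dst, "dport": dport}

def ace_matches(ace, pkt):
    """An ACE matches only if protocol, both addresses and every *specified* port agree."""
    return (ace["proto"] in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and ace["sport"] in (None, pkt["sport"])
            and ace["dport"] in (None, pkt["dport"]))

def evaluate(acl, pkt):
    """First-match semantics; IOS denies anything that reaches the end of the list."""
    for line in acl:
        if ace_matches(parse_ace(line), pkt):
            return line.split()[0]
    return "deny"

BROKEN = "deny tcp any eq telnet host 192.168.255.1 eq telnet"
FIXED = "deny tcp any host 192.168.255.1 eq telnet"
# Constructed sample: a guest-VLAN client opens telnet; its source port is ephemeral, not 23.
TELNET_SYN = {"proto": "tcp", "src": "192.168.255.77", "sport": 51234,
              "dst": "192.168.255.1", "dport": 23}
TAIL = ["deny ip any 10.0.0.0 0.255.255.255", "deny icmp any host 192.168.255.1",
        "deny tcp any eq 22 any eq 22", "permit ip any any"]

if __name__ == "__main__":
    print("original ACL:", evaluate([BROKEN] + TAIL, TELNET_SYN))   # permit (falls through)
    print("corrected ACL:", evaluate([FIXED] + TAIL, TELNET_SYN))   # deny
```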
05-12-2008 12:18 PM
Thanks all. Will go and try this real quick.
05-12-2008 12:29 PM
Yes, it all worked. Thanks again.