Telnet With NAT

04-23-2012 03:09 AM - edited 03-07-2019 06:16 AM
Hello,
As shown in the pic that I attached, I configured NAT on R1. Now I want to deny telnet on R2 for qemu1. How can I do that?
Labels: Other Switching

04-23-2012 03:22 AM
I ran these commands:
access-list 1 deny 10.0.0.2 0.0.0.0
access-list 1 permit any
line vty 0 4
access-class 1 in
But telnet remains permitted on R2 because IP 10.0.0.2 doesn't go outside; the request from 10.0.0.2 goes out through 192.168.1.1.
Should I use IP 192.168.1.1 in place of 10.0.0.2 in the access-list command? Then what will happen when R1's interface s0/0/0 does not have a static IP and I configure NAT on R1 with the nat inside source list 10 interface s0/0/0 overload command?

04-23-2012 03:49 AM
If you're using NAT, you'll need to deny the outside address of R1, so your ACL will look like:
access-list 1 deny host 192.168.1.1
access-list 1 permit any
HTH,
John
04-23-2012 03:54 AM
Thanks Blakley.
I agree with you, but if s0/0/0 (R1) has a dynamic IP, then what will we do???

04-23-2012 04:03 AM
If the address changes, your ACL won't match up and it's going to allow the traffic, like you're seeing. The only other thing that you could do is strictly permit the addresses that you want, or, if you know the block that the site could possibly get, block the whole block and not just your one host.
Let's say that they have a block of 128 addresses. You could do something like:
access-list 1 deny 5.5.5.0 0.0.0.127
access-list 1 permit any
The above would deny addresses 5.5.5.1 - 5.5.5.126. If you know that your router will fall in this range, then you should be ok.
04-23-2012 04:04 AM
Hi,
R1 is source NAT-ing all the packets from the host (10.0.0.2), except TCP/23 (telnet). This means that the telnet packets will get to R2 with the original source IP and you can apply the access-list with deny host IP.
====== R1
int f1/0
ip nat inside
int s0/0
ip nat outside
ip access-l ex PAT
deny tcp host 10.0.0.2 any eq 23
permit ip host 10.0.0.2 any
ip nat inside source list PAT fa1/0 over
======= R2
ip access-l ex VTY
deny host 10.0.0.2
permit any
line vty 0 4
access-class VTY in
Dan

04-23-2012 04:21 AM
Dan,
That's a good way of doing it.
John
04-23-2012 05:03 AM
Hey Dan,
Please share the R1 and R2 configuration. You said in R2 to deny host 10.0.0.2. Which services should I deny there??
04-23-2012 05:10 AM
I've posted the R2 configuration in my previous post:
ip access-l ex VTY
deny host 10.0.0.2
permit any
line vty 0 4
access-class VTY in
04-23-2012 05:15 AM
I ran this configuration on my router, but the deny host 10.0.0.2 command gives an error.
04-23-2012 05:23 AM
Yes, the issue is that I created an extended access-list:
no ip access-l ex VTY
ip access-l stan VTY
deny host 10.0.0.2
permit any
line vty 0 4
access-class VTY in
Dan
04-23-2012 09:13 PM
In R1's configuration you used the command ip nat inside source list PAT fa1/0 over. I am confused why you used fa1/0 in this command, because this interface is in the local inside area according to the picture.
04-24-2012 12:45 AM
Hi,
You are right, the interface should be the outside interface, in this case s0/0. I wrote the config fast.
Dan
04-24-2012 12:54 AM
It's OK, Dan. I have another doubt. I think when we apply the deny tcp host 10.0.0.2 any eq 23 and permit ip host 10.0.0.2 any commands on R1, this router will not forward telnet packets outside through NAT (am I right?). So why do we need R2's configuration (as you showed)?
04-24-2012 01:00 AM
No, not quite.
The deny statement is in the PAT access-list.
The PAT access-list is used to match the traffic that will be source NATed to R1's outside interface address.
This means that the traffic from 10.0.0.2 whose destination protocol is telnet will not be source NATed.
This means that this telnet traffic will only be switched from interface F0/1 to S0/0 without any change in the IP header. This is why you can restrict access on the R2 VTYs based on the 10.0.0.2 address.
I hope I cleared some things up.
Dan
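The following is an added Python simulation, not code from the thread or from any of the posters, of the behaviour Dan describes and of John's two ACL variants. It models R1's NAT ACL (permit = translate to the outside address, deny = pass through untranslated), R2's standard access-class ACL with first-match and implicit-deny semantics, and a Cisco wildcard-mask test for the 5.5.5.0 0.0.0.127 block. The R2 address 192.168.1.2 and the outside addresses 5.5.5.77 and 5.5.5.200 are constructed sample values; the ACL entries are hand-written matchers rather than parsed IOS syntax.

```python
"""Simulate which source address R2 sees for qemu1's telnet session
and whether R2's VTY access-class ACL lets the session in."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def eval_acl(entries, pkt: Packet) -> str:
    """First matching entry wins; IOS appends an implicit 'deny'."""
    for action, matcher in entries:
        if matcher(pkt):
            return action
    return "deny"


# R1 extended ACL "PAT" as in Dan's post: deny = exempt from translation,
# permit = translate. Hand-written matchers, not parsed IOS syntax.
PAT_ACL = [
    ("deny", lambda p: p.src == "10.0.0.2" and p.proto == "tcp" and p.dport == 23),
    ("permit", lambda p: p.src == "10.0.0.2"),
]

# The original poster's situation: every packet from 10.0.0.2 is translated.
PAT_ALL_ACL = [("permit", lambda p: p.src == "10.0.0.2")]


def r1_forward(pkt: Packet, nat_acl, outside_ip: str) -> Packet:
    """'ip nat inside source list <acl> interface s0/0 overload' semantics:
    permitted traffic leaves with the outside interface address as source,
    denied traffic is forwarded with its IP header unchanged."""
    if eval_acl(nat_acl, pkt) == "permit":
        return replace(pkt, src=outside_ip)
    return pkt


def r2_vty_allows(pkt: Packet, vty_acl) -> bool:
    """'access-class <acl> in': the standard ACL is checked against the
    source address of an inbound telnet session to the VTY lines."""
    if not (pkt.proto == "tcp" and pkt.dport == 23):
        return False
    return eval_acl(vty_acl, pkt) == "permit"


# R2 standard ACL "VTY" from Dan's corrected post.
VTY_ACL = [
    ("deny", lambda p: p.src == "10.0.0.2"),
    ("permit", lambda p: True),
]

# John's alternative: deny the whole block the outside address could land in.
VTY_BLOCK_ACL = [
    ("deny", lambda p: wildcard_match(p.src, "5.5.5.0", "0.0.0.127")),
    ("permit", lambda p: True),
]


def telnet_reaches_r2(nat_acl, vty_acl, outside_ip: str = "192.168.1.1") -> bool:
    """End to end: qemu1 (10.0.0.2) telnets to R2 (192.168.1.2, constructed)."""
    pkt = Packet("10.0.0.2", "192.168.1.2", "tcp", 23)
    return r2_vty_allows(r1_forward(pkt, nat_acl, outside_ip), vty_acl)


if __name__ == "__main__":
    print("all traffic PATed, R2 denies 10.0.0.2:", telnet_reaches_r2(PAT_ALL_ACL, VTY_ACL))
    print("telnet exempt from PAT, R2 denies 10.0.0.2:", telnet_reaches_r2(PAT_ACL, VTY_ACL))
    print("block ACL, outside IP 5.5.5.77:", telnet_reaches_r2(PAT_ALL_ACL, VTY_BLOCK_ACL, "5.5.5.77"))
    print("block ACL, outside IP 5.5.5.200:", telnet_reaches_r2(PAT_ALL_ACL, VTY_BLOCK_ACL, "5.5.5.200"))
```

The first case reproduces the original poster's problem: with everything translated, R2 sees 192.168.1.1 and the per-host deny never matches. The second shows Dan's fix: the deny entry in the NAT ACL keeps telnet untranslated, so R2 can deny 10.0.0.2 while all other traffic from the host is still PATed. The last two cases show John's block-based ACL, which works only while R1's dynamic outside address actually stays inside the 5.5.5.0 0.0.0.127 range.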
