Using ACL to block access

Mmiselo
Level 1

Good day,

I have access-lists on my Cisco 2900 router, where some are attached to the crypto maps for IPSec tunnels and one is linked to the access-class on the VTY lines.

So now I need to allow access from two specific IPs to a specific IP and block anything else. Below are the rules that I configured:

ip access-list extended VM-SRV-MANAGEMENT
 permit ip host 10.100.1.3 host 196.80.62.100
 permit ip host 10.100.0.3 host 196.80.62.100
 deny ip any host 196.80.62.100

The rules that I have added don't seem to be working, as the 196.80.62.100 IP is still accessible from source IPs other than the ones specified.

Could you please advise whether this is achievable and what rules I must add to enforce the restrictions?

 

Regards

Nelson

 

5 Replies

chlupmichal
Level 1

Hello Nelson,

The ACL itself seems to be OK. Could you also provide output from configuration which bonds the ACL to the VTY? (I assume this ACL is supposed to limit remote access to the 2900 router, so remote access is possible only from IPs 10.100.1.3 & 10.100.0.3, am I right?).

Regards

Michal

Edit - Didn't mean to reply to just your post. Sorry.

 

Good day,

 

I have applied the ACL to the interface for this to work. Thanks a lot for your assistance!

adammcleish
Level 1

Just to double check, but have you applied this to the VTY lines?

access-class VM-SRV-MANAGEMENT in

 

Hi,

The ACL rules seem OK; however, you need to verify the below.

1. The direction of the ACL applied on the VTY interface: it must be "IN".

2. If you have any NAT configuration, it needs to be checked against the IPs you allowed.

3. If you are using VRF, it must be explicitly mentioned as "access-class XXX in vrf-also"; otherwise the ACL will not work.

4. access-class must be applied to all VTY lines. In most cases it has been assigned only to lines "0 - 4"; it must be applied to all applicable lines and must include exec-timeout under the vty lines, otherwise VTY sessions will not be closed and will continue to be used until the last available VTY line is consumed.

Regards

Ram
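The thread closes without a full configuration, so here is an added example (not configuration posted by Nelson, Michal, Adam or Ram) that puts Nelson's ACL and Ram's checklist side by side. It shows the two different places an extended ACL can be bound on IOS and why that matters for the original question: an ACL under the VTY lines only governs sessions to the router itself, while transit traffic to 196.80.62.100 is filtered only by an interface ACL. The interface name GigabitEthernet0/0, the VTY range 0 15 and the ACL name VTY-MGMT are assumptions; the addresses are the ones from the original post.

```cisco
! Added example, not configuration from the thread.
! Assumed: GigabitEthernet0/0 faces the 10.100.x.x hosts (assumption);
! the router supports vty lines 0-15 (assumption).

! --- Case 1: filter transit traffic destined to 196.80.62.100 ---
! An ACL bound with access-class only inspects SSH/Telnet sessions aimed
! at the router. Packets passing through the router to 196.80.62.100 are
! only filtered when the ACL is applied to an interface with ip access-group.
ip access-list extended VM-SRV-MANAGEMENT
 permit ip host 10.100.1.3 host 196.80.62.100
 permit ip host 10.100.0.3 host 196.80.62.100
 deny   ip any host 196.80.62.100
 permit ip any any
! The final "permit ip any any" is required on an interface ACL: without it
! the implicit deny at the end of the list would drop every other flow
! entering the interface, not only flows to 196.80.62.100.
!
interface GigabitEthernet0/0
 ip access-group VM-SRV-MANAGEMENT in
!
! --- Case 2: restrict who may open a management session to the router ---
! (assumed ACL name VTY-MGMT)
ip access-list extended VTY-MGMT
 permit tcp host 10.100.1.3 any eq 22
 permit tcp host 10.100.0.3 any eq 22
 deny   ip any any log
!
! Apply to every vty line, not only 0-4; vrf-also covers sessions arriving
! via a VRF interface; exec-timeout (minutes seconds) reclaims idle lines.
line vty 0 15
 access-class VTY-MGMT in vrf-also
 exec-timeout 10 0
 transport input ssh
!
! Verification: the hit counters show which entry each test flow matched.
! show ip access-lists VM-SRV-MANAGEMENT
! show ip access-lists VTY-MGMT
! show running-config | section line vty
```

After applying either ACL, generate a flow from an allowed host and from a non-allowed host and re-run the show commands: the matching entry's hit counter increments, which confirms both the placement and the direction without guessing from the client side.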
