Access-List help (CCNA forum archive, January 2003)
rjingra 2003-01-29, 12:16 pm
HELP!!! I've been chasing this problem on the Cisco ESIM disk for 2 days... I need to create an acl for activity 8 that would deny Telnet from a subnet but permit Ping. I seem to be able to prevent the pings, but Telnet from this router is never denied... Would this work?
e0 goes to the subnet 221.71.12.1
s1 goes out to other routers 195.121.23.1
access 10 deny tcp 221.71.12.1 0.0.0.255 eq telnet
router(config)# int e0
router(config-if)# ip access-group 10 in
access list 9 permit ip any any eq echo
router(config)# int s1
router(config-if)# ip access-group 9
What am I missing? Thanks!
edmonds_robert 2003-01-29, 12:34 pm
You missed:
access-list 9 deny any any
That's the line that's implied at the end of the access list. Try the following access list.
access-list 100 deny tcp 221.71.12.0 0.0.0.255 any eq telnet
access-list 100 permit icmp any any
It needs to be an extended access list to specify both source and destination and protocol.
babu75 2003-01-29, 1:14 pm
well, I don't have a clear picture of the network in question, but these guidelines may be of help..
-you will have to use an extended access-list (100-199) to be able to deny certain services (telnet) and allow others.
-from your explanation, I think the source will be network 221.71.12.0, which you deny from telnetting into what destination?? (...)
-place the (extended) list as close to the source as possible.
-you should have at least one permit statement, or you might as well shut the interface down (intrinsic deny).
now with that in mind, it should look close to this:-
access-list 110 deny tcp 221.71.12.0 0.0.0.255 [destination, mask] eq telnet(23)
access-list 110 permit ip any any
then you apply this at the interface-level;
router(config-if)# ip access-group 110 out
hope that helps!!!!!
rjingra 2003-01-31, 2:03 pm
Thanks guys for all of your help. What I'm working on is the Cisco Press CCNA Router & Switch eSIM disk, Scenario 1/Activity 8, where you have this network set up and can ping & telnet between the 5 routers and 10 hosts that are attached.
Router A
  e0 = 221.71.1.1
    Hosts 221.71.1.2
          221.71.1.3
  e1 = 221.71.28.1
    Hosts 221.72.28.2
          221.72.28.3
  s0 = 221.71.6.1
Router B
  s1 = 221.71.6.2
  e0 = 221.71.12.1
    Hosts 221.71.12.2
          221.71.12.3
This pretty much illustrates the setup, and the question was asking to set up an access-list that would prevent telnet from the 221.71.12.1 subnet but allow ping. It was the software that wouldn't accept the standard protocol commands, only giving me the option of ip, tcp, & udp, so each time I would type icmp permit... it would error out.
I ended up using the following syntax to get it to work (with the assistance of both of you guys):
access-list 101 deny tcp 221.71.12.1 0.0.0.255 any eq telnet
access-list 101 permit ip any any
int e0
ip access-group 101 in
and after nearly 3 days it finally worked! Thanks a million guys!
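As an added illustration (not part of the thread, and not Cisco's code), here is a small Python evaluator for the extended access-list syntax used above, showing the two rules the replies rely on: entries are tried in order and the first match wins, and a packet that matches nothing hits the unwritten deny at the end of every list. The parser handles only the entry forms that appear in the thread (`permit`/`deny`, a protocol, `any`/`host`/address-plus-wildcard, optional `eq <port>`), the packets are constructed from the addresses in the diagram, and the check is a stateless per-packet match on one interface; nothing here models the router itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known port names accepted after "eq" (only the one used in the thread)
PORT_NAMES = {"telnet": 23}


@dataclass(frozen=True)
class Packet:
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp, None for icmp


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or "<address> <wildcard>"
    dst: str
    eq: Optional[int] = None     # "eq <port>" restricts the destination port


def _take_addr(tokens: List[str]) -> str:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return f"{tokens.pop(0)} 0.0.0.0"
    return f"{tok} {tokens.pop(0)}"


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (extended syntax)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    rest = tokens[4:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    eq = None
    if rest and rest[0] == "eq":
        eq = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Entry(action, proto, src, dst, eq)


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    base, wildcard = spec.split()
    # Cisco wildcard: a 1 bit means "don't care", so only the 0 bits are compared.
    # That is why "221.71.12.1 0.0.0.255" covers all of 221.71.12.0/24.
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not (_addr_match(entry.src, pkt.src) and _addr_match(entry.dst, pkt.dst)):
        return False
    return entry.eq is None or pkt.dport == entry.eq


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; with no match the unwritten deny at the end applies."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"  # the implicit deny every IOS access list ends with


# The list from the last post, exactly as written there
WORKING_ACL = [parse_entry(line) for line in (
    "access-list 101 deny tcp 221.71.12.1 0.0.0.255 any eq telnet",
    "access-list 101 permit ip any any",
)]
# The same list without its permit line: the "missing line" the replies pointed out
DENY_ONLY_ACL = WORKING_ACL[:1]


def demo() -> dict:
    # Constructed packets using hosts from the diagram in the last post
    telnet_from_b = Packet("221.71.12.2", "221.71.1.2", "tcp", 23)
    ping_from_b = Packet("221.71.12.2", "221.71.1.2", "icmp")
    telnet_from_a = Packet("221.71.1.2", "221.71.12.2", "tcp", 23)
    return {
        "telnet from 221.71.12.x": evaluate(WORKING_ACL, telnet_from_b),
        "ping from 221.71.12.x": evaluate(WORKING_ACL, ping_from_b),
        "telnet from 221.71.1.x": evaluate(WORKING_ACL, telnet_from_a),
        "ping, deny line only": evaluate(DENY_ONLY_ACL, ping_from_b),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Running it gives deny for telnet from the 221.71.12.x hosts, permit for their pings, permit for telnet from the 221.71.1.x side, and deny for the ping once the `permit ip any any` line is removed, which is the effect of the implicit deny that edmonds_robert described. The wildcard comparison also shows why the `221.71.12.1` in the final list behaves the same as `221.71.12.0`: the low octet is masked out.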