| smokeyuk007 2004-10-25, 8:45 am |
| I am practising access lists
and am having no joy
trying to prevent a PC 192.168.1.101 telnetting to a router 192.168.1.200
using extended access list 110
deny any host 192.168.1.101 eq 23
and it can still connect
anyone any ideas where I am going wrong, cheers for any help | |
| Mat P 2004-10-25, 11:30 am |
| Have a look at your access-list and the following doc.
http://makeashorterlink.com/?V2B544C99
The key is the location of source and destination within the command, and using the information given to you in the question - get used to using the command reference. | |
| na_venkatesh2 2004-10-30, 12:20 am |
| quote: Originally posted by smokeyuk007
to a router 192.168.1.200
using extended access list 110
deny any host 192.168.1.101 eq 23
and it can still connect
anyone any ideas where I am going wrong, cheers for any help
* check the syntax
* apply to the Ethernet port: router(config-if)#ip access-group 101 in
* (config)#access-list 101 deny tcp any host 192.168.1.101 eq 23
this might solve your problem | |
| smrkdown 2004-10-30, 12:36 am |
| Take Mat's advice.
The extended ACL will use the syntax
access-list list_number permit/deny source destination other_options
If you're wanting to prevent connections from the source 192.168.1.101 (the PC) from accessing the destination 192.168.1.200 (the router) via telnet, you would use
access-list 101 deny tcp host 192.168.1.101 host 192.168.1.200 eq telnet
or
access-list 101 deny tcp 192.168.1.101 0.0.0.0 192.168.1.200 0.0.0.0 eq 23
or any variation of the two.
You don't want to specify "any" as the source in the ACL unless your intention is to deny telnet traffic from all hosts rather than from just that specific source (the pc).
You'd then apply the access list to the interfaces for inbound traffic.
It'd be better if you'd just create a standard access-list and apply it directly to the VTY lines though. Good luck with your studies.
na_venkatesh2, like the original poster, you have your source as any and the destination as the PC. | |
| na_venkatesh2 2004-10-30, 2:09 am |
|
smrkdown, your access-list requires a small modification.
when a host is represented, the wildcard will be 0.0.0.0
access-list 101 deny 192.168.1.101 255.255.255.255 192.168.1.200 255.255.255.255 eq 23
access-list 101 deny 192.168.1.101 0.0.0.0 192.168.1.200 0.0.0.0 eq 23
Full configuration
router#config t
router(config)# access-list 101 deny 192.168.1.101 0.0.0.0 192.168.1.200 0.0.0.0 eq 23
router(config)# interface fa0/1
router(config-if)#ip access-group 101 in
if you want to apply it to the vty lines
router(config)#line vty 0 4
router(config-line)#access-class 101 in
good luck | |
| smrkdown 2004-10-30, 9:26 am |
| My mistake. | |
| smokeyuk007 2004-10-30, 11:19 am |
| cheers for all the help  | |
| jostein 2004-10-31, 1:44 pm |
| Better put in "deny tcp ..." etc. if you want to pass the CCNA.....
r | |
| smrkdown 2004-10-31, 3:12 pm |
| You'll also want to put at least one permit statement at the end of the list such as "access-list 101 permit ip any any" | |
| jostein 2004-10-31, 3:16 pm |
| So right, unless you want to block all traffic
r | |
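The points smrkdown and jostein make above (source before destination, `host`/`any` shorthands, and the implicit deny that makes a trailing `permit ip any any` necessary) can be checked without a router. What follows is an added example, not code from any poster in this thread: a small Python model of how IOS walks an extended ACL, first match wins, implicit deny at the end. It is an assumption of the example that only a destination `eq PORT` clause is modelled (IOS also accepts a source port, which is left out), and the packets it evaluates are constructed for illustration.

```python
"""
Added example (not from the thread): a minimal simulator of Cisco IOS
extended ACL matching. It models first-match semantics, wildcard masks,
the 'host' and 'any' shorthands, a destination 'eq PORT' clause and the
implicit 'deny ip any any' at the end of every list.
Simplifications (assumptions of this example): IPv4 only, no source-port
clause, no 'established'/'range'/'log' keywords.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "http": 80}
PROTOCOLS = ("ip", "tcp", "udp", "icmp")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str
    src: int
    src_wc: int                # wildcard: bit set = don't care
    dst: int
    dst_wc: int
    dport: Optional[int]


def _parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Pop 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' and return (net, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    net = int(ipaddress.IPv4Address(tok))
    wc = int(ipaddress.IPv4Address(tokens.pop(0)))
    return net, wc


def _parse_port(tokens: List[str]) -> Optional[int]:
    """Pop an optional destination 'eq PORT' clause (number or well-known name)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines.
    Source is always parsed before destination, as IOS does. A line with no
    protocol keyword after the action is rejected, mirroring IOS's syntax error."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        tokens = tokens[2:]              # drop 'access-list' and the list number
        action = tokens.pop(0)
        proto = tokens.pop(0)
        if proto not in PROTOCOLS:
            raise ValueError(f"expected a protocol after {action!r}, got {proto!r}")
        src, src_wc = _parse_addr(tokens)
        dst, dst_wc = _parse_addr(tokens)
        entries.append(Entry(action, proto, src, src_wc, dst, dst_wc, _parse_port(tokens)))
    return entries


def ios_accepts(lines: List[str]) -> bool:
    """True if every line parses; False for the '% Invalid input' case."""
    try:
        parse_acl(lines)
        return True
    except ValueError:
        return False


def _addr_match(addr: int, net: int, wc: int) -> bool:
    return (addr & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, entry index) of the first match; (deny, None) is the implicit deny."""
    s = int(ipaddress.IPv4Address(pkt.src))
    d = int(ipaddress.IPv4Address(pkt.dst))
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_match(s, e.src, e.src_wc) and _addr_match(d, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, i
    return "deny", None


# Constructed traffic: the PC telnetting to the router, and an unrelated web flow.
TELNET_TO_ROUTER = Packet("192.168.1.101", "192.168.1.200", "tcp", 23)
WEB_FROM_PC = Packet("192.168.1.101", "10.0.0.5", "tcp", 80)

# The original poster's list: source 'any', destination the PC (wrong way round).
OP_ACL = ["access-list 110 deny tcp any host 192.168.1.101 eq 23",
          "access-list 110 permit ip any any"]
# The corrected list from the thread.
FIXED_ACL = ["access-list 101 deny tcp host 192.168.1.101 host 192.168.1.200 eq telnet",
             "access-list 101 permit ip any any"]
# The same deny with no permit after it: everything else hits the implicit deny.
NO_PERMIT_ACL = FIXED_ACL[:1]


def demo() -> dict:
    return {
        "op_telnet": evaluate(parse_acl(OP_ACL), TELNET_TO_ROUTER)[0],        # permit
        "fixed_telnet": evaluate(parse_acl(FIXED_ACL), TELNET_TO_ROUTER)[0],  # deny
        "fixed_web": evaluate(parse_acl(FIXED_ACL), WEB_FROM_PC)[0],          # permit
        "nopermit_web": evaluate(parse_acl(NO_PERMIT_ACL), WEB_FROM_PC)[0],   # deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows the three things the thread argues about: the poster's list lets the telnet through because the PC is never the destination of its own outbound SYN; the corrected list denies it while still permitting other traffic; and the same deny without a trailing permit drops the web flow on the implicit deny. A line written without a protocol keyword, as in the "deny 192.168.1.101 0.0.0.0 ..." form, is rejected by `ios_accepts`, which is jostein's point.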
|
| quote: Originally posted by jostein
Better put in "deny TCP etc". etc if you want to pass ccna.....
Why? From what I see it's not needed? | |
| jostein 2004-11-01, 6:34 am |
| I'm 100% sure cisco will not agree with you, and that was my only point....
r |