Another ACL question

Udpdoff 2004-06-25, 8:10 am
Hypothetically speaking, if you have Routers A, B, and C @----@----@ all connected via serial interfaces and you want to block all telnet to the hosts on router C using an ACL.
How would you configure the ACL, and what port would you apply it to, In or Out?
Thanks
Udpdoff
ZacDogg 2004-06-25, 10:51 am
Before this question can be answered we need to know if you do indeed mean that you want to block telnet to hosts that are connected to router C, or do you mean that you want to block telnet access to the router itself.
Zac
Udpdoff 2004-06-25, 10:55 am
Sorry, blocking all telnet to Router C.
ZacDogg 2004-06-25, 11:00 am
You can block telnet in a number of different ways. You can apply an ACL to the interface connecting to router B, apply an access-class to the VTY lines, or, the easiest, don't configure a telnet password, etc.
If you wanted to use an ACL on the interface you would apply it inbound. Here's the config:

ip access-list extended NO_TELNET
 deny tcp any any eq 23
 permit ip any any

Does that make sense?
Zac
Udpdoff 2004-06-25, 11:07 am
Zac, yes, makes sense to me; however, the test SIM would not accept an extended ACL and would only allow three lines in the ACL.
Are there any other options?
Udpdoff
ZacDogg 2004-06-25, 11:09 am
Try not using a named ACL:

access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any

Any other options wouldn't be relevant to the CCNA.
Zac
USHazard 2004-06-25, 10:43 pm
You cannot filter an upper layer protocol without using an extended access list. Are you sure you read the question properly?
repentantvoter 2004-06-26, 2:26 pm
quote: Originally posted by Udpdoff
"would not accept an Extended ACL"
The proper way to accomplish this without extended ACLs is to follow one of Mr. ZacDogg's suggestions, which is create a standard ACL and apply it on all VTYs. That would deny telnet access to the router.
HTH
ZacDogg 2004-06-26, 3:38 pm
quote: "You cannot filter an upper layer protocol without using an extended access list. Are you sure you read the question properly?"
I thought that maybe he/she was getting his terminology mixed up and the sim he/she was using might not have been taking named ACLs.
This is one of the few complaints I have about Cisco... their tests. This is a perfect example. There are several ways to effectively accomplish the task given, yet they are looking for only one.
Zac
repentantvoter 2004-06-26, 4:05 pm
quote: Originally posted by ZacDogg
"...he/she"
He. He has an "M" by his username.
USHazard 2004-06-27, 9:29 am
quote: Originally posted by repentantvoter
"The proper way to accomplish this without extended ACLs is to follow one of Mr. ZacDogg's suggestions, which is create a standard ACL and apply it on all VTYs. That would deny telnet access to the router.
HTH"
Trouble is, the question specified networks connected to the router, not the vty lines.
Udpdoff 2004-06-30, 2:30 pm
Ok guys, I figured it out. Blocking all external network telnet to router C while allowing all other traffic to pass, using no more than three lines in the ACL:

config t
access-list 5 permit 207.112.65.0 0.0.0.255
line vty 0 4
 access-class 5 in

207.112.65.0 would be the network connected via the e0 interface of router C. There would be an implicit deny statement at the end of the ACL, so all networks via telnet coming in s0 (router C) would be blocked. Correct?
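To see the difference the thread turns on, here is an added example (not from any poster) that models IOS wildcard matching and first-match ACL evaluation in Python, using the standard ACL 5 and extended ACL 101 from the posts above; the 10.0.0.5 source address and the 207.112.65.1/.20 host addresses are constructed for the demo.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    # Cisco wildcard mask: a 0 bit must match the network, a 1 bit is "don't care".
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def evaluate(acl, pkt):
    # Walk entries top to bottom; first match wins. If nothing matches,
    # the implicit "deny any" at the end of every IOS ACL applies.
    for entry in acl:
        if entry.get("proto") not in (None, "ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *entry["src"]):
            continue
        if "dst" in entry and not wildcard_match(pkt["dst"], *entry["dst"]):
            continue
        if "dport" in entry and entry["dport"] != pkt["dport"]:
            continue
        return entry["action"]
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# Standard ACL 5 as posted in the thread: it can only test the source address,
# which is enough for "access-class 5 in" on the VTY lines.
ACL_5 = [{"action": "permit", "src": ("207.112.65.0", "0.0.0.255")}]

# Extended ACL 101 as posted (with the protocol keyword on the permit line):
# it can test protocol and destination port, so it works inbound on an interface.
ACL_101 = [
    {"action": "deny", "proto": "tcp", "src": ANY, "dst": ANY, "dport": 23},
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY},
]

def telnet(src, dst):
    # Constructed sample packet: a TCP segment to destination port 23 (telnet).
    return {"proto": "tcp", "src": src, "dst": dst, "dport": 23}

if __name__ == "__main__":
    # Constructed addresses: 10.0.0.5 is a host beyond router A, 207.112.65.1 is
    # router C's e0 address and 207.112.65.20 a host on that network.
    print(evaluate(ACL_5, telnet("207.112.65.10", "207.112.65.1")))  # permit
    print(evaluate(ACL_5, telnet("10.0.0.5", "207.112.65.1")))       # deny
    print(evaluate(ACL_101, telnet("10.0.0.5", "207.112.65.20")))    # deny
    print(evaluate(ACL_101, dict(telnet("10.0.0.5", "207.112.65.20"), dport=80)))  # permit
```

Because ACL 5 never looks at the port, it only makes sense as an access-class on the VTYs (sessions to the router itself); applied inbound on s0 it would drop every packet from outside, not just telnet, and it would do nothing for telnet to hosts behind router C, which is USHazard's objection.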