rjingra
Junior Member
Registered: Oct 2002 | Location: Baltimore, United States | Working on: CCNA
Total Posts: 6
Access-List help
HELP!!! I've been chasing this problem on the Cisco eSIM disk for 2 days... I need to create an ACL for activity 8 that would deny Telnet from a subnet but permit ping. I seem to be able to prevent the pings, but Telnet from this router is never denied... Would this work?
e0 goes to the subnet 221.71.12.1
s1 goes out to other routers 195.121.23.1
access-list 10 deny tcp 221.71.12.1 0.0.0.255 eq telnet
router(config)# int e0
router(config-if)# ip access-group 10 in
access-list 9 permit ip any any eq echo
router(config)# int s1
router(config-if)# ip access-group 9
What am I missing? Thanks!
Last edited by rjingra on 01-29-03 at 05:21 PM
01-29-03 05:16 PM
edmonds_robert
Senior Member
Registered: Sep 2002 | Country: United States | Certifications: MCSE, CCNA, CCA | Working on: CCNP, MCSE 2000, Linux+, Playstation 2+
Total Posts: 367
You missed:
access-list 9 deny any
That's the line that's implied at the end of the access list. Try the following access list.
access-list 100 deny tcp 221.71.12.0 0.0.0.255 any eq telnet
access-list 100 permit icmp any any
It needs to be an extended access list to specify both source and destination and protocol.
__________________
Save the animals. Eat a vegetarian.
01-29-03 05:34 PM
babu75
Senior Member
Registered: Dec 2002 | Country: United States | State: GA | Certifications: NET+, CCNA, CCDA, MCP (210, 215) | Working on: CCNP, MCSA
Total Posts: 109
Well, I don't have a clear picture of the network in question, but these guidelines may be of help:
- You will have to use an extended access-list (100-199) to be able to deny certain services (telnet) and allow others.
- From your explanation, I think the source will be network 221.71.12.0, which you deny to telnet into what destination?? (...)
- Place the (extended) list as close to the source as possible.
- You should have at least one permit statement, or you might as well shut the interface down (intrinsic deny).
Now with that in mind, it should look close to this:
access-list 110 deny tcp 221.71.12.0 0.0.0.255 [destination, mask] eq telnet (23)
access-list 110 permit ip any any
Then you apply this at the interface level:
router(config-if)# ip access-group 110 out
Hope that helps!!!!!
01-29-03 06:14 PM
rjingra
Junior Member
Registered: Oct 2002 | Location: Baltimore, United States | Working on: CCNA
Total Posts: 6
Thanks guys for all of your help. What I'm working on is the Cisco Press CCNA Router & Switch eSIM disk, Scenario 1/Activity 8 where you have this network set up and can ping & telnet between the 5 routers and 10 hosts that are attached.
Router A
  e0 = 221.71.1.1    hosts 221.71.1.2, 221.71.1.3
  e1 = 221.71.28.1   hosts 221.72.28.2, 221.72.28.3
  s0 = 221.71.6.1
Router B
  s1 = 221.71.6.2
  e0 = 221.71.12.1   hosts 221.71.12.2, 221.71.12.3
This pretty much illustrates the setup
The question was asking to set up an access-list that would prevent telnet from the 221.71.12.1 subnet but allow ping. It was the software that wouldn't accept the standard protocol commands, only giving me the option of ip, tcp & udp, so each time I would type "icmp permit..." it would error out.
I ended up using the following syntax to get it to work (with the assistance of both of you guys):
access-list 101 deny tcp 221.71.12.1 0.0.0.255 any eq telnet
access-list 101 permit ip any any
int e0
 ip access-group 101 in
And after nearly 3 days it finally worked! Thanks a million guys!
01-31-03 07:03 PM
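As an added illustration of the rules the replies above rely on (first-match evaluation, the implicit deny at the end of every list, wildcard masks ignoring host bits, and why a standard list cannot tell Telnet from ping), here is a small evaluator for the subset of IOS numbered-ACL syntax used in this thread. This is example code written for this archive, not part of the thread and not Cisco software; the ACL lines and packets are constructed to mirror the eSIM topology rjingra describes, and standard lists are assumed to be numbers 1-99 only.

```python
"""First-match evaluator for the subset of Cisco IOS numbered ACL syntax used
in this thread (added example, not from the thread or from Cisco).

Modelled syntax:
  access-list 1-99    permit|deny SRC [WC]                         (standard)
  access-list 100-199 permit|deny PROTO SRC [WC] DST [WC] [eq PORT] (extended)
An address is 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (wildcard mask).
Every list ends with the implicit deny that IOS appends.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80}


@dataclass
class Rule:
    text: str
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    dport: Optional[int]


@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _is_ip(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def _addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address spec at t[i]; return (address, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    addr = _ip(t[i])
    if i + 1 < len(t) and _is_ip(t[i + 1]):
        return addr, _ip(t[i + 1]), i + 2
    return addr, 0, i + 1           # bare address: host match (wildcard 0.0.0.0)


def parse_rule(line: str) -> Rule:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    number, action = int(t[1]), t[2]
    if number <= 99:                # standard list: source only, every protocol
        src, swc, _ = _addr(t, 3)
        return Rule(line, action, "ip", src, swc, 0, 0xFFFFFFFF, None)
    proto = t[3]
    src, swc, i = _addr(t, 4)
    dst, dwc, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Rule(line, action, proto, src, swc, dst, dwc, dport)


def _in_range(addr: int, wc: int, ip: str) -> bool:
    """Wildcard match: mask bits set to 1 are 'don't care', so host bits never matter."""
    care = ~wc & 0xFFFFFFFF
    return (_ip(ip) ^ addr) & care == 0


def matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    return _in_range(r.src, r.src_wc, p.src) and _in_range(r.dst, r.dst_wc, p.dst)


def evaluate(acl: List[str], p: Packet) -> Tuple[str, str]:
    """Return (action, matching line) for the first hit, else the implicit deny."""
    for r in map(parse_rule, acl):
        if matches(r, p):
            return r.action, r.text
    return "deny", "implicit deny"


# Constructed sample data: a host on Router B's e0 subnet reaching a host on Router A.
ACL_101 = [
    "access-list 101 deny tcp 221.71.12.0 0.0.0.255 any eq telnet",
    "access-list 101 permit ip any any",
]
ACL_10 = ["access-list 10 deny 221.71.12.0 0.0.0.255"]   # standard: no protocol field
TELNET = Packet("tcp", "221.71.12.2", "221.71.1.2", 23)
PING = Packet("icmp", "221.71.12.2", "221.71.1.2")

if __name__ == "__main__":
    for name, acl in (("101", ACL_101), ("10", ACL_10)):
        for label, pkt in (("telnet", TELNET), ("ping", PING)):
            print(f"ACL {name}: {label:6} -> {evaluate(acl, pkt)[0]}")
```

Running it shows ACL 101 denying the Telnet packet on its first line and permitting the ping on its second, while the standard list 10 denies both because it can only look at the source address; dropping the `permit ip any any` line makes the ping fall through to the implicit deny, which is the behaviour babu75 warns about. A source written as `221.71.12.1 0.0.0.255` matches the same hosts as `221.71.12.0 0.0.0.255`, since the wildcard mask throws the host bits away.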
ExamNotes forum archive