
Access List Help


rainman (ISP), Mar 22, 2001
I need some assistance in creating an access list that will allow only port 23 in Serial0 to a static LAN IP of 192.168.0.10. All other ports on that IP should be blocked. Also, I do have a NATPOOL working on the router however I did not include that in the configuration as I figured it wouldn't be necessary to create my access-list. The NATPOOL will block incoming connections because they will drop at the public WAN IP of the router. Below is an example of my router's configuration:


version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CISCO1720
!
enable secret [enablepassword]
!
memory-size iomem 25
ip subnet-zero
ip name-server 199.224.86.20
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool DHCPPOOL
network 192.168.1.0 255.255.255.0
domain-name epix.net
dns-server 199.224.86.15 199.224.86.16
default-router 192.168.1.1
!
!
!
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
!
interface Serial0
description 320K Fractional T1 to ISP
ip address 10.0.0.2 255.255.255.252
ip nat outside
no fair-queue
service-module t1 timeslots 1-5
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
no ip http server
!
line con 0
password [consolepassword]
login
line aux 0
line vty 0 4
password [telnet password]
login
!
end



Thanks,

Rich
 
! extended ACL syntax needs "host" (or a wildcard mask) after a single address
access-list 101 permit tcp any host 192.168.0.10 eq 23
access-list 101 deny ip any host 192.168.0.10

This access-list will permit all telnet to 192.168.0.10, but deny ALL other traffic.

Then apply this access-list to the serial interface that you want to permit telnet on

router(config-if)# ip access-group 101 in

Has this helped?

Daniel,
 
Would be even better to use
access-list 101 permit tcp any host 192.168.0.10 eq 23 log
access-list 101 deny ip any host 192.168.0.10 log

Then you can check to see how many packets have been processed by the various rules by performing a show access-list command. Great for troubleshooting & crude accounting.

peace-out yo,
Jeff
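An added example, not code from this thread: a small Python simulator of IOS first-match ACL evaluation for the two rules above, including the implicit deny at the end of every access-list and the per-rule match counters that show access-list reports. It assumes numeric ports, the host keyword for single addresses, and constructed sample packets.

```python
import ipaddress

# Constructed input: the thread's ACL in corrected IOS syntax ('host' marks a single address)
ACL_TEXT = """
access-list 101 permit tcp any host 192.168.0.10 eq 23 log
access-list 101 deny ip any host 192.168.0.10 log
"""

def _ip(s):
    return int(ipaddress.ip_address(s))

def _addr_port(t):
    """Consume 'any' | 'host X' | 'X WILDCARD' and an optional 'eq N'; return ((net, mask), port, rest)."""
    if t[0] == "any":
        spec, t = (0, 0), t[1:]
    elif t[0] == "host":
        spec, t = (_ip(t[1]), 0xFFFFFFFF), t[2:]
    else:  # wildcard mask: a set bit means "don't care", so the match mask is its complement
        mask = ~_ip(t[1]) & 0xFFFFFFFF
        spec, t = (_ip(t[0]) & mask, mask), t[2:]
    port = int(t[1]) if t[:1] == ["eq"] else None  # numeric ports only in this simulator
    return spec, port, (t[2:] if port is not None else t)

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]' lines into rule dicts."""
    rules = []
    for t in (line.split() for line in text.strip().splitlines()):
        if t[:1] != ["access-list"]:
            continue
        src, sport, rest = _addr_port(t[4:])
        dst, dport, rest = _addr_port(rest)
        rules.append({"action": t[2], "proto": t[3], "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "log": "log" in rest, "hits": 0})
    return rules

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching rule wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for i, r in enumerate(rules):
        if (r["proto"] in ("ip", proto) and r["sport"] in (None, sport) and r["dport"] in (None, dport)
                and (_ip(src) & r["src"][1]) == r["src"][0] and (_ip(dst) & r["dst"][1]) == r["dst"][0]):
            r["hits"] += 1  # the "(N matches)" counter that 'show access-list' prints
            return r["action"], i
    return "deny", None  # implicit deny: everything else, including return traffic, is dropped

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(evaluate(acl, "tcp", "203.0.113.7", "192.168.0.10", 40000, 23))  # ('permit', 0)
    print(evaluate(acl, "tcp", "203.0.113.7", "192.168.0.10", 40000, 80))  # ('deny', 1)
    print(evaluate(acl, "tcp", "203.0.113.7", "192.168.0.25", 80, 40000))  # ('deny', None)
```

The third packet shows the implicit deny: applied inbound on Serial0 with no final permit, this list drops all other inbound traffic, not just traffic to 192.168.0.10. Note also that an inbound ACL on an ip nat outside interface is checked before NAT translates the destination, so it sees the public address rather than the inside LAN address.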
 
Thank you very much, everything worked out great :)


Rich
 