ACL Help


Khan2Tin (Technical User), Jun 7, 2002
Hi, I am trying to restrict telnet access to one of our hosts.

Here's the scenario:
-The router is connected via Serial0/0 to our ISP
-host 192.168.0.1 should be allowed to telnet into 10.10.10.2
-host 10.10.10.2 is connected directly to a switch together w/ the router
-I will be using dummy IPs on the router config below

!
interface Ethernet0/0
ip address 10.10.10.1 255.255.255.0

!
interface Serial0/0
ip address 10.0.1.2 255.255.255.252
ip access-group 101 in

!
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit tcp host 192.168.0.1 host 10.10.10.2 eq telnet



Is this correct? Please help, any advice would be appreciated.
 
First you are going to have to put the permit statement before the deny statement. Actually, I think that should do it...

you could just use the statement:

access-list 101 permit tcp host 192.168.0.1 host 10.10.10.2 eq telnet

There is an implicit deny any any at the end of all access-lists. Therefore, you don't have to put the deny statement, but it won't hurt anything if you do, and might make it easier to clarify what the access-list is doing....let me know if that takes care of it...

You will be blocking all other inbound traffic to anything, if the traffic is coming in the s0/0 interface.

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
I should have mentioned this before, but if you add this:

access-list 101 permit tcp any 10.10.10.0 0.0.0.255 established

This will allow traffic to go into the internal network, as long as the connection was established by a host within the internal network. In essence, it will still allow access out to the internet from the internal network.

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
Thank you Erik, you have provided very useful information. It's nice to learn new things every day.
Here is what I did and it seems to work ok.

!
interface Ethernet0/0
ip address 10.10.10.1 255.255.255.0
ip access-group 101 out
!
interface Serial0/0
ip address 10.0.1.2 255.255.255.252
!
access-list 101 permit tcp any any established
access-list 101 permit tcp host 192.168.0.1 host 10.10.10.2 eq telnet
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any


I figured I can take out the line
access-list 101 deny tcp any host 10.10.10.2 eq telnet
since you mentioned that there is an implicit deny any any at the end of all access-lists, is this correct?

Thanks for the help.
 
You might want to be careful with the last line. Using the access-list 101 permit ip any any will allow ANY, and I mean ANY, IP traffic into and out of your network. I am assuming that this is not what you would like to do... If you give me the exact details on what you would like to do, I can give you the configs that I would use.

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
Hi, thanks!
Here's what I am trying to accomplish.
1- 10.10.10.1 is the address of the core router
2- 10.10.10.2 is a LAN host
3- Allow the remote host 192.168.0.1 to be able to connect to 10.10.10.2 and deny the rest

I figured adding the line "permit ip any any" would disable the "deny ip any any"

access-list 101 permit tcp any any established
access-list 101 permit tcp host 192.168.0.1 host 10.10.10.2 eq telnet
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any

Thx for your help.
 
Well, if that is all that you need then use the following:

access-list 101 permit tcp host 192.168.0.1 host 10.10.10.2 eq telnet

int Ethernet0/0
ip access-group 101 out


This will allow only the host 192.168.0.1 to telnet to the host 10.10.10.2, but will not let any other traffic go out of the ethernet 0/0 interface. To allow hosts on the 10.10.10.0 network to access resources, I am pretty sure that adding the following to the access-list will work:

access-list 101 permit tcp any 10.10.10.0 0.0.0.255 established

Give that a shot and let me know...

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
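The three points that come up in this thread are all consequences of how IOS walks an extended access-list: entries are checked top to bottom, the first match decides, anything unmatched falls through to the implicit `deny ip any any`, and `established` only matches TCP segments with ACK or RST set (reply traffic). The following toy evaluator is an added example, written for this thread and not part of any post or of Cisco IOS. It parses the ACL lines the thread uses (the thread's dummy addresses) and runs constructed packets through each variant: the opening post's deny-before-permit order, the single permit line, the version that ends in `permit ip any any`, and the last suggestion with `established`. The `Packet` model, the small port-name table and the flows from `172.16.9.9` are assumptions made for the illustration; the parser also refuses `established` on a non-tcp entry, which is what IOS does.

```python
# Toy evaluator for Cisco IOS extended ACLs: first match wins, unmatched packets
# hit the implicit deny at the end. Constructed for this thread, not a Cisco tool.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}  # assumed subset

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set, i.e. reply traffic

@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool

def _parse_addr(tokens, i):
    # Accepts 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; returns (network, next index)
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))  # wildcard = inverse of the mask
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network((tok, str(netmask)), strict=False), i + 2

def parse_ace(line: str) -> Ace:
    """access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>] [established]"""
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport, established = None, False
    while i < len(tokens):
        if tokens[i] == "eq":
            port = tokens[i + 1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
            i += 2
        elif tokens[i] == "established":
            if proto != "tcp":  # IOS only accepts 'established' on tcp entries
                raise ValueError("'established' needs protocol tcp: " + line)
            established = True
            i += 1
        else:
            raise ValueError("unsupported token %r in: %s" % (tokens[i], line))
    return Ace(action, proto, src, dst, dport, established)

def matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport)
            and (not ace.established or pkt.established))

def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry decides; no match means the implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action
    return "deny"

# The ACLs discussed in the thread, using its dummy addresses.
PERMIT_LINE = "access-list 101 permit tcp host 192.168.0.1 host 10.10.10.2 eq telnet"
DENY_LINE = "access-list 101 deny tcp any host 10.10.10.2 eq telnet"
ORIGINAL = [DENY_LINE, PERMIT_LINE]              # opening post: deny listed first
REORDERED = [PERMIT_LINE]                         # implicit deny handles the rest
WITH_PERMIT_ANY = ["access-list 101 permit tcp any any established",
                   PERMIT_LINE, DENY_LINE, "access-list 101 permit ip any any"]
FINAL = [PERMIT_LINE,                             # last suggestion, established on tcp
         "access-list 101 permit tcp any 10.10.10.0 0.0.0.255 established"]

# Constructed test flows, all inbound towards the 10.10.10.0/24 LAN.
TELNET_OK = Packet("tcp", "192.168.0.1", "10.10.10.2", 23)
TELNET_OTHER = Packet("tcp", "172.16.9.9", "10.10.10.2", 23)
UDP_IN = Packet("udp", "172.16.9.9", "10.10.10.2", 53)
REPLY_IN = Packet("tcp", "172.16.9.9", "10.10.10.50", 40000, established=True)
NEW_SYN_IN = Packet("tcp", "172.16.9.9", "10.10.10.50", 80)

def run_scenarios() -> dict:
    return {
        "original_allowed_host": evaluate(ORIGINAL, TELNET_OK),          # deny: order is wrong
        "reordered_allowed_host": evaluate(REORDERED, TELNET_OK),        # permit
        "reordered_other_host": evaluate(REORDERED, TELNET_OTHER),       # deny, implicit
        "permit_any_udp_in": evaluate(WITH_PERMIT_ANY, UDP_IN),          # permit: all IP gets in
        "permit_any_other_telnet": evaluate(WITH_PERMIT_ANY, TELNET_OTHER),  # deny
        "final_udp_in": evaluate(FINAL, UDP_IN),                         # deny
        "final_reply_in": evaluate(FINAL, REPLY_IN),                     # permit, reply traffic
        "final_new_syn_in": evaluate(FINAL, NEW_SYN_IN),                 # deny
    }
```

Calling `run_scenarios()` shows the thread's progression in one table: the opening ACL denies the very host it meant to allow because the deny entry is hit first; the single permit line is enough on its own because of the implicit deny; the variant ending in `permit ip any any` lets the UDP probe straight through to the LAN host, which is the problem Erik points out; and the final pair permits only the one telnet flow plus TCP replies to connections the LAN opened, while a fresh inbound SYN to another LAN host still drops. The evaluator ignores interface direction, so it models the list itself, not where it is applied; on a real router the same list behaves differently on `in` at Serial0/0 and on `out` at Ethernet0/0, as the thread's two configurations illustrate.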
 