Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ACL Nightmare

Status
Not open for further replies.
Khan2Tin

Khan2Tin

Technical User
Jun 7, 2002
16
MP
Help! What is wrong with this ACL? I basically want to block all telnet access to host 192.168.0.1 except for 192.168.10.2

access-list 102 permit tcp any any established
access-list 102 deny tcp any host 192.168.0.1 eq telnet log
access-list 102 permit tcp host 192.168.10.2 host 192.168.0.1 eq telnet
access-list 102 permit ip any any

!
interface FastEthernet0/0
ip address 192.168.0.3 255.255.255.0
ip access-group 102 out

Thanks!
 
Sort by date Sort by votes
Your deny statement is processed and applied before you're allowing telnet acces from host 192.168.10.2. Put your permit statements before your deny statements.
 
Upvote 0 Downvote
Tried this, didn't work :( I can still telnet host 192.168.0.1 from any other host.

access-list 102 permit tcp any any established
access-list 102 permit tcp host 192.168.10.2 host 192.168.0.1 eq telnet
access-list 102 deny tcp any host 192.168.0.1 eq telnet log
access-list 102 permit ip any any

 
Upvote 0 Downvote
I don't think router requires a reboot after you applied ACLs.
 
Upvote 0 Downvote
In deed no reboots are needed when changing or aplying ACL's

try denying host 0.1 as 1st statement.

access-list 102 deny tcp any host 192.168.0.1 eq telnet log
access-list 102 permit tcp any any established
access-list 102 permit tcp host 192.168.10.2 host 192.168.0.1 eq telnet
access-list 102 permit ip any any

hope it helps,
 
Upvote 0 Downvote
Hi rcasta, thanks. That didn't work :(

damn ACL, lol
 
Upvote 0 Downvote
in 99% of the cases u don't have to reboot, however, I've had a case where a Cisco PIX firewall would not take an ACL until it was rebooted (or ACL had to be re-applied almost 400 times)
 
Upvote 0 Downvote
Hey people did everyone forget the first rule of ACL Each line is processed and if a match is made then the following lines are not processed.
The first line is basically allowing all tcp traffic no other line will be checked. And remember the implicit deny all at the end.

access-list 102 permit tcp host 192.168.10.2 host 192.168.0.1 eq telnet
access-list 102 deny any host 192.168.0.1 eq telnet
access-list 102 permit tcp any any established
access-list 102 deny any any

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Mogles49
  • Locked
  • Question
Firewall ACL question
Replies
1
Views
93
burtsbees
burtsbees
acabezas2014
  • Locked
  • Question
Create ACL for ip range
Replies
2
Views
90
acabezas2014
acabezas2014
hunt3rxhunt3r
  • Locked
  • Question
ACL to allow address range access to internal address range behind dynamic nat ip
Replies
0
Views
63
hunt3rxhunt3r
hunt3rxhunt3r
xdxml12
  • Locked
  • Question
ACL
Replies
3
Views
61
xdxml12
xdxml12
Almin
  • Locked
  • Question
ACL Question 1
Replies
2
Views
60
Almin
Almin

Part and Inventory Search

Sponsor

Back
Top