The orginal post was done on a 7507 running beta IOS. This is on my 2620:
interface FastEthernet0/0 ip address 172.28.64.28 255.255.255.192 ip access-group 150 in ip directed-broadcast duplex auto speed auto ! access-list 150 deny tcp host 172.28.56.48 any eq telnet log access-list 150 permit ip any any 3w3d: ICMP: dst (172.28.64.28) administratively prohibited unreachable sent to 172.28.56.48 IOS 12.2.(4)T1 Dave Patrick Ramsey wrote: > > what platform and what ios? That's odd... That exact ACL does not work on my 2600's. Now this is going to bug me. 12.2(3) > > >>> MADMAN 02/18/02 03:19PM >>> > Not in my world: > > interface Ethernet4/0/0 > bandwidth 1000 > ip address 172.28.64.11 255.255.255.192 > ip access-group 150 in > no ip directed-broadcast > no ip mroute-cache > ! > access-list 150 deny tcp host 172.28.56.48 any eq telnet log > access-list 150 permit ip any any > > *Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp > 172.28.56.48(57010) - > > 172.28.64.11(23), 1 packet > > Thank you!! > > Dave > > "Roberts, Larry" wrote: > > > > The only way that the access-list applied to the inbound interface ( > non-vty > > ) blocked your telnet is if you were trying to telnet > > To an address that was not the directly connected address ( loopback or far > > side serial/ethernet ) > > > > If you were to telnet directly to the interface that the access-list was > > applied to you WOULD get in. Only an access-class applied > > To the VTY ports will stop that. > > > > Thanks > > > > Larry > > > > -----Original Message----- > > From: MADMAN [mailto:[EMAIL PROTECTED]] > > Sent: Monday, February 18, 2002 1:05 PM > > To: [EMAIL PROTECTED] > > Subject: Re: Dening telnet access [7:35628] > > > > I know it does. I have, even fairly recently, locked myself out of a > router > > via an inbound access list applied to an interface,DOH:( Try again and if > > it doesn't work I would like to see the config. > > > > Are you sure the interface on which you applied the access list is the > > interface you were telneting to/thru?? > > > > Dave > > > > Patrick Ramsey wrote: > > > > > > really? I have had no luck using inbound acl's to control telnet to > > > the > > router...I always have to use acc's on the vty's > > > > > > Is there a trick to this? > > > > > > -Patrick > > > > > > >>> MADMAN 02/18/02 12:16PM >>> > > > Actually telnet packets are processed by inbound access-list. Now if > > > your refering to outbound access-lists then you would be correct. > > > > > > Dave > > > > > > "Hire, Ejay" wrote: > > > > > > > > Because telnet packets destined for the router are not normally > > > > processed > > > by > > > > access-lists. (i don't understand why not, but hey...) > > > > > > > > instead do this > > > > > > > > access-list y deny xx.xx.xx.xx xx.xx.xx.xx > > > > > > > > line vty 0 n (n = the results of a ?, usually 4) access-class y > > > > > > > > -----Original Message----- > > > > From: McHugh Randy [mailto:[EMAIL PROTECTED]] > > > > Sent: Saturday, February 16, 2002 4:49 PM > > > > To: [EMAIL PROTECTED] > > > > Subject: Dening telnet access [7:35628] > > > > > > > > Access list problem: > > > > > > > > Why does this extended access list not work to deny telnet access > > > > applied > > > to > > > > the internet interface on a 2514? > > > > > > > > Extended IP access list 199 > > > > deny tcp any any eq telnet > > > > > > > > interface Ethernet0 > > > > > > > > ip access-group 199 in > > > > > > > > I have alot more statments than this and of course the statement > > > > access-list 199 permit ip any any > > > > > > > > to take care of the implicit deny all , but I can still access the > > > > router from the internet through telnet. Anyone have any ideas what > > > > else might be needed to prevent of selectivly allow telnet access to > > > > my router. Thanks, > > > > Randy > > > -- > > > David Madland > > > Sr. Network Engineer > > > CCIE# 2016 > > > Qwest Communications Int. Inc. > > > [EMAIL PROTECTED] > > > 612-664-3367 > > > > > > "Emotion should reflect reason not guide it" > > > >>>>>>>>>>>>> Confidentiality Disclaimer This email and any files > > transmitted with it may contain confidential and /or proprietary > information > > in the possession of WellStar Health System, Inc. ("WellStar") and is > > intended only for the individual or entity to whom addressed. This email > > may contain information that is held to be privileged, confidential and > > exempt from disclosure under applicable law. If the reader of this message > > is not the intended recipient, you are hereby notified that any > unauthorized > > access, dissemination, distribution or copying of any information from this > > email is strictly prohibited, and may subject you to criminal and/or civil > > liability. If you have received this email in error, please notify the > > sender by reply email and then delete this email and its attachments from > > your computer. Thank you. > > > > > > ================================================================ > > > > -- > > David Madland > > Sr. Network Engineer > > CCIE# 2016 > > Qwest Communications Int. Inc. > > [EMAIL PROTECTED] > > 612-664-3367 > > > > "Emotion should reflect reason not guide it" > -- > David Madland > Sr. Network Engineer > CCIE# 2016 > Qwest Communications Int. Inc. > [EMAIL PROTECTED] > 612-664-3367 > > "Emotion should reflect reason not guide it" > >>>>>>>>>>>>> Confidentiality Disclaimer This email and any files transmitted with it may contain confidential and /or proprietary information in the possession of WellStar Health System, Inc. ("WellStar") and is intended only for the individual or entity to whom addressed. This email may contain information that is held to be privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized access, dissemination, distribution or copying of any information from this email is strictly prohibited, and may subject you to criminal and/or civil liability. If you have received this email in error, please notify the sender by reply email and then delete this email and its attachments from your computer. Thank you. > > ================================================================ -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 "Emotion should reflect reason not guide it" Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35788&t=35628 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
