Access-classes are exclusively for denying access to the router, so yes,
that is the correct way, I suppose.  I just wanted to point out that
there is another way because it can and has burned me!!!

   Also, a while ago, as I mentioned earlier, all access-lists were
outbound, but I don't think anyone on this list is running 9.0 or
earlier!!

  Dave

"Roberts, Larry" wrote:
> 
> Wow, that makes no sense. It must be a new feature. :)
> 
> Anyway, you're right, I'm wrong.
> 
> I would like to point out that if you are asked by Cisco to restrict access
> to the router, if you want credit I would strongly
> advise using access-class statements.
> 
> Remember the answer is the Cisco way, not always the right way.
> 
> Thanks
> 
> Larry
> 
> -----Original Message-----
> From: MADMAN [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 18, 2002 4:42 PM
> To: Roberts, Larry
> Cc: [EMAIL PROTECTED]
> Subject: Re: Dening telnet access [7:35628]
> 
>    Here's the proof:
> 
> interface FastEthernet0/0
>  ip address 172.28.64.28 255.255.255.192
>  ip access-group 150 in
>  ip directed-broadcast
>  duplex auto
>  speed auto
> !
> access-list 150 deny   tcp host 172.28.64.11 any eq telnet log
> access-list 150 permit ip any any
> !
> line con 0
>  exec-timeout 0 0
> line aux 0
> line vty 0 4
>  exec-timeout 0 0
>  password cisco
>  logging synchronous
>  login
> line vty 5 15
>  login
> 
> C2620B#
> 3w3d: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.64.11(62978) -> 172.28.64.28(23), 1 packet
> C2620B#
> 
>   Dave
> 
> "Roberts, Larry" wrote:
> >
> > And for reference:
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#xtocid1
> >
> > Note that your source address is NOT on the same Ethernet subnet
> > (172.28.64.11/26). You're coming from 172.28.56.48. A routing decision is
> > being made.
> >
> > Put your machine on the 172.28.64.11 subnet and show me this getting
> > dropped.
> >
> > Thanks
> >
> > Larry
> >
> > -----Original Message-----
> > From: MADMAN [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, February 18, 2002 3:21 PM
> > To: Roberts, Larry
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Dening telnet access [7:35628]
> >
> >   Not in my world:
> >
> > interface Ethernet4/0/0
> >  bandwidth 1000
> >  ip address 172.28.64.11 255.255.255.192
> >  ip access-group 150 in
> >  no ip directed-broadcast
> >  no ip mroute-cache
> > !
> > access-list 150 deny   tcp host 172.28.56.48 any eq telnet log
> > access-list 150 permit ip any any
> >
> > *Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet
> >
> >   Thank you!!
> >
> >   Dave
> >
> > "Roberts, Larry" wrote:
> > >
> > > The only way that the access-list applied to the inbound interface
> > > (non-vty) blocked your telnet is if you were trying to telnet
> > > to an address that was not the directly connected address (loopback
> > > or far side serial/ethernet).
> > >
> > > If you were to telnet directly to the interface that the access-list
> > > was applied to you WOULD get in. Only an access-class applied to the
> > > VTY ports will stop that.
> > >
> > > Thanks
> > >
> > > Larry
> > >
> > > -----Original Message-----
> > > From: MADMAN [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, February 18, 2002 1:05 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Dening telnet access [7:35628]
> > >
> > > I know it does.  I have, even fairly recently, locked myself out of
> > > a router via an inbound access list applied to an interface, DOH :(
> > > Try again and if it doesn't work I would like to see the config.
> > >
> > >   Are you sure the interface on which you applied the access list is
> > > the interface you were telnetting to/through??
> > >
> > >   Dave
> > >
> > > Patrick Ramsey wrote:
> > > >
> > > > really?  I have had no luck using inbound acl's to control telnet
> > > > to the router...I always have to use acc's on the vty's
> > > >
> > > > Is there a trick to this?
> > > >
> > > > -Patrick
> > > >
> > > > >>> MADMAN  02/18/02 12:16PM >>>
> > > > Actually, telnet packets are processed by inbound access-lists.  Now
> > > > if you're referring to outbound access-lists then you would be
> > > > correct.
> > > >
> > > >   Dave
> > > >
> > > > "Hire, Ejay" wrote:
> > > > >
> > > > > Because telnet packets destined for the router are not normally
> > > > > processed by access-lists.  (I don't understand why not, but hey...)
> > > > >
> > > > > instead do this
> > > > >
> > > > > access-list y deny xx.xx.xx.xx xx.xx.xx.xx
> > > > >
> > > > > line vty 0 n      (n = the result of a ?, usually 4)
> > > > >  access-class y in
> > > > >
> > > > > -----Original Message-----
> > > > > From: McHugh Randy [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Saturday, February 16, 2002 4:49 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: Dening telnet access [7:35628]
> > > > >
> > > > > Access list problem:
> > > > >
> > > > > Why does this extended access list not work to deny telnet
> > > > > access applied to the internet interface on a 2514?
> > > > >
> > > > > Extended IP access list 199
> > > > > deny tcp any any eq telnet
> > > > >
> > > > > interface Ethernet0
> > > > >
> > > > > ip access-group 199 in
> > > > >
> > > > > I have a lot more statements than this and of course the statement
> > > > > access-list 199 permit ip any any
> > > > >
> > > > > to take care of the implicit deny all, but I can still access
> > > > > the router from the internet through telnet. Anyone have any
> > > > > ideas what else might be needed to prevent or selectively allow
> > > > > telnet access to my router. Thanks, Randy
> > > > --
> > > > David Madland
> > > > Sr. Network Engineer
> > > > CCIE# 2016
> > > > Qwest Communications Int. Inc.
> > > > [EMAIL PROTECTED]
> > > > 612-664-3367
> > > >
> > > > "Emotion should reflect reason not guide it"
> > >
> >
> 

-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35791&t=35628
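Editor's added example, not a config posted by anyone in the thread: the two
controls the thread argues about, side by side, on a single router. The
addresses, ACL names and numbers are assumptions for illustration. The point
the thread settles on is that an inbound interface ACL does evaluate telnet
packets addressed to the router itself (Dave's %SEC-6-IPACCESSLOGP lines show
that), but only for packets entering that one interface, whereas an
access-class on the VTY lines is checked for every incoming VTY session no
matter which interface or router address it arrived on.

```cisco
! --- 1) Inbound interface ACL: scoped to ONE ingress interface -------------
! Telnet to the router that enters FastEthernet0/0 is matched here, but
! telnet that enters any other interface (serial, loopback-destined traffic
! routed in from elsewhere) never touches this list.
ip access-list extended PROTECT-FA0-IN
 deny   tcp host 172.28.64.11 any eq telnet log
 permit ip any any
!
interface FastEthernet0/0
 ip address 172.28.64.28 255.255.255.192
 ip access-group PROTECT-FA0-IN in
!
! --- 2) access-class on the VTYs: scoped to the management plane ----------
! Standard ACL 10 lists the management hosts allowed to open a VTY session.
! It is evaluated for every inbound VTY connection regardless of ingress
! interface or destination address, so this is the control to rely on.
access-list 10 remark Hosts permitted to reach the VTY lines
access-list 10 permit 172.28.56.0 0.0.0.255
access-list 10 deny   any log
!
! Apply it to ALL VTY lines. Lines left without an access-class will still
! accept the sessions the protected lines refuse.
line vty 0 15
 access-class 10 in
 exec-timeout 10 0
 login
```

To check which control actually fired, telnet from a denied host and compare
the hit counters in `show access-lists PROTECT-FA0-IN` and
`show access-lists 10`; a session refused by the access-class is dropped
before any login prompt, and `show users` confirms no VTY was allocated to it.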