Dave is right...
r7#sh run int e0
Building configuration...
Current configuration : 128 bytes
!
interface Ethernet0
ip address 10.10.10.77 255.255.255.0
ip access-group 101 in
no ip route-cache
no ip mroute-cache
end
r7#sh access-lists
Extended IP access list 101
deny tcp any any eq telnet log (2 matches)
permit ip any any (32 matches)
r7#
04:08:59: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.222(11010) ->
10.10.10.77(23), 1 packet
r7#
04:10:18: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.10.10.111(11017) ->
10.10.10.77(23), 1 packet
CM
----- Original Message -----
From: "Roberts, Larry"
To:
Sent: Monday, February 18, 2002 9:00 PM
Subject: RE: Dening telnet access [7:35628]
> And for reference:
>
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr
> as_r/1rfip1.htm#xtocid1
>
> Note that your source address is NOT on the same Ethernet subnet (
> 172.28.64.11/26 )
> Your coming from 172.28.56.48. A routing decision is being made.
>
> Put your machine on the 172.28.64.11 subnet and show me this getting
> dropped.
>
>
>
> Thanks
>
> Larry
>
> -----Original Message-----
> From: MADMAN [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 18, 2002 3:21 PM
> To: Roberts, Larry
> Cc: [EMAIL PROTECTED]
> Subject: Re: Dening telnet access [7:35628]
>
>
>
> Not in my world:
>
> interface Ethernet4/0/0
> bandwidth 1000
> ip address 172.28.64.11 255.255.255.192
> ip access-group 150 in
> no ip directed-broadcast
> no ip mroute-cache
> !
> access-list 150 deny tcp host 172.28.56.48 any eq telnet log
> access-list 150 permit ip any any
>
> *Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp
> 172.28.56.48(57010) -
> > 172.28.64.11(23), 1 packet
>
> Thank you!!
>
> Dave
>
> "Roberts, Larry" wrote:
> >
> > The only way that the access-list applied to the inbound interface (
> > non-vty
> > ) blocked your telnet is if you were trying to telnet
> > To an address that was not the directly connected address ( loopback or
> far
> > side serial/ethernet )
> >
> > If you were to telnet directly to the interface that the access-list
> > was applied to you WOULD get in. Only an access-class applied To the
> > VTY ports will stop that.
> >
> > Thanks
> >
> > Larry
> >
> > -----Original Message-----
> > From: MADMAN [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, February 18, 2002 1:05 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Dening telnet access [7:35628]
> >
> > I know it does. I have, even fairly recently, locked myself out of a
> > router via an inbound access list applied to an interface,DOH:( Try
> > again and if it doesn't work I would like to see the config.
> >
> > Are you sure the interface on which you applied the access list is
> > the interface you were telneting to/thru??
> >
> > Dave
> >
> > Patrick Ramsey wrote:
> > >
> > > really? I have had no luck using inbound acl's to control telnet to
> > > the
> > router...I always have to use acc's on the vty's
> > >
> > > Is there a trick to this?
> > >
> > > -Patrick
> > >
> > > >>> MADMAN 02/18/02 12:16PM >>>
> > > Actually telnet packets are processed by inbound access-list. Now
> > > if your refering to outbound access-lists then you would be correct.
> > >
> > > Dave
> > >
> > > "Hire, Ejay" wrote:
> > > >
> > > > Because telnet packets destined for the router are not normally
> > > > processed
> > > by
> > > > access-lists. (i don't understand why not, but hey...)
> > > >
> > > > instead do this
> > > >
> > > > access-list y deny xx.xx.xx.xx xx.xx.xx.xx
> > > >
> > > > line vty 0 n (n = the results of a ?, usually 4) access-class y
> > > >
> > > > -----Original Message-----
> > > > From: McHugh Randy [mailto:[EMAIL PROTECTED]]
> > > > Sent: Saturday, February 16, 2002 4:49 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Dening telnet access [7:35628]
> > > >
> > > > Access list problem:
> > > >
> > > > Why does this extended access list not work to deny telnet access
> > > > applied
> > > to
> > > > the internet interface on a 2514?
> > > >
> > > > Extended IP access list 199
> > > > deny tcp any any eq telnet
> > > >
> > > > interface Ethernet0
> > > >
> > > > ip access-group 199 in
> > > >
> > > > I have alot more statments than this and of course the statement
> > > > access-list 199 permit ip any any
> > > >
> > > > to take care of the implicit deny all , but I can still access the
> > > > router from the internet through telnet. Anyone have any ideas
> > > > what else might be needed to prevent of selectivly allow telnet
> > > > access to my router. Thanks, Randy
> > > --
> > > David Madland
> > > Sr. Network Engineer
> > > CCIE# 2016
> > > Qwest Communications Int. Inc.
> > > [EMAIL PROTECTED]
> > > 612-664-3367
> > >
> > > "Emotion should reflect reason not guide it"
> > > >>>>>>>>>>>>> Confidentiality Disclaimer This email and any files
> > transmitted with it may contain confidential and /or proprietary
> > information in the possession of WellStar Health System, Inc.
> > ("WellStar") and is intended only for the individual or entity to whom
> > addressed. This email may contain information that is held to be
> > privileged, confidential and exempt from disclosure under applicable
> > law. If the reader of this message is not the intended recipient, you
> > are hereby notified that any unauthorized access, dissemination,
> > distribution or copying of any information from this email is strictly
> > prohibited, and may subject you to criminal and/or civil liability. If
> > you have received this email in error, please notify the sender by
> > reply email and then delete this email and its attachments from your
> > computer. Thank you.
> > >
> > > ================================================================
> >
> > --
> > David Madland
> > Sr. Network Engineer
> > CCIE# 2016
> > Qwest Communications Int. Inc.
> > [EMAIL PROTECTED]
> > 612-664-3367
> >
> > "Emotion should reflect reason not guide it"
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
>
> "Emotion should reflect reason not guide it"
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35811&t=35628
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
