Access-list Problems

Unanswered Question
Aug 12th, 2007

I'm trying to configure the following access-list on my lab from the sybex book:

Create an access-list on the 2600A router to block telnet access into the 172.16.60.0 network, but still allow Hosts G and H to ping HostE.

2600A#config t

2600A(config)#access-list 110 deny tcp host 172.16.80.3 172.16.60.0 0.0.0.255 eq telnet

2600A(config)#access-list 110 deny tcp host 172.16.90.3 172.16.60.0 0.0.0.255 eq telnet

2600A(config)#access-list 110 permit ip any any

This access-list blocked source addresses 172.16.80.3 and 172.16.90.3 from telnetting into 172.16.60.0. See chapter 9 of the Sybex CCNA Study Guide for information on the wildcard configuration.

The problem is that I can still telnet from the .80.3 and .90.3 workstations.

Apply this access-list to the serial interface 0 of the 2600A router to filter the packets coming into the router.

2600A(config)#interface serial 0/0

2600A(config-if)#ip access-group 110 in

2600A(config-if)#^z

2600A#

The lab is configured word for word from the book.

Any ideas as to why the access list isn't working?

Edison Ortiz Sun, 08/12/2007 - 11:22

In which direction are the hosts 172.16.80.3 and 172.16.90.3 located from the 2600A Router's perspective?

Based on your access-group, the only way that would work is if both of those hosts are coming into the network via the serial interface.

If those hosts are sitting behind the 2600A Router and they are coming via the LAN interface and exiting via the serial interface, you must place an 'ip access-group 110 out' not 'in'.

HTH,
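
The direction rule from the reply above, modeled as an added example that is not part of the original thread: a small Python evaluator for ACL 110 showing which interface/direction binding actually inspects a packet. The destination host 172.16.60.2 and the LAN interface name fa0/0 are constructed assumptions; the ACL entries and serial 0/0 come from the post.

```python
import ipaddress

# ACL 110 as posted: (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port)
ANY = ("0.0.0.0", "255.255.255.255")
ACL_110 = [
    ("deny", "tcp", "172.16.80.3", "0.0.0.0", "172.16.60.0", "0.0.0.255", 23),
    ("deny", "tcp", "172.16.90.3", "0.0.0.0", "172.16.60.0", "0.0.0.255", 23),
    ("permit", "ip", *ANY, *ANY, None),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: bits set to 1 are ignored, bits set to 0 must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_action(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, proto, src, sw, dst, dw, port in acl:
        if (proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], src, sw)
                and wildcard_match(pkt["dst"], dst, dw)
                and (port is None or pkt["dport"] == port)):
            return action
    return "deny"

def forwarded(pkt, bindings, acls):
    """bindings maps (interface, direction) -> ACL number, like ip access-group.
    Only the 'in' ACL on the ingress interface and the 'out' ACL on the
    egress interface ever see the packet."""
    for key in ((pkt["ingress"], "in"), (pkt["egress"], "out")):
        num = bindings.get(key)
        if num is not None and acl_action(acls[num], pkt) == "deny":
            return False
    return True

ACLS = {110: ACL_110}
# Constructed packets: 172.16.60.2 and the LAN interface name fa0/0 are assumptions.
def packet(proto, dport, ingress, egress):
    return {"proto": proto, "src": "172.16.80.3", "dst": "172.16.60.2",
            "dport": dport, "ingress": ingress, "egress": egress}

if __name__ == "__main__":
    telnet_lan = packet("tcp", 23, "fa0/0", "s0/0")   # host behind 2600A
    for direction in ("in", "out"):
        ok = forwarded(telnet_lan, {("s0/0", direction): 110}, ACLS)
        print(f"access-group 110 {direction} on s0/0: telnet forwarded = {ok}")
```

On a real router, `show access-lists 110` gives the same answer empirically: if the deny entries show no matches while telnet sessions succeed, the traffic is not crossing the interface in the bound direction.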
