Solved: ACL help

mikedurbin · ‎05-12-2008

Im trying to prevent telnet access into my core switch from a guest vlan, and for the most part everything is working well. I have one issue though, and that is that I can telnet to the device from the guest vlan, and I dont want that to happen. Can someone please give me some guidance on what should be in my ACL? See ACL below. It is applied to the guest vlan, and everything except the telnet part works. I do not even see anything hitting the ACL in that part of it. Thanks. Host is 192.168.255.1.

deny tcp any eq telnet host 192.168.255.1 eq telnet

permit 80 192.168.255.0 0.0.0.255 host 10.1.1.1

permit udp 192.168.255.0 0.0.0.255 eq isakmp host 10.1.1.1 eq isakmp

permit tcp 192.168.255.0 0.0.0.255 eq 1723 host 10.1.1.1 eq 1723

permit tcp 192.168.255.0 0.0.0.255 eq 1701 host 10.1.1.1 eq 1701

permit tcp 192.168.255.0 0.0.0.255 eq 443 host 10.1.1.1 eq 443

deny ip any 10.0.0.0 0.255.255.255

deny icmp any host 192.168.255.1

deny tcp any eq ftp-data any eq ftp-data

deny tcp any eq ftp any eq ftp

deny tcp any eq 22 any eq 22

permit ip any any

srue · ‎05-12-2008

this is wrong:

deny tcp any eq telnet host 192.168.255.1 eq telnet

should be:

deny tcp any host 192.168.255.1 eq telnet

View solution in original post

srue · ‎05-12-2008

this is wrong:

deny tcp any eq telnet host 192.168.255.1 eq telnet

should be:

deny tcp any host 192.168.255.1 eq telnet

Richard Burts · ‎05-12-2008

Mike

Your access list has several entries where the source port and the destination port are the same. As Steven points out this is generally not the case. The only one in your access list where it is correct to have the same source and destination is the one for isakmp. For FTP, ftp-data, ssh, etc it would be source or destination (depending on how the access list is to be applied).

HTH

Rick

HTH

Rick

mikedurbin · ‎05-12-2008

Thanks all. Will go and try this real quick.

mikedurbin · ‎05-12-2008

Yes, it all worked. Thanks again.