access-list

Unanswered Question
Sep 10th, 2008
I need to prevent telnet access from the Internet to a server connected to the f0/0 interface. To achieve this I created the following access-list:

deny tcp any x.x.x.x eq 23

permit ip any any

I applied it in the outbound direction on the f0/0 interface, but it didn't work.

Any suggestions?

Richard Burts Thu, 09/11/2008 - 04:03

francisco,


While we might agree that there is some efficiency in applying the access list as inbound on the public interface instead of outbound on the private interface (catch the traffic and deny it sooner), you are creating essentially the same access list as mohammad did. If it did not work as outbound on the private interface, I do not see what would make it work inbound on the public interface. Do you have a theory to explain that?


I believe that we need to investigate why the access list did not work for mohammad. If the x.x.x.x does correctly identify the server then it looks to me like his access list should have worked. Perhaps mohammad can supply a bit more detail about the topology of his network and the interface config where he attempted his access list. That might give us a better understanding of the issue.


HTH


Rick

amikat Thu, 09/11/2008 - 04:04

Hi,


Your deny statement as displayed would not be accepted by IOS. To prevent telnet to just one server, this could be written as:

deny tcp any host x.x.x.x eq 23

or you can use the wildcard 0.0.0.0, i.e.:

deny tcp any x.x.x.x 0.0.0.0 eq 23

In my experience wildcards can easily be misunderstood.

Can you please show the access-list commands exactly as you typed them?


Best regards,


Antonin
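A worked version of the corrected access list, with the placement and verification steps discussed in the thread. This is an added example, not configuration posted by mohammad, Rick or Antonin. It assumes the server's address is 192.0.2.10 (a documentation-range placeholder standing in for x.x.x.x), that the server sits behind FastEthernet0/0 as in the question, that the Internet-facing interface is FastEthernet0/1 (an assumed name), and the ACL name BLOCK-TELNET-TO-SERVER is made up for the example.

```cisco
! Added example; not part of the original thread. Placeholders: the server
! is 192.0.2.10 (stands in for x.x.x.x), it sits behind FastEthernet0/0 as in
! the question, and FastEthernet0/1 is the assumed Internet-facing interface.
!
! As posted in the question (amikat reports IOS will not accept the deny
! line because the destination has neither a wildcard mask nor "host"):
!
!   deny tcp any x.x.x.x eq 23
!   permit ip any any
!
! Corrected form as a named extended ACL. "host 192.0.2.10" is the same match
! as "192.0.2.10 0.0.0.0"; only one of the two is needed, the other is kept
! as a remark. "log" makes each denied telnet attempt visible in syslog, and
! "show access-lists" keeps a hit counter per entry, which is how to tell
! whether the packets ever reach the ACL at all.
ip access-list extended BLOCK-TELNET-TO-SERVER
 remark drop telnet (TCP/23) from anywhere to the server
 deny   tcp any host 192.0.2.10 eq 23 log
 remark equivalent wildcard form: deny tcp any 192.0.2.10 0.0.0.0 eq 23
 permit ip any any
!
! Applied outbound on the server-facing interface, as in the question:
interface FastEthernet0/0
 ip access-group BLOCK-TELNET-TO-SERVER out
!
! Alternative placement: inbound on the Internet-facing interface, so the
! packets are discarded before they are routed. If this router also NATs the
! server, the two placements see different addresses: inbound on the outside
! interface matches the public (inside global) address, outbound on the
! inside interface matches the private (inside local) address, so the
! address in the deny line must be the one the ACL actually sees.
!
! interface FastEthernet0/1
!  ip access-group BLOCK-TELNET-TO-SERVER in
!
! Verify from exec mode: the first command shows which list is bound to the
! interface and in which direction, the second shows match counts that
! should increase during a test telnet from outside.
!   show ip interface FastEthernet0/0
!   show access-lists BLOCK-TELNET-TO-SERVER
!
! Caveats: only TCP/23 is blocked, so SSH (TCP/22) or telnet on another port
! still passes via "permit ip any any"; and an outbound ACL never filters
! traffic the router itself originates, so a telnet from the router's own
! CLI to the server is not a valid test of this list.
```

The hit counters are the quickest way to answer Rick's question of why the original list "did not work": if a telnet from outside still connects and the deny entry's counter stays at zero, the traffic is not reaching the ACL (wrong interface, wrong direction, or an address that does not match what the router sees at that point), rather than the ACL matching and failing to drop.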
