access-list

mohammady · ‎09-10-2008

I need to prevent telnet access to a server connected to f0/0 interface from internet to achieve this I created the following access-list:

deny tcp any x.x.x.x eq 23

permit ip any any

I applied it to outbound direction on the f0/0 interface,....but didnt work??!!

any suggestion???

francisco_1 · ‎09-10-2008

interface ethernet0 (Public Interface)

ip access-group 102 in

!

access-list 102 deny tcp any x.x.x.x eq 23

access-list 102 permit ip any any

see this example http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#denytelnettraffic

francisco

Richard Burts · ‎09-11-2008

francisco

While we might agree that there is some efficiency in applying the access list as inbound on the public interface instead of outbound on the private interface (catch the traffic and deny it sooner) you are creating essentially the same access list as mohammad did. If it did not work as outbound on the private interface I do not see what would make it work inbound on the public interface. Do you have a theory to explain that?

I believe that we need to investigate why the access list did not work for mohammad. If the x.x.x.x does correctly identify the server then it looks to me like his access list should have worked. Perhaps mohammad can supply a bit more detail about the topology of his network and the interface config where he attempted his access list. That might give us a better understanding of the issue.

HTH

Rick

HTH

Rick

amikat · ‎09-11-2008

Hi,

your deny statement as displayed would not be accepted by IOS. To prevent telnet just to one server this could be written as:

deny tcp any host x.x.x.x eq 23 or you can use wildcard 0.0.0.0, ie:

deny tcp any x.x.x.x 0.0.0.0 eq 23.

To my experience wildcards can be easily be misunderstood.

Can you please show the access-list commands exactly as you have typed these.

Best regards,

Antonin