ACL to access with telnet on my Router 837

Mar 16th, 2006

Hi,

I have a Router 837 with one ADSL interface and one loopback interface, both configured with public IP addresses.

I would like to make an ACL that permits me to telnet to the loopback interface but not to the ADSL (ATM 0.1) interface.

I have tried with an access list and access-class, but the access list was applied to all interfaces.

Thanks


Example:

interface loopback 0
 ip address xx.xx.xx.231 255.255.255.252
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address xx.xx.xx.230 255.255.255.252


pkhatri Thu, 03/16/2006 - 09:23

Try this:

access-list 101 permit ip any host x.x.x.231
!
line vty 0 4
 access-class 101 in


Hope that helps - pls rate the post if it does.

Paresh

e.deangelis Fri, 03/17/2006 - 00:45

Hi Paresh,

thanks for your reply, but it does not work.

Strange, but I cannot telnet to the router on any interface with this ACL.


pkhatri Fri, 03/17/2006 - 00:49

Do you have any ACLs applied on any of the interfaces at all?


Paresh

e.deangelis Fri, 03/17/2006 - 01:47

Hi,

On the loopback interface, no.

I have an ACL on the Ethernet interface:

ip access-list extended FIREWALL
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.149.0 0.0.0.255
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq domain
access-list 110 permit icmp any any echo
access-list 110 permit tcp any eq ftp-data any gt 1023
access-list 110 permit tcp any eq ftp any gt 1023

nethelper Fri, 03/17/2006 - 03:49

Hello,

try and add a log statement to the access list:

access-list 110 deny ip any any log


If your access is blocked by the access list, it should show in the console output of your router.

You could also try and add the following to your access list:

access-list 110 permit tcp any any eq telnet


Regards,


Nethelper

e.deangelis Fri, 03/17/2006 - 04:12

Nethelper,

thanks in advance, but I have a problem on the loopback interface.

I have two external interfaces: ATM 0.1 with the provider's IP address and the loopback interface with my IP address.

I want telnet to work only on the loopback interface.

See my example configuration.

Thanks

nethelper Fri, 03/17/2006 - 04:57

Hello,


understood, but keep in mind that the Loopback interface is not an external interface; it is just a virtual interface that is neither internal nor external. If your TELNET clients are coming from behind the Ethernet0 interface, the access list you applied to that interface will block access to the Loopback interface. That is why I recommended the additions to the access list.

Check the access list operation first by adding the 'log' keyword to the deny statement as described, and if you see that the access list blocks your Telnet access, add the line:

access-list 110 permit tcp any host x.x.x.231 eq telnet

Does that make sense?


Regards,


Nethelper
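As an added example (not from the thread or from Cisco), a small Python model of the two first-match filters discussed above: the inbound list on Ethernet0, which drops LAN telnet to the loopback address under the implicit deny until a line like Nethelper's is added, and Paresh's vty access-class, which admits only sessions opened to the .231 address. The 203.0.113.x addresses and the 192.168.13.10 client are constructed stand-ins for the masked values, and the model assumes the access-class matches an extended ACL's destination against the address the telnet session was opened to.

```python
import ipaddress

PORTS = {"telnet": 23, "www": 80, "domain": 53, "ftp": 21, "ftp-data": 20}
LOOPBACK, ATM = "203.0.113.231", "203.0.113.230"  # constructed stand-ins for .231/.230

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: a 1 bit means "do not care" about that bit.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr_spec(tok, i):
    # Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'.
    if tok[i] == "any":
        spec, i = ("0.0.0.0", "255.255.255.255"), i + 1
    elif tok[i] == "host":
        spec, i = (tok[i + 1], "0.0.0.0"), i + 2
    else:
        spec, i = (tok[i], tok[i + 1]), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return spec, port, i

def evaluate(acl_lines, pkt):
    # 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]'; first match wins,
    # and a list with no matching entry ends in the implicit deny.
    for line in acl_lines:
        tok = line.split()
        src, sport, i = _addr_spec(tok, 4)
        dst, dport, _ = _addr_spec(tok, i)
        if (tok[3] in ("ip", pkt["proto"]) and sport in (None, pkt["sport"])
                and dport in (None, pkt["dport"]) and wildcard_match(pkt["src"], *src)
                and wildcard_match(pkt["dst"], *dst)):
            return tok[2], line
    return "deny", "implicit deny"

def telnet_from_lan(dst):  # constructed packet: a host behind Ethernet0 opens telnet to dst
    return {"proto": "tcp", "src": "192.168.13.10", "sport": 40000, "dst": dst, "dport": 23}

ACL_110 = ["access-list 110 permit tcp any any eq www",  # poster's Ethernet0 list, condensed
           "access-list 110 permit tcp any any eq 443",
           "access-list 110 permit tcp any any eq domain"]

def ethernet0_verdict(with_fix):
    # Nethelper's suggested line is what lets LAN telnet reach the Loopback0 address.
    fix = ["access-list 110 permit tcp any host %s eq telnet" % LOOPBACK]
    return evaluate(ACL_110 + (fix if with_fix else []), telnet_from_lan(LOOPBACK))[0]

def access_class_verdict(dst):
    # Paresh's vty access-class: only sessions opened to the loopback address pass.
    return evaluate(["access-list 101 permit ip any host " + LOOPBACK], telnet_from_lan(dst))[0]
```

Running `ethernet0_verdict(False)` and `ethernet0_verdict(True)` gives deny then permit, and `access_class_verdict` returns permit for the loopback address and deny for the ATM0.1 address.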

e.deangelis Fri, 03/17/2006 - 05:30

OK, thanks,

please see my config:

I would like telnet only on the loopback interface.

Thanks

_________________________


!
version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ******
!
enable password ******
!
username ***** privilege 15 password *******
aaa new-model
!
!
aaa authentication login console enable
aaa authentication login telnet local
aaa authentication ppp default none
aaa authorization exec console none
aaa authorization exec telnet local
aaa session-id common
ip subnet-zero
!
!
ip multicast-routing
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key 6 ******** address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set VPN esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set VPN
 match address 120
!
!
!
!
interface Loopback0
 ip address yyy.yyy.yyy.218 255.255.255.248
 crypto map nolan
!
interface Ethernet0
 ip address 192.168.13.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address xxx.xxx.xxx.230 255.255.255.252
 ip nat outside
 pvc 8/35
  encapsulation aal5snap
!
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip nat inside source list 101 interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xyz.229
ip route 192.168.17.0 255.255.255.0 Loopback0
ip route 192.168.149.0 255.255.255.0 Loopback0
ip route 192.168.150.0 255.255.255.0 Loopback0
no ip http server
no ip http secure-server
!
access-list 101 deny ip any 192.168.149.0 0.0.0.255
access-list 101 deny ip any 192.168.150.0 0.0.0.255
access-list 101 deny ip any 192.168.17.0 0.0.0.255
access-list 101 permit ip 192.168.13.0 0.0.0.255 any
access-list 120 permit ip 192.168.13.0 0.0.0.255 192.168.149.0 0.0.0.255
access-list 120 permit ip 192.168.13.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 120 permit ip 192.168.13.0 0.0.0.255 192.168.17.0 0.0.0.255
!
line con 0
 authorization exec console
 login authentication console
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 30 0
 password *********
 authorization exec telnet
 login authentication telnet
 length 0
!
scheduler max-task-time 5000
!
end
