03-16-2006 09:17 AM - edited 03-05-2019 11:48 AM
Hi,
I have an 837 router with one ADSL interface and one loopback interface, both configured with public IP addresses.
I would like to make an ACL that permits me to telnet to the loopback interface but not to the ADSL (ATM0.1) interface.
I have tried with an access list and access-class, but the access list was applied to all interfaces.
Thanks
Example:
interface loopback 0
ip address xx.xx.xx.231 255.255.255.252
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address xx.xx.xx.230 255.255.255.252
03-16-2006 09:23 AM
Try this:
access-list 101 permit ip any host x.x.x.231
line vty 0 4
access-class 101 in
Hope that helps - pls rate the post if it does.
Paresh
03-17-2006 12:45 AM
Hi Paresh,
thanks for your reply, but it does not work.
Strangely, I cannot telnet to the router on any interface with this ACL.
03-17-2006 12:49 AM
Do you have any ACLs applied on any of the interfaces at all?
Paresh
03-17-2006 01:47 AM
Hi,
On the loopback interface, no.
I have an ACL on the Ethernet interface.
ip access-list extended FIREWALL
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.149.0 0.0.0.255
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq domain
access-list 110 permit icmp any any echo
access-list 110 permit tcp any eq ftp-data any gt 1023
access-list 110 permit tcp any eq ftp any gt 1023
03-17-2006 03:49 AM
Hello,
try adding a log statement to the access list:
access-list 110 deny ip any any log
If your access is blocked by the access list, it should show in the console output of your router.
You could also try adding the following to your access list:
access-list 110 permit tcp any any eq telnet
Regards,
Nethelper
03-17-2006 04:12 AM
Nethelper,
thanks in advance,
but I have a problem with the loopback interface.
I have two external interfaces: ATM0.1 with the provider's IP address, and the loopback interface with my own IP address.
I want Telnet to work only on the loopback interface.
See my example configuration.
Thanks
03-17-2006 04:57 AM
Hello,
understood, but keep in mind that the Loopback interface is not an external interface, it is just a virtual interface that is neither internal nor external. If your TELNET clients are coming from behind the Ethernet0 interface, the access list you applied to that interface will block access to the Loopback interface, that is why I recommended the additions to the access list.
Check the access list operation first by adding the 'log' keyword to the deny statement as described, and if you see that the access list blocks your Telnet access, add the line:
access-list 110 permit tcp any host x.x.x.231 eq telnet
Does that make sense?
Regards,
Nethelper
03-17-2006 05:30 AM
OK, thanks.
Please see my config:
I would like Telnet only on the loopback interface.
Thanks
_________________________
!
version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ******
!
enable password ******
!
username ***** privilege 15 password *******
aaa new-model
!
!
aaa authentication login console enable
aaa authentication login telnet local
aaa authentication ppp default none
aaa authorization exec console none
aaa authorization exec telnet local
aaa session-id common
ip subnet-zero
!
!
ip multicast-routing
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key 6 ******** address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set VPN esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set VPN
match address 120
!
!
!
!
interface Loopback0
ip address yyy.yyy.yyy.218 255.255.255.248
crypto map nolan
!
interface Ethernet0
ip address 192.168.13.1 255.255.255.0
ip nat inside
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address xxx.xxx.xxx.230 255.255.255.252
ip nat outside
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source list 101 interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xyz.229
ip route 192.168.17.0 255.255.255.0 Loopback0
ip route 192.168.149.0 255.255.255.0 Loopback0
ip route 192.168.150.0 255.255.255.0 Loopback0
no ip http server
no ip http secure-server
!
access-list 101 deny ip any 192.168.149.0 0.0.0.255
access-list 101 deny ip any 192.168.150.0 0.0.0.255
access-list 101 deny ip any 192.168.17.0 0.0.0.255
access-list 101 permit ip 192.168.13.0 0.0.0.255 any
access-list 120 permit ip 192.168.13.0 0.0.0.255 192.168.149.0 0.0.0.255
access-list 120 permit ip 192.168.13.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 120 permit ip 192.168.13.0 0.0.0.255 192.168.17.0 0.0.0.255
!
line con 0
authorization exec console
login authentication console
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 30 0
password *********
authorization exec telnet
login authentication telnet
length 0
!
scheduler max-task-time 5000
!
end
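Putting the advice in this thread against the configuration posted above, here is a small added worked example (Python, written for this page; it is not code from the thread, from Cisco or from IOS) that models the order in which IOS applies the two filters Nethelper describes: a Telnet SYN from the LAN is first checked against the inbound ACL on Ethernet0 (list 110), and only if it survives does the access-class on line vty get to see it. The model assumes, as Paresh's suggestion does, that an extended list bound with access-class is matched on the destination address, so Telnet to the ATM0.1 address can be refused while Telnet to the loopback is accepted. Addresses are constructed from RFC 5737 documentation ranges because the posted config masks the real ones, and the vty list is given the hypothetical number 150 rather than 101, because the posted configuration already uses list 101 for 'ip nat inside source list 101 interface Loopback0 overload', so any further 'access-list 101 ...' line would be appended to the NAT list as well. The third scenario is not from the thread: 'permit ip any host <loopback>' admits any source, and since ATM0.1 carries no inbound ACL in the posted config, a Telnet from the Internet to the loopback address would be accepted by the vty; pinning the source to the LAN subnet in the access-class closes that.

```python
# Added example, not from the thread or from Cisco: a small model of the order in
# which IOS filters a Telnet session aimed at the router itself.  Addresses are
# constructed from RFC 5737 documentation ranges because the posted config masks
# the real ones; ACL 150 is a hypothetical number picked so as not to reuse 101,
# which the posted 'ip nat inside source list 101 ...' already claims.
import ipaddress
from collections import deque, namedtuple

LOOPBACK, ATM_IP = "203.0.113.218", "198.51.100.230"    # stand-ins for Loopback0 / ATM0.1
LAN_HOST, INTERNET_HOST = "192.168.13.5", "192.0.2.77"  # behind Ethernet0 / on the Internet
TELNET = 23
PORTS = {"www": 80, "telnet": 23, "domain": 53, "ftp": 21, "ftp-data": 20}
Ace = namedtuple("Ace", "action proto src sport dst dport")

def _addr(t):
    tok = t.popleft()
    return tok if tok == "any" else tok + " " + t.popleft()  # "host A.B.C.D" or "addr wildcard"

def _port(t):
    if t and t[0] in ("eq", "gt"):
        op, tok = t.popleft(), t.popleft()
        return (op, PORTS.get(tok) or int(tok))
    return None

def parse_acls(text):
    """Parse 'access-list N ...' lines as typed in IOS into {N: [Ace, ...]}."""
    acls = {}
    for line in text.splitlines():
        t = deque(line.split())
        if not t or t.popleft() != "access-list":
            continue
        num, action, proto = int(t.popleft()), t.popleft(), t.popleft()
        src, sport, dst, dport = _addr(t), _port(t), _addr(t), _port(t)  # 'echo'/'log' leftovers ignored
        acls.setdefault(num, []).append(Ace(action, proto, src, sport, dst, dport))
    return acls

def _match_addr(spec, addr):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    kind, rest = spec.split(" ", 1)
    if kind == "host":
        return addr == rest
    base, wild = (int(ipaddress.IPv4Address(p)) for p in (kind, rest))
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (base & ~wild)

def _match_port(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for a in acl:
        if (a.proto in ("ip", proto) and _match_addr(a.src, src) and _match_addr(a.dst, dst)
                and _match_port(a.sport, sport) and _match_port(a.dport, dport)):
            return a.action == "permit"
    return False

def telnet_allowed(src, dst, ingress_acl, access_class):
    """A TCP/23 SYN enters an interface whose inbound ACL is ingress_acl (None if
    none is applied); only if that passes does the 'line vty' access_class run."""
    if ingress_acl is not None and not evaluate(ingress_acl, "tcp", src, 49152, dst, TELNET):
        return False, "dropped by interface ACL"
    if not evaluate(access_class, "tcp", src, 49152, dst, TELNET):
        return False, "refused by vty access-class"
    return True, "accepted"

# ACL 110 exactly as posted for Ethernet0: nothing in it permits Telnet.
POSTED_110 = """\
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.149.0 0.0.0.255
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq domain
access-list 110 permit icmp any any echo
access-list 110 permit tcp any eq ftp-data any gt 1023
access-list 110 permit tcp any eq ftp any gt 1023
"""
TELNET_PERMIT = f"access-list 110 permit tcp any host {LOOPBACK} eq telnet\n"      # Nethelper's line
VTY_ANY = f"access-list 150 permit ip any host {LOOPBACK}\n"                       # Paresh's line, renumbered
VTY_LAN = f"access-list 150 permit ip 192.168.13.0 0.0.0.255 host {LOOPBACK}\n"    # also pins the source

def run_cases():
    """Telnet attempts against the posted list, the thread's fix, and a tightened fix."""
    posted = parse_acls(POSTED_110 + VTY_ANY)
    fixed = parse_acls(POSTED_110 + TELNET_PERMIT + VTY_ANY)
    tight = parse_acls(POSTED_110 + TELNET_PERMIT + VTY_LAN)
    return {
        "posted lan->loopback": telnet_allowed(LAN_HOST, LOOPBACK, posted[110], posted[150]),
        "fixed lan->loopback": telnet_allowed(LAN_HOST, LOOPBACK, fixed[110], fixed[150]),
        "fixed internet->atm": telnet_allowed(INTERNET_HOST, ATM_IP, None, fixed[150]),
        "fixed internet->loopback": telnet_allowed(INTERNET_HOST, LOOPBACK, None, fixed[150]),
        "tight internet->loopback": telnet_allowed(INTERNET_HOST, LOOPBACK, None, tight[150]),
        "tight lan->loopback": telnet_allowed(LAN_HOST, LOOPBACK, tight[110], tight[150]),
    }

if __name__ == "__main__":
    for case, (ok, why) in run_cases().items():
        print(f"{case:26} {'ALLOW' if ok else 'DENY '} {why}")
```

Running the module prints one line per case. The first row reproduces the symptom reported in the thread (the LAN Telnet never reaches the vty because list 110 drops it at Ethernet0), the 'fixed' rows show the thread's suggestion working for the loopback and refusing the ATM0.1 address, and the two 'internet->loopback' rows are the ones to compare: with 'permit ip any host <loopback>' an Internet source is accepted, with the source pinned to 192.168.13.0/24 it is refused.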