ACL to access with telnet on my Router 837

e.deangelis
Level 1

Hi,

I have a Router 837 with one ADSL interface and one loopback interface, both configured with public IP addresses.

I would like to make an ACL that permits me to telnet to the loopback interface but not to the ADSL (ATM0.1) interface.

I have tried with an access list and access-class, but the access list was applied to all interfaces.

Thanks

Example:

interface loopback 0
 ip address xx.xx.xx.231 255.255.255.252
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address xx.xx.xx.230 255.255.255.252


pkhatri
Level 11

Try this:

access-list 101 permit ip any host x.x.x.231
line vty 0 4
 access-class 101 in

Hope that helps - pls rate the post if it does.

Paresh

Hi Paresh,

thanks for your reply, but it does not work.

Strange, but I cannot telnet to the router on any interface with this ACL.

Do you have any ACLs applied on any of the interfaces at all?

Paresh

Hi,

On the loopback interface, no.

I have an ACL on the Ethernet interface.

ip access-list extended FIREWALL
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.149.0 0.0.0.255
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq domain
access-list 110 permit icmp any any echo
access-list 110 permit tcp any eq ftp-data any gt 1023
access-list 110 permit tcp any eq ftp any gt 1023

Hello,

try and add a log statement to the access list:

access-list 110 deny ip any any log

If your access is blocked by the access list, it should show in the console output of your router.

You could also try and add the following to your access list:

access-list 110 permit tcp any any eq telnet

Regards,

Nethelper

Nethelper,

thanks in advance,

but I have a problem on the loopback interface.

I have two external interfaces: ATM0.1 with the IP of the provider and the loopback interface with my IP address.

I want the telnet to work only on the loopback interface.

See my example configuration.

Thanks

Hello,

understood, but keep in mind that the Loopback interface is not an external interface; it is just a virtual interface that is neither internal nor external. If your Telnet clients are coming from behind the Ethernet0 interface, the access list you applied to that interface will block access to the Loopback interface. That is why I recommended the additions to the access list.

Check the access list operation first by adding the 'log' keyword to the deny statement as described, and if you see that the access list blocks your Telnet access, add the line:

access-list 110 permit tcp any host x.x.x.231 eq telnet

Does that make sense?

Regards,

Nethelper

Ok, thanks,

please see my config:

I would like telnet only on the loopback interface.

Thanks

_________________________

!
version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ******
!
enable password ******
!
username ***** privilege 15 password *******
aaa new-model
!
!
aaa authentication login console enable
aaa authentication login telnet local
aaa authentication ppp default none
aaa authorization exec console none
aaa authorization exec telnet local
aaa session-id common
ip subnet-zero
!
!
ip multicast-routing
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key 6 ******** address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set VPN esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set VPN
 match address 120
!
!
!
!
interface Loopback0
 ip address yyy.yyy.yyy.218 255.255.255.248
 crypto map nolan
!
interface Ethernet0
 ip address 192.168.13.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address xxx.xxx.xxx.230 255.255.255.252
 ip nat outside
 pvc 8/35
  encapsulation aal5snap
!
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip nat inside source list 101 interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xyz.229
ip route 192.168.17.0 255.255.255.0 Loopback0
ip route 192.168.149.0 255.255.255.0 Loopback0
ip route 192.168.150.0 255.255.255.0 Loopback0
no ip http server
no ip http secure-server
!
access-list 101 deny ip any 192.168.149.0 0.0.0.255
access-list 101 deny ip any 192.168.150.0 0.0.0.255
access-list 101 deny ip any 192.168.17.0 0.0.0.255
access-list 101 permit ip 192.168.13.0 0.0.0.255 any
access-list 120 permit ip 192.168.13.0 0.0.0.255 192.168.149.0 0.0.0.255
access-list 120 permit ip 192.168.13.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 120 permit ip 192.168.13.0 0.0.0.255 192.168.17.0 0.0.0.255
!
line con 0
 authorization exec console
 login authentication console
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 30 0
 password *********
 authorization exec telnet
 login authentication telnet
 length 0
!
scheduler max-task-time 5000
!
end
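Putting the two replies together against the posted configuration, as an added example that is not from any of the posters: the vty filter gets its own ACL number, because access-list 101 is already referenced by `ip nat inside source list 101` and 120 by the crypto map, so adding lines to 101 would change NAT rather than just telnet. The ACL numbers 180 and 190, the inbound direction of the FIREWALL list on Ethernet0, and the expectation (shared with Paresh's reply) that this IOS matches the destination address of an extended ACL under `access-class` are assumptions; the interface names and the masked addresses yyy.yyy.yyy.218 (Loopback0) and xxx.xxx.xxx.230 (ATM0.1) come from the config above.

```cisco
! Added example (not from the thread). ACL 180/190 are placeholder numbers chosen so
! they do not collide with 101 (NAT) or 120 (crypto map match address).
!
! 1) VTY filter: accept telnet only when it is addressed to the Loopback0 address.
!    Sessions aimed at the ATM0.1 address hit the logged deny, so a blocked attempt
!    shows in "show logging" and in the hit counters of "show access-lists 180".
access-list 180 permit tcp any host yyy.yyy.yyy.218 eq telnet
access-list 180 deny   tcp any any eq telnet log
!
line vty 0 4
 access-class 180 in
!
! 2) Interface-level check that does not depend on access-class evaluating the
!    destination: drop telnet aimed at the ATM0.1 address on ingress and leave all
!    other traffic (NAT return traffic, IPsec to the loopback) untouched.
access-list 190 deny   tcp any host xxx.xxx.xxx.230 eq telnet log
access-list 190 permit ip any any
!
interface ATM0.1 point-to-point
 ip access-group 190 in
!
! 3) The FIREWALL list (110) from the thread has no entry for port 23, so LAN clients
!    behind Ethernet0 are stopped by its implicit deny before they reach the loopback.
!    Numbered ACLs append new entries at the end: enter the permit before the logged
!    deny (or re-create the list), otherwise the deny shadows it.
access-list 110 permit tcp any host yyy.yyy.yyy.218 eq telnet
access-list 110 deny   ip any any log
!
interface Ethernet0
 ip access-group 110 in
```

After applying, a telnet to the ATM0.1 address should produce a log line from ACL 190 (or 180) while a telnet to the loopback address from the LAN increments the permit counter on ACL 110; `show access-lists` confirms which line matched.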
