12-30-2005 11:34 PM - edited 03-05-2019 11:44 AM
I have a small question. I have 2 networks (1 & 2) connected to a router on interface fa0/1 and fa0/2 respectively. I would like to deny telnet access from network 1 to network 2. With the condition that interface fa0/1 is configured access-group out.
Thank you,
Marc Alonzo
12-31-2005 02:26 AM
Hi,
interface Fa0/1
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 out
interface Fa0/2
 ip address 192.168.2.2 255.255.255.128
access-list 100 deny tcp 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.127 eq telnet
access-list 100 permit ip any any
Hope this helps
Martin
12-31-2005 03:19 AM
Dear Martin,
This configuration would be right if the interface fa0/1 is configured as ip access-group 100 in and not out.
I have tried as you have said but I can still telnet.
Thank you
Marc Alonzo
12-31-2005 03:31 AM
Hi,
strange ... from where to where are you doing the telnet?
Martin
Edit: Oops, yes this is exactly the question.
access-list 100 deny tcp 192.168.2.0 0.0.0.127 eq telnet 10.1.1.0 0.0.0.255
access-list 100 permit ip any any
This will do it.
12-31-2005 04:00 AM
OK great it is working ... So we should just swap the source and destination address !
You have been very helpful
Thanks ...
12-31-2005 04:15 AM
Yes, because in the direction the traffic is checked by the access-list, the source is in 192.168.2.0 and the destination of the packet is in 10.1.1.0.
Happy New Year
Martin
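To make the direction point concrete, here is a small Python model (added here, not code from the thread) that parses the two ACLs exactly as written above and evaluates them against the packets a Fa0/1 "out" ACL actually sees. The host addresses 10.1.1.20 and 192.168.2.10 and the client port 51000 are assumed sample values.

```python
import ipaddress

# Constructed example: a minimal evaluator for the numbered extended ACL
# syntax used in the thread (permit/deny, tcp/ip, wildcard masks, optional
# "eq <port>" after the source or the destination address).
PORTS = {"telnet": 23}

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D wildcard', then an optional 'eq port'."""
    if tokens[0] == "any":
        spec, tokens = (0, 0xFFFFFFFF), tokens[1:]
    else:
        spec, tokens = (ip_int(tokens[0]), ip_int(tokens[1])), tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port = PORTS.get(tokens[1]) or int(tokens[1])
        tokens = tokens[2:]
    return spec, port, tokens

def parse_ace(line):
    """Parse 'access-list N {permit|deny} proto src [eq p] dst [eq p]'."""
    t = line.split()
    src, sport, rest = _parse_addr(t[4:])
    dst, dport, _ = _parse_addr(rest)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def _addr_match(spec, ip):
    addr, wild = spec  # wildcard bit 1 = don't care, bit 0 = must match
    return ((ip_int(ip) & ~wild) & 0xFFFFFFFF) == ((addr & ~wild) & 0xFFFFFFFF)

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"]
    return "deny"

FIRST = [parse_ace(l) for l in (
    "access-list 100 deny tcp 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.127 eq telnet",
    "access-list 100 permit ip any any")]
FIXED = [parse_ace(l) for l in (
    "access-list 100 deny tcp 192.168.2.0 0.0.0.127 eq telnet 10.1.1.0 0.0.0.255",
    "access-list 100 permit ip any any")]

def outbound_reply_verdict(acl):
    # What leaves Fa0/1 toward network 1: the server's reply, source port 23.
    return evaluate(acl, "tcp", "192.168.2.10", 23, "10.1.1.20", 51000)

def inbound_syn_verdict(acl):
    # What the client's SYN looks like if the ACL were applied "in" instead.
    return evaluate(acl, "tcp", "10.1.1.20", 51000, "192.168.2.10", 23)
```

With the first ACL the reply is permitted (so the session completes, as Marc saw); with the swapped ACL the reply is denied and the telnet attempt never gets past the SYN.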