Access-lists

marcalonzo
Level 1

I have a small question. I have 2 networks (1 & 2) connected to a router on interfaces fa0/1 and fa0/2 respectively. I would like to deny telnet access from network 1 to network 2, with the condition that interface fa0/1 is configured with access-group out.

Thank you,

Marc Alonzo

5 Replies

mheusinger
Level 10

Hi,

interface Fa0/1
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 out

interface Fa0/2
 ip address 192.168.2.2 255.255.255.128

access-list 100 deny tcp 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.127 eq telnet
access-list 100 permit ip any any

Hope this helps

Martin

Dear Martin,

This configuration would be right if the interface fa0/1 is configured as ip access-group 100 in and not out.

I have tried as you have said, but I can still telnet.

Thank you

Marc Alonzo

Hi,

strange ... from where to where are you doing the telnet?

Martin

Edit: Oops, yes this is exactly the question.

access-list 100 deny tcp 192.168.2.0 0.0.0.127 eq telnet 10.1.1.0 0.0.0.255
access-list 100 permit ip any any

This will do it.

OK, great, it is working ... So we should just swap the source and destination addresses!

You have been very helpful.

Thanks ...

Yes, because in the direction the traffic is checked by the access-list, the source is in 192.168.2.0 and the destination of the packet is in 10.1.1.0.

Happy New Year

Martin
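
The point of Martin's last reply, as an added example that is not part of the original thread: a small Python model of extended-ACL matching applied outbound on Fa0/1, run against both access lists posted above. The host addresses 10.1.1.10 and 192.168.2.20, the client port 40000 and all function names are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Constructed models of the two ACLs posted in the thread.
# Entry: (action, proto, src, src_wc, src_port, dst, dst_wc, dst_port); None = any port
ANY = ("0.0.0.0", "255.255.255.255")
ACL_FIRST = [
    ("deny", "tcp", "10.1.1.0", "0.0.0.255", None, "192.168.2.0", "0.0.0.127", 23),
    ("permit", "ip", *ANY, None, *ANY, None),
]
ACL_FIXED = [
    ("deny", "tcp", "192.168.2.0", "0.0.0.127", 23, "10.1.1.0", "0.0.0.255", None),
    ("permit", "ip", *ANY, None, *ANY, None),
]

def evaluate(acl, pkt):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, proto, src, swc, sport, dst, dwc, dport in acl:
        if (proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], src, swc)
                and wildcard_match(pkt["dst"], dst, dwc)
                and sport in (None, pkt["sport"])
                and dport in (None, pkt["dport"])):
            return action
    return "deny"

def fa0_1_out(acl, pkt):
    """An outbound ACL on Fa0/1 only sees packets routed out toward 10.1.1.0/24."""
    if not wildcard_match(pkt["dst"], "10.1.1.0", "0.0.0.255"):
        return "not checked"
    return evaluate(acl, pkt)

# Constructed sample packets: the telnet request and the server's reply.
REQUEST = {"proto": "tcp", "src": "10.1.1.10", "sport": 40000,
           "dst": "192.168.2.20", "dport": 23}
REPLY = {"proto": "tcp", "src": "192.168.2.20", "sport": 23,
         "dst": "10.1.1.10", "dport": 40000}

if __name__ == "__main__":
    for name, acl in (("first ACL", ACL_FIRST), ("fixed ACL", ACL_FIXED)):
        for label, pkt in (("request", REQUEST), ("reply", REPLY)):
            print(f"{name:9} {label:7} -> {fa0_1_out(acl, pkt)}")
```

With the corrected list the client's request still reaches network 2; the session fails because the server's replies, which carry source port 23, are dropped as they leave Fa0/1.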
