
New Member

ACL help

I'm trying to prevent telnet access into my core switch from a guest vlan, and for the most part everything is working well. I have one issue though, and that is that I can telnet to the device from the guest vlan, and I don't want that to happen. Can someone please give me some guidance on what should be in my ACL? See ACL below. It is applied to the guest vlan, and everything except the telnet part works. I do not even see anything hitting the ACL in that part of it. Thanks. Host is 192.168.255.1.

deny tcp any eq telnet host 192.168.255.1 eq telnet

permit 80 192.168.255.0 0.0.0.255 host 10.1.1.1

permit udp 192.168.255.0 0.0.0.255 eq isakmp host 10.1.1.1 eq isakmp

permit tcp 192.168.255.0 0.0.0.255 eq 1723 host 10.1.1.1 eq 1723

permit tcp 192.168.255.0 0.0.0.255 eq 1701 host 10.1.1.1 eq 1701

permit tcp 192.168.255.0 0.0.0.255 eq 443 host 10.1.1.1 eq 443

deny ip any 10.0.0.0 0.255.255.255

deny icmp any host 192.168.255.1

deny tcp any eq ftp-data any eq ftp-data

deny tcp any eq ftp any eq ftp

deny tcp any eq 22 any eq 22

permit ip any any

Accepted Solution
Gold

Re: ACL help

This is wrong:

deny tcp any eq telnet host 192.168.255.1 eq telnet

should be:

deny tcp any host 192.168.255.1 eq telnet

4 REPLIES

Hall of Fame Super Silver

Re: ACL help

Mike

Your access list has several entries where the source port and the destination port are the same. As Steven points out, this is generally not the case. The only one in your access list where it is correct to have the same source and destination is the one for isakmp. For FTP, ftp-data, ssh, etc., it would be source or destination (depending on how the access list is to be applied).

HTH

Rick
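To see why the original telnet entry never matched, here is an added example (not from the thread or from Cisco) that evaluates a small subset of extended ACL syntax against a constructed guest-VLAN packet. The source address 192.168.255.50 and the ephemeral source port 51234 are assumptions; with the original ACE the packet falls through to "permit ip any any", with the corrected ACE it is denied, while the isakmp entry (500 to 500) still matches as Rick describes.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "isakmp": 500}

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _parse_addr(toks):
    """Consume one address spec plus optional 'eq <port>'; return (net, wildcard), port, remaining tokens."""
    if toks[0] == "any":
        addr, wild, rest = "0.0.0.0", "255.255.255.255", toks[1:]
    elif toks[0] == "host":
        addr, wild, rest = toks[1], "0.0.0.0", toks[2:]
    else:
        addr, wild, rest = toks[0], toks[1], toks[2:]
    port = None
    if rest[:1] == ["eq"]:
        port, rest = _port(rest[1]), rest[2:]
    return (int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))), port, rest

def parse_ace(line):
    action, proto, *rest = line.split()
    src, sport, rest = _parse_addr(rest)   # source, then optional source port
    dst, dport, rest = _parse_addr(rest)   # destination, then optional destination port
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def _addr_match(spec, ip):
    net, wild = spec   # wildcard bits set to 1 are "don't care"
    mask = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt["sport"]:
        return False   # the original entry fails here: client source port is ephemeral, not 23
    return ace["dport"] is None or ace["dport"] == pkt["dport"]

def evaluate(acl_lines, pkt):
    """First-match semantics with the implicit deny at the end of every Cisco ACL."""
    for line in acl_lines:
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line)["action"], line
    return "deny", "implicit deny"

ORIGINAL_ACE = "deny tcp any eq telnet host 192.168.255.1 eq telnet"
FIXED_ACE = "deny tcp any host 192.168.255.1 eq telnet"
TAIL = ["permit ip any any"]
# Constructed sample: a guest-VLAN host (assumed address/port) opening telnet to the core switch.
TELNET_PKT = {"proto": "tcp", "src": "192.168.255.50", "sport": 51234, "dst": "192.168.255.1", "dport": 23}
```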

New Member

Re: ACL help

Thanks all. Will go and try this real quick.

New Member

Re: ACL help

Yes, it all worked. Thanks again.
