IOS vs ACL

ROBERTO TACCON
Level 4

Hi,

Can someone tell me why I can telnet to this router 81.1.1.96 from the internet?

router#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(14.5)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 22-Jul-03 09:37 by ealyon
Image text-base: 0x800131E8, data-base: 0x80AA14DC
ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Lindo uptime is 1 week, 1 day, 42 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3y6-mz.122-13.ZH2.bin"
CISCO C837 (MPC857DSL) processor (revision 0x400) with 29492K/3276K bytes of memory.
Processor board ID AMB07390HG6 (3499136320), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
Configuration register is 0x2102
router#
router#
router#sh ip int brief
Interface      IP-Address      OK? Method Status   Protocol
Ethernet0      10.0.0.254      YES manual up       up
ATM0           unassigned      YES NVRAM  up       up
ATM0.1         81.1.1.96       YES TFTP   up       up
Loopback0      81.1.1.96       YES NVRAM  up       up
router#

router#sh run
Building configuration...

Current configuration : 1737 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
logging queue-limit 100
enable password xxx
!
ip subnet-zero
!
!
ip inspect audit-trail
ip inspect max-incomplete low 50
ip inspect max-incomplete high 100
ip inspect one-minute low 50
ip inspect one-minute high 100
ip inspect name myfw cuseeme
ip inspect name myfw ftp
ip inspect name myfw rcmd
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw tftp
ip inspect name myfw udp
ip inspect name myfw tcp
ip inspect name myfw http java-list 11
ip inspect name myfw h323
ip inspect name myfw sqlnet
ip inspect name myfw vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Loopback0
 ip address 81.1.1.96 255.255.255.255
!
interface Ethernet0
 description Lan Internal
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 load-interval 30
 hold-queue 100 out
!
interface ATM0
 bandwidth 192
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description "adsl connection number xxxxxx"
 ip unnumbered Loopback0
 ip access-group 101 in
 ip nat outside
 pvc provider 8/35
  protocol ip 6.6.6.6
  oam-pvc manage
  encapsulation aal5snap
 !
!
ip nat translation timeout 120
ip nat inside source list 10 interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1 6.6.6.6
no ip http server
no ip http secure-server
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 11 permit any
!
line con 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password xxx
 login
!
scheduler max-task-time 5000
!
end

router#
router#

router#sh ip int
ATM0 is up, line protocol is up
  Internet protocol processing disabled
ATM0.1 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback0 (81.1.1.96)
  Broadcast address is 255.255.255.255
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 101
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is disabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
Ethernet0 is up, line protocol is up
  Internet address is 10.0.0.254/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain inside
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
Loopback0 is up, line protocol is up
  Internet address is 81.1.1.96/32
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1514 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
router#

Accepted Solution

ruwhite
Level 7

You have access-list 10 and 11 defined, but not applied anyplace, and you have access list 101 applied, but not defined. What would be preventing anyone from telnetting to the router? Did you intend to apply access list 10 to the inbound vty sessions?

Russ.W


The access-list 10 is applied on the NAT.

As you tell me, the access-list 101 is applied on the ATM subinterface but not defined (which means permit any any).

Thanks for the reply.
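The mismatch Russ points out (an ACL applied but never defined, ACLs defined but never applied, CBAC rules never bound to an interface, vty lines with no access-class) is the kind of thing a static check over the running-config catches before a device goes on the internet. The following is an added example, not code from the thread or from Cisco: it parses a constructed copy of the posted config trimmed to the relevant lines and reports those findings. The parser only understands the command forms that occur in this config.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the thread's running-config trimmed to the lines that
# decide ACL placement (interface names, ACL numbers and addresses as posted).
SAMPLE_CONFIG = """\
ip inspect name myfw tcp
ip inspect name myfw http java-list 11
!
interface Ethernet0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
!
interface ATM0.1 point-to-point
 ip unnumbered Loopback0
 ip access-group 101 in
 ip nat outside
!
ip nat inside source list 10 interface Loopback0 overload
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 11 permit any
!
line vty 0 4
 password xxx
 login
!
end
"""


def parse_config(text: str) -> dict:
    """Collect ACL definitions, every place an ACL is referenced, CBAC rules
    and where they are applied, and the sub-commands of each vty line."""
    defined: Set[str] = set()
    refs: List[Tuple[str, str]] = []             # (ACL, where it is used)
    inspect_rules: Set[str] = set()
    inspect_applied: List[Tuple[str, str]] = []  # (rule, interface)
    vty: Dict[str, List[str]] = {}
    section = ("", "")                           # current interface/line block
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            section = ("", "")                   # an unindented line ends a block
        line = raw.strip()
        if m := re.match(r"access-list (\S+) ", line):
            defined.add(m.group(1))
        elif m := re.match(r"ip inspect name (\S+) (.*)", line):
            inspect_rules.add(m.group(1))
            if jl := re.search(r"java-list (\S+)", m.group(2)):
                refs.append((jl.group(1), f"java-list of inspect rule {m.group(1)}"))
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            refs.append((m.group(1), "ip nat inside source list"))
        elif m := re.match(r"interface (\S+)", line):
            section = ("interface", m.group(1))
        elif m := re.match(r"line vty (\d+ \d+)", line):
            section = ("vty", m.group(1))
            vty[m.group(1)] = []
        elif section[0] == "interface":
            if m := re.match(r"ip access-group (\S+) (in|out)", line):
                refs.append((m.group(1), f"ip access-group on {section[1]} {m.group(2)}"))
            elif m := re.match(r"ip inspect (\S+) (in|out)", line):
                inspect_applied.append((m.group(1), section[1]))
        elif section[0] == "vty":
            vty[section[1]].append(line)
            if m := re.match(r"access-class (\S+) in", line):
                refs.append((m.group(1), f"access-class on line vty {section[1]}"))
    return {"defined": defined, "refs": refs, "inspect_rules": inspect_rules,
            "inspect_applied": inspect_applied, "vty": vty}


def audit(cfg: dict) -> List[str]:
    """Report the mismatches that decide whether the router itself is reachable."""
    findings = []
    referenced = {acl for acl, _ in cfg["refs"]}
    for acl, where in cfg["refs"]:
        if acl not in cfg["defined"]:
            msg = f"ACL {acl} is referenced ({where}) but never defined"
            if where.startswith("ip access-group"):
                msg += "; IOS forwards all traffic through an undefined access-group"
            findings.append(msg)
    for acl in sorted(cfg["defined"] - referenced):
        findings.append(f"ACL {acl} is defined but never referenced")
    for rule in sorted(cfg["inspect_rules"] - {r for r, _ in cfg["inspect_applied"]}):
        findings.append(f"inspect rule {rule} is defined but not applied to any interface")
    for name, lines in cfg["vty"].items():
        if not any(l.startswith("access-class ") for l in lines):
            findings.append(f"line vty {name} has no access-class; logins are accepted from any source")
        if not any(l.startswith("transport input ") for l in lines):
            findings.append(f"line vty {name} does not restrict transport input")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against the sample it reports ACL 101 as referenced on ATM0.1 but undefined, the myfw inspect rule as never applied, and the vty line as open to any source. Note that unlike Russ's reading, the script counts ACL 11 as referenced because `ip inspect name myfw http java-list 11` names it; ACL 10 is referenced by the NAT statement, as the original poster replied.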

d.vasilev
Level 1

The command syntax you can use to protect telnetting to the router from the Internet is:

access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any

Cheers,

Mitko

rgrcommo
Level 1

I see you're running CBAC, but it's not defined on any interface, i.e.:

interface Ethernet0
 ip inspect myfw in
!

-Jeff

tomanderin
Level 1

Do you want to remove all telnet access from the router? If so, just remove the password from the line vty.

Do you want to restrict telnet from certain sources? If so, configure on the line vty:

access-class x in
transport input telnet

or even "to" the router
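To see why the original config let telnet through and what the suggestions in the replies change, it helps to walk through how IOS evaluates an access list: entries are tried in order, the first match decides, and anything that matches nothing is dropped by the implicit deny at the end; an access-group that names an ACL with no entries is the one case where everything is forwarded. The following is an added example, not from the thread and not Cisco code: a small evaluator for the entry forms used on this page (any, host, address/wildcard, `eq` on the destination port), run over d.vasilev's ACL 101, the existing standard ACL 10 used the way tomanderin suggests with access-class, and the undefined ACL. The sources 198.51.100.7 and 10.0.0.5 are constructed sample addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: evaluate IOS-style access-list entries the way the router
# does (first match wins, implicit deny at the end) and contrast that with an
# access-group that names an ACL which was never defined.
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    dst_port: Optional[int] = None  # from "eq <port>" after the destination


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def match_addr(spec: str, addr: str) -> bool:
    """IOS address/wildcard match: a 1 bit in the wildcard is a don't-care bit."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(base)) & care) == (int(ipaddress.ip_address(addr)) & care)


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N {permit|deny} ...' line. Extended entries carry
    protocol, source, destination and optionally 'eq <port>' on the destination;
    standard entries (like access-list 10 in the thread) carry a source only."""
    tokens = line.split()
    action = tokens[2]
    if tokens[3] in PROTOCOLS:
        proto, rest = tokens[3], tokens[4:]
    else:
        proto, rest = "ip", tokens[3:]          # standard ACL: source only

    def take_addr() -> str:
        nonlocal rest
        if rest[0] == "any":
            spec, rest = "any", rest[1:]
        elif rest[0] == "host":
            spec, rest = f"host {rest[1]}", rest[2:]
        else:
            spec, rest = f"{rest[0]} {rest[1]}", rest[2:]
        return spec

    src = take_addr()
    dst = take_addr() if rest else "any"
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, port)


def evaluate(acl: Optional[List[Ace]], pkt: Packet) -> str:
    """Return 'permit' or 'deny'. acl=None models an access-group that names an
    ACL with no entries defined: IOS forwards everything in that case."""
    if acl is None:
        return "permit"
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (match_addr(ace.src, pkt.src) and match_addr(ace.dst, pkt.dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action               # first matching entry decides
    return "deny"                       # implicit deny at the end of every ACL


# The two ACLs discussed in the thread: the suggested 101 and the existing 10.
ACL_101 = [parse_ace("access-list 101 deny tcp any any eq 23"),
           parse_ace("access-list 101 permit ip any any")]
ACL_10 = [parse_ace("access-list 10 permit 10.0.0.0 0.0.0.255")]

# Constructed packets: telnet and web from an outside address (documentation
# range) to the router's loopback, and telnet from the internal LAN.
OUTSIDE_TELNET = Packet("tcp", "198.51.100.7", "81.1.1.96", 23)
OUTSIDE_HTTP = Packet("tcp", "198.51.100.7", "81.1.1.96", 80)
LAN_TELNET = Packet("tcp", "10.0.0.5", "81.1.1.96", 23)

if __name__ == "__main__":
    for label, acl, pkt in [("undefined ACL, outside telnet", None, OUTSIDE_TELNET),
                            ("ACL 101, outside telnet", ACL_101, OUTSIDE_TELNET),
                            ("ACL 101, outside http", ACL_101, OUTSIDE_HTTP),
                            ("ACL 10 as access-class, LAN telnet", ACL_10, LAN_TELNET),
                            ("ACL 10 as access-class, outside", ACL_10, OUTSIDE_TELNET)]:
        print(f"{label}: {evaluate(acl, pkt)}")
```

The two approaches differ in scope: ACL 101 on the ATM subinterface filters transit and router-bound traffic alike and only blocks port 23, while access-class with ACL 10 on the vty lines applies to sessions terminating on the router and limits them to the 10.0.0.0/24 LAN regardless of which protocol the line accepts.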
