12-30-2003 04:32 AM - edited 02-20-2020 09:23 PM
Hi,
I have an urgent question,
- I'm applying ACLs on 8 routers, 2 are 7507 and 6 are 2522. I have used named access-lists and they are working fine with the 7507 routers.
- After applying the named ACL on the 2522 routers I found that they are not applied and no matches are displayed when I show the access-lists.
- I changed to numbered access-lists and then I get some hits, but I am still running into a problem: I can telnet from the router even though I didn't permit it.
- I put in the first line "deny tcp any any eq 23". I enabled debugging of this list and I can see that the router denies the telnet packet, but I'm still able to telnet.
- How can I proceed to solve this problem? By the way, the 2522 routers are running 12.2 IOS.
Thanks
Ahmed
12-30-2003 05:41 AM
Post the running-config of the router, because it's difficult to identify the problem without it.
If you want to permit a particular IP, do the following configuration:
Router#conf t
Router(config)#access-list 10 permit x.x.x.x
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in
(only x.x.x.x will be permitted)
If you want to view any IP trying to connect to the router that does not have permission, use the following access-list:
access-list 10 permit x.x.x.x
access-list 10 deny any log
If you want to disable telnet, do the following:
Router(config-line)# transport input none
I hope that this will solve your problem; if not, post the running-configuration. Also, you shouldn't deny telnet on interfaces, because it is possible that you apply an access-list on one interface but can still connect through another interface if you have IP connectivity.
Hope it helps.
12-30-2003 10:04 AM
Thanks for the fast reply. Yes, the running-config may help, but I need to clarify some information:
- I apply the access-lists as outbound on all the serial interfaces; I assume that no telnet packets should pass through the interface.
- It is a requirement from the customer to have the ACL as outbound; I can't change this.
Here is the running-config before the ACL was applied:
------------------ show running-config ------------------
Building configuration...
Current configuration:
!
! Last configuration change at 13:20:24 CAT-4 Tue Oct 30 2001 by rt2522_admin
! NVRAM config last updated at 20:11:27 CAT-4 Wed Nov 14 2001 by rt2522_admin
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname rt2522
!
logging buffered 40960 debugging
aaa new-model
aaa authentication login default group tacacs+
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
enable secret 5
!
!
!
!
!
clock timezone CAT-4
ip subnet-zero
ip domain-name
ip name-server
ip name-server
!
!
!
process-max-time 200
!
interface Ethernet0
ip address 192.168.13.200 255.255.255.0 secondary
ip address 195.1.1.177 255.255.255.240
no ip directed-broadcast
!
interface Serial0
description
ip address 194.1.1.90 255.255.255.252
no ip directed-broadcast
!
interface Serial1
ip address 194.1.1.94 255.255.255.252
no ip directed-broadcast
!
interface Serial2
description power alarm 1
no ip address
no ip directed-broadcast
no ignore-hw local-loopback
!
interface Serial3
description power alarm 2
no ip address
no ip directed-broadcast
no ignore-hw local-loopback
!
interface Serial4
description
no ip address
no ip directed-broadcast
shutdown
no ignore-hw local-loopback
!
interface Serial5
description
no ip address
no ip directed-broadcast
shutdown
no ignore-hw local-loopback
!
interface Serial6
description
no ip address
no ip directed-broadcast
shutdown
no ignore-hw local-loopback
!
interface Serial7
description
no ip address
no ip directed-broadcast
shutdown
no ignore-hw local-loopback
!
interface Serial8
description
no ip address
no ip directed-broadcast
shutdown
no ignore-hw local-loopback
!
interface Serial9
description
no ip address
no ip directed-broadcast
shutdown
no ignore-hw local-loopback
!
interface BRI0
no ip address
no ip directed-broadcast
shutdown
isdn guard-timer 0 on-expiry accept
!
router ospf 100
network 192.168.13.0 0.0.0.255 area 0.0.0.5
network 194.1.1.88 0.0.0.3 area 0.0.0.5
network 194.1.1.92 0.0.0.3 area 0.0.0.5
network 195.1.1.176 0.0.0.15 area 0.0.0.5
!
no ip classless
no ip http server
!
logging trap debugging
logging
tacacs-server host
tacacs-server key
snmp-server engineID local 0000000902000050547FC1CF
snmp-server community
snmp-server community
snmp-server community
snmp-server enable traps snmp
snmp-server host
privilege exec level 3 enable
!
line con 0
transport input none
line aux 0
line vty 0 4
password
!
ntp clock-period 17180146
ntp server 193.1.1.200 prefer
ntp server 193.1.1.202
end
Then I applied the following ACL (note that the first line was added after finding that telnet still goes through):
access-list 105 deny tcp any any eq 23
access-list 105 permit icmp any any
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.69
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.71
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.200
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.201
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.202
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.203
access-list 105 permit tcp host 194.1.1.66 eq telnet host 193.1.1.200
access-list 105 permit tcp host 194.1.1.66 eq telnet host 193.1.1.201
access-list 105 permit tcp host 194.1.1.66 eq telnet host 193.1.1.202
access-list 105 permit tcp host 194.1.1.66 eq telnet host 193.1.1.203
access-list 105 permit tcp host 194.1.1.70 eq telnet host 193.1.1.200
access-list 105 permit tcp host 194.1.1.70 eq telnet host 193.1.1.201
access-list 105 permit tcp host 194.1.1.70 eq telnet host 193.1.1.202
access-list 105 permit tcp host 194.1.1.70 eq telnet host 193.1.1.203
Then I applied the ACL using the command:
#ip access-group 105 out
The command was applied on S0 and S1 only, as they are the E1 links (no other way for IP packets except these 2 interfaces).
I hope this helps.
Ahmed
12-30-2003 02:33 PM
Ahmed,
Let me explain to you what I know about your situation with Cisco 2522s: you deny Telnet traffic from your customers (except some specific IP addresses) through serial interfaces, but when you try to connect from the router itself (the same Cisco 2522) the telnet is allowed. If so
(even though that current configuration must have worked, I mean I didn't notice anything wrong) try this command:
Router(config-line)# transport output none
(beware that this command disables telnet for all outgoing connections from that router)
Hope it'll help.
12-30-2003 03:28 PM
Hi mesuti,
Thanks for the reply. I will try this command, but this can work for telnet only; the access-list will include many other protocols and it might not work :( ... If there is no problem in the configuration, what can I expect: is it the IOS version or the router model?
Thanks
Ahmed
02-05-2004 07:52 PM
Ahmed,
Let me offer a couple of suggestions. If your customer requires you to have the ACL placed outbound, you can have an outbound and an inbound ACL listed on the same interface. My personal approach to this would be to restructure the above ACL to be the following and apply it inbound on the ethernet interface that connects to the inside users:
access-list 105 deny tcp any any eq 23
access-list 105 permit icmp any any
access-list 105 permit tcp host 193.1.1.69 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.71 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.200 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.201 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.202 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.203 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.200 host 194.1.1.66 eq telnet
access-list 105 permit tcp host 193.1.1.201 host 194.1.1.66 eq telnet
access-list 105 permit tcp host 193.1.1.202 host 194.1.1.66 eq telnet
access-list 105 permit tcp host 193.1.1.203 host 194.1.1.66 eq telnet
access-list 105 permit tcp host 193.1.1.200 host 194.1.1.70 eq telnet
access-list 105 permit tcp host 193.1.1.201 host 194.1.1.70 eq telnet
access-list 105 permit tcp host 193.1.1.202 host 194.1.1.70 eq telnet
access-list 105 permit tcp host 193.1.1.203 host 194.1.1.70 eq telnet
interface ethernet0
ip access-group 105 in
Next, create another inbound access-list that will filter traffic from the internet and apply it inbound on the serial interfaces.
The problem with the above ACL is that it will not apply to packets as they enter the router but only as they leave. From a security standpoint, I prefer to have rules apply to traffic in all directions.
02-05-2004 07:54 PM
Sorry, take out the top line of that ACL. Apply your inbound telnet access on the serial interface.
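The shadowing that this follow-up corrects (a leading "deny tcp any any eq 23" makes every later telnet permit unreachable) can be checked mechanically. The following Python is an added example, not code from this thread or from Cisco: a first-match evaluator for the extended-ACL subset the posts use (tcp/icmp/ip, any/host/wildcard, eq ports) plus a check for ACEs that can never match; the ACL lines it is meant to be fed are the ones quoted above.

```python
# Added example (not from this thread): first-match evaluator plus shadow check for
# the IOS extended-ACL subset used above (tcp/icmp/ip, any/host/wildcard, eq port).
import ipaddress

PORTS = {"telnet": 23}  # named port used in this thread; numeric ports pass through

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t):
    """Consume one address spec (any | host A | A WILDCARD); return (net, wildcard), rest."""
    if t[0] == "any":
        return (0, 0xFFFFFFFF), t[1:]
    return ((_ip(t[1]), 0), t[2:]) if t[0] == "host" else ((_ip(t[0]), _ip(t[1])), t[2:])

def _port(t):  # optional 'eq PORT'; None when the ACE does not test the port
    return (int(PORTS.get(t[1], t[1])), t[2:]) if t and t[0] == "eq" else (None, t)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' into a dict."""
    t = line.split()
    src, rest = _addr(t[4:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, _ = _port(rest)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst, "dport": dport}

def _covers(a, b):
    """True if address spec a matches every address that spec b matches (wildcard algebra)."""
    (an, aw), (bn, bw) = a, b
    return (aw | bw) == aw and (an & ~aw & 0xFFFFFFFF) == (bn & ~aw & 0xFFFFFFFF)

def _matches(a, proto, src, sport, dst, dport):
    """Does ACE a cover the given protocol, (net, wildcard) addresses and ports?"""
    return (a["proto"] in ("ip", proto) and _covers(a["src"], src) and _covers(a["dst"], dst)
            and a["sport"] in (None, sport) and a["dport"] in (None, dport))

def shadowed(acl):
    """1-based positions of ACEs that can never be hit because an earlier ACE covers them."""
    aces = [parse_ace(l) for l in acl]
    return [i + 1 for i, b in enumerate(aces)
            if any(_matches(a, b["proto"], b["src"], b["sport"], b["dst"], b["dport"]) for a in aces[:i])]

def evaluate(acl, proto, src, sport, dst, dport):
    """First-match evaluation with the IOS implicit deny; returns 'permit' or 'deny'."""
    s, d = (_ip(src), 0), (_ip(dst), 0)
    for a in map(parse_ace, acl):
        if _matches(a, proto, s, sport, d, dport):
            return a["action"]
    return "deny"
```

It evaluates only the list itself: a permit or deny here says nothing about traffic the router originates, which IOS does not pass through an interface's outbound ACL at all, the behaviour mesuti's reply works around with transport output.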