Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

basic help with access-lists


My router has a serial interface and an ethernet interface. The serial interface connects me to my ISP and the ethernet interface to my local LAN.

I only have an access-list (IN) on my serial interface. In it, all incoming access is allowed from another network (a second office), and general access (from the internet) is allowed only to certain machines in my LAN. Anyway, all is working fine.

My problem is, I can telnet to this ethernet interface from my second office. But I cannot telnet to this interface from anywhere else in the internet. And there is no access-list on vty 0 4. So why is it not allowing me telnet access from the internet?.

My logical conclusion is, since I have an access-list on the serial interface (the interface which connects the network to the internet) which allows full access (telnet etc) only from the 2nd office, it is not allowing me to telnet to the ethernet interface from the internet. The telnet request to the ethernet interface first arrives at the serial interface where it will get rejected. Is this what is really happening?.

If this is the case, what is the purpose of a separate access-list for the ethernet interface? (when the serial int access-list applies here as well)

I thank you in advance for your kind replies.


Re: basic help with access-lists

From what you have described, it sounds like you are able to telnet from your second office because you are allowing incoming access from that network. For example:

10.x.x.x---e0.routerA.s0 ---z--- router -- 20.x.x.x (second office)


\----- internet

On routerA, if you had an acl that permitted all traffic from 20.x.x.x, you would be able to telnet to the ethernet interface from the 20 network. Unless you are specifically permitting users on the internet to telnet into your ethernet interface, this traffic should get dropped (which it sounds like it is). You will need to add a line that says something like:

access-list 199 permit tcp eq 23

The telnet request to your ethernet interface would arrive at the serial interface first, and at that point the inbound acl would be checked. For this scenario, you would not need to apply another acl on the ethernet interface to accomplish what you're trying to do.

VIP Purple

Re: basic help with access-lists

A good tip is to log access list violations. For example, on the bottom of your access-lists, add something like:

access-list xxx deny ip any any log-input

Then when something doesn't work, go have a look in the log (show log). Then you will know if it was an access list or something else causing the problem.