You can create an extended, named access list with two deny sequences and then add a permit any any sequence at the end. Once you have done that you can apply it inbound to the router interface you want.
ip access-list extended Marsupilami
 5 deny tcp any any eq telnet
 10 deny (blablabla)
 15 permit (blablabla)
interface (your interface)
 ip access-group Marsupilami in
end
You can also have a look at the link below which explains everything in detail.
I am not clear what you are trying to achieve. It sort of sounds like if the router had outside interface of FastEth0/0 and inside interface of FastEth0/1 that you want to deny telnet and SSH to the address of FastEth0/0 and permit access to the address of FastEth0/1. If that is the case then a config something like this would do it:
interface FastEthernet0/0
 ip address 100.100.100.1 255.255.255.128
 ip access-group 151 in
interface FastEthernet0/1
 ip address 192.168.100.1 255.255.255.0
 ip access-group 151 in
access-list 151 deny tcp any host 100.100.100.1 eq 22
access-list 151 deny tcp any host 100.100.100.1 eq 23
access-list 151 permit ip any any
Note that to be effective this access list needs to be applied to each interface.
But I do not see many people with requirements to restrict access based on destination interface and find that most people have requirements that restrict access based on where the access originates. If that is what you want to achieve then a configuration sort of like this should work:
access-list 66 permit 192.168.100.0 0.0.0.255
access-list 66 deny any
line vty 0 4
access-class 66 in
Note that this uses a standard access list rather than an extended access list and that the access list is applied to the vty using access-class and not to interfaces using ip access-group.
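An added example, not part of the original posts: a small Python model of the two access lists above, evaluated top-down with the first match winning, to show what each approach covers. ACL 151 filters only SSH and telnet addressed to 100.100.100.1, while access list 66 applied with access-class filters on the source of the session. The function names and the sample source address 203.0.113.50 are constructed for illustration.

```python
import ipaddress

def matches(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# ACL 151 from the post: (action, protocol, destination host, destination port).
# None means "any". Source is "any" in every entry, so it is not modelled.
ACL_151 = [
    ("deny", "tcp", "100.100.100.1", 22),
    ("deny", "tcp", "100.100.100.1", 23),
    ("permit", "ip", None, None),
]

# ACL 66 from the post: (action, network, wildcard), matched on source only.
ACL_66 = [
    ("permit", "192.168.100.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),
]

def interface_acl(dst, dport, proto="tcp", acl=ACL_151):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, p, host, port in acl:
        if p not in ("ip", proto):
            continue
        if host is not None and host != dst:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

def vty_access_class(src, acl=ACL_66):
    """access-class tests only the source of the management session."""
    for action, net, wildcard in acl:
        if matches(src, net, wildcard):
            return action
    return "deny"

OUTSIDE_HOST = "203.0.113.50"  # constructed sample source (documentation range)

if __name__ == "__main__":
    for dst in ("100.100.100.1", "192.168.100.1"):
        print("ACL 151: SSH to", dst, "->", interface_acl(dst, 22))
    for src in (OUTSIDE_HOST, "192.168.100.25"):
        print("ACL 66: vty session from", src, "->", vty_access_class(src))
```
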
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
You want to block all telnet or SSH entering the router's outside interface, or just to the outside interface, or just to this router? Also what about telnet or SSH exiting the router's outside interface? You want to block all such traffic, just traffic being sourced from the outside interface or any traffic sourced from the router?
I want to stop anyone from trying to log into the router from the outside. As it is now someone can ssh into the router from the Internet. As far as I know the router will only be used to send and receive secure web traffic for authenticating remote users as they set up their 881s via MEVO, but there might be more; I am not 100% sure. If secure web is all I need then maybe I should block everything but secure web. What I definitely want to do is stop anyone from attempting an ssh connection through the public address. Kind of inexperienced with security.