Cisco Support Community
Access list for restricting telnet access

Hello,

I'm creating an access list and applying it to switches and routers for telnet access in my NW. As per requirement, only Network Team hosts should be able to telnet to NW equipment and do the necessary configuration, and it should also get logged (both allowed and denied IP addresses). I have created the sample; just want to confirm before applying.

access-list 23 permit 10.1.10.40 log
access-list 23 permit 10.1.10.44 log
access-list 23 permit 10.1.10.46 log
access-list 23 permit 10.1.10.48 log
access-list 23 permit 10.1.10.50 log
access-list 23 permit 10.1.0.106 log
access-list 23 permit 10.1.0.110 log
access-list 23 permit 10.44.20.67 log
access-list 23 permit 10.44.20.65 log
access-list 23 deny any log

Regards,

Raju

3 REPLIES

Re: Access list for restricting telnet access

Hi Raju,

Seems to be OK, but you have not defined the source wildcard. Also make sure that when you apply it on the vty lines you configure an access-class and not an access-group.

Because for telnet you need to configure access-class and not access-group.

To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode.

Have a look at this link

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#wp1017389

As per me, your access list should look like this:

access-list 23 permit host 10.1.10.40 log

and it needs to be the same for all other permit statements.

HTH; if yes, please rate the post.

Ankur

Re: Access list for restricting telnet access

Try this configuration:

line vty 0 4
access-class 23 in

You can look at the log events with the command show logging, or look at your server log with this configuration:

logging X.X.X.X (server log IP address)
logging on

Hope this helps; please rate this post.

Re: Access list for restricting telnet access

You could do the following:

access-list 23 permit host 10.1.10.40 log
access-list 23 permit host 10.1.10.44 log
access-list 23 permit host 10.1.10.46 log
access-list 23 permit host 10.1.10.48 log
access-list 23 permit host 10.1.10.50 log
access-list 23 permit host 10.1.0.106 log
access-list 23 permit host 10.1.0.110 log
access-list 23 permit host 10.44.20.67 log
access-list 23 permit host 10.44.20.65 log
access-list 23 deny any log
!
line vty 0 15
access-class 23 in
!

Be sure to use line vty 0 15 and not 0 4.

Hope this helps.

jc
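The two points the replies make (every entry must pin a single host or an explicit wildcard, and the access-class must cover all vty lines, not just 0 to 4) can be checked offline before the config is pushed. The following script is an added example written for this thread; it is not Cisco code and not any poster's configuration. It parses a constructed config text in the form jc proposes, evaluates candidate source addresses against standard ACL 23 with IOS semantics (first match wins, implicit deny at the end that is never logged), and lists vty lines that carry no inbound access-class 23. The 10.44.20.64 0.0.0.3 entry is a constructed range to show wildcard matching; the 16-line vty count is an assumption that matches the reply's "0 15".

```python
"""Offline checker for a Cisco IOS standard ACL used as a vty access-class.

Added example for the thread above; not Cisco code and not the poster's config.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed sample configuration (the hosts are from the thread, the
# 10.44.20.64 0.0.0.3 range and the entry without 'host' are constructed).
SAMPLE_CONFIG = """\
access-list 23 permit host 10.1.10.40 log
access-list 23 permit host 10.1.10.44 log
access-list 23 permit 10.1.0.106 log
access-list 23 permit 10.44.20.64 0.0.0.3 log
access-list 23 deny any log
!
line vty 0 15
 access-class 23 in
!
"""


@dataclass(frozen=True)
class Rule:
    action: str     # 'permit' or 'deny'
    address: int    # source address as a 32-bit integer
    wildcard: int   # IOS wildcard bits: a 1 bit means "don't care"
    log: bool       # trailing 'log' keyword present

    def matches(self, ip: IPv4Address) -> bool:
        # Compare only the bits where the wildcard is 0 (IOS wildcard semantics).
        mask = 0xFFFFFFFF ^ self.wildcard
        return (int(ip) & mask) == (self.address & mask)


def parse_standard_acl(config: str, acl_number: int) -> list:
    """Collect the entries of one numbered standard ACL in configuration order."""
    rules = []
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] != str(acl_number):
            continue
        action, rest = tokens[2], tokens[3:]
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest[0] == "any":
            address, wildcard = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            address, wildcard = int(IPv4Address(rest[1])), 0
        else:
            address = int(IPv4Address(rest[0]))
            # IOS treats an omitted wildcard as 0.0.0.0, i.e. a single host.
            wildcard = int(IPv4Address(rest[1])) if len(rest) > 1 else 0
        rules.append(Rule(action, address, wildcard, log))
    return rules


def evaluate(rules: list, source: str) -> tuple:
    """Return (action, logged) for a source address: first match wins."""
    ip = IPv4Address(source)
    for rule in rules:
        if rule.matches(ip):
            return rule.action, rule.log
    return "deny", False   # implicit deny at the end of every IOS ACL; not logged


def vty_access_class(config: str) -> dict:
    """Map each configured vty line number to its inbound access-class ACL (or None)."""
    coverage, current = {}, []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "line":
            current = []
            if len(tokens) >= 3 and tokens[1] == "vty":
                first = int(tokens[2])
                last = int(tokens[3]) if len(tokens) > 3 else first
                current = list(range(first, last + 1))
                for n in current:
                    coverage.setdefault(n, None)
        elif tokens[0] == "!":
            current = []   # end of the line block
        elif tokens[0] == "access-class" and current and tokens[-1] == "in":
            for n in current:
                coverage[n] = int(tokens[1])
    return coverage


def unprotected_vty_lines(config: str, acl_number: int, total_lines: int = 16) -> list:
    """vty line numbers (0..total_lines-1) without 'access-class <acl_number> in'."""
    coverage = vty_access_class(config)
    return sorted(n for n in range(total_lines) if coverage.get(n) != acl_number)


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_CONFIG, 23)
    for src in ("10.1.10.40", "10.44.20.67", "10.44.20.68"):
        print(src, evaluate(acl, src))
    print("unprotected vty lines:", unprotected_vty_lines(SAMPLE_CONFIG, 23))
```

Replacing `line vty 0 15` with `line vty 0 4` in the sample makes `unprotected_vty_lines` report lines 5 to 15, which is the gap jc's last reply warns about; dropping the final `deny any log` entry shows that a denied source then falls to the implicit deny and produces no log entry at all, so the explicit logged deny is what gives the poster the "denied IP addresses" logging they asked for.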
