ACL

leungcm
Level 1

Hi,

I configured the ACL as follows:

access-list 165 permit tcp any eq telnet any

However, we cannot telnet. What is missing? Thanks.

Best regards

20 Replies

This line permits any IP traffic from any source to any of the addresses in the 218.x.x network. The lines we have previously been discussing will permit telnet traffic but not anything else. You need something like this other line to permit other traffic. The fact that the lines would permit only telnet and the need for additional permit was what I was asking about in a previous post when I asked:

Would I be correct in assuming that there are other statements in the access-list 165?

If we had followed up this question we would have gotten to the need for a more general permit statement.

HTH

Rick

I also note that the 2 lines that we have been discussing:

! return packet for we telnet out

access-list 165 permit tcp any eq telnet 218.x.x.16 0.0.0.15

! allow inbound telnet service

access-list 165 permit tcp any host 218.x.x.90 eq telnet

are more specific references but are actually redundant when the third line is put into the access list. If you removed those 2 lines from the access list and left only permit ip any 218.x.x.x 0.0.0.255 then everything would work just the same.

HTH

Rick

I am still not clear whether there are any other statements in the access list. If there is not any statement that denies anything and you are going to permit all IP traffic from any source to any address in network 218.x.x then why is there any access list here at all since that would be the behavior with no access list?

I find that it is helpful before configuring an access list to form a clear statement of the expected behavior - what is to be permitted and what is to be denied. I find that this is very helpful in determining what statements to configure and in what order the statements should come. If we had formed such a statement (at least based on what we know so far) the statement would have been that the expected behavior is to permit traffic from any source to any address in 218.x.x. And in fact that behavior would be achieved with no access list at all.

If that is not really the expected behavior then you need to share some additional information about the environment and what the expected behavior is.

HTH

Rick

Yes, there are a lot of statements in this ACL. Could I have your email address so that we can send all to you for reference?

If the ACL is

access-list 165 permit tcp any eq telnet 218.x.x.16 0.0.0.15

access-list 165 permit tcp any host 218.x.x.90 eq telnet

access-list 165 permit ip any 218.x.x.16 0.0.0.15

access-list 165 permit ip any 218.x.x.90

does it allow telnet service only? Other services (e.g. ssh, smtp...) will be denied by the ACL's last statement "deny any any". Is it right?

Actually, we would like to allow telnet services only. Other services to one particular server will be denied.

To make it simple, if we only allow telnet in, there is one statement as follows:

access-list 165 permit tcp any host 218.x.x.90 eq telnet

it is NOT necessary to put

access-list 165 permit ip any 218.x.x.90

is it right?

If so, we need to double check the ACL again. Anyway, thanks for your guidance.

Best regards

If you wish to send something through email to me, my email address is in my NetPro profile. Please note the comment in my profile that if you email something to me the subject line should indicate that it is related to NetPro. Otherwise my spam filter may not allow it through.

I am not sure that I understand well what you are asking in this post. If you have this line:

access-list 165 permit ip any 218.x.x.16 0.0.0.15

then it will permit any IP traffic to that range of destination addresses. This would include services such as ssh, smtp, etc. If you want to deny certain services, you either need to have deny statements in the ACL for those services, or you need to not have the general permit ip any.

I am also a bit confused about using 218.x.x.16 0.0.0.15 which you do in a couple of lines. This implies a subnet with 16 addresses. In other posts you have indicated that it really is a /24 and should be masked that way. Or if the 0.0.0.15 mask is what you really want then the address 218.x.x.90 is outside the address range.

Perhaps you can clarify this a bit?

HTH

Rick
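To make the points in this thread concrete (first match wins, the implicit deny at the end, the general `permit ip` making the telnet lines redundant, and 218.x.x.90 falling outside a `218.x.x.16 0.0.0.15` block), here is a small ACL evaluator written for this page; it is not Cisco code or anything from the thread. It assumes a constructed documentation network `203.0.113.0/24` standing in for the masked `218.x.x` addresses, and it adds the `tcp` keyword that an `eq telnet` port match requires.

```python
import ipaddress

# Constructed stand-in for the thread's masked 218.x.x network (RFC 5737 documentation range).
NET = "203.0.113"
PORTS = {"telnet": 23, "ssh": 22, "smtp": 25}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match the base address, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def parse_ace(line):
    """Parse one extended ACE: access-list N {permit|deny} PROTO SRC [eq PORT] DST [eq PORT]."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] in ("permit", "deny"), line
    action, proto, i, ends = tok[2], tok[3], 4, []
    for _ in range(2):  # source endpoint, then destination endpoint
        if tok[i] == "any":
            base, wc, i = "0.0.0.0", "255.255.255.255", i + 1
        elif tok[i] == "host":
            base, wc, i = tok[i + 1], "0.0.0.0", i + 2
        else:
            base, wc, i = tok[i], tok[i + 1], i + 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        ends.append((base, wc, port))
    return action, proto, ends[0], ends[1]

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching ACE wins; anything unmatched hits the implicit 'deny ip any any'."""
    for ace in acl:
        action, p, (sb, sw, sp), (db, dw, dp) = parse_ace(ace)
        if p not in ("ip", proto):
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"

# The thread's lines, with the 'tcp' keyword that the 'eq telnet' port match requires.
ORIGINAL = ["access-list 165 permit tcp any eq telnet any"]           # the first post's single line
TELNET_ONLY = [
    f"access-list 165 permit tcp any eq telnet {NET}.16 0.0.0.15",   # return packets for telnet out
    f"access-list 165 permit tcp any host {NET}.90 eq telnet",       # inbound telnet to the server
]
WITH_GENERAL_PERMIT = TELNET_ONLY + [f"access-list 165 permit ip any {NET}.0 0.0.0.255"]
```

Running `evaluate(ORIGINAL, "tcp", client, 40000, NET + ".90", 23)` returns `deny`, which is why the first post's single line could not telnet: it only matches packets whose source port is 23.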

Hi,

I sent you an email with the full ACL. Thanks.

Best regards
