I have a 1721 that I use for an Internet router. I don't want to allow telnet access or to be able to ping the interface. Is this the right config? And if so, where do I add the access list? To the serial interface?
I have looked at the config that you posted and I have a couple of comments which may help provide the answer that you want.
I see that your default route points out the FastEthernet interface which implies that it is the Internet facing interface. Is that true? If so you would most likely want to assign the access list to the Fast Ethernet interface.
What would be the result if someone telnetted to 220.127.116.11?
I might suggest a different approach to solving the issue of telnet. Instead of an access list on an interface to control telnet you might consider using the access-class on the vty ports to control it. You could create an access list which permits the addresses (or address ranges) which you do want to be able to telnet and implicitly deny everyone else and apply that access list with access-class. Then it does not matter which interface the request comes in and does not matter what address they are telnetting to. It only matters if the source address is permitted to telnet to this router.
And there is another possible alternative to consider. Do you want people to be able to telnet to the router at all? Many enterprises will disable telnet to the Internet edge router. You can force access to the router to be via the console by configuring no exec on each of the vty ports if you just do not want telnet to the router at all.
You're on the right road. Do you want to defend your network behind interface S0 or just the router for telnet access? If it's the router, you need this command to attach an access list to vty 0 4 (telnet access).
line vty 0 4
access-class 101 in
transport input telnet
transport output all
access-list 101 permit tcp host WW.XX.YY.ZZ any eq telnet
access-list 101 deny ip any any
This should prevent access by telnet from any hosts except the ones you specify, i.e. WW.XX.YY.ZZ.
Also, you may want to add this line to your access list to stop people pinging the S0 also.
access-list 102 deny icmp any host 18.104.22.168
access-list 102 deny icmp any host 22.214.171.124
access-list 102 permit ip any any
Then apply it to the S0 interface:
router(config-if)#ip access-group 102 in
The above should stop people pinging/telnetting to the router. However,
I seriously recommend using a firewall & NAT'd config on your router, if you don't already have a standalone device, that is. If you don't have too much experience you could use the router's web GUI, if your router and IOS version aren't too old. There is plenty of info on CCO regarding NAT & firewall setups.
Type router(config)#ip http server
Now just web browse to the router's IP address... Don't forget that if you leave this function turned on you'll need to lock it down in your access-list 101 also.
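Added example (not from any poster in the thread): a small Python model of first-match ACL evaluation, run over access-lists 101 and 102 as posted, to check which packets each list passes. 192.0.2.10 stands in for WW.XX.YY.ZZ and the source 203.0.113.5 is constructed; only the `any`, `host` and `eq` forms used in the thread are parsed.

```python
import ipaddress

# ACL lines as posted in the thread. WW.XX.YY.ZZ is replaced by a constructed
# documentation address (192.0.2.10) so the lines can be parsed.
ACLS = """\
access-list 101 permit tcp host 192.0.2.10 any eq telnet
access-list 101 deny ip any any
access-list 102 deny icmp any host 18.104.22.168
access-list 102 deny icmp any host 22.214.171.124
access-list 102 permit ip any any
"""
PORTS = {"telnet": 23}

def addr_spec(tok):
    """Consume 'any' or 'host A.B.C.D' from the token list; return a network."""
    word = tok.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    raise ValueError("only 'any' and 'host' forms are handled: " + word)

def parse(text):
    """Return {acl_number: [(action, proto, src_net, dst_net, dst_port), ...]}."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        num, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        src, dst = addr_spec(rest), addr_spec(rest)
        port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
        acls.setdefault(num, []).append((action, proto, src, dst, port))
    return acls

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, port in acl:
        if p in ("ip", proto) and s in src_net and d in dst_net \
                and port in (None, dport):
            return action
    return "deny"

if __name__ == "__main__":
    acls = parse(ACLS)
    outside = "203.0.113.5"  # constructed Internet source
    print("102 icmp  ->", evaluate(acls["102"], "icmp", outside, "18.104.22.168"))
    print("102 tcp23 ->", evaluate(acls["102"], "tcp", outside, "18.104.22.168", 23))
    print("101 tcp23 ->", evaluate(acls["101"], "tcp", outside, "18.104.22.168", 23))
```

Access-list 102 returns permit for the telnet packet, so in this configuration telnet is restricted by the access-class on the vty lines, not by the interface ACL.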