Re: Access-class

From: Georg Pauwen (pauwen@hotmail.com)
Date: Sun Jul 25 2004 - 12:11:02 GMT-3


Hello,

this works indeed, but the access list 100 proposed by Rohan should work as
well. It doesn't. Does anybody know why?

access-list 100 permit tcp host 1.0.0.1 host 1.0.0.2 eq telnet

looks perfectly all right to me...

Regards,

Georg

>From: "Daniel Sheedy" <dansheedy@gmx.net>
>Reply-To: "Daniel Sheedy" <dansheedy@gmx.net>
>To: "Rohan Grover" <rohang@cisco.com>
>CC: <ccielab@groupstudy.com>
>Subject: Re: Access-class
>Date: Sun, 25 Jul 2004 13:27:09 +0200
>
>Hi Rohan,
>
>What if change it to a standard access list?
>
>access 1 permit 1.0.0.1 0.0.0.0
>
>You really don't care where it is going... because you are at the
>destination where you wish to test the little blighter, to see if it is
>allowed in or not.
>So, you only need to see that it originated from the right place.
>If it was a packet on its way to somewhere else, then maybe you would check
>the source AND the destination. But that's another story, and not important
>for here.
>
>Then apply this on the line 0 4.
>
>access-class 1 in
>
>Then, don't forget, if R1 has multiple ways to get to R2, go over to R1 and
>set the source interface for the telnet, so you are not having to put
>multiple permit lines on R2.
>
>ip telnet source-interface lo0
>
>or whatever interface grabs your fancy.
>
>Cheers
>
>Dan Sheedy
>
>
>----- Original Message -----
>From: "Rohan Grover" <rohang@cisco.com>
>To: <ccielab@groupstudy.com>
>Sent: Sunday, July 25, 2004 11:36 AM
>Subject: Access-class
>
>
> > Hi,
> >
> > This is a really simple scenario but for some reason I'm unable to get
> > it to work!!
> >
> > R1 ----------- R2
> > 1.0.0.1 1.0.0.2
> >
> > All I want to do is deny telnet access on R2 to everyone except from
> > 1.0.0.1 (R1) to 1.0.0.2 (R2).
> >
> > So I use access list
> >
> > 'access-list 100 permit tcp host 1.0.0.1 host 1.0.0.2 eq telnet'
> >
> > And apply it on vty 0 4 of R2 as 'access-class 100 in'
> >
> > I see that this blocks ALL telnet access.
> >
> > If I change the access-list to
> >
> > 'access-list 100 permit tcp host 1.0.0.1 any eq telnet', then it allows
> > telnet access only from 1.0.0.1 to any interface on R2,
> > which is not what I want.
> >
> > Is there anything I'm missing regarding use of access-class? Some
> > restriction on destination host?
> >
> > Thanks
> > Rohan
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

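Pulling the thread's advice together, the following is an added configuration example (not posted by Rohan, Dan or Georg) for the R1/R2 scenario above. The addresses 1.0.0.1 (R1) and 1.0.0.2 (R2) come from the thread; it assumes R1's 1.0.0.1 sits on Loopback0, as Dan suggests, and that a local username already exists on R2 for `login local`. It shows Dan's standard-ACL form, the extended form with `any` as destination (the variant Rohan reported as working), an explicit logged deny so rejected attempts are visible, and the commands used to verify the result:

```cisco
! --- R2: restrict vty access to R1 only ---
!
! Standard ACL: access-class only needs to match the SOURCE of the
! inbound session (Dan's point). The explicit "deny any log" makes
! rejected attempts show up in the log; the implicit deny at the end
! of every ACL would drop them silently and leave nothing to audit.
access-list 1 remark vty access: R1 (1.0.0.1) only
access-list 1 permit host 1.0.0.1
access-list 1 deny   any log
!
! Equivalent extended form. The destination is "any": as Rohan observed,
! "host 1.0.0.2" as destination blocks every session, while "any" permits
! exactly the sessions from 1.0.0.1.
access-list 100 remark vty access: R1 (1.0.0.1) only, extended form
access-list 100 permit tcp host 1.0.0.1 any eq telnet
access-list 100 deny   ip  any any log
!
! Apply one of the two (ACL 1 here) inbound on the vty lines.
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 login local
!
! --- R1: pin the source address of outbound telnet ---
!
! Without this, a multi-path R1 may source the session from a different
! interface address, which ACL 1 would reject. Loopback0 is assumed to
! carry 1.0.0.1.
ip telnet source-interface Loopback0
!
! --- Verification on R2 ---
! show access-lists 1     (match counters increase with each attempt)
! show line vty 0 4       (the "access-class 1 in" line must be present)
! show line               (lists ALL vty lines present on this platform)
! show users              (active sessions and their source addresses)
```

Two checks worth running after applying this. First, `show line` on R2: many IOS images provide vty 0 15, not only 0 4, and an access-class applied to `line vty 0 4` leaves lines 5 to 15 unfiltered; apply the access-class to the full range the platform reports. Second, remember that a source-address filter is a reachability control, not authentication: it still needs the login and password configuration on the line behind it, and it does nothing to protect the Telnet session contents on the wire.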


This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:12:02 GMT-3