Re: Telnet Access list VTY FEELING STUPID!

From: James Ventre (messageboard@ventrefamily.com)
Date: Fri May 27 2005 - 10:06:42 GMT-3


I typically use standard ACLs for an access-class, and use it in conjunction with "transport input telnet ssh" to restrict it to telnet and ssh on the router.

Here is what's wrong with yours:
access-list 100 permit tcp host 10.2.1.2 eq telnet any

It's looking for your host of 10.2.1.2 to leave on port TCP/23 ... not
connect to TCP/23. You'll be leaving on an ephemeral port. Try swapping
your "eq telnet" and "any".

James

Looking to be CCIE wrote:

>Feeling Stupid... I was trying to put an access list on the VTY ports to
>limit telnet to a specific host, but could not get it to work with a simple
>one line list. Am I missing something here.... Just a serial connection
>between the routers. Config Below..... I checked telnet before applying
>access-list and it would work fine. After applying list I would just get a
>connection refused message.
>
>Note: If I put a three line list on it would work,
>(access-list 100 permit tcp host 10.2.1.2 eq telnet any
>access-list 100 deny tcp any eq telnet any
>access-list 100 permit ip any any)
>
>
>
>r7# (Router that has access list)
>
>
>interface Serial0/1
> ip address 10.2.1.1 255.255.255.0
>!
>!
>access-list 100 permit tcp host 10.2.1.2 eq telnet any
>!
>mgcp profile default
>!
>dial-peer cor custom
>!
>!
>!
>!
>line con 0
>line aux 0
>line vty 0 4
> access-class 100 in
> password cisco
> login
>!
>!
>end
>
># (Router that I am accessing first router from)
>
>interface Serial0/1
> ip address 10.2.1.2 255.255.255.0
> clockrate 64000
>!
>!
>ip classless
>!!
>line con 0
>line aux 0
>line vty 0 4
>!
>!
>end
>
>Router#
>
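The point James makes (the "eq telnet" in the original ACE is a source-port match, so an inbound telnet session from an ephemeral port never hits it) can be checked with a small first-match evaluator. This is an added illustration, not code from the post or from Cisco IOS; it supports only the ACE syntax used in the thread ("any" / "host A.B.C.D", optional "eq PORT"), and the client source port 11001 is a constructed value.

```python
# Minimal evaluator for extended ACL entries of the shape used in the post:
#   access-list <n> {permit|deny} {tcp|ip} <src> [eq <port>] <dst> [eq <port>]
# First matching entry wins; an ACL ends with an implicit "deny ip any any".
WELL_KNOWN = {"telnet": 23, "ssh": 22}

def _addr(tokens):
    """Consume one address spec ('any' or 'host X') plus an optional 'eq PORT'."""
    if tokens[0] == "any":
        addr, tokens = None, tokens[1:]
    elif tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        raise ValueError(f"unsupported address spec: {tokens[0]}")
    port = None
    if tokens and tokens[0] == "eq":
        port = WELL_KNOWN.get(tokens[1]) or int(tokens[1])
        tokens = tokens[2:]
    return addr, port, tokens

def parse_ace(line):
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                      # drop "access-list <n>"
    action, proto, t = t[0], t[1], t[2:]
    src, sport, t = _addr(t)
    dst, dport, t = _addr(t)
    return {"action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def matches(ace, proto, src, sport, dst, dport):
    # None means "any" for that field.
    return (ace["proto"] in ("ip", proto)
            and ace["src"] in (None, src) and ace["sport"] in (None, sport)
            and ace["dst"] in (None, dst) and ace["dport"] in (None, dport))

def evaluate(acl_lines, proto, src, sport, dst, dport):
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, proto, src, sport, dst, dport):
            return ace["action"]
    return "deny"                      # implicit deny at the end of every ACL

# Constructed inbound flow: 10.2.1.2 telnets from an ephemeral port to r7 (10.2.1.1:23).
FLOW = ("tcp", "10.2.1.2", 11001, "10.2.1.1", 23)
ORIGINAL = ["access-list 100 permit tcp host 10.2.1.2 eq telnet any"]
CORRECTED = ["access-list 100 permit tcp host 10.2.1.2 any eq telnet"]
# The three-line list from the post "works" only because its last entry
# permits every source, so it does not actually restrict telnet to 10.2.1.2.
THREE_LINE = ["access-list 100 permit tcp host 10.2.1.2 eq telnet any",
              "access-list 100 deny tcp any eq telnet any",
              "access-list 100 permit ip any any"]
```

Running evaluate(ORIGINAL, *FLOW) returns "deny" while evaluate(CORRECTED, *FLOW) returns "permit"; the same check with a different source host against THREE_LINE still returns "permit", which is the gap the three-line list leaves open.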



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3