RE: Telnet access into loopback

From: chrlewis@cisco.com
Date: Fri Sep 16 2005 - 14:24:11 GMT-3


Hi Brian,

This caught my interest so I tried it.

My solution is to apply access-list 100 inbound on the physical interface:

access-list 100 permit tcp any host 2.2.2.2 eq telnet
access-list 100 deny tcp any any eq telnet
access-list 100 permit icmp any any

It seems to meet the requirements, but I'd have to add permits for routing
protocol traffic as well for it to work in a lab. Is there a more
elegant way?

Chris
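An added example, not code from this thread, modelling the two placements discussed: under access-class the extended list is evaluated without a real destination (Brian's log line further down shows the denied telnet as "-> 0.0.0.0(23)"), so "host 10.1.1.1" never matches and the deny wins, while Chris's list on the physical interface sees the true destination. Addresses come from the thread; the Ace class, the function names and the evaluation model are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp", "icmp", "ospf", ...
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination, if given

def match_addr(spec: str, addr: str) -> bool:
    """IOS-style address matcher: any / host X / network wildcard-mask."""
    if spec == "any":
        return True
    first, second = spec.split()
    if first == "host":
        return addr == second
    care = ~int(ipaddress.IPv4Address(second)) & 0xFFFFFFFF   # wildcard 0 bits must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(first)) & care)

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int]) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if match_addr(ace.src, src) and match_addr(ace.dst, dst):
            return ace.action
    return "deny"

def vty_access_class(acl: List[Ace], proto: str, src: str, dport: int) -> str:
    # access-class evaluates the extended list with no real destination:
    # Brian's log shows the denied session as "-> 0.0.0.0(23)", so model that.
    return evaluate(acl, proto, src, "0.0.0.0", dport)

def interface_access_group(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    # ip access-group on the ingress interface sees the true destination.
    return evaluate(acl, proto, src, dst, dport)

# The vty list from Brian's reply (list 100 on Rack4R1).
ACL_VTY = [Ace("permit", "ip", "any", "host 10.1.1.1"),
           Ace("deny", "ip", "any", "any")]
# Chris's list 100 for the physical interface.
ACL_IF = [Ace("permit", "tcp", "any", "host 2.2.2.2", 23),
          Ace("deny", "tcp", "any", "any", 23),
          Ace("permit", "icmp", "any", "any")]
# vty_access_class(ACL_VTY, "tcp", "172.16.1.2", 23) -> "deny" (the thread's failure)
# interface_access_group(ACL_IF, "ospf", "172.16.1.2", "224.0.0.5") -> "deny" (Chris's routing-protocol gap)
```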

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian Dennis
Sent: Friday, September 16, 2005 11:52 AM
To: Imal kalutotage; Godswill Oletu
Cc: Cisco certification
Subject: RE: Telnet access into loopback

Turn on logging for the access-list and look to see that the access-list
is denying.

Switch#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection refused by remote host

Switch#
Rack4AS>1
[Resuming connection 1 to r1 ... ]

*
Rack4R1#
Rack4R1#sho run int lo 0
Building configuration...

Current configuration : 62 bytes
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
end

Rack4R1#
Rack4R1#sho run | be vty
line vty 0 4
 access-class 100 in
 password cisco
 login
!
!
end

Rack4R1#
Rack4R1#sho ip access-list
Extended IP access list 100
    10 permit ip any host 10.1.1.1
    20 deny ip any any log (2 matches)
Rack4R1#sho log
<snip>

%SEC-6-IPACCESSLOGP: list 100 denied tcp 172.16.1.2(11004) -> 0.0.0.0(23), 1 packet

<snip>

Rack4R1#

HTH,

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Imal kalutotage
Sent: Friday, September 16, 2005 4:57 AM
To: Godswill Oletu
Cc: Cisco certification
Subject: Re: Telnet access into loopback

Hi god
When I remove the list it allows me to telnet.
This is very strange & this is not the 1st time I have faced this issue.
Cheers
Imal

 On 9/16/05, Godswill Oletu <oletu@inbox.lv> wrote:
>
> When you remove the "access-class 111 in" command can you telnet into the
> router using the loopback interface ip address?
>
>
> ----- Original Message -----
> From: "Imal kalutotage" <imal.kalutotage@gmail.com>
> To: "Cisco certification" <ccielab@groupstudy.com>
> Sent: Friday, September 16, 2005 7:23 AM
> Subject: Telnet access into loopback
>
>
> > Hi Group
> > Here is the task
> > Only allow telnet access in to the loopback 0 of the router.
> > It seems very simple but does not work for me.
> > I do not know whether this is a bug or whether I am missing something here.
> > Also the command ref says access-class works normally with standard
> > access-lists.
> > OK, but with standard access lists we cannot match our loopback ip,
> > because it is the destination ip of the incoming telnet session.
> > One option is to apply the access group on the incoming serial
> > interface.
> > This is my config & when u do this it is not allowing telnet to any
> > interface.
> > int loop0
> > ip add 1.1.5.5 255.255.255.255
> > access-list 111 permit ip any host 1.1.5.5
> > line vty 0 4
> > access-class 111 in
> > privilege level 15
> > password cisco
> > login
> >
> >



This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3