From: Venkataramanaiah.R (vramanaiah@gmail.com)
Date: Sat Sep 17 2005 - 10:57:33 GMT-3
Chris, Why can't you do just this?
access-list 100 permit tcp any host 2.2.2.2 eq telnet
access-list 100 deny tcp any other i/f(s) eq telnet
access-list 100 permit ip any any
But this solution doesn't look elegant still...
-Venkat
On 9/16/05, chrlewis@cisco.com <chrlewis@cisco.com> wrote:
>
> Hi Brian,
>
> This caught my interest so I tried it.
>
> My solution is to apply access-list 100 inbound on the physical
> interface
>
> access-list 100 permit tcp any host 2.2.2.2 eq telnet
> access-list 100 deny tcp any any eq telnet
> access-list 100 permit icmp any any
>
> It seems to meet the requirements, but I'd have to add permit routing
> protocol traffic as well for it to work in a lab. Is there a more
> elegant way?
>
> Chris
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brian Dennis
> Sent: Friday, September 16, 2005 11:52 AM
> To: Imal kalutotage; Godswill Oletu
> Cc: Cisco certification
> Subject: RE: Telnet access into loopback
>
> Turn on logging for the access-list and look to see that the access-list
> is denying.
>
> Switch#telnet 10.1.1.1
> Trying 10.1.1.1 ...
> % Connection refused by remote host
>
> Switch#
> Rack4AS>1
> [Resuming connection 1 to r1 ... ]
>
> *
> Rack4R1#
> Rack4R1#sho run int lo 0
> Building configuration...
>
> Current configuration : 62 bytes
> !
> interface Loopback0
> ip address 10.1.1.1 255.255.255.0
> end
>
> Rack4R1#
> Rack4R1#sho run | be vty
> line vty 0 4
> access-class 100 in
> password cisco
> login
> !
> !
> end
>
> Rack4R1#
> Rack4R1#sho ip access-list
> Extended IP access list 100
> 10 permit ip any host 10.1.1.1
> 20 deny ip any any log (2 matches)
> Rack4R1#sho log
> <snip>
>
> %SEC-6-IPACCESSLOGP: list 100 denied tcp 172.16.1.2(11004) -> 0.0.0.0(23), 1 packet
>
> <snip>
>
> Rack4R1#
>
>
> HTH,
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Imal kalutotage
> Sent: Friday, September 16, 2005 4:57 AM
> To: Godswill Oletu
> Cc: Cisco certification
> Subject: Re: Telnet access into loopback
>
> Hi god
> When I remove the list it allows me to telnet..
> This is very strange & this is not the 1st time I faced this issue..
> Cheers
> Imal
>
> On 9/16/05, Godswill Oletu <oletu@inbox.lv> wrote:
> >
> > When you remove the "access-class 111 in" command can you telnet into the
> > router using the loopback interface ip address?
> >
> >
> > ----- Original Message -----
> > From: "Imal kalutotage" <imal.kalutotage@gmail.com>
> > To: "Cisco certification" <ccielab@groupstudy.com>
> > Sent: Friday, September 16, 2005 7:23 AM
> > Subject: Telnet access into loopback
> >
> >
> > > Hi Group
> > > Here is the task
> > > Only allow telnet access in to the loop back 0 of the router..
> > > It seems very simple but does not work for me.
> > > I do not know whether this is a bug or am I missing something here.
> > > Also command ref says access-class works normally with standard
> > > access-lists.
> > > Ok but with standard access lists we cannot match our loopback ip,
> > > because it is the destination ip of the incoming telnet session.
> > > One option is to apply the access group in the incoming serial
> > > interface.
> > > This is my config & when you do this it is not allowing telnet to any
> > > interface.
> > > int loop0
> > > ip add 1.1.5.5 255.255.255.255
> > > access-list 111 permit ip any host 1.1.5.5
> > > line vty 0 4
> > > access-class 111 in
> > > privilege level 15
> > > password cisco
> > > login
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
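As an added illustration of what Brian's log line shows (this is not code from the thread): a small Python model that evaluates the same ACL once as an interface access-group and once as a vty access-class, plus a parser for the IPACCESSLOGP message that flags the tell-tale 0.0.0.0 destination. The assumption that access-class evaluates the destination as 0.0.0.0 is taken only from the log line quoted above; the ACL entries and the log line are constructed samples.

```python
import ipaddress
import re

# Constructed sample: ACL 100 as Brian shows it, plus a source-based list.
ACL_100 = [(10, "permit", "ip", "any", "host 10.1.1.1"),
           (20, "deny", "ip", "any", "any")]
ACL_1 = [(10, "permit", "ip", "172.16.1.0 0.0.0.255", "any")]

def _match(spec, addr):
    """Match an IOS address spec ('any', 'host A', 'A WILDCARD') against addr."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    a = int(ipaddress.IPv4Address(addr))
    # Wildcard bits set to 1 are "don't care": compare only the 0 bits.
    return (a & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)

def decide(acl, src, dst, applied_as="access-group"):
    """Action for a packet. Assumption taken from the log line in the thread:
    under 'access-class' the destination is evaluated as 0.0.0.0, so only
    source criteria can match and 'permit ip any host 10.1.1.1' never does."""
    if applied_as == "access-class":
        dst = "0.0.0.0"
    for _seq, action, _proto, s_spec, d_spec in acl:
        if _match(s_spec, src) and _match(d_spec, dst):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

def diagnose(log_line):
    """Parse an IPACCESSLOGP line and flag the access-class symptom."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    fields = m.groupdict()
    if fields["action"] == "denied" and fields["dst"] == "0.0.0.0":
        fields["hint"] = "access-class matched destination 0.0.0.0: filter on source"
    return fields

# Constructed log line in the same format as the one Brian posted (rejoined).
SAMPLE_LOG = ("%SEC-6-IPACCESSLOGP: list 100 denied tcp 172.16.1.2(11004)"
              " -> 0.0.0.0(23), 1 packet")
```

Run `decide(ACL_100, "172.16.1.2", "10.1.1.1")` and the same call with `applied_as="access-class"` to see the permit turn into the deny that Imal and Brian observed; `decide(ACL_1, ...)` shows the source-based list working under access-class.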
This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3