From: Ramiro Garza (ccie15xxx@gmail.com)
Date: Fri Jan 20 2006 - 23:36:40 GMT-3
> You could apply the following access list as an input access-list:
>
> access-list 100 deny tcp any eq telnet any
> access-list 100 permit ip any any
>
> It will allow the telnet packets to go out of the router but not to come
> back in.
>
> HTH,
> Ramiro G.
>
>
> On 1/20/06, Jvrg Buesink <buesink@fma.nl> wrote:
> >
> > It's possible on a 12000 series router (ip receive ACL).
> > But I don't think you'll find 12000s in the lab ;-)
> >
> >
> > With kind regards,
> >
> > Jvrg Buesink
> > CCIE#15032
> >
> >
> >
> >
> > ________________________________
> >
> > From: nobody@groupstudy.com on behalf of Gustavo Novais
> > Sent: Fri 20-1-2006 15:22
> > To: Popgeorgiev Nikolay; ccielab@groupstudy.com
> > Subject: RE: Deny traffic from router itself
> >
> >
> >
> > Yes it does :) You probably weren't doing the test from a vty. Try
> > applying it to line con 0 also.
> >
> > User Access Verification
> >
> > Password:
> > Password:
> > Rack1R3>ena
> > Password:
> > Rack1R3#telnet 183.1.0.4
> > Trying 183.1.0.4 ...
> > % Connections to that host not permitted from this terminal
> > Rack1R3#ping 183.1.0.4
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 183.1.0.4, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms
> > Rack1R3#sh run | b line
> > line con 0
> >  exec-timeout 0 0
> >  privilege level 15
> >  logging synchronous
> > line aux 0
> >  exec-timeout 0 0
> >  privilege level 15
> > line vty 0 4
> >  access-class 23 out
> >  password cisco
> >  login
> > line vty 5
> >  access-class 23 out
> >  login
> > !
> > !
> > end
> >
> > Rack1R3#sh access-list 23
> > Standard IP access list 23
> >     10 deny   183.1.0.4 (1 match)
> >     20 permit any
> > Rack1R3#
> >
> > Gustavo Novais
> >
> >
> >
> > -----Original Message-----
> > From: Popgeorgiev Nikolay [mailto: nikolay.popgeorgiev@siemens.com]
> > Sent: Friday, 20 January 2006 13:54
> > To: Gustavo Novais; Popgeorgiev Nikolay; ccielab@groupstudy.com
> > Subject: RE: Deny traffic from router itself
> >
> >
> > Gustavo,
> >
> > I already tried this; it doesn't work.
> >
> > Nick
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Gustavo Novais [mailto: gustavo.novais@novabase.pt]
> > Sent: Friday, January 20, 2006 3:40 PM
> > To: Popgeorgiev Nikolay; ccielab@groupstudy.com
> > Subject: RE: Deny traffic from router itself
> >
> > You can try an access-class out on the line vtys. That will limit the
> > destinations to where you may telnet.
> >
> > Gustavo Novais
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto: nobody@groupstudy.com] On Behalf Of
> > Popgeorgiev Nikolay
> > Sent: Friday, 20 January 2006 12:59
> > To: ccielab@groupstudy.com
> > Subject: Deny traffic from router itself
> >
> > Hello people,
> >
> > I have a question: is it possible with an ACL to deny packets from a
> > router itself? For example, I want to stop a user connected to the router
> > from making a telnet to another router. But not with the transport output
> > command on the line interface, and without a route-map.
> >
> >
> > thanks !
> >
> > best,
> > Nick
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
This archive was generated by hypermail 2.1.4 : Wed Feb 01 2006 - 07:45:50 GMT-3