From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Fri Aug 11 2006 - 19:32:25 ART
That would be very good to know,
In our ISP we use on the GSRs ip receive access-list to accomplish this
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120
limit/120s/120s22/ft_ipacl.htm
But I do not think this is available on the small routers that we have in
the lab, sop maybe just applying something like
Brian (Dennis | McGahan), do you mind to shed a light here
Thanks
Victor.-
-----Mensaje original-----
De: secondie [mailto:secondie@gmail.com]
Enviado el: Viernes, 11 de Agosto de 2006 06:18 p.m.
Para: Victor Cappuccio
CC: 'ZeroFlash'; 'Patricia Loreal'; 'Cisco certification'
Asunto: Re: Telnet to loopback only
For the sake of seeing why extended ACL would not work, I placed a "deny
any any log" on access class and I noticed following in the debug:
Mar 1 00:30:32.391: %SEC-6-IPACCESSLOGP: list vty-in denied tcp
192.168.1.32(2228) -> 0.0.0.0(23), 1 packet
why is the destination changed from 1.1.1.1 "0.0.0.0"
Another question: Seems like access-class out does not work at all. I
tried placing deny any any, but it had no affect
Any ideas ??
**** Config as below:
ip telnet source-interface Loopback0
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.101 255.255.255.0
duplex auto
speed auto
!
ip access-list extended vty-in
permit tcp any host 1.1.1.1 eq telnet log
deny ip any any log
!
line vty 0 4
access-class vty-in in
password a
login
end
-secondie
Victor Cappuccio wrote:
> Hi Guys,
>
> http://www.groupstudy.com/archives/ccielab/200604/msg01295.html
>
> Zero, that does not seems to be working
>
> -----Mensaje original-----
> De: nobody@groupstudy.com [mailto:nobody@groupstudy.com] En nombre de
> ZeroFlash
> Enviado el: Viernes, 11 de Agosto de 2006 04:13 p.m.
> Para: 'Patricia Loreal'; Cisco certification
> Asunto: RE: Telnet to loopback only
>
> I would actually use an extended ACL stating something like this:
>
> Access-list 100 permit tcp any host 150.1.1.1 eq 23
> Access-list 100 permit tcp any host 150.1.2.2 eq 23
> Access-list 100 permit tcp any host 150.1.3.3 eq 23
>
> line vty 0 4
> access-class 100 in
>
> ZeroFlash
> CCIE #16217
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Patricia Loreal
> Sent: Friday, August 11, 2006 4:03 PM
> To: Cisco certification
> Subject: Telnet to loopback only
>
> Dear Team!
>
> Task says: "make telnet to loopback0 access with privilege 15", Easy
enough
> but IMO there is a catch here The Loopbacks assigned to routers are:
>
> 150.1.1.1/32
> 150.1.2.2/32
> 150.1.3.3/32
>
> Should I permit all loopback address range at line vty in using a standard
> access-list?
>
> access-list 1 permit 150.1.1.1
> access-list 1 permit 150.1.2.2
> access-list 1 permit 150.1.3.3
>
> line vty 0 4
> access-class 1 in
>
> Opinions about this is highly appreciated
>
> Thanks
> Patricia
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART