The telnet packet sourced by router B is not checked against the access list
for outbound. The return packet (from router A) is not sent to the telnet
port on router B, and therefore will not match the deny statement.
To make it work, I think you need to include the telnet port for both source
and destination:
ip access-list extended LAN
deny tcp any any eq telnet
deny tcp any eq telnet any
permit ip any any
Alternatively, apply the same access list to router A.
CM
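The two effects CM describes (an outbound ACL does not filter packets the router itself generates, and the return packets from router A carry telnet as the *source* port, so `deny tcp any any eq telnet` never matches them) can be checked with a small simulation. This is an added example, not code from either poster; it models classic IOS extended-ACL evaluation (top-down, first match wins, implicit deny, outbound ACL bypassed for locally sourced traffic) and uses constructed ephemeral port numbers.

```python
"""Simulate Cisco extended-ACL evaluation on router B's FastEthernet0 for the
telnet cases in the thread. Added example, not the poster's code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One access-list entry; None for a port means 'any'."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; implicit deny if nothing matches."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def interface_filter(acl: List[Ace], pkt: Packet, direction: str,
                     router_sourced: bool = False) -> str:
    """IOS does not apply an outbound ACL to traffic the router itself
    originates, so a router-sourced packet leaving the interface is
    never checked against the 'out' list."""
    if direction == "out" and router_sourced:
        return "permit"
    return evaluate(acl, pkt)


# The ACL from the original post ...
ORIGINAL = [Ace("deny", "tcp", dport=TELNET), Ace("permit", "ip")]
# ... and CM's suggested version with the source-port line added.
FIXED = [Ace("deny", "tcp", dport=TELNET),
         Ace("deny", "tcp", sport=TELNET),
         Ace("permit", "ip")]


def telnet_b_to_a(acl: List[Ace]) -> Tuple[str, str]:
    """Router B telnets to router A: returns (verdict on B's outgoing SYN,
    verdict on A's returning SYN/ACK as it enters FastEthernet0)."""
    syn = Packet("10.0.0.2", "10.0.0.1", sport=11001, dport=TELNET)  # constructed port
    syn_ack = Packet("10.0.0.1", "10.0.0.2", sport=TELNET, dport=11001)
    out_verdict = interface_filter(acl, syn, "out", router_sourced=True)
    in_verdict = interface_filter(acl, syn_ack, "in")
    return out_verdict, in_verdict


def telnet_c_to_a(acl: List[Ace]) -> str:
    """Transit traffic from router C toward A leaves FastEthernet0 outbound
    and is subject to the 'out' list."""
    syn = Packet("192.168.1.2", "10.0.0.1", sport=11002, dport=TELNET)
    return interface_filter(acl, syn, "out")


def telnet_lan_to_c(acl: List[Ace]) -> str:
    """A host on 10.0.0.0 telnetting to C enters FastEthernet0 inbound."""
    syn = Packet("10.0.0.7", "192.168.1.2", sport=11003, dport=TELNET)
    return interface_filter(acl, syn, "in")


if __name__ == "__main__":
    print("B->A with original ACL:", telnet_b_to_a(ORIGINAL))  # ('permit', 'permit')
    print("B->A with fixed ACL:   ", telnet_b_to_a(FIXED))     # ('permit', 'deny')
    print("C->A transit:          ", telnet_c_to_a(ORIGINAL))  # deny
    print("LAN->C inbound:        ", telnet_lan_to_c(ORIGINAL))  # deny
```

With the original list, B's own SYN bypasses the outbound check and A's SYN/ACK (source port 23) falls through to `permit ip any any`, so the session completes; the added `deny tcp any eq telnet any` line catches the return packet inbound and breaks the handshake, which is the same outcome as filtering on router A instead.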
-----Original Message-----
From: Ednilson Rosa
To: [EMAIL PROTECTED]
Sent: 21/06/01 03:38
Subject: Access-list [7:9292]
Hi Folks,
I have a doubt about access-lists. I have the following topology:
Router A
Ethernet 0
10.0.0.1
|
|
10.0.0.2
FastEth0
Router B
Serial 0.1
192.168.1.1
|
|
192.168.1.2
Serial 0.1
Router C
I wanted to block telnet TO and FROM network 10.0.0.0. I created an
access-list as follows:
ip access-list extended LAN
deny tcp any any eq telnet
permit ip any any
Applied it to Router B on Fast Ethernet 0 interface this way:
interface FastEthernet0
ip access-group LAN in
ip access-group LAN out
Doing this I really blocked telnet from network 10.0.0.0 to routers B
and C.
I also blocked router C from telnetting to router A (or any other host on
network 10.0.0.0). But, surprisingly to me, I'm still able to telnet
Router A from Router B!
My question is: since I blocked telnet traffic on the interface Fast
Ethernet 0 on router B for inbound and outbound, shouldn't this block my
telnets from B to A?? What is missing here?
Thanks in advance!
Ednilson Rosa
CCNA
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9330&t=9292
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]