Hi Dennis!

In fact I suspected this before. But I have not seen in any book that
access-lists don't filter packets originated on the router itself. I may
not have looked very well, but maybe this should be better emphasized in
books, since their approach may lead to this kind of misunderstanding.
Access-class is really the solution for this case, but I think it must
also be applied to the console and aux ports, which could also be used to
telnet to Network A.

Thanks for your reply!

ER
CCNA

----- Original Message -----
From: "Dennis Griffin" 
To: 
Sent: Friday, June 22, 2001 12:02 PM
Subject: RE: Access-list [7:9292]


Last comment, now that I have finished the lawn and re-read the complete
question:

I sent this to one of the respondents earlier and thought I might complete
the circle here.  The issue was that telnet worked from Router B into the
10.0.0.0 network.  As cheekin states correctly, ACLs will not inspect
packets generated ON Router B, only packets travelling through the router,
so telnet FROM Router B is possible.  To prevent this, you must use the vty
filter (and obviously then control administrative access to Router B).
Commands are entered on Router B:

To prevent telnet FROM Router B into the 10.0.0.0 network:
access-list 10 deny 10.0.0.0 0.255.255.255
line vty 0 4
access-class 10 OUT (inspects destination IP address)

To prevent telnet INTO Router B:
access-list 10 deny 10.0.0.0 0.255.255.255
line vty 0 4
access-class 10 IN (inspects source IP address)

Last comment: VTY filter should be applied consistently to ALL vty lines
configured (5 is default).  If you have 10 lines, then apply to line vty 0 9.

Cheers...

Dennis
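As an added example, not part of either message in the thread: a small Python audit of a "show running-config" text that checks the two points Dennis makes (access-class must cover every vty line, and "in" and "out" are separate filters) and additionally flags an ACL referenced by access-class that contains no permit statement, because the implicit deny at the end of a standard ACL then rejects every telnet session. The sample config is constructed from the thread's commands; "line vty 5 9" and ACL 20 are assumptions added to show the gaps.

```python
import re

# Constructed sample in running-config style (indented subcommands), modelled on the thread.
SAMPLE_CONFIG = """\
access-list 10 deny 10.0.0.0 0.255.255.255
line con 0
line vty 0 4
 access-class 10 in
 access-class 10 out
line vty 5 9
 access-class 20 out
"""

_LINE_RE = re.compile(r'^line (\S+) (\d+)(?: (\d+))?$')
_CLASS_RE = re.compile(r'^access-class (\S+) (in|out)\b', re.I)
_ACL_RE = re.compile(r'^access-list (\S+) (permit|deny)\b', re.I)


def parse_config(config):
    """Map vty number -> {'in': acl, 'out': acl}; map acl -> list of its actions."""
    vty, acls, current = {}, {}, []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith('!'):
            continue
        if not raw[0].isspace():      # a top-level command ends the current line stanza
            current = []
        m = _LINE_RE.match(text)
        if m:                         # only vty stanzas are audited; con/aux are skipped
            lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
            current = list(range(lo, hi + 1)) if m.group(1) == 'vty' else []
            for n in current:
                vty.setdefault(n, {'in': None, 'out': None})
        elif (m := _ACL_RE.match(text)):
            acls.setdefault(m.group(1), []).append(m.group(2).lower())
        elif (m := _CLASS_RE.match(text)):
            for n in current:         # the filter applies to every line in the stanza's range
                vty[n][m.group(2).lower()] = m.group(1)
    return vty, acls


def audit_vty_filters(config):
    """Flag vty lines missing an in/out access-class, undefined ACLs, and ACLs that permit nothing."""
    vty, acls = parse_config(config)
    referenced = {v[d] for v in vty.values() for d in ('in', 'out') if v[d]}
    return {
        'unfiltered_in': sorted(n for n, v in vty.items() if v['in'] is None),
        'unfiltered_out': sorted(n for n, v in vty.items() if v['out'] is None),
        'undefined_acls': sorted(a for a in referenced if a not in acls),
        # A standard ACL with only deny entries ends in the implicit deny, so it rejects every session.
        'deny_all_acls': sorted(a for a in referenced if a in acls and 'permit' not in acls[a]),
    }
```

Running audit_vty_filters(SAMPLE_CONFIG) reports vty 5 to 9 as unfiltered inbound, ACL 20 as undefined, and ACL 10 as a deny-all filter.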
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9538&t=9292