I would think that is a bug in the 12.0 code. Back in the old days, prior to the "in" keyword option, when applying an "ip access-group" to an interface all access-lists were outgoing only. I can't recall when the in/out keywords came into existence but I'm pretty sure it was 11.something.
Dave

"Hire, Ejay" wrote:
>
> I have more information on this.
>
> On my 11.0.22 IOS AGS, an inbound access-list has no effect on Telnet
> traffic. The access-class has to be applied on the vty 0 x interface.
> On the 12.0 IOS 25xx's on r1r2.com, an inbound access-list STOPS Telnet
> traffic. (Both for the interface IP and a loopback IP.)
>
> I am assuming that this is a "feature" that Cisco fixed sometime in the last
> 1.5 years.
>
> -----Original Message-----
> From: MADMAN [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 18, 2002 1:05 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Dening telnet access [7:35628]
>
> I know it does. I have, even fairly recently, locked myself out of a
> router via an inbound access list applied to an interface, DOH :( Try
> again and if it doesn't work I would like to see the config.
>
> Are you sure the interface on which you applied the access list is the
> interface you were telnetting to/thru??
>
> Dave
>
> Patrick Ramsey wrote:
> >
> > really? I have had no luck using inbound acl's to control telnet to the
> > router...I always have to use acc's on the vty's
> >
> > Is there a trick to this?
> >
> > -Patrick
> >
> > >>> MADMAN 02/18/02 12:16PM >>>
> > Actually telnet packets are processed by inbound access-list. Now if
> > you're referring to outbound access-lists then you would be correct.
> >
> > Dave
> >
> > "Hire, Ejay" wrote:
> > >
> > > Because telnet packets destined for the router are not normally processed
> > > by access-lists. (I don't understand why not, but hey...)
> > >
> > > instead do this
> > >
> > > access-list y deny xx.xx.xx.xx xx.xx.xx.xx
> > >
> > > line vty 0 n (n = the results of a ?, usually 4)
> > > access-class y in
> > >
> > > -----Original Message-----
> > > From: McHugh Randy [mailto:[EMAIL PROTECTED]]
> > > Sent: Saturday, February 16, 2002 4:49 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Dening telnet access [7:35628]
> > >
> > > Access list problem:
> > >
> > > Why does this extended access list not work to deny telnet access applied
> > > to the internet interface on a 2514?
> > >
> > > Extended IP access list 199
> > > deny tcp any any eq telnet
> > >
> > > interface Ethernet0
> > >
> > > ip access-group 199 in
> > >
> > > I have a lot more statements than this and of course the statement
> > > access-list 199 permit ip any any
> > >
> > > to take care of the implicit deny all, but I can still access the router
> > > from the internet through telnet.
> > > Anyone have any ideas what else might be needed to prevent or selectively
> > > allow telnet access to my router.
> > > Thanks,
> > > Randy
> > --
> > David Madland
> > Sr. Network Engineer
> > CCIE# 2016
> > Qwest Communications Int. Inc.
> > [EMAIL PROTECTED]
> > 612-664-3367
> >
> > "Emotion should reflect reason not guide it"

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35766&t=35628
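Added example, not part of the original thread or of any poster's code: since the posters report that an inbound interface ACL stops router-destined Telnet on some IOS releases but not others, this Python sketch audits a saved running-config for the control the thread agrees on, an inbound access-class on every vty line. The sample config, the ACL number 10, the 192.0.2.0/24 management range and the function name audit_vty are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the thread): Ethernet0 carries
# the thread's inbound ACL 199, but only vty 0 2 have an access-class.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip access-group 199 in
!
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 199 deny tcp any any eq telnet
access-list 199 permit ip any any
!
line vty 0 2
 access-class 10 in
 login
line vty 3 4
 login
"""

def audit_vty(config):
    """Return (vty_range, problem) for vty lines without a usable inbound access-class."""
    # ACL names/numbers defined anywhere in the config (numbered and named forms).
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    defined |= set(re.findall(r"^ip access-list \S+ (\S+)", config, re.M))
    findings, current, guarded = [], None, False

    def close():
        # Called when a block ends: report a vty range that had no access-class.
        if current is not None and not guarded:
            findings.append((current, "no inbound access-class"))

    for line in config.splitlines():
        if not line.startswith(" "):      # a top-level line ends the previous block
            close()
            m = re.match(r"line vty (\d+(?: \d+)?)", line)
            current, guarded = (m.group(1) if m else None), False
        elif current is not None:         # sub-command inside a "line vty" block
            m = re.match(r"\s+access-class (\S+) in\b", line)
            if m:
                guarded = True
                if m.group(1) not in defined:
                    findings.append((current, "access-class %s references undefined ACL" % m.group(1)))
    close()
    return findings

if __name__ == "__main__":
    for vty, problem in audit_vty(SAMPLE_CONFIG):
        print("line vty %s: %s" % (vty, problem))
```

On the sample, vty 3 4 is reported: the interface ACL 199 is present, but those lines have no access-class of their own, so Telnet to them depends entirely on how that IOS release applies the interface ACL.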