Because telnet packets destined for the router are not normally processed by
access-lists. (I don't understand why not, but hey...)
Instead do this:
access-list y deny xx.xx.xx.xx xx.xx.xx.xx
line vty 0 n (n = the results of a ?, usually 4)
access-class y
-Original Message-
From:
Actually telnet packets are processed by inbound access-list. Now if
you're referring to outbound access-lists then you would be correct.
Dave
Hire, Ejay wrote:
Because telnet packets destined for the router are not normally processed by
access-lists. (I don't understand why not, but
Really? I have had no luck using inbound acl's to control telnet to the
router...I always have to use acc's on the vty's
Is there a trick to this?
-Patrick
MADMAN 02/18/02 12:16PM
Actually telnet packets are processed by inbound access-list. Now if
you're referring to outbound access-lists
I know it does. I have, even fairly recently, locked myself out of a
router via an inbound access list applied to an interface, DOH :( Try
again and if it doesn't work I would like to see the config.
Are you sure the interface on which you applied the access list is the
interface you were
To filter telnet packets to the router it is necessary to apply access
lists to the vty lines with the access-class command.
Kind Regards,
Tim Booth
MCDBA, CCNP, CCDP, CCIE written
-
Those who would give up essential liberty to purchase a little temporary
, and a loopback ip.)
I am assuming that this is a feature that Cisco fixed sometime in the last
1.5 years.
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
I know it does. I have
-list was
applied to you WOULD get in. Only an access-class applied
To the VTY ports will stop that.
Thanks
Larry
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
I know
Not true, that is a way not the way.
Dave
Tim Booth wrote:
To filter telnet packets to the router it is necessary to apply access
lists to the vty lines with the access-class command.
Kind Regards,
Tim Booth
MCDBA, CCNP, CCDP, CCIE written
-
[mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
I know it does. I have, even fairly recently, locked myself out of a router
via an inbound access list applied to an interface, DOH :( Try again and if
it doesn't
for the interface Ip, and a loopback ip.)
I am assuming that this is a feature that Cisco fixed sometime in the last
1.5 years.
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7
o:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
I know it does. I have, even fairly recently, locked myself out of a router
via an inbound access list applied to an interface, DOH :( Try again and if
it
that.
Thanks
Larry
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
I know it does. I have, even fairly recently, locked myself out of a router
via an inbound access
was
applied to you WOULD get in. Only an access-class applied
To the VTY ports will stop that.
Thanks
Larry
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
I know
on the 172.28.64.11 subnet and show me this getting
dropped.
Thanks
Larry
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 3:21 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
Not in my world:
interface
ill stop that.
Thanks
Larry
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
I know it does. I have, even fairly recently, locked myself out of a
Larry
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
I know it does. I have, even fairly recently, locked myself out of a
router
via an inbound access list
dropped.
Thanks
Larry
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 3:21 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
Not in my world:
interface Ethernet4/0/0
bandwidth 1000
ip address
machine on the 172.28.64.11 subnet and show me this getting
dropped.
Thanks
Larry
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 3:21 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628
, not always the right way.
Thanks
Larry
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 4:42 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
Here's the proof:
interface FastEthernet0/0
ip address
ROTECTED]]
Sent: Monday, February 18, 2002 4:42 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]
Here's the proof:
interface FastEthernet0/0
ip address 172.28.64.28 255.255.255.192
ip access-group 150 in
ip directed-broadcast
duplex auto
sp
-
From: Roberts, Larry
To:
Sent: Monday, February 18, 2002 9:00 PM
Subject: RE: Dening telnet access [7:35628]
And for reference:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#xtocid1
Note that your source address is NOT on the same Ethernet subnet
Not sure of your network topology but it looks as if all you have done is to
prevent users on the ethernet interface from using telnet. You can apply an
'access-class' (which works identically to access-group on a physical
interface) to your vty lines to restrict telnet access from outside into
Are you wanting to deny telnet through the router, or to the router?
If you are wanting to deny access to the router,
You should create a standard access-list and apply that to the vty
interfaces.
Access-list 10 deny any
Line vty 0 4
access-class 10 in
Thanks
Larry
-Original
if your internet connection is via ether0, this would work, but if it is
via serial, you want it inbound on the net connected serial int.
Brian
On Sat, 16 Feb 2002, McHugh Randy wrote:
Access list problem:
Why does this extended access list not work to deny telnet access applied to