Access-List line vty 0 4

Discussion in 'Cisco' started by mpeterson711@comcast.net, Jun 13, 2005.

  1. Guest

    Hi
    I have a strange problem with an access list.
    I am using a Cisco 1751 router with 12.1 IOS.
    My problem is that as soon as I apply the access-list to restrict
    telnet access it is denying all access to telnet regardless of the
    permit command. I can ping the device, no problem. I am accessing the
    device from 192.168.10.11; this should allow me and any device specified
    in the list to telnet, correct?

    access-list 91 permit 192.168.10.11
    access-list 91 permit 192.168.10.12
    access-list 91 permit 192.168.10.13
    access-list 91 permit 192.168.10.14
    access-list 91 permit 192.168.10.15


    line vty 0 4
    access-class 91 in
    privilege level 2
    password xxxxxxxxxxxxxx
    login

    end

    Any help would be appreciated.
    , Jun 13, 2005
    #1

  2. Juan Carlos Guest

    Hi,
    Can you answer the following:

    - Where is the host (192.168.10.11) in your network?
    - Do you test the extended ping of your router?
    - You say: I can ping... so the ICMP packet is analyzed on the physical
    interfaces, not on the vty interfaces. Remember: it is a standard ACL
    (no upper protocols).

    Please give me more information.

    Regards
    Juan Carlos Spichiger
    Juan Carlos, Jun 14, 2005
    #2

  3. Guest

    The address 192.168.10.11 is located on the LAN.
    This router is located in our DMZ, the address of the DMZ is
    172.16.10.x
    All access through the vty is denied while this access list is in
    place.
    What other information will help?

    Juan Carlos wrote:
    > Hi,
    > Can you answer the following:
    >
    > - Where is the host (192.168.10.11) in your network?
    > - Do you test the extended ping of your router?
    > - You say: I can ping... so the ICMP packet is analyzed on the physical
    > interfaces, not on the vty interfaces. Remember: it is a standard ACL
    > (no upper protocols).
    >
    > Please give me more information.
    >
    > Regards
    > Juan Carlos Spichiger
    , Jun 14, 2005
    #3
  4. In article <>,
    wrote:

    > The address 192.168.10.11 is located on the LAN.
    > This router is located in our DMZ, the address of the DMZ is
    > 172.16.10.x
    > All access through the vty is denied while this access list is in
    > place.
    > What other information will help?


    Is there any NAT being done? Maybe the router is seeing a translated
    address rather than the original 192.168.10.11 address.

    There's probably a debugging option you can enable that will log a
    message when the vty is refusing a telnet, but I don't know what it is
    offhand.

    >
    > Juan Carlos wrote:
    > > Hi,
    > > Can you answer the following:
    > >
    > > - Where is the host (192.168.10.11) in your network?
    > > - Do you test the extended ping of your router?
    > > - You say: I can ping... so the ICMP packet is analyzed on the physical
    > > interfaces, not on the vty interfaces. Remember: it is a standard ACL
    > > (no upper protocols).
    > >
    > > Please give me more information.
    > >
    > > Regards
    > > Juan Carlos Spichiger


    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Jun 14, 2005
    #4
  5. Juan Carlos Guest

    Please

    give more information.

    Post the running-config, without the password, of course.

    regards
    Juan Carlos
    Juan Carlos, Jun 14, 2005
    #5
  6. Guest

    Building configuration...

    Current configuration : 1132 bytes
    !
    version 12.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname
    !
    boot-start-marker
    boot-end-marker
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    !
    !
    !
    !
    ip cef
    no ip domain lookup
    !
    !
    !
    !
    interface FastEthernet0/0
    description Connected to DMZ
    ip address 172.16.10.110 255.255.0.0
    speed auto
    !
    interface Serial0/0
    description Connected Not configured
    ip address
    encapsulation frame-relay IETF
    no fair-queue
    service-module t1 remote-alarm-enable
    frame-relay interface-dlci 16
    !
    ip classless
    ip route 172.16.10.21 255.255.255.255 172.16.10.1
    no ip http server
    !
    !
    access-list 91 permit 192.168.10.11
    access-list 91 permit 192.168.10.12
    access-list 91 permit 192.168.10.13
    access-list 91 permit 192.168.10.14
    access-list 91 permit 192.168.10.15
    snmp-server community public RO
    snmp-server enable traps tty
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    access-class 91 in
    privilege level 2

    login
    !
    end


    Juan Carlos wrote:
    > Please
    >
    > give more information.
    >
    > Post the running-config, without the password, of course.
    >
    > regards
    > Juan Carlos
    , Jun 14, 2005
    #6
  8. Juan Carlos Guest

    Do you have NAT on the other side?

    Use the traceroute command from the other router and check the trace.

    regards
    Juan Carlos, Jun 17, 2005
    #8
  9. Hi,

    wrote:

    > !
    > interface FastEthernet0/0
    > description Connected to DMZ
    > ip address 172.16.10.110 255.255.0.0
    > speed auto

    so, this is the DMZ, right?
    > !
    > interface Serial0/0
    > description Connected Not configured
    > ip address
    > encapsulation frame-relay IETF
    > no fair-queue
    > service-module t1 remote-alarm-enable
    > frame-relay interface-dlci 16


    Where does the Serial0/0 point to? Towards the external net or towards
    the internal net?
    > !
    > ip classless
    > ip route 172.16.10.21 255.255.255.255 172.16.10.1

    Huh? You mean that to reach ONE address inside the DMZ address range
    (172.16.0.0/16) the packet should be sent to ANOTHER address in that range?
    Well, strange, methinks.

    Anyway. I do not see ANY route towards 192.168.10.x, nor do I see a way
    towards the internal network.
    Could it be that the DMZ is connected via a firewall which is, by
    default, doing NAT (as the use of private addressing implies)?

    Please remove the access-list, enable the proper debugging for telnet
    access and THEN do the telnet.
    What source address do you see then?
    Alternatively:
    the last access-list statement should be
    access-list 91 deny any log

    Apply that one and have a look at the log statements. They show the
    source IP as well.
    Mathias
    > no ip http server
    > !
    > !
    > access-list 91 permit 192.168.10.11
    > access-list 91 permit 192.168.10.12
    > access-list 91 permit 192.168.10.13
    > access-list 91 permit 192.168.10.14
    > access-list 91 permit 192.168.10.15
    > snmp-server community public RO
    > snmp-server enable traps tty
    > !
    > control-plane
    > !
    > !
    > line con 0
    > line aux 0
    > line vty 0 4
    > access-class 91 in
    > privilege level 2
    >
    > login
    > !
    > end
    >
    >
    > Juan Carlos wrote:
    >
    >>Please
    >>
    >>give more information.
    >>
    >>post the running-config...... without the passworf, off course.
    >>
    >>regards
    >>Juan Carlos

    >
    >


    --
    CCIE #11220
    Everything written is MY opinion only, not the one of my company or
    employer unless otherwise noted

    The early bird gets the worm, but the second mouse gets the cheese

    My signature is certified by Fraunhofer Society.
    The root-ca IS trusted but the browser-manufacturers want big $ to have
    it included
    Mathias Gaertner, Jun 22, 2005
    #9
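    Mathias's "deny any log" suggestion, worked through as an added example that is not part of the thread: a small Python model of how IOS walks standard ACL 91 against a telnet source (first match wins, implicit deny at the end), plus a parser for the %SEC-6-IPACCESSLOGS lines such an entry writes. The log lines and the 172.16.10.1 translated source are constructed for illustration.

```python
import ipaddress
import re

# Standard ACL 91 as posted in the thread, rebuilt as (action, address, wildcard)
# tuples; a bare host address in IOS carries the 0.0.0.0 wildcard.
ACL_91 = [("permit", f"192.168.10.{h}", "0.0.0.0") for h in range(11, 16)]

# Mathias's suggested final entry: an explicit "deny any log" so refused sources show up.
ACL_91_LOGGED = ACL_91 + [("deny", "0.0.0.0", "255.255.255.255")]


def wildcard_match(entry_addr: str, wildcard: str, src: str) -> bool:
    """Cisco wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    entry = int(ipaddress.IPv4Address(entry_addr))
    return (entry & care) == (int(ipaddress.IPv4Address(src)) & care)


def evaluate(acl, src: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for action, addr, wildcard in acl:
        if wildcard_match(addr, wildcard, src):
            return action
    return "deny"


# Constructed log lines in the %SEC-6-IPACCESSLOGS format that a logged standard ACL
# emits; 172.16.10.1 stands in for the address a NAT firewall would present.
SAMPLE_LOG = """\
*Jun 22 10:15:01.123: %SEC-6-IPACCESSLOGS: list 91 denied 172.16.10.1 1 packet
*Jun 22 10:16:31.456: %SEC-6-IPACCESSLOGS: list 91 denied 172.16.10.1 3 packets
"""
LOG_RE = re.compile(r"%SEC-6-IPACCESSLOGS: list (\d+) (permitted|denied) (\d+(?:\.\d+){3})")


def denied_sources(log_text: str):
    """Return the distinct source addresses the logged ACL refused, in order seen."""
    seen = []
    for m in LOG_RE.finditer(log_text):
        if m.group(2) == "denied" and m.group(3) not in seen:
            seen.append(m.group(3))
    return seen


def diagnose(log_text: str, acl=ACL_91_LOGGED):
    """Map each refused source to the ACL verdict; a refused source that is not one of
    the permitted hosts is the sign that NAT rewrote the address before the vty saw it."""
    return {src: evaluate(acl, src) for src in denied_sources(log_text)}


if __name__ == "__main__":
    print(evaluate(ACL_91, "192.168.10.11"))  # permit: the host the poster telnets from
    print(evaluate(ACL_91, "172.16.10.1"))    # deny: translated source is not in the list
    print(diagnose(SAMPLE_LOG))               # {'172.16.10.1': 'deny'}
```

    If the log shows a source like the firewall's own address rather than 192.168.10.11, the access-class is working as written and the permit entries need the post-translation address instead.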
  10. In article <d9b3v7$sma$-darmstadt.de>,
    Mathias Gaertner <> wrote:

    > Hi,
    >
    > schrieb:
    >
    > > !
    > > interface FastEthernet0/0
    > > description Connected to DMZ
    > > ip address 172.16.10.110 255.255.0.0
    > > speed auto

    > so, this is the DMZ, right?
    > > !
    > > interface Serial0/0
    > > description Connected Not configured
    > > ip address
    > > encapsulation frame-relay IETF
    > > no fair-queue
    > > service-module t1 remote-alarm-enable
    > > frame-relay interface-dlci 16

    >
    > Where does the Serial0/0 point to? Towards the external net or towards
    > the internal net?
    > > !
    > > ip classless
    > > ip route 172.16.10.21 255.255.255.255 172.16.10.1

    > Huh? You mean, that to reach ONE address inside the dmz-addressrange
    > (172.16.0.0/16) the packet should be sent to ANOTHER address in that range?
    > Well, strange, me thinks.


    I've done this when 172.16.10.1 is a firewall with a redirect for
    172.16.10.21, and for some reason it wasn't properly proxy-ARPing for
    the redirected address. You could also configure a static ARP entry,
    but IP addresses tend to be more stable than MAC addresses.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Jun 22, 2005
    #10
