access list problem

Discussion in 'Cisco' started by tony, Aug 25, 2006.

    tony Guest

    I am trying to restrict telnet to a switch from one host only

    so I did

    access-list 1 permit host 10.10.10.5

    line vty 0 4
    access-class 1 in

    but another host on the 10.10.10.x net can still telnet to the switch

    What is wrong?
     
    tony, Aug 25, 2006
    #1

    Doan Guest

    What does a "show line" say?

    Doan
     
    Doan, Aug 25, 2006
    #2

    tony Guest

    Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
      0 CTY       -     -    -    -    -    0     0        0   -
    * 1 VTY       -     -    -    -    1   15     0        0   -
      2 VTY       -     -    -    -    1    4     0        0   -
      3 VTY       -     -    -    -    1    0     0        0   -
      4 VTY       -     -    -    -    1    0     0        0   -
      5 VTY       -     -    -    -    1    0     0        0   -
      6 VTY       -     -    -    -    -    0     0        0   -
      7 VTY       -     -    -    -    -    0     0        0   -
      8 VTY       -     -    -    -    -    0     0        0   -
      9 VTY       -     -    -    -    -    0     0        0   -
     10 VTY       -     -    -    -    -    0     0        0   -
     11 VTY       -     -    -    -    -    0     0        0   -
     12 VTY       -     -    -    -    -    0     0        0   -
     13 VTY       -     -    -    -    -    0     0        0   -
     14 VTY       -     -    -    -    -    0     0        0   -
     15 VTY       -     -    -    -    -    0     0        0   -
     16 VTY       -     -    -    -    -    0     0        0   -
     
     
    tony, Aug 25, 2006
    #3

    Doan Guest

    There is your problem. You have more than 5 VTY lines!
    Try vty 0 16
    access-class 1 in

    Doan
     
    Doan, Aug 25, 2006
    #4

    tony Guest

    It still does not work

    Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
      0 CTY       -     -    -    -    -    0     0        0   -
    * 1 VTY       -     -    -    -    1   16     0        0   -
    * 2 VTY       -     -    -    -    1    7     0        0   -
      3 VTY       -     -    -    -    1    0     0        0   -
      4 VTY       -     -    -    -    1    0     0        0   -
      5 VTY       -     -    -    -    1    0     0        0   -
      6 VTY       -     -    -    -    1    0     0        0   -
      7 VTY       -     -    -    -    1    0     0        0   -
      8 VTY       -     -    -    -    1    0     0        0   -
      9 VTY       -     -    -    -    1    0     0        0   -
     10 VTY       -     -    -    -    1    0     0        0   -
     11 VTY       -     -    -    -    1    0     0        0   -
     12 VTY       -     -    -    -    1    0     0        0   -
     13 VTY       -     -    -    -    1    0     0        0   -
     14 VTY       -     -    -    -    1    0     0        0   -
     15 VTY       -     -    -    -    1    0     0        0   -
     16 VTY       -     -    -    -    1    0     0        0   -
     
    tony, Aug 25, 2006
    #5
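The two "show line" listings above are where Doan spots the gap: an AccI value appears only on the first five VTY rows in post #3, and on all sixteen after the change in post #5. As an added example (not code from the thread), here is a small Python parser for that output that reports which VTY lines carry no inbound access-class and which line currently has a session on it. The sample output is constructed to mirror post #3, with the Tx/Rx column blank as it is there; the column positions are counted from the right for that reason. In this output the Tty column is the absolute line number, so Tty 1 through 5 are the lines covered by `line vty 0 4`.

```python
import re

# Constructed sample modelled on the "show line" output in post #3:
# AccI is set only on Tty 1-5 (vty 0 4), the rest of the VTYs are unfiltered.
SHOW_LINE = """\
    Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
      0 CTY       -     -    -    -    -    0     0        0   -
    * 1 VTY       -     -    -    -    1   15     0        0   -
      2 VTY       -     -    -    -    1    4     0        0   -
      3 VTY       -     -    -    -    1    0     0        0   -
      4 VTY       -     -    -    -    1    0     0        0   -
      5 VTY       -     -    -    -    1    0     0        0   -
      6 VTY       -     -    -    -    -    0     0        0   -
      7 VTY       -     -    -    -    -    0     0        0   -
      8 VTY       -     -    -    -    -    0     0        0   -
      9 VTY       -     -    -    -    -    0     0        0   -
     10 VTY       -     -    -    -    -    0     0        0   -
     11 VTY       -     -    -    -    -    0     0        0   -
     12 VTY       -     -    -    -    -    0     0        0   -
     13 VTY       -     -    -    -    -    0     0        0   -
     14 VTY       -     -    -    -    -    0     0        0   -
     15 VTY       -     -    -    -    -    0     0        0   -
     16 VTY       -     -    -    -    -    0     0        0   -
"""


def parse_show_line(output):
    """Return one dict per terminal line: tty number, type, inbound access-class, uses, active."""
    rows = []
    for raw in output.splitlines():
        active = raw.lstrip().startswith("*")        # '*' marks a line with a session on it
        toks = raw.replace("*", " ").split()
        if len(toks) < 9 or not toks[0].isdigit():   # skips the header row and blanks
            continue
        # Tx/Rx is blank on CTY/VTY rows, so the fixed columns are counted from
        # the right: ... AccO AccI Uses Noise Overruns Int
        rows.append({
            "tty": int(toks[0]),
            "typ": toks[1],
            "acc_in": None if toks[-5] == "-" else toks[-5],   # AccI column
            "uses": int(toks[-4]),                               # Uses column
            "active": active,
        })
    return rows


def vtys_without_acc_in(output):
    """VTY lines showing AccI '-': a session that lands on one of these is not filtered at all."""
    return [r["tty"] for r in parse_show_line(output)
            if r["typ"] == "VTY" and r["acc_in"] is None]


def active_lines(output):
    """Lines currently carrying a session (the rows flagged with '*')."""
    return [r["tty"] for r in parse_show_line(output) if r["active"]]


if __name__ == "__main__":
    print("VTY lines with no inbound access-class:", vtys_without_acc_in(SHOW_LINE))
    print("lines with an active session:", active_lines(SHOW_LINE))
```

Feeding the post #5 listing through the same parser returns an empty list for `vtys_without_acc_in`, which is the state Doan wanted to see before moving on to the ACL itself.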

    Doan Guest

    Can you do a "show access-list 1"?

    Doan


     
    Doan, Aug 26, 2006
    #6

    Hansang Bae Guest

    can you even use access-class on a switch???

    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Aug 26, 2006
    #7

    chris Guest

    Yes. All of my switches use an access class on the vty lines.

    Chris.
     
    chris, Aug 26, 2006
    #8

    The Dude Guest

    I am sorry, I am not following here: you are trying to restrict with the
    command "permit", and I also do not see the command deny tcp eq 23 (telnet) ....

    The Dude
     
    The Dude, Aug 26, 2006
    #9

    Doan Guest

    So when you telnetted in from other machines, which vty line did it come
    in on (the vty line that has *)? Also, are there any other entries in
    your access-list 1?

    Doan
     
    Doan, Aug 26, 2006
    #10

    Doan Guest

    He is permitting one host, the implicit deny at the end of every
    access-list will deny the rest. He is using standard access-list (1-99),
    not extended access-list.

    Doan
     
    Doan, Aug 26, 2006
    #11

    The Dude Guest

    Ooops, "telnet" got stuck in my mind and missed 1 in access-list 1
    Thanks for the feedback!

    The Dude
     
    The Dude, Aug 27, 2006
    #12

    Guest Guest

    Your switch may have vty 0 15 defined. You should check this.
    And probably you applied the restriction only to the first 5 vty's.


    FW
     
    Guest, Aug 27, 2006
    #13

    layer3 Guest

    The reason it is not working is because it is a standard ACL. It should
    state: access-list 101 deny tcp (source IP) (destination IP) eq 23, and it
    needs to be placed closest to the source.
     
    layer3, Aug 27, 2006
    #14

    Merv Guest

    Merv, Aug 27, 2006
    #15

    tony Guest

    Here is part of the config


    access-list 1 permit 10.10.10.5
    access-list 1 deny any
    !
    line con 0
    line vty 0 4
    access-class 1 in
    password 7 xxxxxxxxxxxx
    login
    line vty 5 15
    access-class 1 in
    login

    From host 10.10.10.5 I can telnet in.

    From host 10.10.10.6 I can still telnet in

    why?
     
    tony, Aug 28, 2006
    #16
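The config fragment above, together with the one in post #1, is the kind of thing an auditor wants to check mechanically rather than by eye. As an added example (not code from the thread or from Cisco), here is a Python script that parses such a fragment and reports two things: which vty lines have no inbound access-class, which is Doan's point in #4, and what the standard ACL decides for a given source address, applying the implicit deny Doan describes in #11. The sample configs are constructed from tony's two posts; the assumption of 16 vty lines (matching the sixteen VTY rows in his "show line" output), the function names, and the choice to treat an access-class that names an undefined list as permitting everything are mine, not the thread's. Run against the #16 fragment the audit reports every vty covered and 10.10.10.6 denied, so the configuration as posted cannot by itself explain what tony sees; that is why the next useful step is to look for hit counts on the list, as Doan asks in #20.

```python
import ipaddress
import re

# Constructed sample: the fragment tony posted in #16 (access-class on all 16 vty lines).
CONFIG_FULL = """\
access-list 1 permit 10.10.10.5
access-list 1 deny any
!
line con 0
line vty 0 4
 access-class 1 in
 password 7 xxxxxxxxxxxx
 login
line vty 5 15
 access-class 1 in
 login
"""

# Constructed sample: the configuration from post #1, which only restricts vty 0 4.
CONFIG_PARTIAL = """\
access-list 1 permit host 10.10.10.5
line vty 0 4
 access-class 1 in
"""


def _source_network(spec):
    """Turn a standard-ACL source ("any", "host A", "A", "A wildcard") into a network."""
    toks = spec.split()
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32")
    if len(toks) == 1:                       # bare address, as in "permit 10.10.10.5"
        return ipaddress.ip_network(toks[0] + "/32")
    # Wildcard mask: invert it to obtain the netmask (contiguous masks only).
    wildcard = int(ipaddress.IPv4Address(toks[1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{toks[0]}/{netmask}", strict=False)


def parse_acls(config):
    """Map ACL number -> ordered list of (action, source network)."""
    acls = {}
    for raw in config.splitlines():
        m = re.match(r"^access-list (\S+) (permit|deny) (.+)$", raw.strip())
        if m:
            name, action, src = m.groups()
            acls.setdefault(name, []).append((action, _source_network(src)))
    return acls


def acl_decision(entries, src_ip):
    """First matching entry wins; the implicit deny at the end catches everything else."""
    if not entries:
        return "permit"   # assumption: an access-class naming an undefined list blocks nothing
    ip = ipaddress.ip_address(src_ip)
    for action, net in entries:
        if ip in net:
            return action
    return "deny"


def vty_access_classes(config, vty_count=16):
    """Map each vty number to the inbound access-class applied to it (None if none).

    vty_count=16 is an assumption matching the sixteen VTY rows in the "show line" output.
    """
    classes = {n: None for n in range(vty_count)}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = range(first, last + 1)
            continue
        if line.startswith("line "):        # con/aux sections carry no vty settings
            current = None
            continue
        m = re.match(r"^access-class (\S+) in$", line)
        if m and current is not None:
            for n in current:
                if n in classes:
                    classes[n] = m.group(1)
    return classes


def vtys_without_access_class(config, vty_count=16):
    """vty lines with no inbound access-class: any host that can reach the switch lands here."""
    return [n for n, acl in vty_access_classes(config, vty_count).items() if acl is None]


def vtys_open_to(config, src_ip, vty_count=16):
    """vty lines that would accept a session from src_ip under this configuration."""
    acls = parse_acls(config)
    return [n for n, acl in vty_access_classes(config, vty_count).items()
            if acl is None or acl_decision(acls.get(acl, []), src_ip) == "permit"]


if __name__ == "__main__":
    for label, cfg in (("post #1", CONFIG_PARTIAL), ("post #16", CONFIG_FULL)):
        print(label, "unrestricted vty:", vtys_without_access_class(cfg),
              "open to 10.10.10.6:", vtys_open_to(cfg, "10.10.10.6"))
```

For the #1 fragment the script lists vty 5 through 15 as open to 10.10.10.6; for the #16 fragment it lists none, and 10.10.10.5 is the only source the list permits. The `deny any` tony added is redundant with the implicit deny but harmless, and it has the advantage that `show access-list` then displays a hit counter for denied attempts.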

    tony Guest

    edu-cer-3750A#sh access-list 1
    Standard IP access list 1
    permit 10.10.10.5
    deny any
     
    tony, Aug 28, 2006
    #17

    Merv Guest

    What IOS version is being used?

    Please post the output of show version
     
    Merv, Aug 28, 2006
    #18

    tony Guest

    Cisco Internetwork Operating System Software
    IOS (tm) C3750 Software (C3750-I9-M), Version 12.1(11)AX, RELEASE SOFTWARE (fc3)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Mon 21-Apr-03 11:37 by madison
    Image text-base: 0x00003000, data-base: 0x006BA6CC

    ROM: Bootstrap program is C3750 boot loader
    BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.1(11r)AX, RELEASE SOFTWARE (fc1)

    edu-cer-3750A uptime is 10 weeks, 3 days, 23 hours, 35 minutes
    System returned to ROM by power-on
    System restarted at 17:33:00 UTC Thu Jun 15 2006
    System image file is "flash:c3750-i9-mz.121.11-AX/c3750-i9-mz.121.11-AX.bin"

    cisco WS-C3750G-24TS-S (PowerPC405) processor (revision B0) with 120822K/10240K bytes of memory.
    Processor board ID CAT0735X0X0
    Last reset from power-on
    1 Virtual Ethernet/IEEE 802.3 interface(s)
    28 Gigabit Ethernet/IEEE 802.3 interface(s)
    The password-recovery mechanism is enabled.
     
    tony, Aug 28, 2006
    #19

    Doan Guest

    Can you repeat the command after telnetting from 10.10.10.5 and other
    hosts? I want to see if you are getting any hits on the access-list 1.

    Doan
     
    Doan, Aug 28, 2006
    #20