Stuck on ACL

Dubuku57 · 07-02-2009, 10:38 PM

Hi,

When configuring ACL on a router interface to prevent telnet traffic, i wrote this ACL list:

access-list 101 deny tcp 5.1.1.10 0.0.0.0 5.1.3.0 0.0.0.255 eq telnet

access-list 101 permit any any
Router A: int eth0 (ethernet interface connects to the PCs)
Router A: ip access-group 101 in

My config is smth like this:
Router A connects to PC A(5.1.1.8/24), B(5.1.1.10/24)
Router B to PC C(5.1.2.10/2), PC D(5.1.2.20/24)
Router C to PC E(5.1.3.8/24), PC F(5.1.3.10/24)
RouterA--RouterB--RouterC

Now suddenly PC F is not able to telnet into PC B..Why is this so? Shouldnt it be just PC B not able to telnet PC E and PC F?

Thanks guys!

Danny0990 · 07-02-2009, 10:46 PM

to prevent telnet you need to apply the list to your vty

so you would be doing:

line vty 0 4
access-class _____ in
login

Forsaken_GA · 07-02-2009, 11:23 PM

without seeing your exact topology and all of the configs, I'd bet that your return traffic is getting bumped by the ACL

Dubuku57 · 07-03-2009, 12:19 AM

Hi Danny,

Doesnt this command 'access class' only apply is i want to restrict access to the router itself? But my acl is trying to restrict the telnet traffic to the PCs...Is it the same?

Actually im unabe to telnet from any PC to any PC.. do i need to set passwords on the vty lines of the routers?

Think im confusing myself...argh!

Forsaken_GA · 07-03-2009, 12:30 AM

if you're trying to telnet directly to your computers, they need to be running a telnet server to receive and process that traffic. most operating systems these days don't run a telnet daemon by default, it's something you have to enable on purpose (telnet is quite insecure, passwords are transmitted in clear text and can be sniffed on the wire, which is why ssh has replaced it for most of the world)

Setting passwords and access class on the router will only effect traffic destined for the router, not passing through it to another address

Dubuku57 · 07-03-2009, 10:49 PM

Oh! How do i find out if the telnet daemon is running on the PC? The error message when i try to telnet out is

"Connection to x.x.x.x is closed by foriegn host"(from anh PC to router) - this cus i din set the password i guess.
"Connection refused by remote host"(from PC F,C,etc to PC B,D,etc)
"Connection timed out;Remote host not responding" (from PC B to F only)

Is there any specific error message that can tell me which it is?

Thanks lot..

Forsaken_GA · 07-03-2009, 10:52 PM

while logged into that pc, drop to a command prompt and type

telnet localhost

if it tells you connection refused, you aint running a telnet daemon on that box

Dubuku57 · 07-04-2009, 12:17 PM

Oh okay, doesnt seem like telnet runs here.. Thanks!!

Dubuku57 · 07-04-2009, 12:35 PM

Since im unable to test this out, could you pls enlighten me on what the behaivour would be? Im thinking with the ACL(below), PC B wont be able to telnet PC E and F. But im wondering if PC E and F would be able to telnet into B? Like would returning traffic be blocked also(like in the case of HTTP)?

access-list 101 deny tcp 5.1.1.10 0.0.0.0 5.1.3.0 0.0.0.255 eq telnet

access-list 101 permit any any
Router A: int eth0 (ethernet interface connects to the PCs)
Router A: ip access-group 101 in

Thanks again!

Dubuku57 · 07-07-2009, 11:07 PM

Any advice on returning telnet(or any other traffic) for the above problem? Thanks so much...