[nsp] VTY ACL

Chris Griffin cgriffin at ufl.edu
Sun Jul 20 23:24:04 EDT 2003


The main reason we use extended ACLs is at the end:

access-list 101 deny ip any any log

-Chris
----- Original Message ----- 
From: "Rick Burts" <r.burts at earthlink.net>
To: <d.holloway at hill.com>
Cc: <cisco-nsp at puck.nether.net>
Sent: Sunday, July 20, 2003 10:19 PM
Subject: Re: [nsp] VTY ACL


> Damien
> 
> I think you will find it much easier to accomplish what you want with a 
> standard access list.
> 
> As someone else pointed out, be very careful with in and out when you 
> apply access-class.
> 
> I went through the exercise of access-class with extended access lists 
> a long time ago, got it to work, and do not know if the behavior of IOS 
> has changed (so may or may not still be the case, but I guess it still
> works). What I found was the key in getting extended access lists 
> to work was specifying the source address as 0.0.0.0. I was really 
> puzzled at that till I thought about it a while. The access-class out 
> is working when the vty session wants to go somewhere outside, at the 
> vty it knows where it wants to go but does not yet know which interface 
> it will use to get there, so it cannot know what the source address 
> will be.
> 
> I think you can get extended access lists to work with access-class, 
> but why would you want to use a more complex solution when a simple 
> solution is available?
> 
> Rick
> 
> Damien Holloway wrote:
> > 
> > I applied an ACL to the vty interface on a router
> > 
> > access-list 101 permit tcp host 10.1.1.1 host 10.2.2.2 eq telnet
> > 
> > line vty 0 4
> >  access-class 101 in
> > 
> > and the host 10.1.1.1  **cannot** telnet to the router on 10.2.2.2
> > 
> > BUT if I do this
> > 
> > access-list 101 permit tcp host 10.1.1.1 any eq telnet
> > 
> > line vty 0 4
> >  access-class 101 in
> > 
> > and the host 10.1.1.1  **can** telnet to the router on 10.2.2.2
> > 
> > Why would the first example NOT work???
> > 
> > I am confused
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> -- 
> Rick Burts     CCIE 4615  CCSI     Email: rburts at netcraftsmen.net 
> Chesapeake NetCraftsmen            410.573.9372  (office)
> 1070 Foxcroft Run                  443.994.0675  (cell)
> Annapolis, MD 21401                WWW: http://www.netcraftsmen.net 
> 
> With 8 CCIEs on staff Chesapeake NetCraftsmen offers services in 
> network consulting and training.  Our services include Network Design, 
> Implementation, Troubleshooting as well as Network Management.
> 
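
As an added worked example (not configuration posted by Chris, Rick or Damien), here is the standard-ACL form Rick recommends for the "in" direction, with the logging deny Chris relies on, next to the extended form from Damien's second (working) attempt. The ACL numbers 5, 6 and 101 beyond what the thread shows, the 10.2.0.0/16 destination range, and the `remark` lines are assumptions for illustration; the 10.1.1.1 management host comes from the original post.

```cisco
! --- Inbound vty filtering with a standard ACL (Rick's suggestion) ---
! A standard ACL only evaluates the source address, which is exactly what
! access-class in needs: the destination is the router itself.
access-list 5 remark Hosts allowed to open a session to the vty lines (example)
access-list 5 permit host 10.1.1.1
access-list 5 deny   any log
!
! --- Same intent with an extended ACL (Damien's working variant) ---
! The destination must be left as "any"; Damien found that a specific
! destination host did not match.  The final deny/log line is what Chris
! says makes the extended form worthwhile: every rejected attempt is logged.
access-list 101 permit tcp host 10.1.1.1 any eq telnet
access-list 101 deny   ip any any log
!
! --- Outbound vty filtering (Rick's in/out warning) ---
! access-class ... out restricts where a user already logged in to the vty
! may telnet *to* from the router, not who may reach the router.  A standard
! ACL matching the destination range is enough; 10.2.0.0/16 is assumed.
access-list 6 remark Destinations a logged-in user may telnet to (example)
access-list 6 permit 10.2.0.0 0.0.255.255
access-list 6 deny   any log
!
line vty 0 4
 ! pick ONE of the inbound lists; 5 is the simpler choice
 access-class 5 in
 access-class 6 out
```

To confirm the list is doing what you expect, generate one allowed and one disallowed telnet attempt and then read the counters with `show access-lists 5` (the matched entry shows a `(N matches)` count); the `log` keyword on the deny entry additionally produces a `%SEC-6-IPACCESSLOGS` syslog message for a standard list (`%SEC-6-IPACCESSLOGP` for the extended, port-aware list 101), which is the audit trail Chris's closing `deny ip any any log` is there to create. Note that `access-class` filters every vty transport, so the same list applies unchanged once `transport input` is moved from telnet to ssh.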

