[c-nsp] One Entry Point into Cisco network.

David Rothera david.rothera at gmail.com
Thu Dec 16 10:56:36 EST 2010


If you wanted to use an extended access list then you have got it the wrong way round: you have specified in access-list 111 that any host can connect to 192.168.1.1, when you should really put:

access-list 111 permit ip host 192.168.20.1 any log

And you do not need the second statement, unless you want to log denied requests, in which case your second line is correct.


On 16 Dec 2010, at 13:25, Oleg Gnedykh wrote:

> Hi Guys!
> 
> I want to create a network with one entry point.
> AFAIK it's a best practice for network design.
> For example, it may be some router with a Loopback interface.
> I've created Loop0 and an ACL, and attached it to "line vty"
> 
> interface Loopback10
> description ### Manage ###
> ip address 192.168.1.1 255.255.255.255
> 
> access-list 111 permit ip any host 192.168.1.1 log
> access-list 111 deny ip any any log
> 
> line vty 0 4
> access-class 111 in
> 
> 
> And as a result I get "connection refused":
> %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.168.20.1(2683) -> 0.0.0.0(23), 1 packet
> 192.168.20.1 is the local address of my PC.
> 
> What can I do?
> 
> With best regards, Oleg.
> 
> 
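The exchange above comes down to which addresses an access-list bound with `access-class ... in` actually sees. The logged line in the quoted post, `list 111 denied tcp 192.168.20.1(2683) -> 0.0.0.0(23)`, shows the source as the connecting PC and the destination as 0.0.0.0, not the loopback, so a permit that matches on `host 192.168.1.1` as the destination never fires and the connection falls through to the deny. The following simulator, an added example that is not part of the thread, parses the extended `access-list` lines as written in the thread (`any`, `host A.B.C.D`, `A.B.C.D wildcard`, an optional `eq <port>` and `log`), applies first-match semantics with the implicit deny, and evaluates both the original and the corrected ACL against the connection from the log. The destination address 0.0.0.0 for vty connections is an assumption taken from that log line; the helper names `parse_acl`, `evaluate` and `vty_packet` are this example's own.

```python
"""Simulate IOS evaluation of an extended access-list applied with
'access-class <n> in' on 'line vty'. Added example, not code from the thread.

Assumption (taken from the log line quoted in the thread): for an inbound
vty connection the ACL sees source = the connecting host and destination =
0.0.0.0, so rules that match on the router's loopback as destination never hit.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22}   # minimal subset of IOS port keywords


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" for a vty session
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches everything, otherwise exact match
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    log: bool


def _parse_addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tok[i].
    Returns (network, index of the next unread token)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # Cisco wildcard mask is the bitwise inverse of a netmask; invert it
    # explicitly so that a wildcard of 0.0.0.0 means a single host (/32).
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tok[i]}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [eq P] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue                      # ignore blank lines and comments
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            p = tok[i + 1]
            dport = PORT_NAMES.get(p, None) if not p.isdigit() else int(p)
            i += 2
        rules.append(Rule(action, proto, src, dst, dport, "log" in tok[i:]))
    return rules


def evaluate(rules, pkt):
    """First matching rule wins; the implicit deny at the end is never logged.
    Returns (action, logged)."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if s in r.src and d in r.dst:
            return r.action, r.log
    return "deny", False


def vty_packet(client_ip, dport=23):
    """A telnet/ssh attempt as the vty access-class sees it (dst = 0.0.0.0, assumed)."""
    return Packet(src=client_ip, dst="0.0.0.0", proto="tcp", dport=dport)


# Constructed inputs: the ACL from the question and the corrected one from the reply.
ACL_ORIGINAL = """
access-list 111 permit ip any host 192.168.1.1 log
access-list 111 deny ip any any log
"""
ACL_CORRECTED = "access-list 111 permit ip host 192.168.20.1 any log\n"

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("corrected", ACL_CORRECTED)):
        for client in ("192.168.20.1", "192.168.30.5"):
            action, logged = evaluate(parse_acl(acl), vty_packet(client))
            print(f"{name:9s} client {client:13s} -> {action} (log={logged})")
```

Run as a script it reports the original ACL denying 192.168.20.1 (with a log entry, which is exactly the `%SEC-6-IPACCESSLOGP` message in the thread) and the corrected ACL permitting it while silently dropping any other source. The same observation drives the usual design choice: since only the source address is meaningful here, a standard access-list listing the management hosts (or the jump host that is the single entry point) is the normal thing to bind with `access-class`; on the device, `show access-lists 111` gives per-entry hit counters to confirm which line is actually matching.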
