RE: Telnet to loopback only posted 08/12/2006


ip access-list standard VTY
 permit %lo0%

line vty 0 4
 access-class VTY in
 privilege level 15
 transport input telnet
 login


Or 

ip access-list extended VTY
 permit tcp any host %lo0% eq 23

line vty 0 4 
 access-class VTY in
 privilege level 15
 login

I think the key word of the question is to give level 15 access; the other
commands are just for completeness, and generally accomplish the same goal.

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
secondie
Sent: Friday, August 11, 2006 5:18 PM
To: Victor Cappuccio
Cc: 'ZeroFlash'; 'Patricia Loreal'; 'Cisco certification'
Subject: Re: Telnet to loopback only

For the sake of seeing why the extended ACL would not work, I placed a "deny 
any any log" on the access class and I noticed the following in the debug:

Mar  1 00:30:32.391: %SEC-6-IPACCESSLOGP: list vty-in denied tcp 192.168.1.32(2228) -> 0.0.0.0(23), 1 packet

Why is the destination changed from 1.1.1.1 to "0.0.0.0"?


Another question: seems like access-class out does not work at all. I 
tried placing deny any any, but it had no effect.

Any ideas ??


**** Config as below:

ip telnet source-interface Loopback0

interface Loopback0
  ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
  ip address 192.168.1.101 255.255.255.0
  duplex auto
  speed auto
!
ip access-list extended vty-in
  permit tcp any host 1.1.1.1 eq telnet log
  deny   ip any any log
!
line vty 0 4
  access-class vty-in in
  password a
  login

end

-secondie


Victor Cappuccio wrote:
> Hi Guys,
> 
> http://www.groupstudy.com/archives/ccielab/200604/msg01295.html
> 
> Zero, that does not seem to be working 
> 
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> ZeroFlash
> Sent: Friday, August 11, 2006 04:13 p.m.
> To: 'Patricia Loreal'; Cisco certification
> Subject: RE: Telnet to loopback only
> 
> I would actually use an extended ACL stating something like this:
> 
> Access-list 100 permit tcp any host 150.1.1.1 eq 23
> Access-list 100 permit tcp any host 150.1.2.2 eq 23
> Access-list 100 permit tcp any host 150.1.3.3 eq 23
> 
> line vty 0 4
> access-class 100 in
> 
> ZeroFlash
> CCIE #16217
> 
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> Patricia Loreal
> Sent: Friday, August 11, 2006 4:03 PM
> To: Cisco certification
> Subject: Telnet to loopback only
> 
> Dear Team!
> 
> Task says: "make telnet to loopback0 access with privilege 15". Easy
> enough, but IMO there is a catch here. The Loopbacks assigned to routers are:
> 
> 150.1.1.1/32
> 150.1.2.2/32
> 150.1.3.3/32
> 
> Should I permit all loopback address range at line vty in using a standard
> access-list?
> 
> access-list 1 permit 150.1.1.1
> access-list 1 permit 150.1.2.2
> access-list 1 permit 150.1.3.3
> 
> line vty 0 4
> access-class 1 in
> 
> Opinions about this are highly appreciated
> 
> Thanks
> Patricia
> 
> _______________________________________________________________________
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html
> 

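To see why secondie's extended access-class could never match, here is a small Python evaluator of IOS extended ACL syntax (an added example, not part of the thread and not how IOS implements it). It parses the vty-in list from the config above and applies it to the connection exactly as the %SEC-6-IPACCESSLOGP line recorded it, with destination 0.0.0.0, and then to the same connection with the loopback address the author expected; the port-name table and the wildcard-to-prefix conversion are assumptions for this toy.

```python
import ipaddress

# Constructed input: the extended ACL from secondie's config (log keyword kept).
VTY_IN = """
permit tcp any host 1.1.1.1 eq telnet log
deny   ip any any log
"""

PORT_NAMES = {"telnet": 23}  # assumption: only the name this thread uses


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wild = tokens[0], tokens[1]
    # Wildcard mask -> prefix length (assumes a contiguous wildcard).
    prefix = 32 - bin(int(ipaddress.ip_address(wild))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT'; returns (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        return int(PORT_NAMES.get(tokens[1], tokens[1])), tokens[2:]
    return None, tokens


def parse_extended_acl(text):
    """Turn ACL lines into (action, proto, src, sport, dst, dport) entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        src, t = _parse_addr(t[2:])
        sport, t = _parse_port(t)
        dst, t = _parse_addr(t)
        dport, t = _parse_port(t)   # trailing 'log' is ignored
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, p, s, sp, d, dp in acl:
        if p != "ip" and p != proto:
            continue
        if ipaddress.ip_address(src) not in s or ipaddress.ip_address(dst) not in d:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"


def check_logged_packet():
    """Returns (result for the packet as logged, result with the real loopback dst)."""
    acl = parse_extended_acl(VTY_IN)
    as_logged = evaluate(acl, "tcp", "192.168.1.32", 2228, "0.0.0.0", 23)
    as_expected = evaluate(acl, "tcp", "192.168.1.32", 2228, "1.1.1.1", 23)
    return as_logged, as_expected  # ('deny', 'permit')
```

With the destination recorded as 0.0.0.0, only the catch-all deny can match, which is exactly the denial the debug printed.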