CCNA Certification Lab: Using Access Lists With Telnet
Comment or question? Contact me on Twitter or Facebook!
Access lists are a great way to nail down who can and can’t telnet to a Cisco device. Access list logic is the same as in our standard ACL and extended ACL labs, but the command to apply an ACL to VTY lines is a bit different.
In this lab, we’ll use our 172.12.123.0 /24 network:
With the following config on R1, any user can telnet to R1 with the password brewing and that user would be put straight into enable mode, courtesy of the privilege level 15 command.
R1(config)#line vty 0 4 R1(config-line)#password brewing R1(config-line)#login R1(config-line)#privilege level 15
I can now telnet to R1 from both R2 and R3.
R2#telnet 172.12.123.1 Trying 172.12.123.1 ... Open User Access Verification Password: R1#
R3#telnet 172.12.123.1 Trying 172.12.123.1 ... Open User Access Verification Password: R1#
I’ll now permit Telnet access only to 172.12.123.2, denying all others, including 172.12.123.3. I’ll use an extended ACL that allows Telnet traffic (TCP, port 23) sourced from R2, but denies all other traffic. I’ll also add an explicit deny ip any any so we can see the matches in show ip access-group. Otherwise, it’s an implicit deny and we won’t see the matches.
R1(config)#access-list 101 permit tcp host 172.12.123.2 any eq 23 R1(config)#access-list 101 deny ip any any
R1#show ip access-list Extended IP access list 101 10 permit tcp host 172.12.123.2 any eq telnet 20 deny ip any any
To control Telnet access with an access list, apply the ACL to the VTY lines with access-class.
R1(config)#line vty 0 4 R1(config-line)#access-class ? <1-199> IP access list <1300-2699> IP expanded access list WORD Access-list name R1(config-line)#access-class 101 ? in Filter incoming connections out Filter outgoing connections R1(config-line)#access-class 101 in ? vrf-also Same access list is applied for all VRFs <cr> R1(config-line)#access-class 101 in
I can still telnet from R2 to R1…
R2#telnet 172.12.123.1 Trying 172.12.123.1 ... Open User Access Verification Password: R1#
… but I can no longer do so from R3.
R3#telnet 172.12.123.1 Trying 172.12.123.1 ... % Connection refused by remote host
The output of show ip access-list shows both the permits and the denies enforced by this ACL. Line 20, the explicit deny, allows us to see the number of matches on that line.
R1#show ip access-list Extended IP access list 101 10 permit tcp host 172.12.123.2 any eq telnet (1 match) 20 deny ip any any (1 match)
You may want to restrict some of the access some of the time, rather than all of the access all of the time. That’s where time-based ACLs come in, and we’ll tackle those in the next installment of this CCNA ACL tutorial series. I’ll post that on July 28, 2018. Right now, take a look at these other tutorials, and thanks for making my work part of your certification success!
CCNA ACL Tutorial: The Rules Of Success
CCNA ACL Tutorial: Wildcard Masks
CCNA ACL Tutorial: Standard Access Lists
Check out my YouTube channel, too!