
Management access list, no logic to it.

digimansam
Level 1

Hi All,

So I'm doing a new test config on a Cisco 881 Router.

I have created four IP subnet pools, and I have created four interface VLANs (1, 10, 20, 30) with IP addresses so the router knows which subnet is which. The problem is that I can't seem to put an access-list on any of the ports that will be going to a switch. The interface VLAN 10 lets me put an access list onto it to block telnet and SSH, but they just keep working; it does not do anything at all.

What I'm trying to do is have only one management subnet within VLAN 1 that is not going to be NATted to the WAN side.

Has anyone come across this before? Any help would be appreciated.

ip source-route
!
ip dhcp excluded-address 192.168.100.0 192.168.100.9
ip dhcp excluded-address 192.168.100.64 192.168.100.69
ip dhcp excluded-address 192.168.100.128 192.168.100.139
ip dhcp excluded-address 192.168.100.192 192.168.100.200
!
ip dhcp pool VLAN-1
network 192.168.100.0 255.255.255.192
default-router 192.168.100.1
dns-server 8.8.8.8
lease 3
!
ip dhcp pool VLAN-10
network 192.168.100.64 255.255.255.192
default-router 192.168.100.65
dns-server 8.8.8.8
lease 3
!
ip dhcp pool VLAN-20
network 192.168.100.128 255.255.255.192
default-router 192.168.100.129
dns-server 8.8.8.8
lease 3
!
ip dhcp pool VLAN-30
network 192.168.100.192 255.255.255.192
dns-server 8.8.8.8
default-router 192.168.100.193
lease 3


!
!
interface FastEthernet0
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.100.1 255.255.255.192
!
interface Vlan10
ip address 192.168.100.65 255.255.255.192
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address 192.168.100.129 255.255.255.192
ip nat inside
ip virtual-reassembly in
!
interface Vlan30
ip address 192.168.100.193 255.255.255.192
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
!
logging esm config
access-list 1 permit any
access-list 100 deny tcp host 192.168.100.65 eq 22 any
access-list 100 deny tcp host 192.168.100.65 eq telnet any
access-list 100 permit ip any any
!
!
line con 0
exec-timeout 60 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 60 0
logging synchronous
login local
transport input all
!
end

Accepted Solution

Seb Rupik
VIP Alumni

Hi there,

Since you are using your ACL INbound to the VLAN10 SVI, your ACL is incorrect. It should look like:

access-list 100 deny tcp any host 192.168.100.65 eq 22
access-list 100 deny tcp any host 192.168.100.65 eq telnet

...however this won't stop devices connecting to your other SVIs.

The actual solution is to configure an ACL on the VTY lines:

!
access-list 50 remark management hosts allowed to open VTY sessions (VLAN1 subnet)
access-list 50 permit 192.168.100.0 0.0.0.63
!
line vty 0 4
  access-class 50 in
  transport input ssh
!

cheers,

Seb.

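To make the direction point concrete, here is a small Python model of how IOS evaluates the ACLs quoted in this thread. It is an added illustration, not Cisco code and not something either poster wrote; it parses only the `access-list` syntax used above, and the host addresses (192.168.100.70 on VLAN 10, 192.168.100.10 on VLAN 1) are constructed sample values. It shows two things: an ACL applied inbound on the Vlan10 SVI sees the SVI address as the packet's destination, so the original ACL 100 never matches; and even the corrected ACL 100 only guards that one SVI, whereas a VTY `access-class` filters every management session by source no matter which router address it was sent to.

```python
"""Toy model of Cisco IOS ACL evaluation for the ACLs in this thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS accepts well-known service names in place of port numbers.
PORT_NAMES = {"telnet": 23, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 50000
    dport: int = 22


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" or "tcp"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.63 -> 255.255.255.192
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier; returns (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else None), i + 2
    return None, i


def parse_extended_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return Ace(action, proto, src, sport, dst, dport)


def parse_standard_ace(line):
    """Parse 'access-list N permit|deny SRC WILDCARD' (standard ACLs match source only)."""
    t = line.split()
    src, _ = _parse_addr(t, 3)
    return Ace(t[2], "ip", src, None, ipaddress.ip_network("0.0.0.0/0"), None)


def _ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if _ace_matches(ace, pkt):
            return ace.action
    return "deny"


# ACL 100 as posted by the OP (source/destination reversed) and as corrected in the answer.
OP_ACL_100 = [parse_extended_ace(l) for l in (
    "access-list 100 deny tcp host 192.168.100.65 eq 22 any",
    "access-list 100 deny tcp host 192.168.100.65 eq telnet any",
    "access-list 100 permit ip any any",
)]
FIXED_ACL_100 = [parse_extended_ace(l) for l in (
    "access-list 100 deny tcp any host 192.168.100.65 eq 22",
    "access-list 100 deny tcp any host 192.168.100.65 eq telnet",
    "access-list 100 permit ip any any",
)]
# The VTY access-class: the VLAN1 management subnet, written with an IOS wildcard mask.
VTY_ACL_50 = [parse_standard_ace("access-list 50 permit 192.168.100.0 0.0.0.63")]

# Constructed sample sessions (host addresses are assumptions, not from the thread).
SSH_TO_VLAN10_SVI = Packet(src="192.168.100.70", dst="192.168.100.65")   # VLAN10 host -> own SVI
SSH_TO_VLAN20_SVI = Packet(src="192.168.100.70", dst="192.168.100.129")  # VLAN10 host -> Vlan20 SVI
SSH_FROM_MGMT = Packet(src="192.168.100.10", dst="192.168.100.129")      # VLAN1 management host


def vty_admits(pkt):
    """access-class judges only the session's source, whatever router address it targets."""
    return evaluate(VTY_ACL_50, pkt) == "permit"


if __name__ == "__main__":
    print("OP ACL 100, SSH to Vlan10 SVI:   ", evaluate(OP_ACL_100, SSH_TO_VLAN10_SVI))
    print("Fixed ACL 100, SSH to Vlan10 SVI:", evaluate(FIXED_ACL_100, SSH_TO_VLAN10_SVI))
    print("Fixed ACL 100, SSH to Vlan20 SVI:", evaluate(FIXED_ACL_100, SSH_TO_VLAN20_SVI))
    print("VTY access-class, VLAN10 host:   ", vty_admits(SSH_TO_VLAN20_SVI))
    print("VTY access-class, VLAN1 host:    ", vty_admits(SSH_FROM_MGMT))
```

Run as a script it prints permit / deny / permit / False / True: the OP's ACL lets the SSH session through because the SVI address is the packet's destination, not its source; the corrected ACL denies it on Vlan10 but cannot see a session aimed at the Vlan20 address; the VTY access-class admits only the VLAN 1 management subnet regardless of which SVI was targeted, which is why the answer calls it the actual solution.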

GOTYA! GOTYA!

Thank you, Seb.