subnet mask
20 years 11 months ago #2427
by MaXiMuS
Replied by MaXiMuS on topic Re: subnet mask
hi
First of all, I don't know why you have flooded the forum with the same message... and yes, to answer your question, access lists are meant for either the incoming traffic or the outgoing one, with respect to the router. If you say "in", it means the access list is effective on the incoming traffic. So if you want to stop telnet traffic into the router, you simply define an incoming access list.
I hope this turns out to be helpful...
20 years 11 months ago #2430
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: subnet mask
First off, he probably multiple posted because the site gave a couple of errors.. we're working on fixing this. Till then tfs and I will clean things up.
Anyway, think about what direction you're filtering traffic.. you're filtering traffic coming IN to the router... so that's why you filter telnet there. However I don't see why you're using access-group.. that would apply to the other interfaces.. if you're configuring the telnet access to the router you'd do something like this
line vty 0 4
access-class 10 in
login
or something similar.
20 years 11 months ago #2439
by indebluez
Replied by indebluez on topic Re: subnet mask
hi guys... yes I get it now.... I guess I was having a mental block...
no telnet traffic INTO the router... so we need both interfaces...
I have one more question... on telnet
when we type in the cmd window....
line vty 0 4
login
password cisco
OR
line vty 0 4
password cisco
login
are they both the same? why password and login?
20 years 11 months ago #2443
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: subnet mask
'login' tells the router to ask for logins
'password' sets the telnet password to be used.
By default with no password set, the router is 'no login' and will not allow telnet access.
You apply 'access-class' to the vty interfaces as opposed to 'access-group' which you apply to all the other interfaces (eth, bri, serial etc etc)
You have Lammle's book? It should be given quite simply in there. Btw the telnet labs are really really easy and a quick way to score marks simply because it involves so little configuration.. you don't have to worry about IP addressing, or calculating the right masks etc which you'll have to do on a troubleshooting or RIP lab.
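The vty/interface distinction from the replies above, as an added example that is not part of the original thread: a small Python check over a constructed IOS-style config that reports vty lines with no inbound access-class, `login` with no `password`, and ACL commands bound to the wrong kind of block. The names `blocks`, `audit`, `BIND` and `SAMPLE` and the sample config are assumptions made for illustration.

```python
import re

# Constructed sample config (not from the thread), embedded so this runs offline.
SAMPLE = """\
interface Serial0
 ip access-group in
interface Ethernet0
 ip access-group 101 in
line vty 0 4
 access-class 10 in
 password cisco
 login
line vty 5 15
 login
"""
BIND = re.compile(r"ip access-group \S+ (in|out)")

def blocks(config):
    """Yield (header, sub-commands) for each interface and 'line vty' block."""
    header, body = None, []
    for raw in config.splitlines():
        if raw[:1].isspace() and header is not None:
            body.append(raw.strip())      # indented line: belongs to open block
            continue
        if header is not None:
            yield header, body
        opens = re.match(r"(interface|line vty)\s", raw)
        header, body = (raw.strip() if opens else None), []
    if header is not None:
        yield header, body

def audit(config):
    """Return findings on how ACLs and passwords are bound to each block."""
    findings = []
    for header, body in blocks(config):
        if header.startswith("line vty"):
            if not any(re.fullmatch(r"access-class \S+ in", c) for c in body):
                findings.append(f"{header}: no inbound access-class")
            if "login" in body and not any(c.startswith("password ") for c in body):
                findings.append(f"{header}: login without a password")
            if any("access-group" in c for c in body):
                findings.append(f"{header}: access-group used on a vty line")
            continue
        for c in body:
            if c.startswith("ip access-group") and not BIND.fullmatch(c):
                findings.append(f"{header}: malformed '{c}'")
            if c.startswith("access-class"):
                findings.append(f"{header}: access-class used on an interface")
    return findings
```

Calling `audit(SAMPLE)` flags Serial0 and vty 5 15 and leaves Ethernet0 and vty 0 4 alone.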
20 years 11 months ago #2449
by indebluez
Replied by indebluez on topic access-list
hi guys... just one more question..
this one's from testking... and I am incredibly confused..
the question says to block telnet access into router 1 and allow everything else...
        s0  s1         s0  s1
routerA ------ routerB ------ routerC
  e0             e0             e0
routerA
e0 192.168.149.1
s0 192.168.199.1
routerB
e0 192.168.155.1
s0 192.168.11.1
s1 192.168.199.2
routerC
e0 192.168.165.1
192.168.11.2
so I think it should be something like this
access-list 101 deny tcp any 192.168.149.1 0.0.0.0 eq telnet
access-list 101 deny tcp any 192.168.199.1 0.0.0.0 eq telnet
access-list 101 permit ip any any
interface ethernet 0
ip access-group 101 in
interface serial 0
ip access-group 101 in
but the solution provided gives something like this..
it denies destination address of 192.168.171.1
and 204.1....
anyone please help.... thanks a mil
20 years 10 months ago #2454
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: subnet mask
Could you post the actual question, or a link to it, because it doesn't seem to make any sense.