How to deny telnet with an access-list

[EDIT]: With the image you now have supplied, the access list should be placed on the router interface inbound from your ISP. Assuming Router2 is the internet connected path, placement should be made at Router1, and inbound on the interface connected to Router2 if Router2 is owned by your ISP. If Router2 is owned by you and connected to your ISP, placement should be made there.

To block only telnet at the perimeter you need just two lines in the access list:

access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any

I would still suggest reading the Cisco link below as it contains the rudimentary access list practice and syntax. In a design such as you have drafted, you would likely wish to block more than just telnet.

Suggested in-depth reading is:

  • the Cisco IOS hardening guide for your IOS versions and devices, as the design info you give indicates them as being fairly wide open to the internet. Here is one such guide for inspiration.
  • the excellent Firewalls for Dummies. This is not written by way of a joke or a taunt, it really is one of the best introductory books on the market for this complex topic.

Use an access list.

If the router has the IP address 192.168.0.10 on the e0 interface and should permit telnet just from the local subnet 192.168.0.0/24 to the e0 interface:

interface ethernet0
 ip access-group 101 in
!
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.10 eq 23
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any

Note that this example would also block telnet from the 192.168.0.0/24 subnet to other devices on the far side of the router. This can easily be customized in the access list.

If you want to block telnet completely, I suggest not activating it in the first place.

Common Cisco access list entries are described here.


In this article, I will explain how we can stop any host in a network from accessing telnet. To stop a host on the network from accessing telnet, I will use an ACL. Why would we do that? You may be thinking that we want to block telnet for particular hosts or for a whole network. So, friends, we block or deny hosts from accessing TELNET for security purposes: we do this because we don't want to give any unauthorized person access to our system. So for safety reasons we filter the network traffic and allow only some particular hosts to access telnet.

Friends, before moving on we must understand the concept of an ACL. If you are already aware of ACLs, very good. But if you don't know about ACLs, don't worry; I'm here to give you a brief overview of ACLs so that you can understand the whole concept easily.

So let's start with ACLs –

Q. What is an ACL? How does an ACL work?

  • ACL stands for Access Control List.
  • An ACL is a mechanism for identifying particular traffic.
  • In other words, an ACL is applied to filter traffic into or out of a router interface.
  • So if we have an ACL on a router, it will allow or deny services on the network.
  • To allow or deny any traffic on the network, we must create an access list on the router.
  • In the access list, we specify the hosts and networks that we want to allow and deny.
  • An ACL either permits or denies traffic based on protocol, port number, source, destination, and time range. The range of customization is massive.

Types of ACL:

There are two types of ACL –

  • Standard Access Control Lists (ACLs) filter traffic based on the set of rules defined for traffic entering or leaving the network. … Standard access lists match on the source IP address only, and they permit or deny the entire protocol suite.
  • Extended Access Control Lists (ACLs) act as the gatekeeper of your network. They permit or deny traffic based on protocol, port number, source, destination, and time range.

So friends, this is a brief overview of ACLs and their types. Beginners must have at least this level of knowledge. Now let's start –

[Topology diagram: Network Topology For ACL]

Summary of the topology diagram –

In this lab, I have 3 Cisco PT routers, 3 switches, and 3 PC clients. Router3 is connected to the cloud, from where we will access the internet. On Router1, I will configure Telnet and an ACL to block the Telnet service.

Router3
  • Int Fa0/0 = Network 1.0.0.1/8
  • Int Se2/0 = Network 6.0.0.1/8
  • Int Se3/0 = Network 2.0.0.1/8
Router2
  • Int Fa0/0 = Network 4.0.0.1/8
  • Int Se2/0 = Network 2.0.0.2/8
  • Int Se3/0 = Network 3.0.0.1/8
Router1
  • Int Fa0/0 = Network 5.0.0.1/8
  • Int Se2/0 = Network 3.0.0.2/8

Allowed networks for Telnet access –

  • Network 1.0.0.0/8
  • Network 2.0.0.0/8
  • Network 3.0.0.0/8
  • Network 5.0.0.0/8
  • Network 6.0.0.0/8

Denied network for the Telnet service –

  • Network 4.0.0.0/8

So friends, this is a brief overview of the topology. Now follow the steps below to perform this lab –

Step 1. Configure the basic configuration on all routers.

Step 2. Give a static IP address to all PC clients.

Step 3. Configure routing on the routers.

Step 4. Ping from every PC to the PCs in the other networks to make sure they are connected.

Step 5. Enable the Telnet service on Router1.

Step 6. Create a standard ACL for the networks which you want to permit or deny for the Telnet service.

Follow these 6 steps to complete this lab. After these 6 steps, check from all 3 networks (1.0.0.0/8, 4.0.0.0/8, and 5.0.0.0/8) –

Can you access telnet?

Can all networks access Telnet?

Which network can't access Telnet?

Perform this lab to answer these questions.

Now follow my commands to get the answer to the above questions.

Router 3

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 1.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface Serial2/0
Router(config-if)#ip address 2.0.0.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface Serial3/0
Router(config-if)#ip address 6.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#network 1.0.0.0
Router(config-router)#network 2.0.0.0
Router(config-router)#network 6.0.0.0
Router(config-router)#exit

Router 2

Router>enable
Router#configure terminal
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 4.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface Serial2/0
Router(config-if)#ip address 2.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface Serial3/0
Router(config-if)#ip address 3.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#network 2.0.0.0
Router(config-router)#network 3.0.0.0
Router(config-router)#network 4.0.0.0
Router(config-router)#exit

Router 1

Router>enable
Router#configure terminal
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 5.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface Serial2/0
Router(config-if)#ip address 3.0.0.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#network 5.0.0.0
Router(config-router)#network 3.0.0.0
Router(config-router)#exit

Now it's time to configure an ACL (Access Control List) on Router 1 so that we can block the Telnet service for network 4.0.0.0/8. So let's do this –

First, enable the Telnet service –

Router 1

Router>enable
Router#configure terminal
Router(config)#enable password ccna
Router(config)#line vty 0 4
Router(config-line)#password telnet
Router(config-line)#login
Router(config-line)#exit

Now create the access list for the networks which you want to allow or deny, and apply it to the vty lines with access-class –

Router(config)#access-list 2 permit 1.0.0.0 0.255.255.255
Router(config)#access-list 2 permit 2.0.0.0 0.255.255.255
Router(config)#access-list 2 permit 3.0.0.0 0.255.255.255
Router(config)#access-list 2 permit 5.0.0.0 0.255.255.255
Router(config)#access-list 2 permit 6.0.0.0 0.255.255.255
Router(config)#access-list 2 deny 4.0.0.0 0.255.255.255
Router(config)#line vty 0 4
Router(config-line)#access-class 2 in
Router(config-line)#exit
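An added Python model (not the page's or Cisco's own code) of how the router evaluates these lists: wildcard-mask matching, first match wins, and the implicit deny at the end. It covers both the standard list 2 applied to the vty lines here and the extended list 101 from the second answer at the top of the page, assuming that answer's router address 192.168.0.10; the test addresses 4.0.0.4, 1.0.0.3, 9.9.9.9 and 10.1.1.1 are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

# Added model of Cisco IOS ACL matching (not the router's own code): wildcard masks,
# first-match evaluation and the implicit "deny any" at the end of every list.
def wildcard_for_prefix(prefixlen: int) -> str:
    """Wildcard mask for a CIDR prefix: a /8 network needs 0.255.255.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefixlen))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base address; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & care) == 0

class Rule(NamedTuple):
    action: str                      # "permit" or "deny"
    src: str                         # source address/network
    src_wc: str                      # source wildcard mask
    dst: str = "0.0.0.0"             # destination (standard ACLs: any)
    dst_wc: str = "255.255.255.255"
    proto: str = "ip"                # "ip" matches every protocol
    dport: Optional[int] = None      # destination port, None = any

def evaluate(acl, src, dst="0.0.0.0", proto="ip", dport=None) -> str:
    """Return the action of the first matching entry, or "deny" if none matches."""
    for r in acl:
        if (wildcard_match(src, r.src, r.src_wc)
                and wildcard_match(dst, r.dst, r.dst_wc)
                and r.proto in ("ip", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"  # implicit deny any: unlisted sources (e.g. 9.9.9.9) are refused too

# Standard ACL 2 from the lab, applied to the vty lines with "access-class 2 in"
ACL_2 = [Rule("permit", f"{n}.0.0.0", wildcard_for_prefix(8)) for n in (1, 2, 3, 5, 6)]
ACL_2.append(Rule("deny", "4.0.0.0", wildcard_for_prefix(8)))

# Extended ACL 101 from the second answer: telnet to the router's own e0 address
# 192.168.0.10 only from 192.168.0.0/24, no other telnet at all, everything else permitted
ACL_101 = [
    Rule("permit", "192.168.0.0", "0.0.0.255", "192.168.0.10", "0.0.0.0", "tcp", 23),
    Rule("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", "tcp", 23),
    Rule("permit", "0.0.0.0", "255.255.255.255"),
]

def vty_login_allowed(src: str) -> bool:
    # access-class only looks at the source address of the incoming session
    return evaluate(ACL_2, src) == "permit"
```

Running the extended list shows the side effect the second answer warns about: telnet from 192.168.0.0/24 to a host beyond the router (10.1.1.1) is also denied, while non-telnet traffic and UDP port 23 still pass.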

Friends, we are done with the commands. Now it's time to check which networks can access Telnet and which cannot.

In the image below, I tried to log in to the router over telnet from network 4.0.0.0/8 (the PC's IP address is 4.0.0.4), but the connection was refused. This is because we denied traffic from network 4.0.0.0/8 in the ACL.

[Screenshot: telnet from PC 4.0.0.4 to Router1 refused]

Similarly, I logged in to Router1 from network 1.0.0.0/8. Here I can easily telnet to Router1 because this network's traffic is allowed in the ACL. In the image below, the PC client with IP address 1.0.0.3 opens a telnet session and, after entering the telnet password, gets access to the Telnet service from this PC.

[Screenshot: telnet from PC 1.0.0.3 to Router1 succeeds after the password prompt]

For practical lab, please watch the video 🙂

So friends, this is all about how to configure an ACL to deny Telnet/SSH from a network on a Cisco router (access-class on the vty lines applies to SSH logins as well as Telnet). Friends, if you have doubts or any queries about this post, don't hesitate to contact me. If you like my posts, please share them with your friends.