[EDIT]: With the image you now have supplied, the access list should be placed on the router interface inbound from your ISP. Assuming Router2 is the internet connected path, placement should be made at Router1, and inbound on the interface connected to Router2 if Router2 is owned by your ISP. If Router2 is owned by you and connected to your ISP, placement should be made there. To block only telnet at the perimeter you need just two lines in the access list:

    access-list 101 deny tcp any any eq 23
    access-list 101 permit ip any any

I would still suggest reading the Cisco link below as it contains the rudimentary access list practice and syntax. In a design such as you have drafted, you would likely wish to block more than just telnet. Suggested in-depth reading is:
Use an access list. If the router has the IP address 192.168.0.10 on the e0 interface and should permit telnet just from the local subnet 192.168.0.0/24 to the e0 interface:

    interface ethernet0
     ip access-group 101 in
    !
    access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.10 eq 23
    access-list 101 deny tcp any any eq 23
    access-list 101 permit ip any any

Note that this example would also block telnet from the 192.168.0.0/24 subnet to other devices on the far side of the router. This can easily be customized in the access list. If you want to block telnet completely I suggest not to activate it in the first place. Common Cisco access list entries are described here.
In this article, I will explain how we can stop telnet access to a router from any host in a network. To stop hosts on a network from accessing telnet, I will use an ACL. Why would we do that? We want to block telnet for particular hosts or for a whole network, for security purposes: we don't want to give an unauthorized person a way into our system. So for safety reasons we filter the network traffic and allow only particular hosts to access telnet. Friends, before moving on we must understand the concept of ACL. If you already know ACLs, very good. If you don't, don't worry, here is a brief introduction so that you can understand the whole concept easily. So let's start with ACL. What is an ACL? How does an ACL work?
Types of ACL: There are two types of ACL –
So friends, this is a brief overview of ACL and its types. Beginners must have at least this level of knowledge. Now let's start.

Network Topology For ACL

Summary Of Topology Diagram – In this lab I have 3 Cisco PT routers, 3 switches, and 3 PC clients. I connected Router3 with the cloud from where we will access the internet. On Router1 I will configure Telnet and an ACL to block the Telnet service.

[Topology diagram: Router3, Router2, Router1; Allowed Networks For Telnet Access; Denied Network for Telnet Service]

So friends, this is a brief overview of this topology. Now follow the steps below to perform this lab –

Step 1. Configure the basic configuration on all routers.
Step 2. Give a static IP address to all PC clients.
Step 3. Do routing on the routers.
Step 4. Ping every PC from the PCs of the other networks to make sure they are connected.
Step 5. Enable the Telnet service on Router1.
Step 6. Create a standard ACL for the networks which you want to permit or deny for the Telnet service.

Follow these 6 steps to complete this lab. After these 6 steps, check from all 3 networks 1.0.0.0/8, 4.0.0.0/8, and 5.0.0.0/8: Can you access telnet? Can all networks access Telnet? Which network can't access Telnet? Perform this lab to answer these questions. Now follow my commands to get the answers to the above questions. In RIP, each router advertises the networks of its own directly connected interfaces.

Router 1

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#interface FastEthernet0/0
    Router(config-if)#ip address 1.0.0.1 255.0.0.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface Serial2/0
    Router(config-if)#ip address 2.0.0.2 255.0.0.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface Serial3/0
    Router(config-if)#ip address 6.0.0.1 255.0.0.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#router rip
    Router(config-router)#network 1.0.0.0
    Router(config-router)#network 2.0.0.0
    Router(config-router)#network 6.0.0.0
    Router(config-router)#exit

Router 2

    Router>enable
    Router#configure terminal
    Router(config)#interface FastEthernet0/0
    Router(config-if)#ip address 4.0.0.1 255.0.0.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface Serial2/0
    Router(config-if)#ip address 2.0.0.1 255.0.0.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface Serial3/0
    Router(config-if)#ip address 3.0.0.1 255.0.0.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#router rip
    Router(config-router)#network 2.0.0.0
    Router(config-router)#network 3.0.0.0
    Router(config-router)#network 4.0.0.0
    Router(config-router)#exit

Router 3

    Router>enable
    Router#configure terminal
    Router(config)#interface FastEthernet0/0
    Router(config-if)#ip address 5.0.0.1 255.0.0.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface Serial2/0
    Router(config-if)#ip address 3.0.0.2 255.0.0.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#router rip
    Router(config-router)#network 5.0.0.0
    Router(config-router)#network 3.0.0.0
    Router(config-router)#exit

Now it's time to configure an ACL (Access Control List) on Router 1 so that we can block the Telnet service for network 4.0.0.0/8. So let's do this. First, enable the Telnet service –

Router 1

    Router>enable
    Router#configure terminal
    Router(config)#enable password ccna
    Router(config)#line vty 0 4
    Router(config-line)#password telnet
    Router(config-line)#login
    Router(config-line)#exit

Now create the access list for the networks which you want to allow or deny, and apply it to the vty lines –

    Router(config)#access-list 2 permit 1.0.0.0 0.255.255.255
    Router(config)#access-list 2 permit 2.0.0.0 0.255.255.255
    Router(config)#access-list 2 permit 3.0.0.0 0.255.255.255
    Router(config)#access-list 2 permit 5.0.0.0 0.255.255.255
    Router(config)#access-list 2 permit 6.0.0.0 0.255.255.255
    Router(config)#access-list 2 deny 4.0.0.0 0.255.255.255
    Router(config)#line vty 0 4
    Router(config-line)#access-class 2 in
    Router(config-line)#exit

Friends, we are done with the commands. It's time to check which network can access Telnet and which cannot. In the image below I tried to log in to the router by telnet from network 4.0.0.0/8 (the PC's IP address is 4.0.0.4), but the router refused the connection. That is because we denied the traffic from network 4.0.0.0/8 in the ACL. Similarly, I logged in to the router from network 1.0.0.0/8.
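To see exactly which hosts the two lists on this page admit, here is an added example (my own code, not from either answer above, not from the lab article, and not a Cisco tool) that re-implements IOS access-list matching: wildcard masks, first match wins, and the implicit deny at the end of every list. It parses the extended list 101 from the second answer and the standard list 2 from the lab and evaluates constructed sample packets against them; the addresses are the ones used on this page, the function and class names are my own.

```python
"""Simulate Cisco IOS access-list matching: wildcard masks, first match wins,
implicit deny at the end. Added example, not code from either answer or from
the lab article; it parses only the syntax used on this page."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == base 0.0.0.0, wildcard all ones


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((base, wc), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


@dataclass
class Entry:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip' or 'tcp' (standard lists are stored as 'ip')
    src: Tuple[str, str]        # (base, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int]        # from 'eq <port>' after the destination, if present


def parse_acl(lines):
    """Parse 'access-list N ...' lines; 1-99 standard (source only), 100-199 extended."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:
            src = (t[3], t[4]) if len(t) > 4 else (t[3], "0.0.0.0")  # bare address == host
            entries.append(Entry(action, "ip", src, ANY, None))
        else:
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            entries.append(Entry(action, t[3], src, dst, dport))
    return entries


def evaluate(entries, src, dst, proto="tcp", dport=None):
    """Return 'permit' or 'deny' for one packet; the first matching entry decides."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"   # implicit deny: nothing matched


# Extended list from the second answer: telnet only to the router's e0 address.
ACL_101 = parse_acl([
    "access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.10 eq 23",
    "access-list 101 deny tcp any any eq 23",
    "access-list 101 permit ip any any",
])

# Standard list from the lab, applied with 'access-class 2 in' on the vty lines.
ACL_2 = parse_acl([
    "access-list 2 permit 1.0.0.0 0.255.255.255",
    "access-list 2 permit 2.0.0.0 0.255.255.255",
    "access-list 2 permit 3.0.0.0 0.255.255.255",
    "access-list 2 permit 5.0.0.0 0.255.255.255",
    "access-list 2 permit 6.0.0.0 0.255.255.255",
    "access-list 2 deny 4.0.0.0 0.255.255.255",
])

if __name__ == "__main__":
    # Constructed sample packets; addresses are the ones used on this page.
    print(evaluate(ACL_101, "192.168.0.5", "192.168.0.10", "tcp", 23))  # permit
    print(evaluate(ACL_101, "192.168.0.5", "192.168.0.99", "tcp", 23))  # deny: far side
    print(evaluate(ACL_101, "10.9.9.9", "192.168.0.10", "tcp", 80))     # permit: not telnet
    print(evaluate(ACL_2, "4.0.0.4", "1.0.0.1"))                         # deny: listed
    print(evaluate(ACL_2, "1.0.0.3", "1.0.0.1"))                         # permit
    print(evaluate(ACL_2, "7.0.0.1", "1.0.0.1"))                         # deny: implicit
```

The last ACL_2 case is the one worth remembering: 7.0.0.0/8 appears nowhere in the list, and the implicit deny still blocks it, so a network added to the lab later is locked out of the vty lines until the list is updated. Applied with access-class, the same list governs SSH sessions as well as telnet, which is why the article's title names both.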
Here I can easily telnet to Router1 because this network's traffic is allowed in the ACL. You can see below that the IP address of the PC client is 1.0.0.3; it tries to access telnet and, after entering the telnet password, it is able to use the telnet service from this PC. For the practical lab, please watch the video 🙂 So friends, this is all about how to configure an ACL to deny Telnet/SSH from a network on a Cisco router. Friends, if you have doubts or any queries about this post then don't hesitate to contact me. If you like my posts please share them with your friends.
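The six lab steps only work if three things are consistent: RIP must advertise the networks actually attached to each router (step 3, which is where a copy-pasted `network` statement from another router silently breaks step 4), the vty lines must carry the access-class (step 6), and the enable password should be stored as a hashed `enable secret` rather than the reversible `enable password`. As an added example (my own code, not from the article and not a Cisco feature), the following checker parses a running-config style text and reports each of those problems. ROUTER1_BAD is a constructed sample built from the Router 1 addresses on this page with Router 2's RIP statements pasted in and no access-class; ROUTER1_GOOD is the corrected version. Function names, message texts and the secret hash placeholder are my own.

```python
"""Lint a Cisco IOS running-config for this lab's three consistency points.
Added example (not from the article, not a Cisco tool): RIP advertises the
connected networks, vty lines carry an inbound access-class, and the enable
password is stored as 'enable secret'."""
import ipaddress


def classful(addr):
    """Classful network of a RIP 'network' statement (A: /8, B: /16, C: /24)."""
    first = int(str(addr).split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_config(text):
    """Return (interfaces, rip_networks, vty, enable_mode) from running-config text."""
    interfaces = {}      # interface name -> connected IPv4Network
    rip_networks = []    # addresses from 'network a.b.c.d' under 'router rip'
    vty = []             # [line spec, has inbound access-class]
    enable_mode = None   # 'password', 'secret' or None
    section = ""         # current top-level command (lines under it are indented)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            section = line
            if line.startswith("line vty"):
                vty.append([line, False])
            elif line.startswith("enable password"):
                enable_mode = "password"
            elif line.startswith("enable secret"):
                enable_mode = "secret"
            continue
        parts = line.split()
        if section.startswith("interface") and parts[:2] == ["ip", "address"]:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            interfaces[section.split()[1]] = net
        elif section == "router rip" and parts[0] == "network":
            rip_networks.append(ipaddress.ip_address(parts[1]))
        elif section.startswith("line vty") and parts[0] == "access-class" and parts[-1] == "in":
            vty[-1][1] = True
    return interfaces, rip_networks, vty, enable_mode


def lint(text):
    """Return a list of findings; an empty list means the config passes."""
    interfaces, rip_networks, vty, enable_mode = parse_config(text)
    findings = []
    covered = [classful(n) for n in rip_networks]
    for name, net in interfaces.items():
        if not any(net.subnet_of(c) for c in covered):
            findings.append(f"rip: connected network {net} on {name} is not advertised")
    for stmt, c in zip(rip_networks, covered):
        if not any(net.subnet_of(c) for net in interfaces.values()):
            findings.append(f"rip: 'network {stmt}' matches no connected interface")
    for spec, has_access_class in vty:
        if not has_access_class:
            findings.append(f"vty: '{spec}' has no inbound access-class")
    if enable_mode == "password":
        findings.append("enable: 'enable password' is reversible; use 'enable secret'")
    return findings


# Constructed sample: Router 1's addresses from the lab, with Router 2's RIP
# statements pasted in and no access-class on the vty lines.
ROUTER1_BAD = """\
enable password ccna
interface FastEthernet0/0
 ip address 1.0.0.1 255.0.0.0
interface Serial2/0
 ip address 2.0.0.2 255.0.0.0
interface Serial3/0
 ip address 6.0.0.1 255.0.0.0
router rip
 network 2.0.0.0
 network 3.0.0.0
 network 4.0.0.0
line vty 0 4
 password telnet
 login
"""

# Constructed sample: same router, RIP covering its own networks, the lab's
# access-list 2 on the vty lines, and a hashed secret (placeholder hash value).
ROUTER1_GOOD = """\
enable secret 5 $1$PLACEHOLDER$HASH
interface FastEthernet0/0
 ip address 1.0.0.1 255.0.0.0
interface Serial2/0
 ip address 2.0.0.2 255.0.0.0
interface Serial3/0
 ip address 6.0.0.1 255.0.0.0
router rip
 network 1.0.0.0
 network 2.0.0.0
 network 6.0.0.0
line vty 0 4
 access-class 2 in
 password telnet
 login
"""
```

Run `lint(ROUTER1_BAD)` and it returns six findings: the two connected networks 1.0.0.0/8 and 6.0.0.0/8 are not advertised, the two pasted statements for 3.0.0.0 and 4.0.0.0 match nothing, the vty lines have no access-class, and the enable password is reversible; `lint(ROUTER1_GOOD)` returns an empty list. The RIP check deliberately uses classful matching because that is how the `network` statement under `router rip` selects interfaces.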