CCNA Certification Lab: Using Access Lists With Telnet

Comment or question?  Contact me on Twitter or Facebook!

Access lists are a great way to nail down who can and can’t telnet to a Cisco device.   Access list logic is the same as in our standard ACL and extended ACL labs, but the command to apply an ACL to VTY lines is a bit different.

In this lab, we’ll use our 172.12.123.0 /24 network:

Telnet Lab Using 172.12.123.0 /24 Network

With the following config on R1, any user can telnet to R1 with the password brewing and that user would be put straight into enable mode, courtesy of the privilege level 15 command.

R1(config)#line vty 0 4

R1(config-line)#password brewing

R1(config-line)#login

R1(config-line)#privilege level 15

I can now telnet to R1 from both R2 and R3.

R2#telnet 172.12.123.1

Trying 172.12.123.1 ... Open

User Access Verification

Password:

R1#
R3#telnet 172.12.123.1

Trying 172.12.123.1 ... Open

User Access Verification

Password:

R1#

I’ll now permit Telnet access only to 172.12.123.2, denying all others, including 172.12.123.3.   I’ll use an extended ACL that allows Telnet traffic (TCP, port 23) sourced from R2, but denies all other traffic.   I’ll also add an explicit deny ip any any so we can see the matches in show ip access-group.  Otherwise, it’s an implicit deny and we won’t see the matches.

R1(config)#access-list 101 permit tcp host 172.12.123.2 any eq 23

R1(config)#access-list 101 deny ip any any
R1#show ip access-list

Extended IP access list 101

    10 permit tcp host 172.12.123.2 any eq telnet

    20 deny ip any any

To control Telnet access with an access list, apply the ACL to the VTY lines with access-class.

R1(config)#line vty 0 4

R1(config-line)#access-class ?

  <1-199>      IP access list

  <1300-2699>  IP expanded access list

  WORD         Access-list name


R1(config-line)#access-class 101 ?

  in   Filter incoming connections

  out  Filter outgoing connections


R1(config-line)#access-class 101 in ?

  vrf-also  Same access list is applied for all VRFs

  <cr>

R1(config-line)#access-class 101 in

I can still telnet from R2 to R1…

R2#telnet 172.12.123.1

Trying 172.12.123.1 ... Open

User Access Verification

Password:

R1#

… but I can no longer do so from R3.

R3#telnet 172.12.123.1

Trying 172.12.123.1 ...

% Connection refused by remote host

The output of show ip access-list shows both the permits and the denies enforced by this ACL.   Line 20, the explicit deny, allows us to see the number of matches on that line.

R1#show ip access-list

Extended IP access list 101

  10 permit tcp host 172.12.123.2 any eq telnet (1 match)

  20 deny ip any any (1 match)

You may want to restrict some of the access some of the time, rather than all of the access all of the time.  That’s where time-based ACLs come in, and we’ll tackle those in the next installment of this CCNA ACL tutorial series.   I’ll post that on July 28, 2018.  Right now, take a look at these other tutorials, and thanks for making my work part of your certification success!

CCNA ACL Tutorial:  The Rules Of Success

CCNA ACL Tutorial:   Wildcard Masks

CCNA ACL Tutorial:   Standard Access Lists

Check out my YouTube channel, too!

CCNA And CCENT Videos On YouTube