
Access List Newbie

Status
Not open for further replies.

rmmagow

Technical User
Jan 2, 2002
93
US
I need to create an access list such that I can Telnet to my Cisco router from the open Internet from one particular address. I would want this on my serial link and do have some access lists coded there. Second, I want to do the same from inside the private network, with an access list on the Ethernet port I would guess. I have an access-list 101 that seems to apply to my external DS3 connection, and an access-list 8 for the Ethernet. Essentially, I'm looking for the basic setup to code to allow a single IP address to connect to the router from outside and from inside.
Thanks for any guidance.
 
For the public side:
access-list 101 permit tcp host <internet_host> host <router_ip> eq 23

For the private side:
access-list 8 permit host <inside_ip>

A standard ACL (8) can only operate on the source IP. All traffic from that IP is allowed or blocked, depending. This doesn't sound like the kind of ACL which you'd want on the inside interface.

The extended list (101) can allow/block based upon source & destination address & port and protocol.

Remember that ACLs are processed sequentially, so make sure that these rules come before any which might block them.

 
If it's just for limiting Telnet access, you could have a standard ACL applied to your vty 0 4 interface that would limit Telnet to the desired IP addresses no matter what interface the traffic came from, e.g.,

aaa new-model
aaa authentication login collossus local
username ciscoadmin password thoushallnotpass
!
access-list 11 permit <external_IP> log
access-list 11 permit <another_IP> log
access-list 11 permit <internal_IP> log
access-list 11 deny any log
!
line vty 0 4
access-class 11 in
logging synchronous
login authentication collossus
transport input telnet
!

Chris.



**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
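The two replies above rely on three rules of IOS access lists: a standard list matches on source address only, an extended list matches on protocol, source, destination and port, and entries are tried in the order written with the first match winning (and an implicit deny at the end). The following is an added example written for this page, not code from either reply and not Cisco software. It is a small Python parser and evaluator for the numbered access-list syntax used in the thread, run against constructed sample packets. The addresses 203.0.113.1 (the router), 198.51.100.7 (the one allowed Internet host) and 10.0.0.5 (the inside admin station) are made-up stand-ins for the posts' <router_ip>, <internet_host> and <inside_ip> placeholders, and the parser understands only the subset of the syntax shown in the thread (any, host, address plus wildcard, eq port, trailing log).

```python
# Added example for this thread (not from the posts, not Cisco code): a toy evaluator
# for IOS numbered access-lists. Standard lists (1-99) match on source only; extended
# lists (100-199) match protocol, source, destination and destination port; entries are
# tried in order, the first match wins, and a packet matching nothing is denied.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    action: str                           # "permit" or "deny"
    proto: Optional[str]                  # None for a standard ACL
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]  # None for a standard ACL
    dport: Optional[int]

def _parse_addr(tokens):
    """Consume 'any', 'host A', 'A wildcard' or a bare address; return (network, rest)."""
    tok = tokens[0]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tok == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        # an IOS wildcard mask is the bitwise inverse of a netmask (contiguous masks only here)
        netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
        return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), tokens[2:]
    return ipaddress.ip_network(tok + "/32"), tokens[1:]   # bare address means host

def parse_acl(config_text):
    """Parse 'access-list N ...' lines into {N: [Entry, ...]}, preserving the order written."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if rest and rest[-1] == "log":        # 'log' only affects logging, not the match
            rest = rest[:-1]
        if number < 100:                      # standard: source only
            src, rest = _parse_addr(rest)
            entry = Entry(action, None, src, None, None)
        else:                                 # extended: proto src dst [eq port]
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            dst, rest = _parse_addr(rest)
            dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            entry = Entry(action, proto, src, dst, dport)
        acls.setdefault(number, []).append(entry)
    return acls

def evaluate(entries, pkt):
    """Return (action, index) of the first matching entry, or ('deny', None) for the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for i, e in enumerate(entries):
        if src not in e.src:
            continue
        if e.proto is not None and (e.proto not in ("ip", pkt.proto) or dst not in e.dst
                                    or (e.dport is not None and e.dport != pkt.dport)):
            continue                          # extended ACL: rest of the tuple did not match
        return e.action, i
    return "deny", None

ROUTER, ADMIN, INSIDE = "203.0.113.1", "198.51.100.7", "10.0.0.5"   # constructed sample addresses
CONFIG = f"""
access-list 101 permit tcp host {ADMIN} host {ROUTER} eq 23
access-list 101 deny ip any any log
access-list 8 permit host {INSIDE}
access-list 11 permit {ADMIN} log
access-list 11 permit {INSIDE} log
access-list 11 deny any log
"""

def demo():
    """Run the thread's three lists against sample packets; returns {label: action}."""
    acls = parse_acl(CONFIG)
    admin_telnet = Packet("tcp", ADMIN, ROUTER, 23)
    stranger_telnet = Packet("tcp", "192.0.2.99", ROUTER, 23)
    inside_telnet = Packet("tcp", INSIDE, ROUTER, 23)
    peer_web = Packet("tcp", "10.0.0.6", "192.0.2.80", 80)   # another inside host, just browsing
    return {
        "101 admin telnet": evaluate(acls[101], admin_telnet)[0],        # permit
        "101 stranger telnet": evaluate(acls[101], stranger_telnet)[0],  # deny
        "8 inside admin": evaluate(acls[8], inside_telnet)[0],           # permit
        "8 peer web": evaluate(acls[8], peer_web)[0],    # deny: a standard list sees only the source
        "11 admin": evaluate(acls[11], admin_telnet)[0],                 # permit, whatever the ingress interface
        "11 inside": evaluate(acls[11], inside_telnet)[0],               # permit
        "11 stranger": evaluate(acls[11], stranger_telnet)[0],           # deny (and logged)
    }

def ordering_matters():
    """Same two entries in both orders: a deny-any written first shadows the permit."""
    good = f"access-list 120 permit tcp host {ADMIN} host {ROUTER} eq 23\naccess-list 120 deny ip any any"
    bad = "\n".join(reversed(good.splitlines()))
    pkt = Packet("tcp", ADMIN, ROUTER, 23)
    return evaluate(parse_acl(good)[120], pkt)[0], evaluate(parse_acl(bad)[120], pkt)[0]
```

Running demo() shows the caveat from the first reply concretely: list 8 on the Ethernet side does let the admin station in, but it also drops the ordinary web traffic of every other inside host, because a standard list never looks at destination or port. List 11 applied with access-class on the vty lines gives the same permit/deny answers for the Telnet packets whichever interface they arrive on, which is why the second reply prefers it for this job. ordering_matters() returns ("permit", "deny") for the same two entries written in opposite orders.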
 