Cisco Routing/Switching – Standard ACLs

Prevent users outside the 10.0.0.0 /8 network from managing any device inside the Corporate Network.

We are going to test this using our WAN interface, so in theory, if this is set up correctly, we should be able to neither Telnet nor SSH to any device in our Corporate Network from there.

 

Let’s create a named standard access list so we can limit telnet access on CO-R2:

CO-R2#conf t
CO-R2(config)#ip access-list standard Limit_Telnet
CO-R2(config-std-nacl)#permit 10.0.0.0 0.255.255.255
CO-R2(config-std-nacl)#

Here we have created the ACL but not yet applied it to any interface or line. Remember how the wildcard mask works: a 0 bit means that bit of the address must match, and a 1 bit (255 in an octet) means we don’t care about it.

So with 10.0.0.0 0.255.255.255, the zero follows the ten: the first octet must be 10, and the remaining three octets can be anything, which covers the whole 10.0.0.0 /8 range. If this were for the 10.1 range (10.1.0.0 /16), the wildcard would be 0.0.255.255.

Now we need to configure this ACL on our Vty lines:

CO-R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CO-R2(config)#line vty 0 4
CO-R2(config-line)#access-class Limit_Telnet in
CO-R2(config-line)#

We apply the access-class with in rather than out, because we are filtering incoming connections to the vty lines, not outbound sessions initiated from the router itself.

Let’s test that we can still telnet to it from CO-R1; from the LAN side it works fine:

CO-R1#telnet 10.1.0.2
Trying 10.1.0.2 ...Open
***********************************************************
THIS IS CORPORATE EQUIPMENT, YOU SHOULD ONLY BE LOGGED IN WITH PERMISSION
THOSE WITHOUT PERMISSION FACE LAWSUIT.
***********************************************************



User Access Verification

Password:

Looks fine, so let’s test it again using the WAN interface as the source interface.

CO-R1#telnet 10.1.0.2 /source-interface s0/0/0
% Connection refused by remote host
CO-R1#

This attempt connects via telnet sourced from the WAN interface, whose address is outside 10.0.0.0 /8, and it is actively refused, which is exactly what we want.

 

On CO-R2, if you run the command sh access-lists you should see something similar to the output below. Note the match counters: the permit line has counted our two LAN telnet attempts and the deny line has counted the refused WAN attempt, which is a handy way to confirm the ACL is actually being hit.

CO-R2# show access-lists
Standard IP access list Limit_Telnet
     10 permit 10.0.0.0, wildcard bits 0.255.255.255 (2 matches)
     20 deny   any  (1 match)
CO-R2#

Now, to configure this on all the other devices, it’s generally easier to do a sh run, copy the ip access-list section from there, and add the line vty 0 4 section underneath it:

ip access-list standard Limit_Telnet
permit 10.0.0.0 0.255.255.255
deny   any
line vty 0 4
access-class Limit_Telnet in 
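As an added example (not part of the original post), here is a small Python model of how IOS evaluates a standard ACL such as the Limit_Telnet config above, so you can sanity-check wildcard masks and source addresses offline before applying them. The WAN address 203.0.113.7 is a constructed sample value.

```python
import ipaddress

# Constructed sample: the Limit_Telnet ACL exactly as shown in the running config above.
LIMIT_TELNET = """
ip access-list standard Limit_Telnet
 permit 10.0.0.0 0.255.255.255
 deny   any
"""

def parse_standard_acl(text):
    """Parse a named standard ACL from IOS config text into (action, network, wildcard) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list standard ...' header and blank lines
        action = parts[0]
        if parts[1] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif parts[1] == "host":
            net, wild = int(ipaddress.IPv4Address(parts[2])), 0
        else:
            net = int(ipaddress.IPv4Address(parts[1]))
            # A bare address with no wildcard is an exact host match (wildcard 0.0.0.0).
            wild = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
        entries.append((action, net, wild))
    return entries

def wildcard_match(addr, net, wild):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)

def evaluate(entries, source):
    """Walk the ACL top-down; first match wins; unmatched traffic hits the implicit deny."""
    addr = int(ipaddress.IPv4Address(source))
    for seq, (action, net, wild) in enumerate(entries, start=1):
        if wildcard_match(addr, net, wild):
            return action, seq * 10  # IOS numbers lines 10, 20, ... by default
    return "deny", None  # implicit deny: never listed, never counts matches

def prefix_to_wildcard(prefix):
    """Convert CIDR notation (e.g. 10.1.0.0/16) into the wildcard form the ACL uses."""
    net = ipaddress.IPv4Network(prefix)
    return str(ipaddress.IPv4Address(int(net.hostmask)))

if __name__ == "__main__":
    acl = parse_standard_acl(LIMIT_TELNET)
    for src in ("10.1.0.1", "203.0.113.7"):  # LAN host vs. constructed WAN address
        print(src, evaluate(acl, src))       # ('permit', 10) then ('deny', 20)
    print(prefix_to_wildcard("10.1.0.0/16"))  # 0.0.255.255
```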

 
