access list problem

I am trying to restrict telnet to a switch from one host only.

So I did:

access-list 1 permit host 10.10.10.5

line vty 0 4
 access-class 1 in

But another host on the 10.10.10.x net can still telnet to the switch.

What is wrong?

Reply to
tony

What does a "show line" say?

Doan

Reply to
Doan

Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
  0 CTY       - -     -    -    -    0    0     0        -
  1 VTY       - -     -    -    1    15   0     0        -
  2 VTY       - -     -    -    1    4    0     0        -
  3 VTY       - -     -    -    1    0    0     0        -
  4 VTY       - -     -    -    1    0    0     0        -
  5 VTY       - -     -    -    1    0    0     0        -
  6 VTY       - -     -    -    -    0    0     0        -
  7 VTY       - -     -    -    -    0    0     0        -
  8 VTY       - -     -    -    -    0    0     0        -
  9 VTY       - -     -    -    -    0    0     0        -
 10 VTY       - -     -    -    -    0    0     0        -
 11 VTY       - -     -    -    -    0    0     0        -
 12 VTY       - -     -    -    -    0    0     0        -
 13 VTY       - -     -    -    -    0    0     0        -
 14 VTY       - -     -    -    -    0    0     0        -
 15 VTY       - -     -    -    -    0    0     0        -
 16 VTY       - -     -    -    -    0    0
Reply to
tony

There is your problem. You have more than 5 VTY lines! Try vty 0 16 access-class 1 in

Doan

Reply to
Doan

It still does not work.

Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
  0 CTY       - -     -    -    -    0    0     0        -
  1 VTY       - -     -    -    1    16   0     0        -
  2 VTY       - -     -    -    1    7    0     0        -
  3 VTY       - -     -    -    1    0    0     0        -
  4 VTY       - -     -    -    1    0    0     0        -
  5 VTY       - -     -    -    1    0    0     0        -
  6 VTY       - -     -    -    1    0    0     0        -
  7 VTY       - -     -    -    1    0    0     0        -
  8 VTY       - -     -    -    1    0    0     0        -
  9 VTY       - -     -    -    1    0    0     0        -
 10 VTY       - -     -    -    1    0    0     0        -
 11 VTY       - -     -    -    1    0    0     0        -
 12 VTY       - -     -    -    1    0    0     0        -
 13 VTY       - -     -    -    1    0    0     0        -
 14 VTY       - -     -    -    1    0    0     0        -
 15 VTY       - -     -    -    1    0    0     0        -
 16 VTY       - -     -    -    1    0    0     0        -

Reply to
tony

Can you do a "show access-list 1"?

Doan

Reply to
Doan

can you even use access-class on a switch???

Reply to
Hansang Bae

Yes. All of my switches use an access class on the vty lines.

Chris.

Reply to
chris

I am sorry, I am not following here: you are trying to restrict with the command "permit" and I also do not see the command deny tcp eq 23 (telnet) ....

The Dude

Reply to
The Dude

So when you telnet'd in from other machines, which vty line did it come in on (the vty line that has *)? Also, are there any other entries in your access-list 1?

Doan

Reply to
Doan

On Sat, 26 Aug 2006, it was written:

He is permitting one host; the implicit deny at the end of every access-list will deny the rest. He is using a standard access-list (1-99), not an extended access-list.

Doan

Reply to
Doan

Ooops, "telnet" got stuck in my mind and I missed the 1 in access-list 1. Thanks for the feedback!

The Dude

Reply to
The Dude

Your switch may have vty 0 15 defined. You should check this. And probably you applied the restriction only to the first 5 vtys.

FW

Reply to
NO_spamm


The Cisco CCO site clearly indicates that standard access lists are sufficient to control vty access.

Reply to
Merv

Here is part of the config:

access-list 1 permit 10.10.10.5
access-list 1 deny any
!
line con 0
line vty 0 4
 access-class 1 in
 password 7 xxxxxxxxxxxx
 login
line vty 5 15
 access-class 1 in
 login

From host 10.10.10.5 I can telnet in.

From host 10.10.10.6 I can still telnet in.

Why?

Reply to
tony
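The two things the thread keeps circling, Doan's point that a standard ACL ends in an implicit deny and the question of whether every vty line actually carries the access-class, can be checked offline against the posted config text. The following is an added example, not code from the thread or from Cisco: it evaluates a source address against a standard ACL with IOS wildcard-mask semantics (any, host, bare address, address plus wildcard) and lists any declared vty line whose block lacks the access-class. SAMPLE_CONFIG is a constructed cut-down version of tony's config.

```python
import ipaddress, re

# Constructed sample modelled on the config tony posted in the thread (not the switch's full config).
SAMPLE_CONFIG = """\
access-list 1 permit 10.10.10.5
access-list 1 deny any
line con 0
line vty 0 4
 access-class 1 in
line vty 5 15
 access-class 1 in
"""

def parse_standard_acl(config, number):
    """Return (action, address, wildcard) tuples for standard ACL <number>, in config order."""
    entries = []
    for line in config.splitlines():
        m = re.match(rf"access-list {number} (permit|deny) (\S+)(?: (\S+))?$", line.strip())
        if not m:
            continue
        action, a, b = m.groups()
        if a == "any":                        # any = 0.0.0.0 with an all-ones wildcard
            addr, wildcard = 0, 0xFFFFFFFF
        else:                                 # "host X", bare "X" (same thing) or "X wildcard"
            addr = int(ipaddress.ip_address(b if a == "host" else a))
            wildcard = int(ipaddress.ip_address(b)) if a != "host" and b else 0
        entries.append((action, addr, wildcard))
    return entries

def acl_permits(entries, src):
    """First matching entry wins; the implicit deny applies when nothing matches."""
    s = int(ipaddress.ip_address(src))
    for action, addr, wildcard in entries:
        if ((s ^ addr) & ~wildcard & 0xFFFFFFFF) == 0:   # wildcard bits are don't-care
            return action == "permit"
    return False

def unprotected_vtys(config, number):
    """Declared vty line numbers whose block does not apply 'access-class <number> in'."""
    declared, covered, current = set(), set(), ()
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
        if m:
            current = range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1)
            declared.update(current)
        elif line.startswith("line "):        # entering a non-vty line block (con, aux)
            current = ()
        elif current and line == f"access-class {number} in":
            covered.update(current)
    return sorted(declared - covered)
```

Against the posted config the checker denies 10.10.10.6 and reports no unprotected vty lines, so if 10.10.10.6 still gets in, the running config on the switch differs from what was pasted, which is why Doan and Merv ask for show access-list hit counts and the IOS version.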


What IOS version is being used?

Please post the output of show version.

Reply to
Merv

Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.1(11)AX, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Mon 21-Apr-03 11:37 by madison
Image text-base: 0x00003000, data-base: 0x006BA6CC

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.1(11r)AX, RELEASE SOFTWARE (fc1)

edu-cer-3750A uptime is 10 weeks, 3 days, 23 hours, 35 minutes
System returned to ROM by power-on
System restarted at 17:33:00 UTC Thu Jun 15 2006
System image file is "flash:c3750-i9-mz.121.11-AX/c3750-i9-mz.121.11-AX.bin"

cisco WS-C3750G-24TS-S (PowerPC405) processor (revision B0) with 120822K/10240K bytes of memory.
Processor board ID CAT0735X0X0
Last reset from power-on
1 Virtual Ethernet/IEEE 802.3 interface(s)
28 Gigabit Ethernet/IEEE 802.3 interface(s)
The password-recovery mechanism is enabled.

Reply to
tony

Can you repeat the command after telnetting from 10.10.10.5 and other hosts? I want to see if you are getting any hits on access-list 1.

Doan

Reply to
Doan
