access-class 1 in & out - I cannot telnet to all routers

mikey250
hi

Question 1. I cannot telnet from machine 192.168.3.2/24?

Task: I would like only 192.168.3.2 to have telnet access (in/out of all routers).

Steps taken: I have attempted multiple different configurations but cannot seem to get it right.

              pc
        192.168.3.2/24
              |
           main-hub
        ______|______
       |             |
   sanjose1/     sanjose2/
   branch1       branch2

vista-main-hub:

access-list 1 remark (snmp remote management)
access-list 1 permit 192.168.3.2 log
!
line vty 0 4
 access-class 1 in
 access-class1 out
 password cisco1
 logging synchronous
 login local

sanjose1/branch1:

access-list 1 remark (snmp remote management)
access-list 1 permit 192.168.3.2 log
!
line vty 0 4
 access-class 1 in
 access-class1 out
 password cisco1
 logging synchronous
 login local

sanjose2/branch2:

!
access-list 1 remark (snmp remote management)
access-list 1 permit 192.168.3.2 log
!
line vty 0 4
 access-class 1 in
 access-class1 out
 password cisco1
 logging synchronous
 login local
Remove the line "access-class1 out" from the VTY lines on all routers.

Edit your access list per below:

access-list 1 remark (snmp remote management)
access-list 1 permit host 192.168.3.2 log

Author

Commented:
Hi, so if I remove access-class 1 out, this will only allow 192.168.3.2 to telnet to branch1, branch2 and vista-main-hub, and vice versa?

Are you sure ?
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-data-acl-12-4t-book/sec-cntrl-acc-vtl.html

The access-class out is only when you telnet from the router out to another router. The 192.168.3.2 client initiates the telnet connection, so you only need the access class in command for this.

Once you do as above, you should be able to telnet only from the 192.168.3.2 client. If there's still no connection, try adding this to the vty lines: "transport input all"

Author

Commented:
OK. I do want to be able to telnet out?
As long as you don't add the access class out, there will be no restrictions on that.

Author

Commented:
I want to know how to use 'access-class out'?
See the above link on that. It explains the command and provides an example.

Basically, you are limiting the devices you can telnet FROM the router. So if you wanted to limit the main hub router to only be able to telnet out to the branch routers it would look like this:

access-list 1 remark (snmp remote management)
access-list 1 permit host 192.168.3.2 log

access-list 2 remark (Only allow router initiated telnet to branch routers)
access-list 2 permit host 192.168.0.1 (or whatever the IP of Branch 1 is)
access-list 2 permit host 192.168.1.1 (or whatever the IP of Branch 2 is)
!
line vty 0 4
 access-class 1 in
 access-class 2 out

Now that the out is configured on the main hub, you will need to allow inbound sessions from the hub router to the branch routers:

sanjose1/branch1
access-list 1 remark (snmp remote management)
access-list 1 permit host 192.168.3.2 log
access-list 1 permit host 192.168.2.1 log (or whatever the hub IP is)
!
line vty 0 4
 access-class 1 in

Please keep in mind here that by default the outbound interface used by the initiating router is the one closest to the destination, so you will need to permit the serial IP address.
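An added example, not code from the thread or from Cisco: a small Python model of how a standard ACL is evaluated when applied with access-class in (who may telnet to the router) and access-class out (where sessions started on the router may go), built on the hub-and-branch layout and the placeholder hub/branch addresses the answer above uses. It goes slightly beyond the thread by also parsing "address wildcard" entries and showing the implicit deny that bites when a branch forgets to permit the hub's serial IP; the function names and the ROUTERS table are constructed for the example.

```python
import ipaddress
def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acls(config):
    """Return {acl_number: [(action, address, wildcard)]}; remark lines are skipped."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, spec = parts[2], parts[3:]
        if spec[0] == "host":
            addr, wildcard = ip_int(spec[1]), 0
        elif spec[0] == "any":
            addr, wildcard = 0, 0xFFFFFFFF
        else:  # "address wildcard" form, e.g. 192.168.3.0 0.0.0.255
            addr, wildcard = ip_int(spec[0]), (ip_int(spec[1]) if len(spec) > 1 else 0)
        acls.setdefault(parts[1], []).append((action, addr, wildcard))
    return acls

def acl_permits(acl, address):
    """First match wins; anything unmatched hits the implicit 'deny any'."""
    a = ip_int(address)
    for action, addr, wildcard in acl:
        care = 0xFFFFFFFF ^ wildcard  # wildcard bit 0 = must match, 1 = ignored
        if a & care == addr & care:
            return action == "permit"
    return False

# Constructed VTY policy per router (hub/branch IPs are the thread's placeholders).
ROUTERS = {
    "vista-main-hub": {"ip": "192.168.2.1", "in": "1", "out": "2", "acls":
        "access-list 1 permit host 192.168.3.2 log\n"
        "access-list 2 permit host 192.168.0.1\n"
        "access-list 2 permit host 192.168.1.1\n"},
    "branch1": {"ip": "192.168.0.1", "in": "1", "out": None, "acls":
        "access-list 1 permit host 192.168.3.2 log\n"
        "access-list 1 permit host 192.168.2.1 log\n"},
    "branch2": {"ip": "192.168.1.1", "in": "1", "out": None, "acls":
        "access-list 1 permit host 192.168.3.2 log\n"},  # hub's IP not permitted
}

def telnet_allowed(src_ip, dst_router, src_router=None):
    """src_ip is the address the session leaves from (the serial IP when a router starts it)."""
    if src_router is not None and (r := ROUTERS[src_router])["out"]:
        if not acl_permits(parse_standard_acls(r["acls"])[r["out"]], ROUTERS[dst_router]["ip"]):
            return False  # stopped by the initiating router's access-class out
    dst = ROUTERS[dst_router]
    return acl_permits(parse_standard_acls(dst["acls"])[dst["in"]], src_ip)
```

With this table the PC reaches every router, the hub reaches branch1 but not branch2 (branch2 never permitted the hub's address), and branch1 cannot reach the hub because the hub's inbound list only knows the PC.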

Author

Commented:
Thanks, I will attempt this tomorrow. Appreciated!

Author

Commented:
192.168.3.2 can telnet through all router connections via branch1 & branch2.

access-class out has also been removed.

Question 1. I have my snmp-server...etc. only on my vista-main router, & although 'sh ip route' does already show 192.168.3.0/24 on all routers, I'm thinking it is not needed?

Author

Commented:
My 'snmp-server' on the vista-main router allows me to see all device connections on all routers via the PRTG monitoring tool OK, so far.

Author

Commented:
Should my 'snmp-server 192.169.3.1' be configured on all my other routers, as sh ip route shows 192.168.3.0/24 on all routers anyway, as stated above?

Author

Commented:
Sound advice appreciated!!

Author

Commented:
Hi,

just out of curiosity, before I close and allocate these points, should my NTP servers all point to my host machine 192.168.3.2 and not 192.168.3.1 (vista-main-hub)?
Depends which is your NTP master. Personally, I would point them to public NTP servers if possible.

You can use this site to find the closest NTP servers to you:
http://www.pool.ntp.org

And this site for configuration:
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/334-cisco-router-ntp.html

Author

Commented:
Hi, I have read the config link provided, which is definitely useful.

ip nameserver x.x.x.x - I did not realise this command is used specifically for NTP when pointing to an external NTP server?

My branch routers are configured to point directly to a specific machine address off int eth0. Is this correct, or should I point the branch routers to the directly connected main hub router's serial interface?
Either is OK as long as it's reachable.

Author

Commented:
Sound advice.
