access-class 1 in & out - i cannot telnet to all routers

Hi

Question 1. I cannot telnet from machine 192.168.3.2/24?

Task: I would like only 192.168.3.2 to have telnet access (in/out of all routers).

Steps taken: I have attempted multiple different configurations but cannot seem to get it right.

            pc
     192.168.3.2/24
            |
        main-hub
     ______|______
    |             |
sanjose1/     sanjose2/
branch1       branch2

vista-main-hub:

access-list 1 remark (snmp remote management)
access-list 1 permit 192.168.3.2 log
!
line vty 0 4
 access-class 1 in
 access-class1 out
 password cisco1
 logging synchronous
 login local

sanjose1/branch1

access-list 1 remark (snmp remote management)
access-list 1 permit 192.168.3.2 log
!
line vty 0 4
 access-class 1 in
 access-class1 out
 password cisco1
 logging synchronous
 login local

sanjose2/branch2

!
access-list 1 remark (snmp remote management)
access-list 1 permit 192.168.3.2 log
!
line vty 0 4
 access-class 1 in
 access-class1 out
 password cisco1
 logging synchronous
 login local
mikey250 Asked:

agonza07Commented:
Remove the line "access-class1 out" from the VTY lines on all routers.

Edit your access list per below:

access-list 1 remark (snmp remote management)
access-list 1 permit host 192.168.3.2 log

mikey250Author Commented:
Hi, so if I remove access-class 1 out, this will only allow 192.168.3.2 to telnet to branch1, branch2 and vista-main-hub, and vice versa?

Are you sure?
agonza07Commented:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-data-acl-12-4t-book/sec-cntrl-acc-vtl.html

The access-class out is only when you telnet from the router out to another router. The 192.168.3.2 client initiates the telnet connection, so you only need the access class in command for this.

Once you do as above, you should be able to telnet only from the 192.168.3.2 client. If there's still no connection, try adding this to the vty lines: "transport input all"
mikey250Author Commented:
OK. I do want to be able to telnet out?
agonza07Commented:
As long as you don't add the access-class out, there will be no restrictions on that.
mikey250Author Commented:
I want to know how to use 'access-class out'?
agonza07Commented:
See the above link on that. It explains the command and provides an example.

Basically, you are limiting the devices you can telnet to FROM the router. So if you wanted to limit the main hub router to only be able to telnet out to the branch routers, it would look like this:

access-list 1 remark (snmp remote management)
access-list 1 permit host 192.168.3.2 log
!
access-list 2 remark (Only allow router initiated telnet to branch routers)
! or whatever the IP of Branch 1 is
access-list 2 permit host 192.168.0.1
! or whatever the IP of Branch 2 is
access-list 2 permit host 192.168.1.1
!
line vty 0 4
 access-class 1 in
 access-class 2 out

Now that the out is configured on the main hub, you will need to allow inbound sessions from the hub router on the branch routers:

sanjose1/branch1

access-list 1 remark (snmp remote management)
access-list 1 permit host 192.168.3.2 log
! or whatever the hub IP is
access-list 1 permit host 192.168.2.1 log
!
line vty 0 4
 access-class 1 in

Please keep in mind here that, by default, the outbound interface used by the initiating router is the one closest to the destination, so you will need to permit the serial IP address.
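The in/out semantics described in this answer can be checked without a lab. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS standard ACLs applied with `access-class` on VTY lines. `access-class N in` is matched against the source address of a session arriving at the router; `access-class N out` is matched against the destination address of a session the router itself opens. The interface addresses are assumptions filled in from the placeholders above (PC 192.168.3.2, hub serial 192.168.2.1, branch1 192.168.0.1, branch2 192.168.1.1), and only contiguous wildcard masks are modelled. It walks the three configurations discussed: the original (ACL 1 applied in and out everywhere), the first suggestion (out removed), and the second (hub restricted to the branches, branches admitting the hub's serial IP).

```python
"""Model of Cisco IOS standard ACLs applied to VTY lines with `access-class`.

Added example (not from the thread). Interface addresses are assumptions:
PC 192.168.3.2, hub serial 192.168.2.1, branch1 192.168.0.1, branch2 192.168.1.1.
Only contiguous wildcard masks are modelled; a non-contiguous one raises.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

PC, HUB, BRANCH1, BRANCH2 = "192.168.3.2", "192.168.2.1", "192.168.0.1", "192.168.1.1"


@dataclass
class StdAcl:
    """Numbered standard ACL: ordered entries, first match wins, implicit deny at the end."""
    entries: List[Tuple[str, IPv4Network]] = field(default_factory=list)

    def add(self, action: str, addr: str, wildcard: str = "0.0.0.0") -> "StdAcl":
        # `permit 192.168.3.2` and `permit host 192.168.3.2` both mean wildcard 0.0.0.0 (/32).
        # IOS wildcards are inverted masks; invert back to a netmask for IPv4Network.
        netmask = IPv4Address(int(IPv4Address(wildcard)) ^ 0xFFFFFFFF)
        self.entries.append((action, IPv4Network((addr, str(netmask)), strict=False)))
        return self

    def permits(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        for action, net in self.entries:
            if addr in net:
                return action == "permit"
        return False  # implicit `deny any` at the end of every IOS ACL


@dataclass
class Router:
    name: str
    acls: Dict[int, StdAcl]
    vty_in: Optional[int] = None   # `access-class N in` on the vty lines
    vty_out: Optional[int] = None  # `access-class N out` on the vty lines

    def accepts_vty_from(self, src_ip: str) -> bool:
        """`in` is evaluated against the SOURCE of a session arriving at this router's VTYs."""
        return self.vty_in is None or self.acls[self.vty_in].permits(src_ip)

    def may_telnet_to(self, dst_ip: str) -> bool:
        """`out` is evaluated against the DESTINATION of a session this router itself opens."""
        return self.vty_out is None or self.acls[self.vty_out].permits(dst_ip)


def attempt(src: Optional[Router], src_ip: str, dst: Router, dst_ip: str) -> Tuple[bool, str]:
    """Telnet from src (None = the PC, which has no VTY lines) to dst's VTY."""
    if src is not None and not src.may_telnet_to(dst_ip):
        return False, f"{src.name}: access-class {src.vty_out} out denies destination {dst_ip}"
    if not dst.accepts_vty_from(src_ip):
        return False, f"{dst.name}: access-class {dst.vty_in} in denies source {src_ip}"
    return True, f"{dst.name}: connected from {src_ip}"


def original_config() -> Dict[str, Router]:
    """The poster's starting point: ACL 1 (PC only) applied both in and out on every router."""
    acl1 = StdAcl().add("permit", PC)
    return {n: Router(n, {1: acl1}, vty_in=1, vty_out=1) for n in ("hub", "branch1", "branch2")}


def out_removed_config() -> Dict[str, Router]:
    """First suggestion: keep `access-class 1 in`, drop `access-class 1 out`."""
    acl1 = StdAcl().add("permit", PC)
    return {n: Router(n, {1: acl1}, vty_in=1) for n in ("hub", "branch1", "branch2")}


def hub_restricted_config() -> Dict[str, Router]:
    """Second suggestion: hub may only telnet out to the branches; branches admit PC and hub."""
    hub_acl1 = StdAcl().add("permit", PC)
    hub_acl2 = StdAcl().add("permit", BRANCH1).add("permit", BRANCH2)
    branch_acl1 = StdAcl().add("permit", PC).add("permit", HUB)  # hub's serial IP (assumed)
    return {
        "hub": Router("hub", {1: hub_acl1, 2: hub_acl2}, vty_in=1, vty_out=2),
        "branch1": Router("branch1", {1: branch_acl1}, vty_in=1),
        "branch2": Router("branch2", {1: branch_acl1}, vty_in=1),
    }


if __name__ == "__main__":
    for label, build in (("original", original_config), ("out removed", out_removed_config),
                         ("hub restricted", hub_restricted_config)):
        r = build()
        print(f"== {label} ==")
        print("PC -> branch1  :", attempt(None, PC, r["branch1"], BRANCH1)[1])
        print("hub -> branch1 :", attempt(r["hub"], HUB, r["branch1"], BRANCH1)[1])
        print("branch1 -> hub :", attempt(r["branch1"], BRANCH1, r["hub"], HUB)[1])
```

Running it shows the point of the last paragraph: in the original configuration a hop from the hub to a branch fails at the hub's own `out` list (destination 192.168.0.1 is not 192.168.3.2); with `out` removed it still fails, now at the branch's `in` list, because the hub's serial address is not permitted there; only the third configuration lets the hub reach the branches, while the PC can reach every router in all three.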
mikey250Author Commented:
Thanks, I will attempt this tomorrow. Appreciated!
mikey250Author Commented:
192.168.3.2 can telnet through all router connections via branch1 & branch2.

access-class out has also been removed.

Question 1. I have my snmp-server etc. only on my vista-main router, and although 'sh ip route' does already show 192.168.3.0/24 on all routers, I'm thinking it is not needed?
mikey250Author Commented:
My 'snmp-server' on the vista-main router allows me to see all device connections on all routers via the PRTG monitoring tool OK, so far.
mikey250Author Commented:
Should my 'snmp-server 192.169.3.1' be configured on all my other routers, as sh ip route shows 192.168.3.0/24 on all routers anyway, as stated above?
mikey250Author Commented:
Sound advice appreciated!!
mikey250Author Commented:
Hi

Just out of curiosity, before I close and allocate these points, should my NTP servers all point to my host machine 192.168.3.2 and not 192.168.3.1 (vista-main-hub)?
agonza07Commented:
Depends which is your NTP master. Personally, I would point them to public NTP servers if possible.

You can use this site to find the closest NTP servers to you:
http://www.pool.ntp.org

And this site for configuration:
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/334-cisco-router-ntp.html
mikey250Author Commented:
Hi, I have read the config link provided, which is definitely useful.

ip name-server x.x.x.x - I did not realise this command is used specifically for NTP when pointing to an external NTP server?

My branch routers are configured to point directly to a specific machine address off int eth0. Is this correct, or should I point the branch routers to the directly connected main hub router's serial interface?
agonza07Commented:
Either is OK as long as it's reachable.
mikey250Author Commented:
Sound advice.